Senate NDAA calls for guidance to apply zero trust to ‘internet of military things’ devices
Amid the Department of Defense’s all-out push to adopt a zero-trust security framework across its enterprise by 2027, Senate lawmakers want to make sure that “internet of military things” hardware is included in that.
The Senate Armed Services Committee on Monday released the full text and report for its version of the fiscal 2025 National Defense Authorization Act, which includes a number of cybersecurity provisions related to zero trust, a widely recognized, cloud-based concept that assumes an adversary has already gained access to a network and therefore seeks to limit further movement inside it by requiring continuous monitoring and authentication of users and their devices as they move from one part of the network to another.
Key among them is a requirement that, if passed as is, would enlist the DOD chief information officer to issue new guidance tailoring the department’s zero-trust framework to “human-wearable devices, sensors, and other smart technology” included in the so-called military internet of things within 180 days of the law’s passage.
Like traditional internet-of-things hardware, the military internet of things generally consists of interconnected, data-rich, sensor-driven devices meant to communicate or share information across a domain in both combat and non-combat settings. While the devices are credited with inexpensively enhancing the military’s ability to sense and share information, in some cases automatically, they have also led to a proliferation of endpoints that adversaries can target in a cyberattack. A 2015 Center for Strategic and International Studies report referred to security as the “single most important challenge for IoT implementation across the military.”
The guidance from the CIO would also require details on the role that identity, credential, and access management technologies would play in that larger zero-trust strategy as it’s applied to the military internet of things.
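To make concrete what the zero-trust model described above means for a fleet of sensors and wearables, here is a small added example (illustrative code written for this article, not software from DOD, DISA or the Thunderdome program). It contrasts a perimeter decision, which trusts anything on the internal network, with a zero-trust decision that re-checks identity, role, device attestation, firmware level and authentication freshness on every request and never treats network location as a reason to allow. The resource names, role names, firmware version floor, 300-second re-authentication window and sample requests are all constructed for the example.

```python
"""Per-request access decision for a fleet of sensor/wearable devices.

Added example for this article; not DOD, DISA or Thunderdome code.
Policy values and sample requests are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass

MAX_AUTH_AGE_S = 300   # assumed: devices must re-authenticate every 5 minutes
MIN_FIRMWARE = "2.4"   # assumed: oldest firmware allowed onto the network


@dataclass(frozen=True)
class Device:
    device_id: str
    firmware: str
    attested: bool          # passed hardware attestation at last check-in
    seconds_since_auth: int  # time since the device last re-authenticated


@dataclass(frozen=True)
class Principal:
    user_id: str
    roles: frozenset[str]


@dataclass(frozen=True)
class Request:
    principal: Principal
    device: Device
    resource: str           # e.g. "telemetry/read"
    from_internal_net: bool  # only the perimeter model looks at this


# Resource -> roles permitted to touch it. Anything not listed is denied.
POLICY: dict[str, frozenset[str]] = {
    "telemetry/read": frozenset({"operator", "analyst"}),
    "telemetry/write": frozenset({"sensor"}),
    "config/write": frozenset({"admin"}),
}


def _version_tuple(version: str) -> tuple[int, ...]:
    """'2.4' -> (2, 4) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def perimeter_decide(req: Request) -> tuple[bool, str]:
    """Legacy perimeter model: inside the network means trusted."""
    if req.from_internal_net:
        return True, "inside perimeter"
    return False, "outside perimeter"


def zero_trust_decide(req: Request) -> tuple[bool, str]:
    """Zero-trust model: every check must pass on every request.

    Network location is deliberately not consulted; an attacker already
    inside the network gains nothing from being inside.
    """
    allowed_roles = POLICY.get(req.resource)
    if allowed_roles is None:
        return False, "unknown resource (default deny)"
    if not (req.principal.roles & allowed_roles):
        return False, "role not permitted for resource"
    if not req.device.attested:
        return False, "device failed attestation"
    if _version_tuple(req.device.firmware) < _version_tuple(MIN_FIRMWARE):
        return False, "firmware below required version"
    if req.device.seconds_since_auth > MAX_AUTH_AGE_S:
        return False, "device authentication stale; re-authenticate"
    return True, "allowed"


# Constructed sample requests covering the cases the two models disagree on.
SAMPLE_REQUESTS: dict[str, Request] = {
    "healthy_operator": Request(
        Principal("op-1", frozenset({"operator"})),
        Device("wearable-01", "2.5", attested=True, seconds_since_auth=60),
        "telemetry/read", from_internal_net=True),
    "stale_auth_internal": Request(
        Principal("op-2", frozenset({"operator"})),
        Device("wearable-02", "2.5", attested=True, seconds_since_auth=900),
        "telemetry/read", from_internal_net=True),
    "compromised_sensor": Request(
        Principal("sensor-7", frozenset({"sensor"})),
        Device("sensor-07", "2.5", attested=False, seconds_since_auth=10),
        "telemetry/write", from_internal_net=True),
    "remote_analyst": Request(
        Principal("an-3", frozenset({"analyst"})),
        Device("laptop-03", "2.4", attested=True, seconds_since_auth=120),
        "telemetry/read", from_internal_net=False),
}


def evaluate(requests: dict[str, Request], decide) -> dict[str, bool]:
    """Run one decision function over every sample request."""
    return {name: decide(req)[0] for name, req in requests.items()}


if __name__ == "__main__":
    for name, req in SAMPLE_REQUESTS.items():
        print(f"{name:22} perimeter={perimeter_decide(req)}  zero_trust={zero_trust_decide(req)}")
```

The two cases worth noticing are `stale_auth_internal` and `compromised_sensor`: the perimeter model admits both because they originate inside the network, while the zero-trust model rejects the first for an expired authentication and the second for a failed attestation. The reverse holds for `remote_analyst`, which the perimeter model blocks purely on location and the zero-trust model admits because identity, role and device posture all check out.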
A Defense Department strategy signed out in 2022 outlines “target levels” of zero trust, which are a minimum set of 91 capability outcomes that DOD agencies and components must meet to secure and protect networks. The Pentagon’s goal was to achieve those target levels no later than Sept. 30, 2027 — a deadline that David McKeown, the department’s chief information security officer, wants to accelerate.
Senate lawmakers have also taken note of a successful zero-trust pilot and subsequent production contract led by the Defense Information Systems Agency called Thunderdome. In the committee report accompanying the text of the chamber’s version of the 2025 policy bill, the committee urges department components to leverage the success of Thunderdome in replacing the agency’s previous security model known as the Joint Regional Security Stacks (JRSS), which aimed to consolidate the department’s attack surface by reducing thousands of network stacks globally to roughly 25. DISA decided to begin sunsetting that program in 2021.
“The committee is encouraged by the successful prototyping and production agreement for the Thunderdome program, which is expected to scale rapidly across the entire DOD enterprise,” the report reads. “To achieve stated goals within DOD’s specified timelines, the committee believes that DOD components should leverage technologies like Thunderdome, which rely on an open vendor selection process and comprehensive prototyping before production. The committee believes that such attributes are necessary to ensure upgradability and adaptability over time.”
That provision calls on the DOD CIO and director of DISA to brief congressional armed services committees on the progress made with Thunderdome and progress transitioning away from JRSS, “with a focus on how legacy JRSS will incorporate zero trust-aligned continuous trust verification and security inspection regardless of user location or device.”