DOD putting final touches on new zero trust ‘assessment standard’
A new assessment standard to guide how Pentagon components evaluate and approve zero-trust cybersecurity solutions for use will soon be finalized and ready for release, according to the senior official overseeing its development.
In the Defense Department, the term “zero trust” refers to a nascent cybersecurity framework and a set of 152 activities collectively meant to enable continuous monitoring and constant authentication to secure critical national security data and information. As its name suggests, the zero-trust concept assumes that networks are already compromised from the outset.
During FedTalks 2024, hosted by Scoop News Group on Tuesday, Les Call — director of the DOD’s Zero Trust Portfolio Management Office — provided the latest update on his team’s ongoing efforts to drive that implementation and to continue “progressing at a fast rate.”
“One of the things about a freight train is, once you get it going, you can’t stop, or it’s very, very difficult to stop. That’s the momentum that we’ve created, and that’s what we’re trying to do,” Call said.
The Biden Administration issued an executive order in 2021 requiring the federal government to secure cloud services and other assets through approved zero-trust approaches. Not long after that, in 2022, DOD’s then-Chief Information Officer John Sherman set the department on an ambitious path to implement a fully zero trust-based architecture across its sprawling enterprise by 2027.
Call said Pentagon officials are working closely with a range of industry partners and representatives, including the Cloud Security Alliance, to pinpoint compliant capabilities that can accelerate DOD components’ paths to fully achieving zero trust.
“2024 was the year of concepts. We put together 18 proofs of concept, and three of them we’ve completed. One we’ve actually assessed — and that’s the Navy’s Flank Speed, which assessed the Microsoft cloud service provider network, which was very favorable in zero trust,” Call explained.
He confirmed that his team has also recently linked up with MIT Lincoln Laboratory to put together what he said will be “a proving ground” to continue to assess solutions.
“We’re actually working on right now and finalizing an actual assessment standard, because you can’t assess zero trust the way you would do a normal red team assessment,” Call said.
Although he did not provide further details on that effort, Call highlighted some of the CIO’s early progress on zero trust to date. However, he also emphasized the challenges that accompany “changing the culture” of how the Pentagon operates, particularly in terms of technology acquisition and cybersecurity at scale.
Following Sherman’s recent departure, Principal Deputy Chief Information Officer Leslie Beavers stepped in as acting CIO and subsequently rolled out the department’s new IT advancement strategy, called Fulcrum.
Call said that Beavers had been “quietly working on” Fulcrum for two years. The strategy broadly places a sharp focus on agile processes and user experience, and outlines concrete metrics for officials to track tangible progress.
“And so as her philosophy lined up with what we’re doing, it now gives us the opportunity to utilize the hammer — that’s the CIO’s office — to affect this culture change,” Call said.
Before joining the Pentagon in 2023 as its “orchestrator for zero trust,” in his words, Call served as the White House National Security Council’s IT director.
“The DOD is the largest federal organization. When you think of your services, your military including the National Guard and Reserves, you’ve got over 2 million people, over 750,000 civilians made up of 43 separate components — and that covers more than 500,000 facilities across the world. And when you think about securing that vast space and how difficult that is — not to mention what a target that we are — it’s a pretty traumatizing task. And that’s kind of what I thought when I first was introduced a little over a year ago,” he noted.
Still, these measures and the ambitious approach are necessary to deter adversaries like the Chinese government, which Call said is operating on “correlating timelines” with DOD when it comes to cyber threats and security.
“All of your major [U.S.] intel organizations have reported to Congress to say, ‘Hey, there’s this group called the People’s Republic of China, and they’re involved in all of our critical infrastructure and, oh, by the way, they’re doing this philosophy, which we call Living Off the Land where they’re just kind of camping out, and they’re waiting for the word so that they can create social havoc — meaning you and I could wake up one morning and we have no cell service, we have no power, and the water tastes like chlorine, so we can’t drink it. And then what do we do?’” Call said.