WASHINGTON –
The Defense Department's chief information officer released the nearly 400-page "Zero Trust Overlays" document June 4 designed to serve as both a road map and guide for helping the department achieve goals set forth in a 2021 executive order signed by President Joe Biden.
"The zero trust overlays are another tool in the department's toolbox supporting components' execution by providing clear guidance on which controls facilitate specific zero trust activities and outcomes," said Dave McKeown, DOD's deputy CIO for cybersecurity and chief information security officer.
The overlays are expected to be a boon to those tasked with implementing "zero trust" across the department.
"The overlays help our risk management practitioners achieve zero trust outcomes, ensuring our adversaries cannot move laterally within our networks," said Randy Resnick, DOD's chief zero trust officer.
The zero trust concept redefines how data, networks and information systems are secured — not just within DOD, but across industry and the entire federal government, said Will Schmitt, a division chief within DOD's Zero Trust Portfolio Management Office.
Spotlight: DOD Innovates
"Zero trust is a modern cybersecurity approach requiring all users and devices, whether inside or outside an organization's network, to be authenticated and authorized before being granted access to data, assets, applications and services," he said. "Zero trust assumes that the adversary is already embedded in your infrastructure and, notwithstanding, implements cybersecurity rules, policies and techniques which have the effect of thwarting, constraining and frustrating an adversary's freedom of movement and ability to exploit data."
Security today, Schmitt said, is focused on the network. Users authenticate — prove that they are authorized to be on a network, with a CAC login, for instance — and once on that network, they have free rein to look at and modify everything on the network.
With zero trust, the user will still authenticate themselves onto a network, but they will also need to prove they are authorized to access every document, file and subsystem available on that network. What that means is that when an adversary hacks into a network, they won't have access to everything — they'll be continuously challenged to provide additional credentials for everything they want to look at.
Spotlight: Science & Tech
"Zero trust is a data-centric strategy for security," Schmitt said. "You're protecting the data itself. You're moving that protection boundary from the perimeter right down to what's critical to be protected. And what that means is that everybody has to be authorized and authenticated to access that piece of information."
A big assumption of zero trust, Schmitt said, is that the network is already breached by an adversary — that the enemy is already in the network.
"The idea is to make it very difficult for them to do any lateral movement," he said. "And if they do, we're able to identify it and block them."
Zero trust is not yet in place across the department, but by fiscal year 2027 it's expected to reach "target level" implementation. That, Schmitt said, involves DOD having implemented 91 out of the 152 target activities identified in DOD's Zero Trust Strategy and Roadmap, which was released in November 2022.
Implementing that across DOD and the military services' systems and workforce will be a challenge. But information contained in the newly released "Department of Defense Zero Trust Overlays" will help those most responsible for making it happen to meet the deadlines set by the department and the White House.
Spotlight: Engineering in DOD
Schmitt said the overlays will, for the first time, standardize how DOD implements zero trust across the defense enterprise, prescribe a phased approach to implementing zero trust controls, and develop a zero-trust gap analysis for system architects and authorization officials.