Microsoft sees opportunities for increased coordination across DOD on zero trust

By Sara Friedman  / October 21, 2022

The Pentagon's upcoming zero-trust strategy will look at implementation across the Defense Department's "enterprise," according to Microsoft Federal Security Chief Technology Officer Steve Faehl, which he says differs from the approach on the civilian side of government and allows for increased coordination among the military services.

“On the civilian side, [the Cybersecurity and Infrastructure Security Agency] and [the White House Office of Management and Budget] have both leaned in with achievable, measurable targets for each of the agencies as a part” of their zero-trust strategy, Faehl told Inside Cybersecurity. “DOD’s approach is slightly different in that they are looking to act as one enterprise.”

Faehl said, “The central responsibility and accountability that sits with the DOD zero-trust strategy is a big difference in approach, but we don’t expect drastically different paths or outcomes. As a result, these strategies are very well aligned and much of it builds on the foundation [the National Institute of Standards and Technology] created with Special Publication 800-207.”

Microsoft is one of the collaborating vendors in NIST’s National Cybersecurity Center of Excellence project on zero trust. “NIST is a common link in the chain connecting the two strategies with slightly different execution paths,” Faehl said.

OMB released its zero-trust strategy through a January memorandum and CISA has put out a zero-trust maturity model to help agencies work on their approaches.

As part of the memo, OMB asked agencies to provide information on funding needs to transition to zero trust starting in their fiscal year 2024 budgets.

The DOD and OMB strategies will be “convergent,” Faehl said. “As there are more production implementations, as there are more successful projects around zero trust, it is easier to factor in what those lessons learned and best practices are. We see across the board where there is collaboration, we see as more mature implementations are occurring they are all starting to look more and more similar.”

Faehl said, “The great news is the work that has gone on in the federal civilian executive branch and DOD is very well aligned from a zero-trust strategy perspective, but the implementation details in DOD are going to be different and DOD is a bit more prescriptive than we see on the civilian side.”

The DOD strategy will build on initial efforts started through its zero-trust reference architecture to go beyond the “seven pillars” laid out in that framework through the creation of tiers defined by a required capability set, according to Pentagon cyber chief David McKeown.

McKeown said in September that the soon-to-be-released plan defines 90 capabilities within what he called “the targeted zero-trust level” -- a floor that represents the department-wide cybersecurity goal that officials want to reach by the end of FY-27.

The Office of the DOD CIO stood up a zero-trust portfolio management office in January led by former National Security Agency official Randy Resnick.

Microsoft was among the cloud service providers invited by DOD to provide input on the Pentagon’s strategy.

The strategy should be “threat-informed, agile, measurable, achievable and flexible,” Faehl said, calling the five aspects “transformational.”

Faehl said, “As we see DOD move out as one entity, the ability to inform a common defense will raise all boats for the DOD. And so that’s the expectation from us, as each military department gets aligned they will achieve progress more rapidly and great zero-trust outcomes as a result.”

Faehl said that by focusing on capabilities, the strategy will provide a “greater level of detail” for each pillar, along with “more granularity that is needed than just devices or applications or users,” and that DOD should focus on “getting to what capabilities enable secure devices, what underlying capabilities do you expect from technology or your personnel in order to enable secure users.”

Faehl said, “Going into that level of detail around capabilities really helps planning and consistency in planning across the buildouts.”

DOD’s FY-27 target to complete the transition is possible because work started two years ago through the services and agencies, Faehl said.

Faehl said, “For a time-scale comparison, it has been eight years since our first zero-trust strategy at Microsoft. It’s been six years since our first zero-trust-focused product feature was released and it took three years for our corporate shift to zero trust to be completed.”

“We still have work to do, we are still iterating on our zero-trust strategy but those core elements were completed in about three years,” Faehl said.

From an “agility perspective,” Faehl said DOD has the ability to “move rapidly.” The DOD strategy is “threat-informed,” Faehl said, which creates a “sense of urgency” and drives quick action.