Dec 03 2020

Teleworking Is Driving DOD Push on Zero Trust

The Pentagon has had to become more innovative in how it deals with security at a time of increased support for remote work.

There are multiple zero-trust cybersecurity pilots underway across the Defense Department, a development that is being driven by the department’s embrace of expanded telework capabilities.

With so many users engaged in remote work across the sprawling Pentagon landscape due to the coronavirus pandemic, the department and various components have been embracing zero-trust principles at a faster clip than civilian agencies.

“When COVID hit and we had to push everybody home, we found that we couldn’t put everybody through our normal security architectures,” Navy CISO Christopher Cleary tells FedTech. “We couldn’t put everybody on a VPN connection. It was just too much. And we discovered that not everybody needed that.”

Speaking at the FedScoop Red Hat Government Symposium, John Sherman, the DOD’s principal deputy CIO, said in November that, like other crises, COVID has “forced innovation and new ways of thinking that might not have otherwise been brought to bear, at least not so quickly,” according to a DOD post.

How DOD Thinks About Zero Trust

Brandon Iske, chief engineer for the security enablers portfolio at the Defense Information Systems Agency, tells FedTech, “The COVID environment of mass telework has been a big driver and catalyst for accelerating some of these concepts.”

DISA and the Navy are two elements of the DOD that are exploring zero trust, which, in the words of the National Institute of Standards and Technology, is “a cybersecurity paradigm focused on resource protection and the premise that trust is never granted implicitly but must be continually evaluated.”

Sherman noted at the FedScoop event that the desire to move to zero trust varies across the breadth of the DOD, but that the current environment and need for change have engendered a lively discussion among DOD technology leaders, according to FedScoop. The publication reports that Sherman indicated there is some disagreement among those IT leaders about how best to make zero trust a reality, but he did not go into details.

“This crisis has forced us to think differently,” Sherman said of putting zero-trust network security policies in place.

The Pentagon is exploring how best to get enhanced visibility into its networks, how to put in place more controlled access points, and how to train its security workforce to better understand zero-trust environments.

According to FedScoop, Sherman said he leads a weekly senior-level meeting with counterparts from agencies such as DISA, IT leaders from military service branches, the U.S. Cyber Command and others. “The newness of this concept … has created a healthy dialog in our meetings,” Sherman said. “Innovation is not born out of groupthink.”

The Future of Remote Work Within DOD

Remote work is a driving force behind zero trust in part because it has led to an increase in the attack surface and in phishing attacks against users.

In late October, Sherman also indicated that the DOD wants to turn its main telework tool, the Commercial Virtual Remote (CVR) environment, into a permanent capability by next summer, according to Defense Systems. CVR uses the cloud-based Microsoft Teams collaboration tool and serves more than 1 million employees across the DOD enterprise.

“We are currently working on a more enduring [Microsoft] Office 365 base capability,” with higher security capabilities, Sherman said Oct. 28 during C4ISRNET’s CyberCon event, Defense Systems reports. The goal is to deploy a platform with CVR capabilities that supports Impact Level 5 security for the DOD’s most sensitive unclassified data.

However, in a zero-trust environment, successful phishing attacks would not cause much damage, Sherman argued at the FedScoop event, since an attacker who harvested a DOD user’s credentials would not get access to the network without additional authentication.

The DOD needs to work toward deploying “fine-grained access” for users, Sherman said, according to FedScoop. “This just might be the exact preview of how we will have to operate” in the future, he said.
