[L to R] Evan Kehayias of the National Geospatial-Intelligence Agency, Ben Phelps of the Office of the Director of National Intelligence, David Voelker of the U.S. Navy and Randy Resnick of the Defense Department speak at DoDIIS 2023.

Dec 15 2023

DoDIIS 2023: Zero-Trust Tools Must Work Across Agencies That Need to Share Data

Experts from DIA, NGA and DOD call on agencies and industry to work harder to achieve interoperability.

Key defense and intelligence officials working to create zero-trust environments are calling on industry partners to give them more information about interoperability as they search for the right cybersecurity solutions.

“I don’t have any idea what you actually do,” said Ben Phelps, CISO for internal systems at the Office of the Director of National Intelligence. “You’re putting zero trust out there to catch our eyes. Do us all a favor in government: Map to your capabilities and activities. Start mapping who you’re interoperable with. Then I know what I’m looking for.”

He was part of a panel that spoke Thursday at the 2023 Department of Defense Intelligence Information System Worldwide Conference in Portland, Ore.

“No single vendor can deliver zero trust to the target level. It’s probably going to take four or five or six vendors, minimum, to fill out the map of the 91 activities that I’m looking for in the DOD to fill out zero trust,” added Randy Resnick, the lead on the DOD’s zero-trust effort.

“It’s very difficult for the government to figure out what we need to buy, procure or architect without this information,” he added. “The government is not going to engineer cybersecurity products and services on the fly anymore. We’re going to be buying integrations.”

ICAM Must Work Among Agencies to Be Effective

The DOD released its zero-trust strategy in October 2022; the service branches and individual intelligence agencies are preparing their own. Defense agencies have until 2027 to finalize their zero-trust plans.

Concerns about interoperability were not limited to industry partners, however. Agencies must find ways to integrate security tools such as identity, credential and access management (ICAM) — important in the defense and intelligence worlds, where information must be shared among agencies in real time amid crisis.

Unexpectedly, this has become an issue with unclassified information. “We really didn’t have a realization of how much unclassified mission we had in the intelligence community until after COVID. It’s coming out of the woodwork,” Phelps said.

“We have a lot of focus on the high side (classified and top secret) when it comes to interoperability, data standards, how we federated, but unclassified, we’re just not there,” he added.

He recently had to join an unclassified teleconference as a guest, he said, because his system wasn’t federated with the other agency’s; the other agency was unable to verify his identity as a result.

“ICAM is one of the more critical capabilities to make zero trust a possibility,” said Evan Kehayias, division chief of cybersecurity engineering at the National Geospatial-Intelligence Agency. “And we need ICAM to be interoperable so that someone at NGA can access data at another agency.”

Identity Is Key to Interoperability in Defense Agencies

The Cybersecurity and Infrastructure Security Agency organizes zero-trust priorities into five “pillars”: identity, devices, networks, applications and workloads, and data. The DOD strategy adapts those into seven: users, devices, applications and workloads, data, network and environment, automation and orchestration, and visibility and analytics.

“All things are kind of equal in regard to the pillars, but everything starts with identity,” said Stephen Kensinger, CIO of the cyber and security division and senior technical adviser for the Defense Intelligence Agency.  

“For interoperability in particular, we have to work across our partnerships to embrace the same standards. If we have different data marking and tagging standards utilized throughout the government, that will defeat interoperability.”

“The systems that are set up for ID management across all the different agencies are different, and we need to be able to translate that,” said acting DIA Chief Data Officer Mac Townsend.

Photography by Elizabeth Neus