Jan 30 2024
Security

Q&A: DOD’s Principal Deputy CIO Outlines Progress Toward Zero Trust

Defense agencies are working on compliance, architecture and workplace buy-in as their 2027 deadline approaches.

Even the most secure networks are expected to be in compliance with White House requirements to create a zero-trust environment. The Department of Defense has to develop three — one for its nonclassified network, another for its classified network and one more for its top-secret/sensitive network. When Leslie Beavers became DOD’s principal deputy CIO in May 2023, she joined an agency whose zero-trust requirements were so complex that it was given more time to comply than civilian agencies, whose deadline is September 2024. She discussed DOD’s plans for zero trust with FedTech Managing Editor Elizabeth Neus in November.

FEDTECH: Although the DOD’s deadline for creating a zero-trust environment isn’t until 2027, can you discuss the progress made so far?

BEAVERS: We’ve defined the requirements for zero trust from a capability standpoint, and we have put in place the objective for the services to meet the target level of zero trust by 2027. The services have submitted their plans to us, and those are currently being evaluated. There are more than 90 capabilities that are required to meet the basic level of zero trust.

We’re focusing on the required compliance capability at its highest level — tag the people, tag the data and audit. We’re well on our way. We’re not aiming to get rid of the perimeter defense. That, of course, is still part of a network. We want to increase our awareness of what’s happening on the network to improve our ability to secure the information within our networks. There’s also identity and access management and endpoint monitoring — watching the activity on the network and then having triggers for that activity and threshold.

FEDTECH: What zero-trust challenges does DOD have that a civilian agency might not?

BEAVERS: We’ve got in the neighborhood of 3 million people spread over several hundred thousand facilities globally and networks going to all of those locations. Within our networks, we deal with classified information at various levels as well as unclassified information. This is something that is very particular to the government, not just DOD, and that adds a layer of complexity to tagging and managing information. We have to enable sharing but also protect information at the same time; those two ideas are diametrically opposed. We have to walk a fine line to make sure that we’re able to understand who is requesting information at a level of scrutiny that is much higher than on the civilian side, because we have to determine trustworthiness from the classification level as well.

FEDTECH: Are you able to upgrade existing technology, or have you had to acquire new technology to build zero trust?

BEAVERS: Both. With the DOD, this is another area where we have a bit of a unique challenge, although there are other industries that have the same issue. We were early adopters in the technology realm, and we have poured an enormous amount of capital and resources into our technology. We have an enormous legacy installed base, which wasn’t designed to be monitored. It wasn’t designed to be in the cloud. It wasn’t designed with artificial intelligence and data sharing and the machine-to-machine communication that you see today. That’s a challenge to secure that information and make it available in modernized systems. We are also continuing to buy, so we have a lot of newer technology as well. It can be a struggle to make it backward compatible and also maintain its security.

FEDTECH: What have you learned along the way that you could pass on to other CIOs who might not be as far along in the process?

BEAVERS: The journey starts with getting back to basics and doing basic cybersecurity. The practice of knowing your architecture and infrastructure has become a little less rigorous over the years. With zero trust, you’ve got to know what you have and who’s on the architecture. Starting with the basics and getting really good at that is the first and biggest step. You do that as you start trying to map out your architecture so you can instrument it to tag the people, tag the data and audit it.

FEDTECH: What have you learned from other agencies or from the individual military branches that has helped DOD with the zero-trust project?

BEAVERS: The intelligence community’s advancement in the tagging realm is one of the big lessons. The supply chain risk and the real need to have a standard and executable approach for our defense industrial base is another area. We’re talking to industry and hearing what they have to say, and we’re partnering really closely, listening to feedback and making adjustments.

We know we need to secure our networks in a different way than we have in the past, because we have a different threat than we had in the past. It isn’t that our past methods were bad, it’s that the threat today has evolved. It’s pervasive, and it’s coming after our society and stealing our intellectual property in a way that is really detrimental to the free world. There’s a different level of threat that requires a different defensive behavior. Partnerships with the commercial world have been really important as well.

FEDTECH: How is the DOD workforce adapting to the change?

BEAVERS: In the DOD, we are kind of desensitized to multiple logins and multiple authentications — or at least I am from my years of experience with the department. It is a mindset shift for the workforce, though. When you talk about the workforce within the CIO’s area, the information officers and the network people, I think they understand it.

The big shift that I’m seeing is with folks outside of the CIO community. We are absolutely addressing the need to embrace it and understand why it’s important, and then how to not get frustrated with the multiple authentications when they have to log on. We’re trying to make sure we’re conveying the right message as we roll out these capabilities.

I’ve been foot-stomping the customer’s perspective on functionality and interoperability. There’s secure, and there’s so secure that nobody can access it, and that is not helpful. I should be very clear that it is the CIO organization, under CIO John Sherman’s leadership, that is really the thought leader in this space. I’m a recent addition to the team; I’m getting to add my two cents, and I’m enjoying it.

FEDTECH: What are you doing to keep the workforce engaged with the changes?

BEAVERS: This change in our security posture and the change in the threat are also driving a level of professionalism and specialization in our cyber workforce. We have adopted a workforce strategy that was released earlier this year, and now we’ve got the implementation plan out. It’s a metrics-based approach; we defined cybersecurity roles and the skill sets associated with those roles.

We’re pretty excited about the reception so far. Our lead for that, Mark Gorak, was talking to a group in Hawaii, and he got some really excited feedback from the Army folks in the audience about the roles all the way down to the junior enlisted. They were so grateful to have those cyber roles defined, and know what skills they needed to have to apply for and get work with us in these areas. It gives me some insight into the types of recruiting we need to be doing as well.

Photography by Gary Landsman