Leslie Beavers, Principal Deputy CIO for the Department of Defense, shares her plans for meeting zero trust compliance.

Jan 30 2024
Security

Q&A: DOD’s Principal Deputy CIO Outlines Progress Toward Zero Trust

Defense agencies are working on compliance, architecture and workplace buy-in as their 2027 deadline approaches.

Even the most secure networks are expected to be in compliance with White House requirements to create a zero-trust environment. The Department of Defense has to develop three — one for its nonclassified network, another for its classified network and one more for its top-secret/sensitive network. When Leslie Beavers became DOD’s principal deputy CIO in May 2023, she joined an agency whose zero-trust requirements were so complex that it was given more time to comply than civilian agencies, whose deadline is September 2024. She discussed DOD’s plans for zero trust with FedTech Managing Editor Elizabeth Neus in November.

FEDTECH: Although the DOD’s deadline for creating a zero-trust environment isn’t until 2027, can you discuss the progress made so far?

BEAVERS: We’ve defined the requirements for zero trust from a capability standpoint, and we have put in place the objective for the services to meet the target level of zero trust by 2027. The services have submitted their plans to us, and those are currently being evaluated. There are more than 90 capabilities that are required to meet the basic level of zero trust.

We’re focusing on the required compliance capability at its highest level — tag the people, tag the data and audit. We’re well on our way. We’re not aiming to get rid of the perimeter defense. That, of course, is still part of a network. We want to increase our awareness of what’s happening on the network to improve our ability to secure the information within our networks. There’s also identity and access management and endpoint monitoring — watching the activity on the network and then having triggers for that activity and threshold.

Click the banner to read CDW’s white paper on enhancing zero trust for your agency.

FEDTECH: What zero-trust challenges does DOD have that a civilian agency might not?

BEAVERS: We’ve got in the neighborhood of 3 million people spread over several hundred thousand facilities globally and networks going to all of those locations. Within our networks, we deal with classified information at various levels as well as unclassified information. This is something that is very particular to the government, not just DOD, and that adds a layer of complexity to tagging and managing information. We have to enable sharing but also protect information at the same time; those two ideas are diametrically opposed. We have to walk a fine line to make sure that we’re able to understand who is requesting information at a level of scrutiny that is much higher than on the civilian side, because we have to determine trustworthiness from the classification level as well.

FEDTECH: Are you able to upgrade existing technology, or have you had to acquire new technology to build zero trust?

BEAVERS: Both. With the DOD, this is another area where we have a bit of a unique challenge, although there are other industries that have the same issue. We were early adopters in the technology realm, and we have poured an enormous amount of capital and resources into our technology. We have an enormous legacy installed base, which wasn’t designed to be monitored. It wasn’t designed to be in the cloud. It wasn’t designed with artificial intelligence and data sharing and the machine-to-machine communication that you see today. That’s a challenge to secure that information and make it available in modernized systems. We are also continuing to buy, so we have a lot of newer technology as well. It can be a struggle to make it backward compatible and also maintain its security.

EXPLORE: Organizations can address emerging security challenges with zero trust.

FEDTECH: What have you learned along the way that you could pass on to other CIOs who might not be as far along in the process?

BEAVERS: The journey starts with getting back to basics and doing basic cybersecurity. The practice of knowing your architecture and infrastructure has become a little less rigorous over the years. With zero trust, you’ve got to know what you have and who’s on the architecture. Starting with the basics and getting really good at that is the first and biggest step. You do that as you start trying to map out your architecture so you can instrument it to tag the people, tag the data and audit it.

Leslie Beavers
We know we need to secure our networks in a different way than we have in the past, because we have a different threat than we had in the past.”

Leslie Beavers Principal Deputy CIO, Department of Defense

FEDTECH: What have you learned from other agencies or from the individual military branches that has helped DOD with the zero-trust project?

BEAVERS: The intelligence community’s advancement in the tagging realm is one of the big lessons. The supply chain risk and the real need to have a standard and executable approach for our defense industrial base is another area. We’re talking to industry and hearing what they have to say, and we’re partnering really closely, listening to feedback and making adjustments.

We know we need to secure our networks in a different way than we have in the past, because we have a different threat than we had in the past. It isn’t that our past methods were bad, it’s that the threat today has evolved. It’s pervasive, and it’s coming after our society and stealing our intellectual property in a way that is really detrimental to the free world. There’s a different level of threat that requires a different defensive behavior. Partnerships with the commercial world have been really important as well.

FEDTECH: How is the DOD workforce adapting to the change?

BEAVERS: In the DOD, we are kind of desensitized to multiple logins and multiple authentications — or at least I am from my years of experience with the department. It is a mindset shift for the workforce, though. When you talk about the workforce within the CIO’s area, the information officers and the network people, I think they understand it.

READ MORE: Agencies onboarding contractors need more diverse authentication technologies.

The big shift that I’m seeing is with folks outside of the CIO community. We are absolutely addressing the need to embrace it and understand why it’s important, and then how to not get frustrated with the multiple authentications when they have to log on. We’re trying to make sure we’re conveying the right message as we roll out these capabilities.

I’ve been foot-stomping the customer’s perspective on functionality and interoperability. There’s secure, and there’s so secure that nobody can access it, and that is not helpful. I should be very clear that it is the CIO organization, under CIO John Sherman’s leadership, that is really the thought leader in this space. I’m a recent addition to the team; I’m getting to add my two cents, and I’m enjoying it.

FEDTECH: What are you doing to keep the workforce engaged with the changes?

BEAVERS: This change in our security posture and the change in the threat are also driving a level of professionalism and specialization in our cyber workforce. We have adopted a workforce strategy that was released earlier this year, and now we’ve got the implementation plan out. It’s a metrics-based approach; we defined cybersecurity roles and the skill sets associated with those roles.

We’re pretty excited about the reception so far. Our lead for that, Mark Gorak, was talking to a group in Hawaii, and he got some really excited feedback from the Army folks in the audience about the roles all the way down to the junior enlisted. They were so grateful to have those cyber roles defined, and know what skills they needed to have to apply for and get work with us in these areas. It gives me some insight into the types of recruiting we need to be doing as well.

Photography by Gary Landsman
Close

Learn from Your Peers

What can you glean about security from other IT pros? Check out new CDW research and insight from our experts.