January 16, 2023 By Mike Elgan 4 min read

The Pentagon is taking cybersecurity to the next level — and they’re helping organizations of all kinds do the same. Here’s how the U.S. Department of Defense is implementing zero trust and why this matters to all businesses and organizations.

But first, let’s review this zero trust business.

What is zero trust?

Zero trust is the most important cybersecurity idea in a generation. But “zero trust” is itself a bit of a misnomer.

It’s not about deciding whether a person or device is trustworthy. It’s about no longer using network location as a stand-in for trust. In the perimeter-security past, anyone inside the firewall was assumed to be an authorized user on an authorized device. The zero trust model doesn’t privilege users inside the firewall. Instead, it defaults to no access for every user, to applications, APIs, data, servers and more, unless the user and the device authenticate each time they connect, against dynamic policies that evaluate several kinds of context for each request.

Zero trust demands strong identity and access management that keeps effort and inconvenience for users to a minimum. It calls for micro-segmenting networks into smaller zones so that an intruder who breaches one zone cannot move freely through the rest. And because implementing zero trust is a journey, not a destination, it demands continuous monitoring and threat detection, preferably backed by security analytics and machine learning, to identify and respond to threats in real time.
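As an added illustration (this is example code written for this page, not code from the article, from the DoD or from any vendor), here is a small policy decision function that applies the rules just described: default deny, per-request evaluation against contextual signals such as authentication strength, session age and device posture, and a segment-to-application table that stands in for micro-segmentation. The policy table, the three-level assurance scale and the eight-hour re-authentication window are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Tuple

# Constructed, hypothetical policy table: which source segment may reach which
# application, and what a request must carry to be allowed. Any pair that is
# not listed is denied: there is no "inside the firewall" fallback.
SEGMENT_POLICY = {
    ("corp-workstations", "wiki"):   {"min_assurance": 1, "managed_device": False},
    ("corp-workstations", "hr-app"): {"min_assurance": 2, "managed_device": True},
    ("admin-jumphosts",   "hr-db"):  {"min_assurance": 3, "managed_device": True},
}

# Assumed authentication assurance scale for this example (not from the DoD strategy):
# 1 = password only, 2 = password plus one-time code, 3 = phishing-resistant MFA.
MAX_SESSION_AGE = timedelta(hours=8)  # assumed re-authentication window


@dataclass
class AccessRequest:
    user: str
    source_segment: str      # network segment the connection comes from
    target: str              # application or data store being requested
    auth_assurance: int      # strength of the authentication the session holds
    last_auth: datetime      # when the user last authenticated
    device_managed: bool     # enrolled in the organisation's device management
    device_compliant: bool   # latest posture check passed (patches, disk encryption)


def evaluate(req: AccessRequest, now: datetime) -> Tuple[bool, str]:
    """Return (allowed, reason). Every check must pass; the first failing check
    ends evaluation, so the reason names the signal that denied access."""
    rule = SEGMENT_POLICY.get((req.source_segment, req.target))
    if rule is None:
        return False, f"no policy for {req.source_segment} -> {req.target}: default deny"
    if now - req.last_auth > MAX_SESSION_AGE:
        return False, "authentication too old: re-authenticate"
    if req.auth_assurance < rule["min_assurance"]:
        return False, (f"assurance level {req.auth_assurance} below required "
                       f"{rule['min_assurance']}")
    if rule["managed_device"] and not (req.device_managed and req.device_compliant):
        return False, "managed and compliant device required"
    return True, "allow"


def demo() -> List[Tuple[str, bool, str]]:
    """Run a few constructed requests through the policy and return the decisions."""
    now = datetime(2023, 1, 16, 12, 0, tzinfo=timezone.utc)
    fresh = now - timedelta(minutes=30)
    stale = now - timedelta(hours=9)
    requests = [
        # Legitimate HR user on a managed, compliant laptop with MFA: allowed.
        AccessRequest("alice", "corp-workstations", "hr-app", 2, fresh, True, True),
        # Same user, same laptop, but the posture check failed: denied.
        AccessRequest("alice", "corp-workstations", "hr-app", 2, fresh, True, False),
        # Credentials are fine but the session is older than the window: denied.
        AccessRequest("alice", "corp-workstations", "hr-app", 2, stale, True, True),
        # A workstation reaching for the HR database directly: no policy, so denied,
        # even though the workstation segment is "inside" the network.
        AccessRequest("bob", "corp-workstations", "hr-db", 3, fresh, True, True),
        # Admin from the jump-host segment with phishing-resistant MFA: allowed.
        AccessRequest("carol", "admin-jumphosts", "hr-db", 3, fresh, True, True),
    ]
    return [(r.user, *evaluate(r, now)) for r in requests]


if __name__ == "__main__":
    for user, allowed, reason in demo():
        print(f"{user:6} {'ALLOW' if allowed else 'DENY':5} {reason}")
```

The point of the ordering is that a request from a "trusted" internal segment with strong credentials (bob) is still refused because no policy grants that path; location alone never earns access, and each denial names the single signal that failed so the decision can be logged and audited.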

Many people think of zero trust as an enterprise architecture for businesses. But the Pentagon’s plans deserve a close look of their own.

DoD guidelines and recommendations

The U.S. Department of Defense (DoD) recently rolled out a zero trust strategy and roadmap that directs future cybersecurity investments by the U.S. military and partners over the next five years. The initiative, in a nutshell, requires a full embrace of zero trust over perimeter security.

The DoD’s strategy specifies 45 capabilities, 20 of them tied to the Continuous Diagnostics and Mitigation (CDM) program run by the Cybersecurity and Infrastructure Security Agency (CISA), organized under seven pillars. The pillars are users, devices, networks and environments, applications and workloads, data, visibility and analytics, and automation and orchestration.

The roadmap doesn’t specify any product, solution or vendor. It leaves that part up to the agencies and military services to choose. Still undetermined are the details for cross-agency coordination, which is necessary in the world’s largest unified military organization.

Only specific organizations will need to maintain what the Pentagon calls the “advanced” level of zero trust: intelligence agencies, special weapons systems programs and a few others.

Crucially, the DoD accompanied the strategy with an execution roadmap designed to provide clear, concrete steps.

The Pentagon is also working on zero trust roadmaps for both a “commercial cloud” and “private cloud” that will enable faster implementation of zero trust.

The DoD will probably test its new security approach with the major U.S. cloud providers.

Four strategic goals of zero trust adoption

The DoD laid out four strategic goals for meeting its zero trust timeline:

1. Cultural adoption

The Pentagon intends to make zero trust training and education mandatory for all personnel. The training will build not only knowledge but also support for the architecture and its methods.

2. Cybersecurity software, hardware, systems and services

This part aims to implement the practices and infrastructure for zero trust across all systems, new and legacy. Pentagon departments should begin the deployment of zero trust systems by the end of 2023.

3. Technology acceleration

This strategic goal is simple: Never fall behind again. The intent is to stay ahead of industry advancements — or at least keep up with them.

4. Enablement

Complementing training, infrastructure and the goal to stay ahead of security technology trends, the Pentagon also intends to keep pace with policies, processes and funding. Each department must submit zero trust execution plans by late 2023.

How the DoD’s use of zero trust can secure critical resources

In some ways, the Pentagon is like any business enterprise. It’s got employees working together for a common purpose, communicating, moving around documents, deploying software, provisioning hardware and more. But in others — especially in the cybersecurity requirements behind weapons — it’s totally unlike private businesses. As one extreme example, a cyberattack cannot and must not, under any circumstances, breach weapons systems controlled and maintained by information systems.

Private corporations manufacture all these high-tech weapons systems. And so, the highest levels of security must be deployed at the level of manufacturing, in the supply chain, in transport, in deployment and on an ongoing basis.

This level of security is possible only if it covers everyone. Take the example of physical infrastructure that has to be maintained, guarded and moved not by white-collar office workers but by people who work in the field and are on the move. These are exactly the kinds of people who need training in zero trust security, along with the infrastructure, procedures and policies that go with it. Every single person involved in critical physical infrastructure has to stay knowledgeable about security.

Another key component of the Pentagon’s plans is the assumption of a radically modernized cloud environment, which the U.S. Army is already building. That arm of the military has already moved more than 100 key applications to a cloud environment built on zero trust principles.

The DoD’s zero trust strategy, roadmap and plans will no doubt prove highly valuable, not only as guidelines and examples for implementation, but also as a driver of expertise and new markets for next-generation tools for implementing zero trust.
