The Pentagon is taking cybersecurity to the next level, and in doing so it is helping organizations of all kinds do the same. Here's how the U.S. Department of Defense is implementing zero trust and why it matters to every business and organization.

But first, let’s review this zero trust business.

What is Zero Trust?

Zero trust is the most important cybersecurity idea in a generation. But “zero trust” is itself a bit of a misnomer.

It's not about whether a person or device is trusted. It's about no longer using trust or distrust as the test for access. In the perimeter-security past, anyone inside the firewall was assumed to be an authorized user on an authorized device. The zero trust model grants users inside the firewall no such privilege. It defaults to no access for every user, to applications, APIs, data, servers and more, unless the user and the device authenticate each time they connect and satisfy dynamic policies that weigh several kinds of contextual data (device health, location, time, behavioral risk and so on).

Zero trust demands strong identity and access management systems that minimize effort and inconvenience for users. It calls for micro-segmentation of networks into smaller zones, so that an attacker who breaches one zone cannot move freely into the others. And because implementing zero trust is a journey rather than a destination, it demands real-time monitoring and threat detection (preferably AI-assisted), using security analytics tools, machine learning algorithms and similar technologies to identify and respond to potential threats as they arise.
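The two paragraphs above describe a policy decision point: default deny, identity plus device authentication on every request, contextual signals feeding a dynamic policy, and segment-to-resource rules for micro-segmentation. The block below is an added illustration of that logic and is not code from the DoD strategy, CISA or any product. `Request`, `Signals`, `Policy`, `ROLES` and `POLICIES` are hypothetical names with constructed sample data; in a real deployment this logic lives in an identity provider, access gateway or service mesh.

```python
"""Minimal zero trust policy decision point (PDP).

Added illustration only: not code from the DoD strategy or any product.
Request, Signals, Policy, ROLES and POLICIES are hypothetical names and
constructed sample data; in a real deployment this logic lives in an
identity provider, access gateway or service mesh.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    subject: str          # authenticated user identity
    device_id: str        # authenticated device identity
    resource: str         # e.g. "payroll-db"
    action: str           # e.g. "read"
    source_segment: str   # network micro-segment the request comes from


@dataclass(frozen=True)
class Signals:
    """Contextual evidence gathered fresh for this single request."""
    mfa_age_seconds: int      # seconds since the last MFA challenge
    device_compliant: bool    # EDR healthy, disk encrypted, patched
    risk_score: int           # 0..100 from behavioural analytics
    geo_country: str          # ISO country code of the source address


@dataclass(frozen=True)
class Policy:
    resource: str
    action: str
    allowed_roles: frozenset
    allowed_source_segments: frozenset   # micro-segmentation rule
    max_mfa_age_seconds: int
    max_risk_score: int
    require_compliant_device: bool = True
    allowed_countries: frozenset = frozenset({"US"})


# Constructed sample directory: identity -> roles
ROLES = {"alice": {"finance"}, "bob": {"engineering"}}

# Constructed sample policies. Anything not listed here is unreachable.
POLICIES = [
    Policy("payroll-db", "read", frozenset({"finance"}),
           frozenset({"corp-finance"}), max_mfa_age_seconds=900, max_risk_score=40),
    Policy("ci-server", "deploy", frozenset({"engineering"}),
           frozenset({"corp-eng", "vpn"}), max_mfa_age_seconds=3600, max_risk_score=60),
]


def evaluate(req, sig):
    """Return ("allow"|"deny", reason) for one request.

    The posture is default deny: a request that matches no policy, or
    that fails any single check of the first matching policy, is refused.
    Being inside a segment grants nothing by itself; the segment is just
    one more condition, evaluated on every request rather than once at login.
    """
    for p in POLICIES:
        if (p.resource, p.action) != (req.resource, req.action):
            continue
        if not ROLES.get(req.subject, set()) & p.allowed_roles:
            return "deny", "subject lacks a role the policy allows"
        if req.source_segment not in p.allowed_source_segments:
            return "deny", f"segment {req.source_segment} may not reach {req.resource}"
        if p.require_compliant_device and not sig.device_compliant:
            return "deny", "device is not compliant"
        if sig.mfa_age_seconds > p.max_mfa_age_seconds:
            return "deny", "MFA proof too old; step-up authentication required"
        if sig.risk_score > p.max_risk_score:
            return "deny", "risk score above policy threshold"
        if sig.geo_country not in p.allowed_countries:
            return "deny", "source location not permitted"
        return "allow", "all policy conditions satisfied"
    return "deny", "no policy grants this action on this resource"


def demo():
    """Two requests from the same user in the same session: the second is
    refused once the risk score rises, showing per-request re-evaluation."""
    req = Request("alice", "laptop-17", "payroll-db", "read", "corp-finance")
    quiet = Signals(mfa_age_seconds=300, device_compliant=True, risk_score=10, geo_country="US")
    noisy = Signals(mfa_age_seconds=300, device_compliant=True, risk_score=85, geo_country="US")
    return [evaluate(req, quiet), evaluate(req, noisy)]


if __name__ == "__main__":
    for decision, reason in demo():
        print(decision, "-", reason)
```

The point of `demo()` is the second call: nothing about the user, device or segment changed, yet the request is refused because the context did. That is the difference between "authenticated once at the perimeter" and "authorized per request".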

Many people think of zero trust as a business enterprise architecture. But the Pentagon's plans are especially interesting.

DoD Guidelines and Recommendations

The U.S. Department of Defense (DoD) recently rolled out a zero trust strategy and roadmap that will direct cybersecurity investments by the U.S. military and its partners over the next five years, through fiscal year 2027. In a nutshell, the initiative requires a full embrace of zero trust in place of perimeter security.

The DoD's conception of its new cybersecurity posture specifies 45 capabilities, 20 of them connected to the Continuous Diagnostics and Mitigation (CDM) program run by the Cybersecurity and Infrastructure Security Agency (CISA), organized into seven pillars: users, devices, networks and environments, applications and workloads, data, visibility and analytics, and automation and orchestration.

The roadmap doesn't specify any product, solution or vendor; it leaves those choices to the agencies and military services. Still undetermined are the details of cross-agency coordination, which is essential in the world's largest unified military organization.

Only specific components will need to maintain what the Pentagon calls an "advanced" level of zero trust, such as intelligence agencies and those operating specialized weapons systems; the rest must reach the baseline "target" level.

Crucially, the DoD accompanied the strategy with an execution roadmap designed to provide clear, concrete steps.

The Pentagon is also working on zero trust roadmaps for both "commercial cloud" and "private cloud" environments, intended to speed up implementation of zero trust there.

The DoD will probably test its new security approach with the major U.S. cloud providers.

Four Strategic Goals of Zero Trust Adoption

The DoD set out four strategic goals for meeting its zero trust timeline:

1. Cultural Adoption

The Pentagon intends to make zero trust training and education mandatory for all personnel. The aim is not just knowledge of the model but active support for the architecture and its methods.

2. Cybersecurity Software, Hardware, Systems and Services

This goal covers putting zero trust practices and infrastructure in place across all systems, new and legacy. Pentagon departments are to begin deploying zero trust systems by the end of 2023.

3. Technology Acceleration 

This strategic goal is simple: never fall behind again. The intent is to stay ahead of industry advancements, or at least keep pace with them.

4. Enablement

Complementing training, infrastructure and the goal of staying ahead of security technology trends, the Pentagon also intends to keep its policies, processes and funding aligned with zero trust. Each department must submit a zero trust execution plan by late 2023.

How the DoD’s Use of Zero Trust Can Secure Critical Resources

In some ways, the Pentagon is like any business enterprise: it has employees working together for a common purpose, communicating, moving documents around, deploying software, provisioning hardware and more. In other ways, especially in the cybersecurity requirements behind weapons, it is nothing like a private business. As one extreme example, a cyberattack cannot and must not, under any circumstances, breach the information systems that control and maintain weapons systems.

Private corporations manufacture all of these high-tech weapons systems, so the highest levels of security must apply at the manufacturing stage, throughout the supply chain, in transport, in deployment and on an ongoing basis thereafter.

This level of security is possible only if it is comprehensive. Consider physical infrastructure that has to be maintained, guarded and moved, not by white-collar office workers but by people who work in the field and are on the move. These are exactly the people who need training in zero trust security, along with the infrastructure, procedures, policies and everything else that goes with it. Every person involved with critical physical infrastructure has to stay knowledgeable about security.

Another key component of the Pentagon's plan is the assumption of a radically modernized cloud environment, which the U.S. Army is already building. That arm of the military has moved more than 100 key applications to a cloud environment designed around zero trust security principles.

The DoD's zero trust strategy, roadmap and plans will no doubt prove highly valuable, not only as guidelines and worked examples for implementation but also as a driver of expertise and of new markets for next-generation zero trust tooling.

More from Zero Trust

Contain Breaches and Gain Visibility With Microsegmentation

Organizations must grapple with challenges from many market forces: digital transformation, cloud adoption, hybrid work environments and geopolitical and economic pressures all play a part. These forces have manifested above all as greater security threats to expanding IT attack surfaces. Breach containment is essential, and zero trust security principles can be applied to curtail attacks across IT environments, minimizing business disruption proactively. Microsegmentation has emerged as a viable solution through its continuous visualization of workload and device communications…

Why Zero Trust Works When Everything Else Doesn’t

The zero trust security model is proving to be one of the most effective cybersecurity approaches ever conceived. Zero trust, also called zero trust architecture (ZTA) or perimeter-less security and often delivered through zero trust network access (ZTNA) products, takes a "default deny" security posture. All people and devices must be explicitly authorized to use each network resource, every time they use that resource. Using microsegmentation and least privilege principles, zero trust not only prevents breaches but also stymies lateral movement should a breach…

Effectively Enforce a Least Privilege Strategy

Every security officer wants to minimize their attack surface, and one of the best ways to do this is to implement a least privilege strategy. One report found that data breaches caused by insiders could cost as much as 20% of annual revenue. At least one in three reported data breaches involves an insider, and over 78% of insider data breaches involve unintentional data loss or exposure. Least privilege policies help prevent these kinds of blunders. Clearly, proper management of access…

What CISOs Want to See From NIST’s Impending Zero Trust Guidelines

Cybersecurity at U.S. federal agencies has been running behind the times for years. It took an executive order by President Joe Biden to kickstart a fix across the agencies. The government initiative also serves as a wake-up call to enterprises lagging in getting zero trust up and running. Several organizations, including the Office of Management and Budget (OMB), the Cybersecurity and Infrastructure Security Agency (CISA) and the National Institute of Standards and Technology (NIST) responded to the president’s order with detailed…