A Peek into the Newly Released DoD Zero Trust Strategy (Part 1 of 2)



On November 22, 2022, the Department of Defense (DoD) released its Zero Trust Strategy and Roadmap (view here). Cisco has been working alongside the DoD over the past several years to help define and integrate Zero Trust principles as an evolution of the concepts of the defense in depth mindset. Last week, the DoD published its Zero Trust Strategy and it makes note that “Zero Trust is much more than an IT Solution. Zero Trust may include certain products, but it is not a capability or a device that can be bought.”

Back in August, Randy Resnick, Director of the Zero Trust Portfolio Management Office, told the Federal News Network “No single vendor can provide all 90 activities needed for Zero Trust.” Vendors will need to work together to achieve all 90 activities, and authorizing officials must also agree, making this new Zero Trust push align closely with the Risk Management Framework (RMF).[1]

The DoD Zero Trust Strategy notes that the “journey to Zero Trust requires all DoD Components to adopt and integrate Zero Trust capabilities, technologies, solutions, and processes across their architectures, systems, and within their budget and execution plans.” The defense.gov website notes that both the Defense Information Systems Agency (DISA) and the National Security Agency contributed to the development of the Zero Trust Strategy and Roadmap, as did United States (US) Cyber Command and all the branches of the US Military.

The timelines outlined in the strategy document also reiterate the importance of implementing a Zero Trust architecture, with a 5-year plan that must be executed starting in FY2023 to FY2027 and beyond.

A path to achieve Zero Trust

The DoD Zero Trust Strategy puts forth a clear path so that it can be achieved and provides a road map by way of seven DoD Zero Trust Pillars (providing a capabilities-based execution plan) across their Non-classified Internet Protocol Router Network (NIPRNet) and Secret Internet Protocol Router Network (SIPRNet). It is a major cultural change and a philosophy shift from legacy authentication and security mechanisms, allowing effective data sharing in partnered environments.


“The Framework outlines an official blueprint to modernize cybersecurity for the DODIN NIPRNet and SIPRNet.”


The strategy has DoD enterprises secured by a “fully implemented” Zero Trust cybersecurity framework by Fiscal Year 2027, reducing the overall attack surface, and quickly containing and remediating bad actors’ activities. The strategy does not mandate or prescribe specific technologies or potential solutions. It does, however, describe all the Zero Trust capabilities that must be implemented.

The strategic goals and corresponding objectives define what the DoD will do to achieve Zero Trust.

  • Zero Trust Cultural Adoption: A Zero Trust security framework and mindset that guides the design, development, integration, and deployment of information technology across the DoD Zero Trust Ecosystem.
  • DoD Information Systems Secured and Defended: DoD cybersecurity practices incorporate and operationalize Zero Trust to achieve enterprise resilience in DoD information systems.
  • Technology Acceleration: Zero Trust-based technologies deploy at a pace equal to or exceeding industry advancements to remain ahead of the changing threat environment.
  • Zero Trust Enablement: DoD Zero Trust execution integrates with Department-level and Component-level processes leading to seamless and coordinated Zero Trust execution.

DoD Zero Trust Pillars

The seven pillars of Zero Trust are depicted below and include Users, Devices, Applications & Workloads, Data, Network & Environment, Automation & Orchestration, Visibility & Analytics.

DoD Zero Trust Strategy 7 Pillars

 

The National Institute of Standards and Technology (NIST) Special Publication (SP) 800-207, Zero Trust Architecture provides the underpinnings for the DoD Zero Trust Security Model and the DoD Zero Trust Architecture, with seven key tenets for an ideal Zero Trust implementation. These seven tenets of Zero Trust are:

  1. All data sources and computing services are considered resources.
  2. All communication is secured regardless of network location.
  3. Access to individual enterprise resources is granted on a per-session basis.
  4. Access to resources is determined by dynamic policy.
  5. The enterprise monitors and measures the integrity and security posture of all owned and associated assets.
  6. All resource authentication and authorization are dynamic and strictly enforced before access is allowed.
  7. The enterprise collects as much information as possible about the current state of assets, network infrastructure, and communications and uses it to improve its security posture.

Within the seven pillars, the DoD has broken down a subset of 45 separate capabilities. Each capability breaks down into a series of associated activities to provide further guidance around the DoD Zero Trust implementation. DoD Strategy has also stated that components must achieve Zero Trust “Target Level” as soon as possible (FY2023 and no later than FY2027) and work towards an “Advanced” Zero Trust Level after that.

It is important to note that the DoD Strategy states that “reaching an advanced state does not mean an end to maturing Zero Trust; instead, protection of attack surfaces will continue to adapt and refine as the malicious events methods advance and mature.” Implementing a Zero Trust architecture is not a “one-and-done” initiative, but a continuous journey towards better security.

DoD Zero Trust capabilities

The DoD Zero Trust Capabilities are listed below and will be mapped to our Cisco Secure products in an upcoming blog:

  • User
    • 1 User Inventory
    • 2 Conditional User Access
    • 3 Multi-Factor Authentication
    • 4 Privileged Access Management
    • 5 Identity Federation & User Credentialing
    • 6 Behavioral, Contextual ID, and Biometrics
    • 7 Least Privileged Access
    • 8 Continuous Authentication
    • 9 Integrated ICAM Platform
  • Device
    • 1 Device Inventory
    • 2 Device Detection and Compliance
    • 3 Device Authorization with Real Time Inspection
    • 4 Remote Access
    • 5 Partially & Fully Automated Asset, Vulnerability and Patch Management
    • 6 Unified Endpoint Management (UEM) & Mobile Device Management (MDM)
    • 7 Endpoint & Extended Detection & Response (EDR & XDR)
  • Application & Workload
    • 1 Application Inventory
    • 2 Secure Software Development and Integration
    • 3 Software Risk Management
    • 4 Resource Authorization & Integration
    • 5 Continuous Monitoring and Ongoing Authorizations
  • Data
    • 1 Data Catalog Risk Assessment
    • 2 DoD Enterprise Data Governance
    • 3 Data Labeling and Tagging
    • 4 Data Monitoring and Sensing
    • 5 Data Encryption & Rights Management
    • 6 Data Loss Prevention (DLP)
    • 7 Data Access Control
  • Network and Environment
    • 1 Data Flow Mapping
    • 2 Software Defined Networking (SDN)
    • 3 Macro Segmentation
    • 4 Micro Segmentation
  • Automation & Orchestration
    • 1 Policy Decision Point (PDP) & Policy Orchestration
    • 2 Critical Process Automation
    • 3 Machine Learning
    • 4 Artificial Intelligence
    • 5 Security Orchestration Automation & Response (SOAR)
    • 6 API Standardization
    • 7 Security Operations Center (SOC) & Incident Response (IR)
  • Visibility & Analytics
    • 1 Log All Traffic (Network, Data, Apps, Users)
    • 2 Security Information and Event Management (SIEM)
    • 3 Common Security and Risk Analytics
    • 4 User and Entity Behavior Analytics
    • 5 Threat Intelligence Integration
    • 6 Automated Dynamic Policies

In Part 2, we will go deeper into the model and how Cisco capabilities can support any Federal organization’s Zero Trust journey. Cisco is looking forward to continuing our partnership with the DoD to make Zero Trust a reality for our nation’s warfighters.


[1] https://federalnewsnetwork.com/defense-main/2022/08/dod-to-release-start-implementing-new-zero-trust-strategy-by-oct-1/

 

 

 

 

 

 
