The U.S. Army has embarked on a three-phase zero trust journey to ensure it meets the Department of Defense’s (DoD) Zero Trust goal to implement a department-wide framework by 2027.
During an Aug. 29 webinar hosted by Gov Exec, Maj. Gen. Jan C. Norris, the deputy chief information officer for the U.S. Army Reserve, explained that DoD’s zero trust plan outlines 90 target capabilities, and how the service branch is devising its own plan to reach them.
Phase one, which the Army is currently operating in, is all about setting the foundation for zero trust, he said. This includes implementing four foundational capabilities – identity, credential, and access management; network visibility; endpoint security; and incident response. The Army has a target date of 2024 to accomplish this phase.
Phase two, which will take place between 2025 to 2027, will focus on enhancements. According to Norris, the Army’s focus in this phase will “be on streamlining identity services … taking [them] to the next level with automated identity management, automating the identity verification, implementing data loss prevention, reducing insider threat, and then building out scalable network resources.”
Phase three focuses on adopting and assessing continuous monitoring and improvements, going beyond the DoD’s 2027 goal.
“Implementing phase three and going beyond the 2027 goal ensures that we are an agile force that can adapt to ever-evolving threats,” Norris said.
Norris explained that meeting the target capabilities set forth by the department sets the foundation for implementing a zero trust framework, but that zero trust is a journey with no end point in sight. Therefore, continuous monitoring is critical.
“Protecting our data, which ultimately protects our mission, is critical. And as we become more data-centric at the DoD this becomes increasingly important,” Norris said.
However, implementing a zero trust framework does not come without some challenges.
One challenge that the Army faces is integrating its infrastructure into a zero trust framework while maintaining its operational mission. This becomes especially challenging when considering the amount of time, resources, and money already invested in services that do not align with a zero trust framework.
“When you just say stop what you’re doing, we know we’ve invested significant resources in this, but this is not the future. So, let’s just stop that. And let’s, let’s move this now … all while maintaining your operational position with whatever service you’re providing,” Norris said.
While the technology is important, the Army also needs to ensure that it has the resources and talent necessary to get zero trust done right. This is especially challenging as the DoD faces a cyber workforce retention challenge. The Pentagon’s cyber workforce spans at least 150,000 military and civilian positions but currently suffers from a 25 percent vacancy rate.
The DoD has released the cyber workforce implementation plan, which outlines a foundation for the DoD to successfully execute the objectives and initiatives aligned with the Cyber Workforce Strategy, which the DoD released back in March.
“While we can get close to it … it will never be perfect because that cyber landscape is always changing and technology is always evolving,” Norris said of the zero trust effort.