The Department of Defense (DoD) officially approved zero trust implementation plans from all of its components last month, and the agency is now looking to focus on “minimum viable solutions” for the plans by tackling specific security-related issues each year.
The implementation plans stem from the DoD’s Zero Trust Strategy – which DoD released in late 2022 – in which the DoD’s Office of the Chief Information Officer (CIO) asked DoD components to submit their own individual zero trust execution plans.
The execution plans are meant to help the agency reach its goal of fully implementing a department-wide zero trust security framework by 2027.
However, Les Call, who serves as director of the DoD CIO Zero Trust Portfolio Management Office (PfMO), said on Thursday that the move to minimum viable solutions comes as the DoD is looking to “scale back” on the implementation plans this year.
“We had to put literally 30 people into a room for three to four weeks to go through and assess [the implementation plans], and I said, ‘Absolutely, we can’t do that anymore,’” Call explained at the Zscaler Public Sector Summit on April 4. “First of all, we need to work with things that we can pull data from and move on. And secondly, we have to implement because we do have this timeframe.”
DoD’s Zero Trust Strategy outlines a total of 152 zero trust activities, which Call said “are important, but we need to start with zero trust and start with a data-centric environment.”
“So, what we’re doing this year for our implementation plans is we’re scaling back, and we’re focusing on what I call ‘minimum viable solutions,’” Call said. “Each year, we’re going to have a standard that’s going to raise. So, the first year, we want to get after sensoring and making sure that everybody understands what’s in their environment.”
“And then secondly, we want to take the current ICAM solution and we want to make that zero trust, and then we want to tackle the data tagging issue,” he added.
DoD components have until October 2024 to submit version 2.0 of the implementation plans, revised to meet the standards set forth by the department.
While awaiting implementation plans 2.0, DoD will work with its components to solve the challenges they raised during the review process and in various implementation plans, including policy and governance, unverified zero trust solutions, cultural awareness and understanding, and funding — just to name a few.
