Zero trust architecture

DOD Official Sees Potential for Accelerated Implementation of Zero Trust at Agency

Randy Resnick, director of the Zero Trust Portfolio Management Office at the Department of Defense, said during CyberScoop’s Zero Trust Summit on Thursday that the agency could implement a zero trust architecture in a year instead of five years if the pilot program with the Joint Warfighting Cloud Capability contractors is successful. The four JWCC contractors are Amazon Web Services, Oracle, Microsoft and Google.

According to Resnick, the DOD could enable zero trust in the cloud with one, some or all JWCC contractors. Being able to do so automatically speeds up adoption, DefenseScoop reported Thursday.

Resnick said the DOD is working with the contractors to determine if zero trust for the cloud can be done. He shared that the Pentagon and the contractors will test the capability in the field and said data could be available by the end of fiscal year 2023.

The director pointed out that zero trust security is beneficial because officials could patch and update systems from a centralized location with added protection.

One challenge that Resnick foresees is with identity, credentialing and access management. According to the director, the DOD has programs and projects for ICAM that the Defense Information Systems Agency and the National Security Agency fully fund.

Resnick’s team is also identifying what the National Institute of Standards and Technology 800-53 controls for risk management should be implemented for zero trust.

The DISA launched its Thunderdome zero trust security and network and architecture program in mid-February. Thunderdome is meant to be a replacement for the Joint Regional Security Stacks, which helps the Pentagon improve cyber defenses by reducing the number of vulnerable network entry points.