“Our adversaries are already in our networks, stealing our data, and attacking our users, the Department, and our country,” said David McKeown, now acting Principal Deputy Chief Information Officer (CIO) and Deputy Department of Defense (DoD) CIO for Cybersecurity and DoD Senior Information Security Officer, highlighting the need for the workforce to familiarize themselves with Zero Trust. “The DoD needs an enhanced cybersecurity framework – built upon Zero Trust principles – to mitigate this risk and prevent it from happening in the future. That future is now, and we must accelerate the adoption of Zero Trust.”
Zero Trust is an approach to online networks that goes beyond simply validating initial access for user. It focuses on protection of data and verification at each step during an online interaction. DoD established five tenets codified in the July 2022 Zero Trust Reference Architecture to promote a security mindset that encourages continual authentication. The tenets include: assume a hostile environment, presume the network or architecture is breached, “never trust, always verify,” explicitly scrutinize interactions, and apply unified analytics to increase security.
DoD continues to build on the Zero Trust efforts. In November 2022, DoD released both the Zero Trust Strategy and the Zero Trust Execution Roadmap. The strategy lays out key principles that will “guide the creation and revision of strategy, policy, design and executive documents.” The principles include: mission-focused, organizational, governance, and technical. The Execution Roadmap lays out multiple courses of actions, defines capabilities, and lays out a timeline.
Zero Trust does more than secure the network perimeter and keep adversaries from penetrating the network. Zero Trust protects the data within those networks and information systems. By assuming users within an information system are hostile and forcing them to be proven otherwise before interacting with data within the system, Zero Trust provides an additional protective barrier.
Zero Trust removes implicit user trust and instead requires the network and systems to conduct multiple, continuous verifications during an interaction. While providing greatly enhanced security, a user should notice minimal impacts to day-to-day tasks and activities. This shift to a Zero Trust, security-focused mindset will change how both security specialists and users understand information systems. Understanding and adapting to these changes is similar to learning how to navigate similar hardware or software updates.
To help bring these new strategic concepts and standards to the DoD, the Zero Trust Portfolio Management Office (PfMO) within the DoD CIO/Cybersecurity and DAU rapidly developed an online course that will improve and expand understanding of Zero Trust within the Defense community. The course is now available to the entire DoD workforce via Joint Knowledge Online (JKO), not just those in the acquisition field. To find the course, sign on to JKO and search for the US003-DOD Zero Trust Awareness Course.
“We believe that all 4.8 million members of the DoD should be reached by these courses,” Colonel Gary Kipe, PfMO, said, highlighting that the follow-on courses would be more narrowly tailored than the initial offering.
The Need for Zero Trust
The Zero Trust Awareness course is the first of a planned suite of courses, workshops, and webinars designed to accelerate Zero Trust adoption across DoD. In May 2021, Executive Order (EO) 14028, Improving the Nation’s Cybersecurity, called for the entire Federal Government to adopt security best practices and advance toward Zero Trust Architecture. The DoD CIO ZT PfMO has drafted a variety of documents, including the Zero Trust Reference Architecture and the DoD Zero Trust Strategy, to prepare DoD stakeholders, including the Defense Industrial Base, for the cultural changes needed for Zero Trust. “Zero Trust training is recognized as a major enabler of this effort,” Kipe said. The ZT Awareness course will serve as the first DoD-wide training in support of this strategy.
Course Details and Future Plans
The ZT PfMO began in January 2022. Tim Denman, DAU Cyber Learning Director, began a rotational assignment in March with the goal of developing three levels of Zero Trust training. The awareness course is now available on JKO and an executive level online course that is expected to follow in February will make up the level 1 training. Level 2 training will include two additional online courses that will be available in the third quarter of FY 2023.
The level 3 course includes a two-day practitioner workshop that has been developed by Dr. Paul Shaw, DAU Cybersecurity Professor. and monthly offerings will begin in March 2023. Two workshop pilots are scheduled in December and January to help gather Zero Trust information from all services, Defense agencies, and industry. Feedback so far from the awareness course and the practitioner workshop has been overwhelmingly positive.
DAU is also working with the PfMO and other stakeholders throughout the DoD to curate and present a webinar series starting in January 2023. These webinars will discuss key Zero Trust concepts for individuals with Zero Trust responsibilities.
For more information on Zero Trust, see Tim Denman’s article in the November-December 2022 issue of the Defense Acquisition Magazine, which includes resources and background on Zero Trust.
In addition to the JKO course (click here to register, CAC required), check out these cybersecurity resources. You can also join Tim Denman on Dec. 15 to discuss the DoD Zero Trust Strategy at a DAU webinar; click here to register.
