The U.S. Department of Defense's zero-trust program office says it's working on establishing independent, in-house certification of the tools that come through its doors to ensure they're actually as cyber-secure as they claim.
Randy Resnick, director of the Zero Trust Portfolio Management Office at the Pentagon, said there's a need to independently validate whether vendor products and services are, in fact, up to snuff. And creating a standardized, multistep process for ensuring zero-trust compliance will give the DoD confidence in what it buys.
The evaluation begins with an assessment that will give an overall reading of cybersecurity design and pinpoint areas where developers can address gaps early in the process.
"You can't really game it because it's 250 questions, and odds are you'd have to lie on a lot of them to skew the results," Resnick said at the TechNet Cyber conference presented by the Armed Forces Communications & Electronics Association International in Baltimore on June 25. "And if you're in design with something and you honestly go through the process … it's going to tell you your gap between wherever you are and the 91 [minimum] activities. That's a useful thing to know because then you could design or engineer or fix whatever you have to do to get to target."
The Pentagon's Chief Information Office is pushing 2027 as the year for the department to be fully aligned with zero trust. It has already offered a roadmap for doing this, the ZT Strategy from 2022, which Resnick said is unlikely to be updated. Instead, the department is focused on finding ways to reliably test its designs for security against vulnerabilities. The department has received ZT plans from the services and other DoD agencies, but it now seeks a more automated, replicable process for evaluating them, to free up man-hours and keep to its aggressive pacing.
After the initial assessment, Resnick said, a tool will go through a simulation that actually tests for weaknesses, providing feedback as many times as needed to fix holes. Then the tool will need to go through a "purple team" report that summarizes the outcome of defensive and offensive attacks on the system.
"We are testing for specific ZT outcomes as each part of the step of the test," said Resnick. "This is not just a random experiment for red teaming. This is actually very detailed, very specific on what we want the purple team to go after to prove it's a zero-trust configuration."
The process is well outlined, but there are some challenges in actualizing it. Resnick said his biggest constraint is the lack of purple-team experts.
"We don't have enough talent," he said. "We don't have enough people. It is a drain. They have other missions that they need to do."
To accelerate designs through purple teaming, Resnick said he wants to find a way to enlist the help of industry and to test in a neutral environment with minimal costs. He mentioned there has been thought around bringing in multi-component Reserve or Guard personnel to perform some purple-team duties, but they have to be National Security Agency approved, and that's hard to find, he added.
The end goal is to use technology and automation to create repeatable, efficient processes that ultimately result in a department official signing off on a ZT solution that has the backing of a well-informed examination.
"That would be the gate to allow the components to assuredly procure target or advanced level ZT solutions prior to 2027," he said. "We want to allow the department to choose from a menu of solutions … to reduce the risk that what they're buying doesn't work."
Molly Weisner is a staff reporter for Federal Times where she covers labor, policy and contracting pertaining to the government workforce. She made previous stops at USA Today and McClatchy as a digital producer, and worked at The New York Times as a copy editor. Molly majored in journalism at the University of North Carolina at Chapel Hill.