DOD working on continuous assessment process for deployed zero-trust solutions

BALTIMORE — As it begins transitioning to a zero-trust cybersecurity framework, the Defense Department is looking to implement a new process that will continuously assess and validate zero-trust solutions after they are fielded.

The Pentagon’s zero trust portfolio management is moving quickly to assess and validate zero-trust solutions created by industry vendors to reach what it considers “target levels” of zero trust before the end of fiscal 2027. The cybersecurity framework assumes networks at any given time are compromised by adversaries, and therefore the department needs tools to constantly monitor and authenticate users and their devices as they move through a network.

But there is currently no method to continuously assess those solutions after they are fielded to DOD components to assure the architecture works the same as it did when it was first authenticated, according to Randy Resnick, director of the Pentagon’s zero trust portfolio management office.

“What we need is a tool … that is constantly going after [zero trust] infrastructures, that is constantly testing against that configuration that was passed,” Resnick said Tuesday during a presentation at AFCEA’s TechNet Cyber conference. 

Resnick’s office is now formulating a five-step process that will assess and validate a zero-trust solution before it is able to be procured by DOD components, and then use that assessment to independently and continuously test the infrastructure to ensure it is still properly protecting the network, he said.

Much of the Pentagon’s independent assessment process is conducted via purple teaming, a method that tests and analyzes both how adversaries and cyber defenders move and interact in the environment. However, Resnick said there is a “tremendous effort” to reduce the amount of purple teaming done for zero trust implementation.

“We don’t have enough time; we don’t have enough people. It is a drain — they have other missions that they need to do,” he said. “But if we can figure out a way to truly, independently test in a portable way and work in an industry environment, a neutral environment, something that costs extremely little, … that is relatively quick [and] where we could accelerate the number designs to throw into purple teaming — that’s what we’re looking for.”

Prior to going through the process, vendors will be required to tell the department how many zero-trust activities their proposed solution will achieve. The Pentagon’s 2022 zero trust strategy outlined 91 activities that cover minimum data security requirements for target levels of zero trust and an additional 61 activities defined as the full set of capabilities for “advanced levels.”

Vendors would then move through the first three steps of the process, each of which involves multiple assessments and tests of the proposed zero trust solution to validate whether it meets target levels and create a baseline infrastructure that will be used to compare the design against once it’s deployed. 

First, vendors will use a zero trust readiness assessment tool to evaluate their solution to determine if there are any gaps or additional activities it needs to reach, Resnick explained. Then, the solution will go through an automated threat-based cyber assessment in a simulated lab specifically configured to test the environment based on its design and intended threat environment, he said.

In the third step, advanced persistent threat teams would conduct independent “purple team assessments” of the zero-trust solution that test and analyze both how adversaries and cyber defenders move and interact in the environment. Using data from the previous two steps, teams would create a tailored and detailed test plan to complete a robust examination of the zero trust solution and produce a “purple team report,” Resnick said.

If the report determines a vendor’s solution meets zero-trust target levels, “we’ll make a recommendation to the DOD [Chief Information Officer] to give it a thumbs up for the DOD to approve that configuration for employment and procurement,” he said. “That would be the gate to allow the components to assuredly procure target- or advanced-level ZT solution prior to 2027.”

The goal is to create a “menu of solutions” that DOD components can eventually choose from across all three courses of actions outlined in the zero trust strategy’s capability execution roadmap, Resnick noted.

The approved solution would then move into step four, which is the zero trust overlays for the risk management framework, he said. The guidance document describes how to apply security controls across the Defense Department through a phased implementation approach, helping standardize overall zero trust adoption and develop capability gap analysis for officials.

Finally, the Defense Department will use a continuous monitoring assessment tool configured to monitor for configuration drift and other potential issues. Configured with all 152 zero trust activities, the tool will run over 300 attacks a day on the infrastructure and compare it to the baseline created earlier in the approval process, according to a chart shown in the presentation. If a solution strays too far from its known design, officials at Joint Force Headquarters – Department of Defense Information Network will be notified of the breach, Resnick said.

“Conceptually, we believe that this spectrum creates repeatable processes that are independent enough to allow creativity [and] innovation, but it has certain government checkpoints where everybody has to meet, where the output leads into another thing,” he noted. “This way, we think we’re going to get the best designs implemented in the Department of Defense.