Cyber Strategy: Pentagon Paves Road Map for Zero Trust by 2027.

Author: Roaten, Meredith

The Defense Department has finally laid out its plan for protecting its cyber networks after years of pledging to make it a commitment.

The Office of the Chief Information Officer released "The DoD Zero Trust Strategy" in November, which laid out metrics and deadlines for the department to achieve full zero trust adoption by 2027. Cybersecurity experts said the government and private sector should work together to leverage resources to successfully enter the new regime.

"Cyber physical threats to critical infrastructure really are one of our biggest national security challenges that we're facing today, and that the landscape that we're dealing with has gotten more complex," Nitin Natarajan, deputy director at the Cybersecurity and Infrastructure Security Agency, said during a MeriTalk event in October.

Cyber attackers have more resources than they have in the past, and it's less expensive to do a lot of damage to an unsecure system, he said. It's not just lone wolf hackers, but nation states and cyber terrorists who can pose a threat.

For example, the 2019 SolarWinds cyber attack, which swept past the defenses of thousands of organizations, including the federal government, has been linked to Russia-backed operatives.

The new strategy's basic tenet is that treating organizations' security like a moat around a castle doesn't keep out bad actors.

"Mission and system owners, as well as operators, increasingly embrace this view as fact. They also see the journey to [zero trust] as an opportunity to affect positively the mission by addressing technology modernizations, refining security processes and improving operational performance," the document said.

Zero trust culture requires every person within a network to assume that it is already compromised and requires all users to prove their identities at all times.

The strategy lists technologies that can help cultivate a zero trust environment such as continuous multi-factor authentication, micro-segmentation, advanced encryption, endpoint security, analytics and robust auditing.

While these various technologies can be used to implement this basic premise, it essentially means that "users are granted access to only the data they need and when needed."

The strategy revolves around four pillars: accepting the culture of zero trust, operationalizing zero trust practices, accelerating zero trust technology and department-wide integration. The strategy notes that while IT departments across the...
