The U.S. Department of the Navy’s Approach to Zero Trust: Key Takeaways From the 2022 DON IT Conference

"Zero Trust is a cybersecurity strategy and framework that embeds IT security mechanisms throughout an architecture that generate metadata used to secure, manage, and monitor every device user, application, and network transaction at the perimeter and within every network enclave."

From the Department of Defense (DoD) Zero Trust Reference Architecture v1.0

The U.S. Navy and Marine Corps are grappling with the multi-headed hydra that is cybersecurity. At the Department of the Navy (DON) IT Conference 2022, the emphasis on cybersecurity was pervasive, with extensive talk about plans to improve cybersecurity through compliance with the cyber executive order, adoption of zero trust and its strategy around cloud adoption.

Zero trust came up often across the various panels and keynotes. The DON wants systems to implement multi-factor authentication (MFA) to the greatest extent possible, including requiring admins to use MFA to log in. The appeal of zero trust to both the U.S. Navy and Marine Corps is that it allows them to go faster. Identity lends visibility into documents and devices. The DON wants data derived from analytics stored in their arsenal that's providing vital security information. They also want to know whether intent can be deduced from behaviors being calculated and monitored from end-user devices. One of the primary benefits of embracing the enabling technologies underlying zero trust is the ability to speed up in the direction they are already headed.

The DOD's strategy in adopting zero trust architecture also serves as the DON’s zero trust framework. The DOD zero trust model consists of seven pillars: User, Devices, Network/Environment, Automation & Orchestration, Visibility and Analytics, Data, and Application/Workflow.

The DOD Zero Trust Pillars
 


The basic tenet the pillars follow is one adopted by the wider DOD enterprise: assume a hostile environment, vigorously pursue breaches, and never trust, always verify. That is made more complicated given the global nature of naval operations, the differences between afloat and ashore environments, and the ongoing integration of the U.S. Navy and Marine Corps.

One of the key takeaways from the conference is how the path toward zero trust maturity requires these five elements: Adoption, Enablement, Orchestration, Transparency, and Maturation. Here are some areas where industry can help the Navy and Marine Corps accomplish these goals.

  • Adoption – How can the IT industry help the DON understand the considerations and capabilities needed for zero trust adoption to be successful?
  • Enablement – What support can technology vendors give their naval customers to assist them in moving from a network-centric to a data-centric architecture? What can make zero trust adoption less cumbersome?
  • Orchestration – How is zero trust implementation going to happen? Are there existing U.S. public sector case studies to model? What should a pilot look like in terms of demonstrating certain capabilities?
  • Transparency – What are the quantifiable goals and objective metrics to follow? How can industry help the DON determine where it is with respect to trends and capabilities?
  • Maturation – What needs to be cut or deduplicated? What does implementation of zero trust mean for the evolution of other tools and technologies in the DON’s IT environment?

DON program managers and IT leaders at the conference repeated the often-heard notion of baking security in from the start, that is, incorporating security into the lifecycle of a project or new capability, from its requirements development through the testing phases and on to acquisition and sustainment, a key part of the DevSecOps approach to application development. Naval leaders also emphasized how important it is to understand fluctuating risk levels through those aforementioned stages. As changes to the cyber threat environment occur, and as the blueprint to a system or capability evolves, the impact on risk needs to be clearly understood and articulated. These factors are areas where technology vendors can play a part.

Automation within the context of zero trust and cybersecurity stood out as well. DON IT leaders cited automation as their biggest capability gap within the context of security since that’s what ties together the technology and capability that already exists and what they are acquiring. They mentioned that once they’ve procured the correct automation tools, they can begin implementing zero trust. They’ll leverage automation, whether it's endpoint or heuristic-based, to shut off access automatically because something's wrong.

Another key takeaway was the goal of full automation of all zero trust capabilities across the DON. Given the rolling 5-year budget planning process that happens every year, it’s never too late to begin conversations with your U.S. Navy and Marine Corps customer around how you can help them not only strengthen their cybersecurity arsenal, but better integrate cybersecurity across their enterprise.

 

About the Authors: Toan Le is a senior analyst on the DLT Market Insights team covering the Department of Defense and intelligence community.

Lloyd McCoy Jr., is the director of Market Intelligence at DLT.