The U.S. Department of Defense’s zero-trust program office says it’s working on establishing independent, in-house certification of the tools that come through its doors to ensure they’re actually as cyber-secure as they claim.
Randy Resnick, director of the Zero Trust Portfolio Management Office at the Pentagon, said there’s a need to independently validate whether vendor products and services are, in fact, up to snuff. And creating a standardized, multistep process for ensuring zero-trust compliance will give the DoD confidence in what it buys.
The evaluation begins with an assessment that will give an overall reading of cybersecurity design and pinpoint areas where developers can address gaps early in the process.
“You can’t really game it because it’s 250 questions, and odds are you’d have to lie on a lot of them to skew the results,” Resnick said at the TechNet Cyber conference presented by the Armed Forces Communications & Electronics Association International in Baltimore on June 25. “And if you’re in design with something and you honestly go through the process … it’s going to tell you your gap between wherever you are and the 91 [minimum] activities. That’s a useful thing to know because then you could design or engineer or fix whatever you have to do to get to target.”
The Pentagon’s Chief Information Office is pushing 2027 as the year for the department to be fully aligned with zero trust. It has already offered a roadmap for doing this, the 2022 ZT Strategy, which Resnick said is unlikely to be updated. Instead, the department is focused on finding ways to reliably test its designs for security against vulnerabilities. The department has received ZT plans from the services and other DoD agencies, but it now seeks a more automated, replicable process for evaluating them, to free up staff hours and keep to an aggressive pace.
After the initial assessment, Resnick said, a tool will go through a simulation that actually tests for weaknesses, providing feedback as many times as needed to fix holes. Then, the tool will need to go through a “purple team” report that summarizes the outcome of combined offensive and defensive testing against the system.
“We are testing for specific ZT outcomes as each part of the step of the test,” said Resnick. “This is not just a random experiment for red teaming. This is actually very detailed, very specific on what we want the purple team to go after to prove it’s a zero-trust configuration.”
The process is well outlined, but there are challenges in putting it into practice. Resnick said his biggest constraint is the lack of purple-team experts.
“We don’t have enough talent,” he said. “We don’t have enough people. It is a drain. They have other missions that they need to do.”
To accelerate designs through purple teaming, Resnick said he wants to find a way to enlist the help of industry and to test in a neutral environment at minimal cost. He mentioned there has been thought around bringing in multicomponent Reserve or Guard personnel to perform some purple-team duties, but they have to be National Security Agency-approved, and such people are hard to find, he added.
The end goal is to use technology and automation to create repeatable, efficient processes that ultimately result in a department official signing off on a ZT solution that has the backing of a well-informed examination.
“That would be the gate to allow the components to assuredly procure target or advanced level ZT solutions prior to 2027,” he said. “We want to allow the department to choose from a menu of solutions … to reduce the risk that what they’re buying doesn’t work.”