Pentagon Zero Trust Guidance for IoT Security & OT Framework Release in September


Pentagon zero trust guidance for IoT and OT coming in September

DOD’s Push for Zero-Trust Security Framework

As the Department of Defense (DOD) accelerates its efforts to enhance cyber defenses through zero-trust security architectures by the year 2027, it plans to provide crucial guidance for industry partners on how to implement this framework for Internet of Things (IoT) and operational technology (OT) systems by the close of the fiscal year. Randy Resnick, a senior advisor at the DOD’s Zero Trust Portfolio Management Office, announced this initiative at the GDIT Emerge: Edge Forward event hosted by FedScoop. He indicated that these guidance documents will expand upon the existing 91 baseline “target-level” zero-trust activities previously established for industry compliance.

Detailed Security Controls for Compliance

Resnick outlined that the DOD employs what it calls “fan charts” to define the specific security measures that vendors must incorporate into their zero-trust solutions in order to achieve compliance for military services and defense agencies. There are a total of 152 security controls, with 91 categorized as target-level and 61 deemed advanced, which the DOD claims offer the most robust protection, according to its 2024 guidance. He noted that the fan chart for operational technology differs from the one related to the 91 activities required for target-level compliance, although there is significant overlap between the two sets of requirements.

Expanding Target-Level Activities for IoT and OT

Securing IoT systems with a zero-trust approach involves the same 91 target-level activities, along with two additional controls. Resnick elaborated on the need for these extra layers for OT and IoT systems, highlighting that incident response methods vary significantly, especially in the realm of operational technology. He emphasized that for OT, the goal is to ensure systems can “fail open” or in a manner that minimizes disruption or damage.

Upcoming Guidance and Future Directions

Once the guidance documents are released in September, only one more directive will remain for the DOD to issue, focusing on zero-trust overlays for weapons systems, according to Resnick. With the 2027 deadline fast approaching, he expressed confidence in their progress, especially since his office was unaffected by recent DOD budget cuts. He noted that the department continues to conduct successful pilot projects with industry partners that meet either target or advanced levels of zero trust.

Implementation Challenges Ahead

As more zero-trust solutions come to fruition, Resnick anticipates that DOD organizations will soon be in a position to “simply purchase, implement, and install” these systems ahead of the 2027 timeline. However, he acknowledged that the real challenge lies in the implementation phase. “We’re talking about professional services and a significant workforce that will likely be needed,” he stated. He also mentioned the necessity of complete system overhauls and new infrastructure, underscoring that this is a complex challenge that he hopes industry partners are adequately preparing for.