LOCK IT DOWN: A key pillar of the zero trust initiative is protecting data. (Getty Images)
The Army is moving forward aggressively to implement changes that upend the assumption that everything behind a firewall is safe.
by Ron Lee
The Army calls its unified network plan multidomain operations. It is the ability to operate, compete and, if necessary, fight and win in all domains, which include air, land, sea, space, and the everchanging and dynamic arena of cyberspace. The Army must be ready to address the evolving operational threat environment to transform its capabilities to fight and win in the multidomain operational battlespace. A key component to this lies within transforming the Army’s digital environment as laid out in the Army Digital Transformation Strategy.
Secretary of the Army Christine Wormuth signed The Army Digital Transformation Strategy in October 2021. The strategy establishes the vision and strategic guidance to transform digital technologies and build the workforce required to achieve the overall Army mission. There are three primary objectives:
- A digitally enabled, data-driven Army propelled by digital transformation.
- Organized and mission-aligned digital investments providing greater value to the Army.
- A tech savvy, operationally effective workforce partnered with a robust network of allies, industry and academia.
PROTECTING THE RESOURCES: Zero trust is the term for cybersecurity paradigms that are focused more on data and resources.
ZERO TRUST ENVIRONMENT
These objectives are leading the Army toward a zero trust environment. Zero trust (ZT) is the term for an evolving set of cybersecurity paradigms focused more on data and resources. Zero trust does not assume anything. Zero trust leverages “attributes” to determine access to resources, i.e., user, location, device, etc. Christopher Joseph, division chief of the Policy and Risk Governance Division in the Office of the Chief Information Officer, said that a key pillar of the zero trust initiative is to prioritize protecting data, not just networks and servers like in the past.
“The overall purpose is to improve our cybersecurity posture to ensure Army data and systems are available to the warfighter,” Joseph said. “We must do better. The enemy adapts extremely fast in this dynamic technology environment. We have to take it to the next level, and ZT allows us to do that.”
Zero trust is not a single, plug-and-play security solution or something that can be simply purchased off the shelf, according to Joseph. “This new architecture must be carefully phased in and integrated with existing capabilities to avoid disruptions while achieving the goal of improved security.”
The Army is moving forward aggressively to implement zero trust concepts. This effort began with the Army establishing an authoritative source directing the use of these new principles and drafting guidance to organize a working group to provide direction and information exchange across Army zero trust efforts.
The DOD Zero Trust Reference Architecture version 2.0 defines seven “pillars” of zero trust. A pillar is a grouping of capabilities that organize the range of activities necessary to achieve zero trust. The seven pillars are user, device, network/environment, application and workload, data, visibility and analytics, and automation and orchestration.
The Army is assessing existing capabilities for alignment with the DOD Zero Trust Reference Architecture. For example, the user pillar is focused on identifying the people operating within our network. An example of the work involved here is establishing a database of all users and having the capability to properly authenticate who they are when they log in to an IT system. The Army has done much work in this area through its Army’s Identity, Credential and Access Management capability, which includes a directory of users called the Army Master Identity Directory and its Enterprise Access Management Service ‒ Army authentication service used to verify user identities.
Likewise, the application and workload pillar focuses on ensuring enterprise applications are tested internally and externally and can be made available to staff securely over the internet. An example of an Army effort is this pillar is the work being done with its Coding Resources and Transformation Ecosystems (CReATE) cloud environment. CReATE is a development, security, and operations environment that utilizes tools and processes to enable secure software development.
The key is implementing these changes in a secure and approved manner, in accordance with cybersecurity policies. DevSecOps is part of the application and workloads pillar of the DOD zero trust framework. It is imperative that these interoperable capabilities work together to create a manageable enterprise, thus maximizing the Army’s current investments in this space.
CONCLUSION
“Zero trust is a continuous journey,” Joseph said. “Right now, we are following the guidance put out by the Department of Defense CIO Zero Trust Portfolio Management Office. Based on that guidance, we have certain capabilities targeted to be online by FY27. However, we know that it doesn’t stop there, and we will continue to modify and evolve as needed beyond FY27.”
For more information, contact usarmy.pentagon.hqda-cio.list.armyztwg@army.mil.
RON LEE is a 20-year Army veteran of military broadcast journalism and public affairs. Following his time in the military, he earned an MS in public affairs management and a BA in communications. He’s worked as a public affairs specialist for PEO Soldier at Fort Belvoir, Virginia, and the DC National Guard before becoming an instructor of advanced public affairs and strategic communications at the Defense Information School at Ft. Meade, Maryland for two years. He recently worked strategic communications for CECOM SEC and now serves in a similar role with the Office of the Chief Information Officer for the U.S. Army.
