The Defense Information Systems Agency (DISA) released version 1.0 of the reference architecture in February but just recently made it public. Former DISA Director Vice Adm. Nancy Norton teased the launch of the document late last year, attributing the move to mass telework during the pandemic as an accelerant for the DOD’s move to zero trust.
It also comes as the Biden administration last week issued an executive order that, among other things, has mandated civilian agencies to create plans for the adoption of zero-trust architectures. The mandate falls under a larger push to modernize federal cybersecurity in the wake of the recent cyberattacks that have compromised federal agencies through the exploitation of software made by contractor SolarWinds and flaws in Microsoft’s Exchange software.
DISA’s 163-page reference architecture sets out the strategic purpose, principles, associated standards and other technical details for the DOD’s large-scale adoption of zero trust, which shifts from network-based defenses to a data-centric model and doesn’t grant implicit trust to users to prevent potential malicious actors from moving around a network. The department’s adoption of zero trust is based on three foundational guidelines: “Never trust, always verify; assume breach; and verify explicitly.”
“The intent and focus of zero-trust frameworks is to design architectures and systems to assume breach, thus limiting the blast radius and exposure of malicious activity,” Brandon Iske, DISA Security Enablers Portfolio chief engineer, said in a statement.
DISA worked with the DOD Office of the CIO, U.S. Cyber Command and the National Security Agency to develop this initial reference architecture.
“From start to finish, the development of this initial DOD ZT Reference Architecture has been a true team effort,” said Joe Brinker, the DISA Security Enablers Portfolio manager. “The partnership we’ve fostered through this process with our NSA, Cyber Command and DOD CIO mission partners was integral toward the development of a comprehensive reference architecture that was unanimously approved by DOD senior leadership.”
Brinker said that “DISA will continue to partner with DOD components in planning the implementation of [zero trust] across the department and the development of [zero trust]-aligned enterprise capabilities.”
Last month, acting DOD CIO John Sherman revealed that the department is also developing a zero-trust strategy to be released later this year. During remarks at the Billington CyberSecurity Defense Summit, Sherman explained that while zero trust is a cybersecurity and technology model, it more so represents a mindset shift for the DOD.
“This is not about technology, it’s about strategy,” he said.