The Department of Defense is drafting cloud deployment security guidance rooted in zero trust for agencies that will eventually move to the Joint Enterprise Defense Infrastructure cloud.
Though DOD’s $10 billion JEDI contract is currently under review by Secretary Mark Esper and the Pentagon’s inspector general, Paul Jacob, a cybersecurity architect in the DOD CIO’s office, said the department is pushing forward with the cloud security guidance so it will be ready to go when an award is issued.
“When we were asked to put together the cloud security guidance, the thought was zero trust is a good basis to determine the requirements,” Jacob told FedScoop after the event. “And then to use that in socializing with leadership to say, ‘We’ve applied zero trust to cloud.’”
Zero trust refers to the narrowing of cyberdefenses from wide network perimeters to micro-perimeters around individual resources or small groups of them. In moving to the cloud, DOD is assuming it’s a hostile environment — no safer than living on legacy networks, Jacob said during the briefing.
If and when a JEDI award is made, DOD will include an addendum to its guidance with vendor specifics. For instance, the draft requirements talk generally about using cloud-native telemetry in defensive cyber-operations, but once the cloud vendor is known, specific telemetry sources will be recommended, Jacob said.
“We’re hoping this helps develop the narrative for zero trust, but it also will force folks to look very hard at their systems in terms of operating safely in the cloud,” he said.
Much of zero trust is the responsibility of mission system owners, Jacob said. The guidance will help agencies like the Defense Information Systems Agency determine which systems, like its Defense Enterprise Computing Centers, it wants to forklift to the cloud.
Often agencies overlook cryptography in making such determinations — another area the guidance addresses, Jacob said.
“Do you really want to move into a cloud a 10-year-old version of an Oracle database server that you haven’t updated because you didn’t buy the sustainment contract — that doesn’t encrypt its data at rest?” he asked.
Systems must comply with DOD algorithm and key-size policies, as well as identity, credential and access management requirements, he added.
What remains unclear is whether the guidance will be for official use only or released publicly.
“The executive committee that commissioned it would have to make that determination,” Jacob told FedScoop.