In a world where digital infrastructure has no clear boundary, robust security is harder than ever to ensure. Recognizing this, Executive Order 14028 (Improving the Nation's Cybersecurity, May 2021) directs federal agencies to adopt the Zero Trust model, a fundamental change in how access to resources is granted. The Department of Defense (DoD) is at the forefront of this transformation, implementing Zero Trust to secure its operations without compromising functionality.

The Shift to Zero Trust

Zero Trust is a cybersecurity model that operates under the assumption that threats are already inside the network. Unlike traditional models that rely on a well-defined perimeter, Zero Trust requires continuous verification of every entity attempting to access a resource. It prioritizes least-privilege access, granting only the permissions a task requires, so that a compromised account or device can do limited damage.

For the DoD, this shift is a major cultural and operational change. Legacy authentication and authorization mechanisms are being overhauled so that, rather than a single check at login, access decisions weigh multiple attributes (user identity, device health, location, behavior) and are re-checked at multiple enforcement points, producing a confidence level rather than a one-time pass. The transition involves designing a consolidated, more secure architecture that does not impede military operations.

The Necessity for Zero Trust

EO 14028 observes that modern infrastructure lacks a clearly defined perimeter, which gives attackers free rein once they are inside. Historically, federal agencies have relied on perimeter defense, granting authenticated subjects broad access to the internal network. That approach does not stop lateral movement by an entity that has already authenticated, whether a compromised account or a malicious insider, and so carries significant risk. To address this, EO 14028 mandates the adoption of Zero Trust, under which the security posture of each individual access request is assessed before access is granted.


Zero Trust in National Security

National Security Memorandum (NSM)-8 extends the requirements of EO 14028 to national security systems (NSS), the Department of Defense (DoD), and the Intelligence Community (IC), underscoring how important Zero Trust principles are in these sensitive environments, where the consequences of a breach are exceptionally high. In line with NSM-8, agencies handling classified information must now apply Zero Trust concepts: granular access controls, continuous monitoring, and data protection measures tailored to the unique needs of national security systems.


Implementing Zero Trust in the DoD

The DoD's adoption of Zero Trust builds on existing policies to create a secure, integrated architecture. The classic perimeter defense model has shown its limitations against sophisticated adversaries, and Zero Trust adds the safeguards that model lacks. It moves from a network environment where connectivity implies trust to one of least-privileged access, with authentication and authorization enforced at multiple checkpoints, and it requires validating that the systems, devices, and applications involved are in fact operating with a known level of trust and integrity (for example, that a device's software and configuration have not been altered).


Zero Trust Overlays: Purpose and Scope

Zero Trust Overlays guide the implementation, assessment, monitoring, and maintenance of security controls within the DoD. They are part of the Risk Management Framework (RMF) and are tailored to the security needs of specific information and systems. By refining security controls to align with the DoD's mission and business objectives, the overlays provide standardized security and privacy capabilities, consistent control implementation, and cost-effective solutions.


Guiding Principles and Tenets of Zero Trust

NIST SP 800-207 defines seven basic tenets of Zero Trust, which organizations can use as a foundation for developing their own principles:

  1. All data sources and computing services are considered resources.
  2. All communication is secured regardless of network location.
  3. Access to individual enterprise resources is granted on a per-session basis.
  4. Access to resources is determined by dynamic policy, including the observable state of client identity, the application or service, and the requesting asset, and may include other behavioral and environmental attributes.
  5. The enterprise monitors and measures the integrity and security posture of all owned and associated assets.
  6. All resource authentication and authorization are dynamic and strictly enforced before access is allowed.
  7. The enterprise collects as much information as possible about the current state of assets, network infrastructure, and communications and uses it to improve its security posture.

The DoD has adapted these seven tenets into five major principles:

  • Assume a Hostile Environment: Treat all entities as untrusted.
  • Presume Breach: Operate with the assumption that adversaries are already present. 
  • Never Trust, Always Verify: Deny access by default and authenticate all entities. 
  • Scrutinize Explicitly: Use multiple attributes to ensure secure access.
  • Apply Unified Analytics: Continuously monitor and analyze data, applications, and services.
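As an added illustration (this is not code from the DoD overlays, NIST SP 800-207, or Cimcor), the Python sketch below shows how several of these tenets and principles look once they are encoded in a policy decision point: deny by default, a decision that weighs multiple attributes including device integrity and the freshness of its last posture measurement, a time-bounded per-session grant, and re-verification on every request so that a posture change mid-session pulls access immediately rather than at expiry. All class names, the clearance ranking, the five-minute posture-age limit, the TTLs, and the sample subjects, devices, and resources are constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Subject:
    user: str
    mfa_verified: bool
    clearance: str            # "unclassified" | "confidential" | "secret" | "top_secret"


@dataclass(frozen=True)
class DevicePosture:
    device_id: str
    managed: bool             # enrolled in enterprise device management
    integrity_ok: bool        # e.g. file/config baseline matches, attestation passed
    attested_at: float        # epoch seconds of the last posture measurement


@dataclass(frozen=True)
class Resource:
    name: str
    classification: str


@dataclass
class Decision:
    allowed: bool
    reasons: List[str]
    session_ttl: int = 0      # seconds the grant is valid before re-authorization


# Hypothetical policy data: clearance ordering and how fresh posture evidence must be.
CLEARANCE_RANK = {"unclassified": 0, "confidential": 1, "secret": 2, "top_secret": 3}
MAX_POSTURE_AGE = 300         # posture older than 5 minutes is not trusted (assumed value)


def evaluate(subject: Subject, device: DevicePosture, resource: Resource, now: float) -> Decision:
    """Dynamic policy: start from deny and allow only when every attribute checks out."""
    reasons = []
    if not subject.mfa_verified:
        reasons.append("mfa required")
    # Unknown clearance ranks as -1 and unknown classification as 99, so both fail closed.
    if CLEARANCE_RANK.get(subject.clearance, -1) < CLEARANCE_RANK.get(resource.classification, 99):
        reasons.append("insufficient clearance")
    if not device.managed:
        reasons.append("unmanaged device")
    if not device.integrity_ok:
        reasons.append("device integrity check failed")
    if now - device.attested_at > MAX_POSTURE_AGE:
        reasons.append("stale posture attestation")
    if reasons:
        return Decision(False, reasons)
    # Per-session grant: the more sensitive the resource, the sooner it must be re-authorized.
    ttl = 900 if resource.classification == "unclassified" else 300
    return Decision(True, ["all checks passed"], ttl)


@dataclass
class Session:
    subject: Subject
    resource: Resource
    expires_at: float
    revoked: bool = False


def open_session(subject: Subject, device: DevicePosture, resource: Resource, now: float) -> Optional[Session]:
    """Grant a session only on an allow decision; None means access was denied."""
    decision = evaluate(subject, device, resource, now)
    if not decision.allowed:
        return None
    return Session(subject, resource, now + decision.session_ttl)


def check_session(session: Session, device: DevicePosture, now: float) -> Decision:
    """Enforcement-point check on every request: expiry AND current posture, not trust-once."""
    if session.revoked:
        return Decision(False, ["session revoked"])
    if now >= session.expires_at:
        session.revoked = True
        return Decision(False, ["session expired; re-authorize"])
    decision = evaluate(session.subject, device, session.resource, now)
    if not decision.allowed:
        session.revoked = True    # posture degraded mid-session: pull access immediately
    return decision


if __name__ == "__main__":
    alice = Subject("alice", mfa_verified=True, clearance="secret")
    workstation = DevicePosture("wks-01", managed=True, integrity_ok=True, attested_at=1000.0)
    ops_plan = Resource("ops-plan", "secret")
    session = open_session(alice, workstation, ops_plan, now=1100.0)
    print("opened:", session is not None)
    tampered = DevicePosture("wks-01", managed=True, integrity_ok=False, attested_at=1200.0)
    print("after integrity failure:", check_session(session, tampered, now=1250.0).reasons)
```

The point of the two-stage structure is that `open_session` and `check_session` share one `evaluate` function: the same attributes that gated the initial grant are re-checked on every request, so an integrity failure reported by the device between requests revokes the session even though its TTL has not run out. Swapping the constructed posture fields for real signals (MDM enrollment, attestation results, file-integrity alerts) is the integration work the overlays' controls describe.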

 

Structure of Zero Trust Overlays

Based on the DoD Zero Trust Reference Architecture Version 2.0 and the Zero Trust Capability Execution Roadmap, the overlays detail the pillars, capabilities, enablers, and supporting activities of Zero Trust. They draw on guidance from Committee on National Security Systems (CNSS) Instruction No. 1253 and NIST SP 800-53, Revision 5. Each overlay corresponds to a specific Zero Trust pillar or execution enabler, with many of the controls implemented at the organizational level and inherited by individual systems.

The Department of Defense Zero Trust Overlays v1 identify 152 discrete controls, each mapping directly to a control family and individual control in NIST SP 800-53.


Conclusion

The shift to Zero Trust represents a fundamental change in cybersecurity, moving away from perimeter-based defenses to a model that assumes persistent threats and requires continuous verification and minimal access. For the DoD and other federal agencies, this approach not only enhances security but also aligns with broader strategies and policies aimed at safeguarding critical infrastructure in an evolving threat landscape. By adopting Zero Trust Overlays, organizations can achieve a higher standard of security and resilience against cyber threats. 

Post by Mark Allers
July 2, 2024
Mark is the VP of Business Development at Cimcor and is responsible for driving the strategic focus and alignment with industry initiatives and partnerships. Mark has held executive management positions at six enterprise software companies and one venture capital firm over the past two decades.

About Cimcor

Cimcor’s File Integrity Monitoring solution, CimTrak, helps enterprise IT and security teams secure critical assets and simplify compliance by identifying, prohibiting, and remediating unknown or unauthorized changes in real time.