The concept of zero trust has been widely discussed in recent years yet remains enigmatic. Now, as the Department of Defense moves forward with codifying zero trust and putting an implementation strategy in place, the U.S. Navy is taking a closer look at its own transition to zero trust.
Scott St. Pierre, deputy director for the Navy’s Assured Enterprise Networks and Cybersecurity Division (N2/N6D), said the scope of zero trust is broad, and the Navy is working now to narrow in on the most important elements to focus its work on.
“The guidance put out in the DOD indicates seven pillars, 45 activities and 90 attributes. What’s the right mix of those attributes and activities that will deliver zero trust? The answer is: we don’t know yet,” said St. Pierre at GovCon Wire’s Second Annual Navy: IT Transformation Forum.
“A good part of the work that we’re going to be doing here in the next couple years is to figure out what exactly does zero trust mean technically,” St. Pierre continued.
But zero trust is not something new — the Department of the Navy’s Deputy Chief Technology Officer, Louis Koplin, said the service branch is starting where it stands and focusing on the most important components of zero trust first.
“The two most important aspects of zero trust are really identity and data,” Koplin said. “So that’s where we’re focusing our attention.”
Koplin explained that the service recently stood up Naval Identity Services, or NIS, as its enterprise Identity, Credential and Access Management solution. The Navy is starting to deploy the NIS ICAM solution at scale within its Enterprise Resource Planning and Flank Speed programs.
“Flank Speed has significant zero trust capabilities already built in and is really leading the way across DOD to demonstrate how mature these capabilities already are, and that we don’t have to be ‘big bang.’ We can be incremental and try a little, do a little, learn a little so that we have scalable and sustainable technology modernization,” he said.
Collaboration with industry, other military branches, federal agencies and the larger DOD enterprise is essential in the Navy’s implementation of zero trust, agreed panelists Koplin and Bradley Punch, deputy technical director of the Navy’s Program Executive Office Digital and Enterprise Services.
Punch mentioned that the Navy had an initial session in 2019 with the lead industry partners in zero trust, which provided an important forum for Navy officials to get a better idea of their journeys, mistakes and lessons learned. Additionally, the Navy is working closely with the DOD’s Zero Trust Portfolio Management Office.
“We’re actually sharing a lot of things between Navy and DOD to help inform the definition of success” for zero trust tools, Punch commented.
“It’s really great to see when you attack a hard problem and you attack it as a naval enterprise, and now really working with the DOD to bring together the smartest minds, figure out what’s working best, leverage that, and then also share what doesn’t work so that folks can have those lessons learned,” said Punch.
On par with the importance of collaboration in the Navy’s zero trust implementation is the importance of better understanding the attack surface and adapting to new security principles and methods, explained Sandra Radesky, the deputy command information officer for U.S. Fleet Cyber Command.
“One of the things that we’re focusing on is doing endpoint detection and response and using that data not just for vulnerability state awareness, but also for asset management awareness and understanding where the lines are for the boundaries,” said Radesky.
“Over the last 20 years, we’ve focused on boundaries and firewalls — sensors on the outside of the network and really kind of closing everything in. Now, we’re kind of flipping that script, and we want to see the attributes on the entire network from the outside looking in inside. We want to understand those boundaries so that we understand what the baselines are and how they’re changing,” she explained.