The Pentagon will formally launch a new office dedicated to expediting the adoption of a new zero trust cybersecurity model.

The Department of Defense’s (DoD) chief information security officer (CISO) David McKeown said the office would fall under DoD’s chief information officer and be led by a yet-to-be-named senior executive.

The zero trust architecture eliminates implicit trust in any one element, node, or service. Instead requires continuous verification of the operational picture via real-time information from multiple sources to determine access and other system responses — allowing users full access but only to the bare minimum they need to perform their jobs. 

“We’ve redoubled our efforts; we’ve fought for dollars internally to get after this problem faster,” McKeown said at C4ISRNET’s CyberCon event. “We’re standing up a portfolio management office that will ... rationalize all network environments out there, prioritize and set each one of them on a path of zero trust over the coming five, six, seven years.”

McKeown added, “We’ve got a lot of attention on this now, and we’ve got senior leadership in the department on board and putting their money where their mouth is and helping us to implement this at a very fast pace.”

The move comes months after the Biden administration released an executive order on bolstering cybersecurity across the federal government after the SolarWinds intrusion. “We feel like zero trust is the only solution out there right now that gives us a fighting chance on detecting these folks that may have a foothold on our network or this anomalous software that we’ve allowed in,” McKeown said.

This is a step in the right direction by the DoD, says Joseph Carson, chief security scientist and Advisory CISO at ThycoticCentrify, a Washington D.C.-based provider of cloud identity security solutions. “However, one thing that must not be overlooked is that the concept of zero trust is not a typical security solution. It is a mindset. There is no standard list of boxes that can be ticked off; it is instead a journey that is unique for every organization based on its distinct infrastructure and business objectives. Zero trust is an approach to operate and adopt security measures that continuously verify authorization.”

Carson adds, “Zero trust is all about reducing risk without increasing friction for users while simultaneously it should be creating as much friction as possible for threat actors. The more difficult it is for them to gain access, the more noise they are likely to make, and the easier it will be to identify and stop them before they cause damage.”