Five years to zero trust: Pentagon has ‘no choice’ but to sprint toward network goals

DoD CIO participates in cybersecurity virtual forum

Mr. John Sherman, Acting Department of Defense Chief Information Officer, participates in a virtual panel with Billington Cybersecurity at the Pentagon, April 15, 2021. (DoD photo by Chad J. McNeeley)

WASHINGTON — The Pentagon’s chief information officer is committed to implementing a zero trust architecture across the entire department in the next five years and will be releasing a new strategy to get there as soon as next month.

“What we’re aiming for is by 2027 to have zero trust deployed across a majority of our enterprise systems in the Department of Defense,” DoD CIO John Sherman said at a FedTalks conference Wednesday. “Five years. That’s an ambitious goal… but the adversary capability we’re facing leaves us no choice but to move at that level of pace.”

To get after its zero trust goals, the Pentagon plans to release a new strategy as soon as next month. The strategy will define DoD’s approach to zero trust from the “main controls” to the most sensitive systems. Sherman said that within the last month, he also hired a new deputy chief information security officer to bolster the office’s efforts.

“I can tell you at DoD, we’re taking this very seriously,” he said. “And we are committed to implementing zero trust at scale for our four-million-person-plus enterprise that we lead.” 

Cybersecurity remains one of Sherman’s top goals, specifically figuring out how to get after the “technical debt” DoD has accrued over the last 20 years. The Pentagon needs to start thinking of new ways to protect its weapons systems, networks and data and ensure they’re “cyber safe” and secure in a way that it didn’t have to do “staring down the Taliban or ISIS or other adversaries,” he said.

Sherman said cybersecurity can’t be an option, especially when China and other adversaries are trying “to steal our data to put our service members at risk.”

To that end, the Cybersecurity Maturity Model Certification (CMMC) version 2.0, the Pentagon’s major cyber certification program, was moved under Sherman’s purview earlier this year from the office of the undersecretary of defense for acquisition and sustainment. During an AFCEA Space Force IT Day conference in February, Sherman said he wanted to focus on clarifying requirements and increasing engagements with small- to medium-sized companies in hopes of raising the overall “water level” of DoD’s cybersecurity defenses against China and Russia.

“This is basic hygiene to raise the water level to make sure we can protect our sensitive data so that when our service members have to go into action, they’re not going to have an unfair position because our adversary’s already stolen key data and technologies that’ll put them at an advantage,” he said then.

At the FedTalks event, Sherman said a new cyber talent strategy will also be released in the next few months. The strategy is in the final stages of coordination and involves people from DoD’s personnel, readiness and policy teams thinking “differently about the environment we’re in,” he said.

“This is the space race for this generation, if you want to be honest,” he added. “We’ve got to get this right, we need to draw on every bit of talent.”
