Security

DAFITC 2023: The DOD Is Charting a New Path to Zero Trust

Principal Deputy CIO Leslie Beavers talks security, user experience and networking at the Air Force conference.

Twitter

Elizabeth Neus is the former managing editor of FedTech and the former producer of FedTech's award-winning Feds in the Field video series. The Washington Nationals are her team; 80s Brit pop is her sound.

Defense agencies are on the road to creating zero-trust cybersecurity environments, but they’ll be drawing their own maps as they work toward the 2027 deadline for implementation, says the Defense Department’s principal deputy CIO.

“We’re not prescribing the how,” Leslie Beavers said. “We’re identifying the what.”

Each of the military branches must focus on seven pillars as they build zero-trust capability: user, device, application, data, network, automation and audit. “We as a community in DOD, including our industrial base, need to lean in on those capabilities and figure out how we’re going to do it,” she said.

Beavers spoke at the Department of the Air Force Information Technology and Cyberpower (DAFITC) Education & Training Event, which runs through Wednesday in Montgomery, Ala. More than 4,000 service members, civilian workers and industry representatives are attending the conference.

Zero trust is a major priority for DOD, Beavers said. “The internet was built to be collaborative. Networks are built to be collaborative. We let everyone in, set our defense at the perimeter, and that’s just not working with the advanced and sophisticated threats that we face,” she added.

“At the very least, we need to lock the doors on the house and close the windows.”

Click the banner to access exclusive Insider content on government tech after DAFTIC 2023.

Why Zero-Trust Deployment Requires an Adequate Workforce

The White House has mandated that civilian federal agencies implement zero trust by September 2024. The DOD’s Zero Trust Strategy and Roadmap is set for completion by fiscal year 2027.

New guidelines that can help military branches and defense agencies handle the transition are on their way, Beavers said. The DOD’s Zero Trust Portfolio Management Office is expected to provide guidance on data tagging and labeling by the end of this year, and the National Institute of Standards and Technology’s update of its privacy framework is also due.

“There’s still work to be done as we go into the cloud, figuring out how we do zero trust in the cloud, between a variety of clouds and different security classifications,” she said. DOD is working closely with the National Security Agency on that aspect.

One obstacle to overcome, however, is workforce capabilities. About 225,000 people hold cyber-related jobs in the DOD; the vacancy rate among civilian-held posts alone is 24 percent, “and that’s really high,” Beavers said.

“Our goal is to cut that in half within two years,” she added. “We’re doing that by identifying some creative ways to recruit, partnering in ways that we haven’t done before and working on the retention side.”

EXPLORE: How Backup as a Service fits with agencies’ adoption of zero-trust security.

Service Members Look to Better the User Experience

Beavers wants to focus particularly on user experience within the DOD. As a retired Air Force officer who still serves as a reservist, she’s familiar with the pain points the average service member faces.

“There is no bigger champion of this than me,” she said. “I’ve gone through the growing pains of a variety of IT infrastructure challenges. This is a multiyear, multilayer problem, more than just a technical refresh.”

In addition to the aging hardware — in the midst of being replaced, she said — reservists and National Guard members face further issues because they’re not recognized as readily on non-Air Force networks.

“Active duty, you may not feel the pain as much as your reservist and National Guard brethren — you can end up on Air Force networks, and the Air Force is pretty good about maintaining connectivity,” she added. “But when you’re Guard and Reserve, and you’re at the whims of another service, it gets a little spotty.”

DOD is standing up a user experience portfolio management office, similar to the zero-trust office, to take a broad, long-term approach to fixing the problem, she said.

To learn more about DAFITC 2023, visit our conference page. You can also follow us on X (formerly Twitter) at @FedTechMagazine to see behind-the-scenes moments.