Zero Trust Gets A "Promotion" In The DoD

The U.S. Department of Defense (DoD) Zero Trust Portfolio Management Office (PfMO) will officially become part of the DoD enterprise and will be led by a newly created Chief Zero Trust Officer. The changes are detailed in a new directive-type memo which describes the new organizational structure, as well as roles and responsibilities. The office will be responsible for coordinating, synchronizing, and accelerating the adoption of Zero Trust across each of the services and major commands within the DoD. Although the ultimate responsibility for Zero Trust initiatives and investment remains with the DoD CIO and other Zero Trust-related governance structures are mostly unchanged, the Chief Zero Trust Officer will provide strategic guidance, direct alignment efforts, and make recommendations for resource and funding priorities.

The Upside Of DoD’s Double Down On Zero Trust

Given the changes to various elements of the overall US federal cybersecurity strategy — and the resulting uncertainty, including the scrutiny of existing Zero Trust implementation strategies across other departments — it’s good news that DoD is staying the course. The establishment of the office and the creation of a senior executive service-level position to lead it illustrates that, when the stakes are high(est), Zero Trust remains the best model “to impede malicious threat actors in cyberspace.” The benefits of further formalizing Zero Trust with this new structure include:

Shipping the org chart. Conway’s Law is usually invoked as a critique but, in this instance, it could instead be a catalyst to help DoD achieve its ideal outcome: ZERO TRUST everywhere. By creating an organizational unit with a sweeping purview that reports directly to the CIO, DoD has further codified Zero Trust as an integral part of how it will approach the department’s business of information technology and cybersecurity. Ideally, this centralization and oversight should keep the overall strategy cohesive and eliminate siloed implementations, especially between different DoD components.
Creating an interface for the rest of the federal government. As DoD soldiers on (pun intended) with Zero Trust, the Office of Management and Budget (OMB) is taking a beat to consider “Zero Trust 2.0” for Federal Civilian Executive Branch (FCEB) agencies. Even though the remit of the Chief Zero Trust Officer is confined to DoD, one important authority granted is interfacing with OMB and FCEB agencies. Given the changes in priorities and staffing at the Cybersecurity and Infrastructure Security Agency (CISA), there is an opportunity for the DoD Zero Trust PfMO to take up the mantle of Zero Trust leadership within the government writ large. This coordination should create a channel for the distribution of Zero Trust guidance and lessons learned that are — literally — battle tested. Although departments outside of DoD and the Intelligence Community (IC) may not have the same rigorous requirements, they are still targeted by adversarial foreign governments and DoD implementations should provide a foundation that can be adapted for other environments in the same way Defense Information Systems Agency (DISA) Secure Technology Implementation Guides (STIG’s) often are.

A Portfolio Isn’t Without Pitfalls

It might be easy to treat this announcement as unqualified endorsement for Zero Trust in the U.S. government and Zero Trust writ large. After all, if DoD is betting on Zero Trust as its preeminent cybersecurity strategy in a time when great power competition increasingly manifests in the digital sphere, shouldn’t that mean it’s the right bet for all of us? And if the overall strategy is the right bet, doesn’t it make sense to use the same operational and tactical approach? Like so many things in cybersecurity, the answer is “it depends.”

How effective this new office turns out to be and whether the private sector should attempt to replicate this specific Zero Trust governance structure are still open questions. For security leaders contemplating a similar approach in their organizations, there are reasons for caution, including:

Compliance theater. One potential downside of creating an office whose sole purpose is to scrutinize a wide range of projects for their Zero Trustworthiness™ is that Zero Trust will become performative rather than substantive. Project sponsors and leaders may become overly focused on checkboxes that ostensibly comply with stated Zero Trust goals and objectives but don’t meaningfully implement the principles. That approach may satisfy a gatekeeper so that projects can proceed but, with all due respect to GRC teams everywhere, compliance does not always directly translate to improved security.
Turnover turbulence. The existence of a position is not the same as a person in the position. And a person appointed to a position is not the same as a person with a long tenure in a position. Cybersecurity roles are known for high turnover rates, and leadership changes affect consistency and disrupt momentum. The role of Chief Zero Trust Officer is no different than many other senior federal positions: executing on a vision and successfully managing the portfolio will require a certain amount of longevity. An unexpected vacancy can leave the rest of the team scrambling to make sense of an unfamiliar topic or thrashing after a change in direction.
Governance alternatives. Despite how it’s often described — a product, a platform, a buzzword that should be ignored and forgotten — Zero Trust is best thought of as an architectural philosophy. Like any philosophy, there may be a founder or a champion. But philosophies can also emerge more organically through the work of like-minded individuals in response to prevailing conditions. Zero Trust is a set of tenets for how to think about how things should be built and a set of broad techniques that can be applied during the construction. But even with a common philosophical starting point, the resulting designs and structures will necessarily be different due to the needs and constraints of particular situations. There are stark differences between the needs of military or military-adjacent organizations and the private sector. The threats are different. The stakes are different. The budget, organizational structures, and incentives are different. Perhaps most importantly, the tolerance for friction in the user experience is different. The variety in these factors means that it is not only possible, but potentially desirable to do something other than appoint a Zero Trust “czar.” For example, managing agile software development using scrum involves embedding seasoned “coaches” directly with development teams. These Scrum Masters help teams practice agile principles without centralizing the authority for “faster software development.” Organizations should choose a highly centralized or more decentralized Zero Trust governance approach based on which better aligns with their culture and existing IT portfolio structure.