The Department of Defense (DoD) has provided strategic guidance for all DoD Components to adopt a Zero Trust (ZT) strategic approach in the DoD CIO’s recently published DoD Zero Trust Strategy. Building upon the seven pillars in the reference architecture, the DoD CIO provides a clear vision and approach along with very precise goals, objectives, and outcomes desired for DoD Components to evaluate and adopt specific “DoD Zero Trust Capabilities” described as “Target” and “Advanced” levels in a DoD Component’s journey to continually enhance and implement a more comprehensive state of cyber defense (See Blog Part #1 “A Peek into the Newly Released DoD Zero Trust Strategy” for an Overview).
In the seven-pillar reference architecture, DoD ZT RA, V2.0, published in July of 2022, the DoD built upon the work by CISA and NIST 800-207 to define how each pillar created an opportunity to enforce policy and enhance security. The Zero Trust Strategy goes one step further and identifies 91 capabilities and activities that are necessary to implement the ZT model effectively for the DODIN as it evolves with current technologies. The new DoD Zero Trust Strategy and the DoD ZT RA, V2.0, both call out the intended result of all seven pillars working together:
“All capabilities within the Pillars must work together in an integrated fashion to secure effectively the Data Pillar, which is central to the model.”
Inter-relationship of Seven Pillars – NSA ZTA Model (2)
Each pillar provides an opportunity to enforce policy, based on a continually evolving set of information. Applying this model in operational contexts poses a twofold challenge: one, there is an ever-increasing set of tools that create decision points, and two, the threat landscape also increases the number of enforcement points necessary to secure an organization’s data. A recent report by Momentum Cyber reminds us of the expanding and evolving landscape of tools that today’s cyber security engineers, analysts, and leaders are asked to integrate and support (3).
Major shifts in security technology focus, like IoT, software supply chain, and blockchain, have heightened our awareness of attack surfaces that were overlooked before – creating another multitude of tools to learn and integrate. Taking a strategic approach enables organizations to efficiently create and enforce effective policy decisions and enforcement points that simplify operations and frustrate attackers, not users and administrators. A Security Architecture is needed (for more information see Cisco Blog: “Achieving Authorization to Operate With Less Complexity Utilizing the Cisco Security Architecture”).
From a Cisco perspective, the capabilities across the breadth of Cisco’s open-standards-based networking and security portfolio, which naturally integrates process and people while complementing existing DoD capabilities, all support the essential outcomes described in the strategy set forth by the DoD CIO. It is well recognized that no single vendor can deliver all the capabilities required in any zero trust implementation. As noted in the strategy, “Zero Trust may include certain products but is not a capability or device that may be bought.” (1) For DoD Components, the Zero Trust journey requires a multi-layered, strategic integrated platform approach to adopt and integrate Zero Trust capabilities, technologies, and solutions while uniting their people and processes across their architectures.
Cisco solutions are aligned to zero trust principles across targeted technology domains, and we help our customers implement zero trust by providing the ability to do the following.
- Establish trust for users, devices and applications trying to access an environment.
- Enforce trust-based access based on the principle of least privilege, only granting access to applications and data that users/devices explicitly need.
- Continuously verify trust to detect any change in risk even after initial access is granted.
- Respond to changes in trust by investigating and orchestrating response to potential incidents.
Cisco and Zero Trust
Adopting technologies that enhance these processes helps an organization develop the muscle memory to operate with a Zero Trust mindset and is essential as discussed in this paper, Security Resilience for Defense and Government. The similarity between the DoD, CISA, and NSA Zero Trust models exemplifies the need to frame continuous defensive posture and make risk-based access decisions to networks and sensitive data. In addition, overlaying common cyber security initiatives into the ZT pillars also helps to rationalize spending against the ZT Strategy.
When looking across the Cisco portfolio, solutions can be mapped to the capabilities and activities needed to meet the updated Zero Trust strategy. While not comprehensive, working through the Cisco portfolio creates the opportunity for customers to consolidate vendors as much as possible, to simplify network and security operations, and expedite adoption of Zero Trust principles.
Mapping of Cisco Solutions to DoD Zero Trust Strategy Capabilities
The overall value of the Cisco portfolio is the ability to bring solutions to the environment that complement the broader set of tools needed to deliver the secure outcomes for the DoD and the government. Enabling mission-focused operations by ensuring secure access to sensitive information across a globally deployed workforce – operating over the span of hybrid cloud environments, tactically deployed systems, enterprise, and industrial control systems – is the type of challenge to which Cisco delivers solutions to our global customers, and especially alongside the government. We are confident that our solutions, integrated with the power of our partners’ offerings and existing DoD capabilities, enabled via open standards-based APIs, will create the secure outcomes envisioned in the DoD Zero Trust Strategy.
The Cisco Secure Platform
Cisco’s zero trust architecture is powered by the Cisco Secure platform, which includes Cisco’s integrated networking portfolio. Our platform enables organizations to mature capabilities and processes from any starting point. Across all pillars of the environment, contextual awareness, visibility, and analytics enable the platform to establish trust, while applying automated, unified policy-based verification and orchestration to empower consistent enforcement of trust-based access. That knowledge and understanding enables the platform to continually adapt trust levels based on changing risk and enables automated threat response across networks, devices, and applications to respond faster in the event of a change in trust. Backed by threat intelligence from Cisco Talos, the platform can see and stop more threats, enabling more rapid and precise response.
- Zero Trust Security
- Cisco Zero Trust Frameworks Architecture Guide
- Security Resilience for Defense and Government
- Reimagine Government
(1) Nov 7, 2022. DoD Zero Trust Strategy.
(2) March 2022. Applying Zero Trust Principles to Enterprise Mobility.
(3) October 2022. Momentum Cyber. Cybersecurity Market Review.