'Zero Trust' Lab Will Explore the Future of Pentagon Data Security

Once upon a time, U.S. Cyber Command and DISA could act like no one got past their passwords. Those days are over.

The Defense Information Systems Agency is standing up a lab for researchers to test different strategies for building zero-trust network architectures across the Pentagon.

Located near the agency’s Fort Meade headquarters, the facility will serve as the base of operations for a pilot program run by DISA and U.S. Cyber Command focused on protecting the Pentagon’s IT infrastructure from unauthorized access, according to Jason Martin, acting director of DISA’s cyber directorate. 

Once the lab is up and running, security experts from the defense and intelligence communities will use it to experiment with novel approaches to improving identity and access management on military networks, he said Wednesday during a panel at the FCW Cybersecurity Summit. The intelligence community will also be involved in those efforts, he added.

According to Martin, the program will focus on three key areas: creating a framework for continuously monitoring and checking access on different layers of the network, building out tools to manage identity and access, and pushing out those solutions across the Pentagon. Based on the findings, he said, the Pentagon will likely both adapt existing policies and tools to improve security, and acquire new tech to deploy across the enterprise.

“[The efforts] will inform what we actually do need to build out, integrate and configure,” he said in a conversation with reporters. “It’s rethinking how we do continuous security.”

According to Martin, the department has already identified funds to support the pilot program in the years ahead.

At its core, zero-trust security is a network architecture that requires verifying the identity of all people and devices before they can access a given system. Last month, the Pentagon listed zero-trust architectures as a key aspect of its digital modernization strategy.

While network security is a critical part of defending against bad actors, panelists warned the Pentagon can’t ignore the other components of security. Weapons systems, physical infrastructure and government contractors all present possible entry points for digital intruders, and “an adversary can move through any one of those spaces to create an issue,” said Defense Department Director of Cyber John Garstka.

“We’re finding that you can [be] really secure in your network space and lose ... because an adversary has figured out they can attack one of those other layers of the stack,” Garstka said during the event. “We’re focusing on what does it mean to secure different levels of the stack, and how do you develop the workforce ... to understand what cyber hygiene means.”