The U.S. Department of Defense Information Network – comprised of more than 15,000 unclassified, classified networked and cloud environments – is one of the world’s largest networks of networks. For the U.S., it is arguably the most sensitive conglomeration of networks.
The Defense Information Security Network, the backbone of DoDIN, is also reportedly subjected to nearly 800 million cybersecurity incidents per day, making the advancement of DoD’s cybersecurity strategy a vital and time-sensitive priority.
Recent events – such as COVID-19 prompting security requirements to support a surge in virtual work, the evolving ransomware epidemic, and the Russian-Ukrainian clash – have further transformed the way that government has to approach security.
As a result, the zero trust framework has gained broad, if overdue, attention. Due to the complexity of zero trust, supplemental guidance is critical to its successful widespread adoption.
For a network as complex and sensitive as the DoDIN, the task becomes all the more challenging. As such, the DoD launched Comply-to-Connect, a comprehensive framework that, unlike its predecessors, demands visibility of all assets (both non-traditional and traditional) across the DoDIN’s extensive enterprise.
Leveraging least privilege
C2C, which leverages zero trust’s least privilege principles to safeguard access to data resources and assets, provides the foundation of the DoD’s zero trust journey through its two main objectives:
— C2C fills existing capability gaps in currently fielded enterprise security solutions through complete device identification, device and user authentication, and security compliance assessment.
— C2C automates routine security administrative functions, remediation of noncompliant devices and incident response through the integration of multiple management and security products and real-time continuous monitoring.
The DoD has begun its journey toward a zero trust environment with C2C as a foundational element, and the impact of the C2C program on DoD operations is already apparent. For example, more bases are getting acceptable scores on their Command Cyber Readiness Inspections, which allows operators to focus on security operations and mission readiness instead of checklist-driven inspection preparation and paperwork.
And as the program’s implementation matures beyond office networks into industrial control systems, logistics systems and other operational technology environments, these scores will continue to improve, raising the cyber readiness of the Department’s entire information network.
In addition, C2C capabilities are making a marked difference in the efficiency of daily operations. One Air Force major command noted that now that they’ve implemented C2C, “simple information gathering tasks that used to take us two to three days to gather and coalesce data now takes us five minutes.”
Other service components are using the orchestration capabilities of C2C to automate patching of endpoints, saving countless admin hours and ensuring the software baseline is consistent across the enterprise, making it easier to identify and respond to anomalous activity.
Increased operator productivity
Ultimately, these efficiency gains enable increased operator productivity — enhancing protection of critical OT systems across logistics, transportation, and other control systems and sensors that need to be monitored to prevent unauthorized cyber access.
In his recent testimony to Congress, John Sherman, the DoD CIO, stated, “We have the pieces to make [Zero Trust] work … [including] comply-to-connect.” Much of the faith in this program stems from the basic understanding of what and who are connecting to the network.
Building on this comprehensive visibility will take time, but through C2C, the basis for automated action through the orchestration of policy enforcement points is within reach. The five-step program is phased over four years and parallels the early stages of the DoD’s Zero Trust Strategy, which aims to reach its desired end state by 2025.
Ultimately, with C2C as the foundation, the DoD will rapidly move forward in applying zero trust principles and be able to achieve its goal of a zero trust environment across the DoDIN.
Melissa Trace is vice president, global government solutions, at Forescout Technologies, a supplier of cybersecurity products and services.
This article is an Op-Ed and the opinions expressed are those of the author.