The Network Enterprise Technology Command (NETCOM) – Army Department of Defense Information Networks (DoDIN-A) Cybersecurity Strategy uses Zero-Trust principles to protect critical Data, Applications, Assets, and Services (DAAS). (Photo by U.S. Army Network Enterprise Technology Command)

WASHINGTON — The Department of Defense is 14 percent of the way toward its goal of having all enterprise networks zero trust compliant by the end of fiscal year 2027, a key official said Wednesday.

“Fourteen percent is a good start, but far from being done,” Col. Gary Kipe, chief of staff of the DoD’s zero trust portfolio management office, said during a panel at a CyberScoop event. He added that the 14 percent constitutes areas specifically where “we could stop adversarial lateral movement within our network.” 

Kipe said there are two major deficiencies in the DoD’s zero trust capabilities keeping it from achieving that 100 percent readiness. The first is the lack of identity, credential, and access management (ICAM) tools — which perform constant checks to ensure that users are allowed to access the information they are trying to access. The second is the lack of automated data tagging that helps label and categorize data based on sensitivity, importance and other standards to facilitate better data management and protect the data from unauthorized users. 

“We do have an optimistic but reasonable anticipation that we’re going to have both of those by the end of this FY, which is critical,” Kipe said of the deficiencies. “Then we’ll be able to plan around it, resource it, proof of concept it and develop it further until we get to [20]27.”

Kipe particularly harped on the important role data tagging plays in creating data centricity, which ultimately allows the DoD to share information on threats with the broader intelligence community, allies and partners, he explained. 

“It’s got to be interoperable between the DoD, [civilians in the federal government], the IC [intelligence community] and Five Eyes and other mission partner environments. We’re not the only target that damn communists are trying to overcome,” Kipe said. “They’re trying to overcome freedom loving people around the world, and all of us are using the same data.” 

If such data tagging standards are not implemented, Kipe said “it won’t matter because we will have lost the broader fight, and that is defending liberty around the world.” 

John Sahlin, the vice president of cyber solutions at General Dynamics Information Technology, echoed Kipe’s statements on the importance of data tagging leading to data centricity during the panel. 

“Zero trust is about enabling a mission, and ultimately, we need to use that data collectively to pursue mission objectives, and those mission objectives include dangerous stuff,” Sahlin said, referencing Kipe’s anecdotes about the risk adversaries pose to democracy.

He added that once the DoD can implement the “basics” of data tagging and zero trust at the enterprise level, it can start to implement zero trust more widely at the tactical edge — something the company demonstrated back in 2023.

“We need to be able to enable the mission commanders with the ability to make changes on the fly under what conditions and with whom we’re sharing data, so that we can execute the mission,” Sahlin said. “That’s where it gets really interesting. If we get the basics right, then we could really do some cool stuff at the tactical edge.”