WASHINGTON — The Biden administration’s National Cyber Strategy “directly aligns” with what a top Pentagon official said were “dramatic” efforts already underway at the Defense Department to revamp the military’s cyber posture.
“The National Cyber Strategy challenges us to set the agenda on our terms to outpace our adversaries,” DoD CIO John Sherman said in a statement to Breaking Defense this week. “This vision directly aligns with the Department’s cloud and software modernization efforts which aim to drive a resilient, zero-trust based cyber foundation in the cloud. Now is the time to drive the dramatic change necessary to make cyber threats far more difficult and far more costly for our adversaries.”
The White House released its National Cyber Strategy earlier this month, outlining steps the government must take to secure the country’s digital future and defend its digital ecosystem against foreign adversaries like China and Russia. The strategy calls for rebalancing the responsibility of defensive cybersecurity to the “most capable and best positioned actors” in the US, essentially shifting it towards industry.
That’s especially true for the military, which relies on an army of private industry contractors. Sherman told Breaking Defense that DoD recognizes the fundamental role it plays in collaborating with industry and, ultimately, in the success of warfighters.
“Our partners realize that protecting DoD information that resides within the defense industrial base (DIB) and cloud service providers is necessary to maintain the Department’s edge over near-peer competitors,” Sherman said. “To that end, the Department has made it a priority to collaborate with and exchange information with our DIB and IT partners. Our DIB Cybersecurity Program spearheads this enduring effort to ensure we are all equipped to meet evolving cybersecurity threats.”
Beyond industry, the national strategy is also well aligned with DoD’s own ongoing cloud and cybersecurity efforts, he said. The Pentagon in its fiscal 2024 request, released on Monday, asked for $13.5 billion in funding for its cyberspace activities. That includes increasing cybersecurity support to the DIB, funding five additional cyber mission force teams and operationalizing DoD’s zero trust framework.
Under the zero-trust concept, no user is ever fully “trusted” to be on the network; each is instead continuously validated at every stage. DoD released its zero-trust strategy last year, setting an ambitious timeline to achieve a “targeted” level of zero trust — a set of minimal requirements DoD and its components need to achieve — across its enterprise by FY27, followed by a more “advanced” level.
Gurpreet Bhatia, DoD’s acting deputy chief information security officer, told Breaking Defense that the zero-trust approach will “ensure a secure DoD information enterprise that enables data-informed decision-making, from the warfighter to our nation’s most senior leaders” and that DoD is continuously addressing cybersecurity risks.
“DoD components must meet those standards by FY27, and we continue to look toward industry leaders for potential solutions to accelerate the DoD’s execution of its [zero trust] strategy,” Bhatia said.
The department is also getting ready to award the first set of task orders under the Joint Warfighting Cloud Capability (JWCC) multi-vendor, multi-cloud contract. Under JWCC, four vendors — Google, Microsoft, Oracle and Amazon Web Services — will compete for individual task orders to build out DoD’s key military cloud computing backbone.
Those task orders are “in the pipeline,” Sharon Woods, director of the Defense Information Systems Agency’s Hosting and Compute Center, said on Tuesday. She added that the vendors will also get an opportunity to bid on secret-level offerings under JWCC “in the coming weeks” followed by top secret-level offerings in the summer.
“That’s a capability we really don’t have in the department, an enterprise top secret cloud environment,” Woods said. “You know, the intelligence community does, but the department…is not able to leverage that contract and so that is one of those capability gaps that JWCC is meeting.”
Deputy DoD CIO Lily Zeleke told Breaking Defense in a statement that through JWCC, DoD “has established a direct relationship with the commercial cloud vendors to deliver, and continuously improve, a modern, resilient computing platform.”
“Building on the commercial cloud platform, collaborative engagement with industry partners, academia, and other government agencies is delivering the secure components and software practices needed for protecting sensitive applications and data from advanced persistent cyber threats,” Zeleke added.