Zero trust is breaking things at the DIA, and ‘that’s good’: CIO

WASHINGTON — Sometimes, when the Defense Intelligence Agency implements strict zero-trust-aligned protocols, “things just stop working,” according to the agency’s chief information officer.

“And that’s good!” Doug Cossa told an audience here at the Potomac Officers Club Annual Intel Summit on Thursday.

It’s good, he said, because the malfunction means that whatever application or device that was trying to access the agency’s network did not meet the DIA’s new compliance standards. Under what’s known as the “comply-to-connect” paradigm, only applications using approved security measures can hook in.

“If it doesn’t meet [our] standard, it simply won’t connect,” he said.

Cossa suggested the stance was especially helpful in identifying what he described as the scourge of IT professionals at large, old organizations: “shadow IT” in the form of hardware and software that lives “outside the enterprise baseline” unknown to network administrators. (IBM offers the examples in private industry of people using personal devices or cloud accounts to access work networks.)

“Zero trust presents a unique opportunity to comply-to-connect,” he said, and to kick out the interlopers — even if it means some downtime to sort out why something’s not working.

RELATED: DoD finding it ‘hard to orchestrate’ services on zero trust, Resnick says

Zero trust is a major push inside the Pentagon and across the Intelligence Community to, as the name implies, never fully “trust” people or software accessing a system and continually check to make sure they are who they say they are and that they are accessing things they’re supposed to access. That’s opposed to traditional security frameworks that, generally speaking, let a user run mostly free in a network as long as they clear an initial security check.

Beyond that, however, the zero trust initiative can be a bit nebulous. Cossa’s fellow panelist, Intelligence Community Chief Information Officer Adele Merritt, called zero trust a “journey” for the IC, rather than a single technology in a box to be installed or a memo she could sign out and forget. Part of the challenge, she said, was to set and stick to benchmarks to ensure the IC is making the progress it wants to make.

In the Pentagon, the zero trust effort is being led by Randy Resnick, director of a new zero trust portfolio office within the DoD’s chief information office. Earlier this month the DoD CIO, John Sherman, said the Pentagon is getting zero trust strategies from each military service and agency and will begin reviewing them shortly. The idea is for everyone to have reached what the DoD calls a “targeted” level of zero trust by fiscal 2027 as it continues toward the far-future goal of actual zero trust.

Along with the comply-to-connect concept, after a vague apparent reference to the Discord leaks, Cossa suggested Thursday that DIA is already implementing some more human-focused zero trust measures to make sure “not only are you cleared to see the data, but [you’re] in a role where you have the need to see the data.”

“We see tremendous value in zero trust for that,” he said.

If another reminder was necessary, the same day of the panel, the Department of Justice announced espionage charges against a contractor working for the Department of State. In that case an IT professional — authorized to roam the system — allegedly accessed classified information and passed it along to an African nation.

Breaking Defense’s Jaspreet Gill contributed to this report.