CHIPS Articles: Flank Speed makes significant strides in DOD Zero Trust Activity alignment (2024)

Flank Speed makes significant strides in DOD Zero Trust Activity alignment

As the Department of Defense continues to aggressively expand upon ways to deliver modern information technology, it is also making significant progress towards enhancing cybersecurity through the introduction of the DOD Zero Trust Strategy and Reference Architecture. The DOD Chief Information Office’s Zero Trust Portfolio Management Office (DOD CIO ZT PfMO) has doubled down on its expectations of Zero Trust by issuing direction for the DOD to align with the 91 Target Activities no later than fiscal year 2027.

This approach has been gaining traction across the various branches of the military, including the Navy, which leveraged its Flank Speed service offering to demonstrate its commitment to Zero Trust alignment by accessing DOD ZT activities in a recent DOD CIO ZT PfMO sanctioned cybersecurity assessment.

Understanding DOD Zero Trust: A Brief Overview

Zero Trust is a cybersecurity strategy that revolves around the principle of “never trust, always verify.” Traditionally, network security relied on the perimeter defense model, assuming that threats were primarily external to the network. Zero Trust, however, assumes threats will originate both externally and internally, and therefore mandates constant verification and authentication for all users, devices and process, regardless of their location.

Navy Flank Speed’s Journey to Zero Trust

Recognizing the changing threat landscape surrounding remote work and cloud hosted services, the Navy has been embarking on a journey toward Zero Trust alignment since the inception of its Flank Speed services in 2020. Flank Speed is one of the many ways the Navy is addressing the expectations defined in the Department of the Navy (DON) Information Superiority Vision (ISV), Implement Zero Trust Major Design Concept and Capstone Design Concepts along with alignment to DOD’s Zero Trust guidance.

Since its creation, the Navy has cumulatively onboarded over 560,000 users globally into the Flank Speed ecosystem of tools and services. The establishment of Flank Speed as a Navy capability required the standup of a greenfield environment where secure collaboration and operation could occur. This environment delivers on a completely new endpoint security approach, where devices follow an internet-first connection model. Authentication capabilities within Flank Speed deliver on the tenants of cloud and zero trust and data rights management solutions ensure data can be securely transported and accessed regardless of location. Flank Speed also integrates a Security Information Event Management (SIEM) and Security, Orchestration, Automation and Response (SOAR) offering that significantly enhances the operator’s ability to both defend and hunt.

As part of the introduction of technologies and services to align with Zero Trust, Navy’s Flank Speed environment has conducted eight National Security Agency (NSA) Certified Red Team assessments (Purple Team events) against its offerings. These ongoing testing efforts are funded and sponsored by the Navy to ensure it is continuously delivering the most secure version of its capability as possible, while also leaning forward on its adoption of the latest capabilities and technologies.

Purple Team assessments against emerging technologies being used in Flank Speed have also proven to be an extremely beneficial approach towards impacting the change of DOD policies through Exceptions to Policy. With the release of the DOD Zero Trust Strategy and Reference Architecture in 2022, the Navy was able to rapidly show alignment with the DOD’s broader cybersecurity objectives beyond what was already underway with Flank Speed delivery of services. This existing momentum put Navy on a perfect path to support the DOD CIO ZT PfMO recent request for Navy’s Flank Speed services to be assessed against the Zero Trust Activities during the summer of 2023.

DOD’s Assessment of Flank Speed for Zero Trust Target Activity Alignment

In August 2023, Director, Operational Test and Evaluation (DOT&E) successfully conducted a two-week Purple Team assessment of the Navy’s Flank Speed Software as a Service (SaaS) environment in cooperation with the Naval Sea Systems Command Red Team (NAVSEA-RT) with augmentation from the Advanced Cyber Operations (ACO) team, Navy Program Executive Office Digital and Enterprise Services (PEO Digital), Navy Cyber Defense Operations Command (NCDOC), Naval Network Warfare Command (NAVNETWARCOM) and Microsoft.

The use of cloud capabilities continues to change the way the DOD develops, deploys, operates and secures systems and services. As cloud adoption grows, the Department can improve decision-making and military advantage in alignment with the Interim Guidance for Implementation of the Department of Defense Cloud Strategy memo, released in June 2020 by then-DOD CIO Dana Deasy. DOT&E, at the request of the DOD CIO ZT PfMO used Purple Teaming Methodologies to assess the effectiveness of the Flank Speed Zero Trust environment in the Azure Cloud Service Provider (CSP). Purple Teaming brings together the skills of both Red Teams and Blue Teams – using a Purple Team construct allowed Blue and Red Teams to collaboratively strengthen cybersecurity posture using the DOT&E Cyber Assessment Program (CAP) “find-fix-verify” approach.

Using their Cyber Assessment Program (CAP), DOT&E was able to verify many of the configurations and defense mechanisms that keep the Navy’s data safely inside their cloud network. This assessment serves to provide leadership confidence in using the Department’s cloud environments to enable rapid military command and control decisions.

The Department of Defense’s Zero Trust approach represents a paradigm shift in cybersecurity, prioritizing continuous verification and strict access controls. The DOD CIO ZT PfMO assessment of Navy’s Flank Speed offering successfully demonstrated the ability to implement Zero Trust activities. Current and future alignment towards additional target and advanced activities within this framework underscores its dedication to securely move any information from anywhere to anywhere while improving operational resilience and customer experience. As technology continues to evolve, the Navy’s proactive approach serves as a model for other branches and organizations seeking to strengthen their cyber defenses in an age of evolving digital threats.

Mr. Darren Turner is the Chief Technologist and Advisor for the Department of Navy’s Chief Technology Office (DON CTO).