
US DoD’s Adoption of Zero Trust Heats Up

Sep 1, 2022

The US Department of Defense (DoD) initiative to adopt the Executive Order for Zero Trust is heating up. This week the Pentagon’s CIO, John Sherman, announced plans to implement a zero trust architecture agency-wide within the next 5 years – by 2027. To support this initiative, he plans to announce a new strategy next month to help meet the ambitious deadline for an agency of over 4 million people.

Growing nation-state cyber threats from adversaries have made it necessary for the DoD and US Government to up their cyber game to protect their systems, networks, and data from theft and sabotage.

It’s not just the DoD that needs to be prepared; the US Defense supply chain also needs to ensure its systems are protected. The Cybersecurity Maturity Model Certification (CMMC) version 2.0 aims to ensure suppliers doing business with the DoD have appropriate cybersecurity in place to protect sensitive defense information in their care. The CMMC v2.0 project was put under Sherman’s team this February with a focus on clarifying requirements and increasing synergy and collaboration across the Defense Industrial Base (DIB) cybersecurity programs.

In his address at this week’s FedTalks Sherman said, “There’s a cost to your IP, there’s a cost to the US government and there’s a benefit to our adversaries if we don’t do something like this.”

How Does Zero Trust Help Secure Unstructured Data?

The zero trust mandate and new CMMC requirements are all part of DoD’s concerted effort to raise the “waterline” of the US’s cybersecurity defenses against national state actors including China and Russia.

How will zero trust help? Simply put, the zero trust approach dictates that you must validate each and every user’s request to access systems, applications and data – each and every time. It’s a highly effective model to continuously validate access. There’s one caveat: traditional zero trust architecture and solutions address network and application security, not the unstructured data that sits behind them.

Without applying the same strict principles of zero trust to the data behind the network and applications, data is at risk from ‘insider threats’. From spies and moles exfiltrating sensitive information and selling it to the highest bidder, to negligent office workers leaving a laptop on a bus or sharing a sensitive file with the wrong email address, to hackers who steal user credentials – data is at risk if not properly secured from the inside out.

The risk ‘trusted insiders’ pose is just as great as the hackers trying to get in. The fact that they have already been let through the network and application gates makes it more challenging to find and mitigate threats to unstructured data in modern collaboration and Cloud file sharing tools like Microsoft 365, Teams and GCC High, and on-premises SharePoint farms.

Applying zero trust principles to file access requests each and every time it is requested is a vital first step to protecting our military secrets and ensuring only the right people have access. But we need to dig even deeper than access protocols. Even if a user is authorized to access a piece of data, to what end? For example, should they be able to download or print a copy? Share it? If so, with whom? To fully embrace zero trust and protect defense information, we need to verify and validate not only what data users can access but what an authorized user can do with that data based on its sensitivity level, each and every time.

The Role of ABAC in Data-Centric Zero Trust

One way to address this security blind spot is by using Attribute-Based Access Control (ABAC). ABAC extends the zero trust security model to the data level. Instead of granting access to a document on a server automatically because you are already authenticated into the system, ABAC decides whether you can access that individual file by evaluating attributes (characteristics of the data, the environment and/or the user) to determine the file’s access, usage and sharing rights.

The advantage of a data-centric, ABAC-based security approach is that an individual file’s access rights can be adjusted dynamically, in real time, by evaluating the sensitivity of the file and the user’s context against defined policies. This includes security classification, permissions and attributes such as security clearance, time of day, location, and device type.

These attributes can be used to determine not only who can access a particular file, but what they can do with it once access is granted. It can allow full usage rights or restrict the ability to edit, download, or share a file based on its sensitivity level or the conditions surrounding the request. For example, if the request is coming from a Chinese IP address, an insecure location or device, then the request can be denied. Like Zero Trust network architecture, ABAC sets the default to deny access unless these attributes can be validated against defined policies governing access and sharing conditions.
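As an added illustration (not NC Protect’s code or any DoD policy), here is a small Python evaluator of the kind of data-centric ABAC decision described above: attributes of the user, the request context and the file are checked against a policy, the default is deny, and the result is a set of usage rights (view, edit, download, share) rather than a simple yes/no. The attribute names, classification levels, allowed countries and rules are constructed assumptions for the example.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional, Set

# Ordered classification levels (constructed); a user's clearance must dominate the file's level.
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2}
ALLOWED_COUNTRIES = {"US"}        # assumed policy: requests only from these geolocations
BUSINESS_HOURS = range(6, 20)     # assumed policy: local hours in which SECRET files may be edited


@dataclass(frozen=True)
class Subject:
    """Attributes of the requesting user and their session (environment attributes)."""
    clearance: str
    country: str            # geolocation of the request
    device_managed: bool    # True if the device is enrolled and compliant
    hour: int               # local hour of the request, 0-23
    compartments: FrozenSet[str] = frozenset()  # need-to-know memberships


@dataclass(frozen=True)
class Resource:
    """Attributes of the file itself (data attributes)."""
    classification: str
    compartment: Optional[str] = None  # project/compartment tag; None means uncompartmented


def evaluate(subject: Subject, resource: Resource) -> Set[str]:
    """Return the set of permitted actions. Default deny: an empty set unless every gate passes."""
    rights: Set[str] = set()
    # Gate 1: clearance must be at or above classification; unknown values fail closed.
    if LEVELS.get(subject.clearance, -1) < LEVELS.get(resource.classification, 99):
        return rights
    # Gate 2: need-to-know; a compartmented file requires membership in that compartment.
    if resource.compartment and resource.compartment not in subject.compartments:
        return rights
    # Gate 3: environmental attributes (location of the request, device posture).
    if subject.country not in ALLOWED_COUNTRIES or not subject.device_managed:
        return rights
    rights.add("view")
    # Usage rights tighten with sensitivity and with the conditions of the request.
    if resource.classification == "UNCLASSIFIED":
        rights |= {"edit", "download", "share"}
    elif resource.classification == "CONFIDENTIAL":
        rights |= {"edit", "download"}
    elif subject.hour in BUSINESS_HOURS:   # SECRET: edit in business hours, never download or share
        rights.add("edit")
    return rights
```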

A data-centric zero trust approach that utilizes ABAC offers the ability to compartmentalize sensitive information and balance need-to-know principles with the need to share. As the DoD and supply chain look to meet zero trust and CMMC mandates, data-centric zero trust is an essential tool to ensure only the right users have access to the right information at the right time in their Microsoft file sharing environments.


Discover how NC Protect allows Defense and DIBs to take advantage of all the productivity and collaboration capabilities Microsoft 365, Teams, GCC High and SharePoint Server have to offer, with zero trust ABAC-powered information security.
