Randy Resnick, the boss of the Pentagon’s young Zero Trust Portfolio Management Office, offered a glimpse of what it’s like to sit in his seat and drive some of the most aggressive cybersecurity advances in government.
“So, imagine the [Defense Department] being a really big ship, with the smallest rudder you ever saw in your life trying to turn that ship,” he said at the 2024 TechNet Cyber conference presented by the Armed Forces Communications & Electronics Association International on Tuesday. “That’s what the Department of Defense is.”
He doesn’t mean it derogatorily. He said it as more a statement of fact than a judgment. And, to the department’s credit, with help from outgoing Chief Information Officer John Sherman and a great many documents to keep these offices on the same page, they’ve made progress on the “gargantuan challenge” of getting workforce culture to support cybersecurity imperatives. But there’s still some work to be done.
Much of the discussion Resnick led at the event in Baltimore centered around the complex technology undergirding zero-trust, which both the military services and civilian agencies are tasked with implementing to some effect in the next few years. DoD offices have until 2027 to hit almost a hundred different targets for zero trust. Meanwhile, the department’s 2025 budget requested roughly $977 million for zero-trust transition, C4ISRNET previously reported.
Zero-trust is, as Resnick said, just that: nothing is trusted, and as a result, there are behind-the-scenes tests that verify and validate access with, ideally, minimal intrusion on user experience. It’s an access control strategy, but it’s also analytics, automation and data.
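The definition above, shown as a per-request policy decision, is an added example and not the article’s or DoD’s own code. Every request is re-checked for identity (MFA, session freshness), least privilege (roles granted to the resource), and device posture, and the network the request arrives from is recorded but never trusted; each decision is emitted as a structured record, which is the raw material for the analytics and automation mentioned above. The policy table, the 15-minute re-verification window and the sample requests are all constructed for illustration.

```python
import json
from dataclasses import dataclass, field
from typing import Dict, List, Set

REAUTH_AFTER_S = 15 * 60  # re-verify credentials after 15 minutes (assumed policy value)

# Which roles may reach which resource and how sensitive it is (constructed policy table).
RESOURCE_POLICY: Dict[str, dict] = {
    "payroll-db": {"roles": {"finance"}, "sensitivity": "high"},
    "wiki":       {"roles": {"staff", "finance", "engineering"}, "sensitivity": "low"},
}


@dataclass
class Request:
    user: str
    roles: Set[str]
    mfa_verified: bool
    session_age_s: int      # seconds since the last credential check
    device_managed: bool    # enrolled in device management
    device_patched: bool    # posture check passed
    src_network: str        # "corp" or "external"; recorded, never trusted
    resource: str


@dataclass
class Decision:
    allowed: bool
    reasons: List[str] = field(default_factory=list)


def evaluate(req: Request) -> Decision:
    """Deny unless every check passes; keep every failed check so the record explains why."""
    policy = RESOURCE_POLICY.get(req.resource)
    if policy is None:
        return Decision(False, ["unknown-resource"])
    reasons: List[str] = []
    # Identity: the principal is verified again on every request, not once at login.
    if not req.mfa_verified:
        reasons.append("mfa-missing")
    if req.session_age_s > REAUTH_AFTER_S:
        reasons.append("session-stale")
    # Least privilege: the caller must hold a role the resource actually grants.
    if not (req.roles & policy["roles"]):
        reasons.append("role-mismatch")
    # Device posture: a managed device for anything, a patched one for high sensitivity.
    if not req.device_managed:
        reasons.append("device-unmanaged")
    if policy["sensitivity"] == "high" and not req.device_patched:
        reasons.append("device-unpatched")
    # src_network is deliberately not consulted: being on the internal network
    # earns no trust on its own; only the checks above do.
    return Decision(allowed=not reasons, reasons=reasons)


def decision_record(req: Request, decision: Decision) -> str:
    """One JSON line per decision, suitable for feeding an analytics pipeline."""
    record = {
        "user": req.user,
        "resource": req.resource,
        "src_network": req.src_network,
        "allowed": decision.allowed,
        "reasons": decision.reasons,
    }
    return json.dumps(record, sort_keys=True)


# Constructed sample requests (no real users, devices or systems).
SAMPLES = [
    Request("alice", {"finance"}, True, 120, True, True, "external", "payroll-db"),
    Request("bob", {"engineering"}, True, 60, True, True, "corp", "payroll-db"),
    Request("carol", {"finance"}, True, 3600, True, False, "corp", "payroll-db"),
    Request("dave", {"staff"}, False, 10, False, True, "corp", "wiki"),
]


def run_samples() -> List[Decision]:
    return [evaluate(r) for r in SAMPLES]


if __name__ == "__main__":
    for req, d in zip(SAMPLES, run_samples()):
        print(decision_record(req, d))
```

Note that alice, coming from an external network with a verified identity and a compliant device, is allowed, while bob and carol, both on the corporate network, are denied: location contributes nothing, which is the point of “nothing is trusted.”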
Zero-trust is very specific, but it’s also seemingly ubiquitous. Even the White House has made cyber defenses a priority for every federal agency.
“Really, zero-trust is all of us,” said Leslie Beavers, the principal deputy CIO at the Defense Department, on Tuesday.
However, for it to work, zero-trust needs to be defined. And all the players need to be on the same page. That’s something that has happened only recently, said Resnick.
“Industry was all over the map with zero trust,” he said. “Everybody had a ZT solution. Everybody was approaching government employees and purchasers, and people were very, very, very confused in the government.”
So, Resnick’s office put structure around zero-trust. The goal, first and foremost, was to stop adversaries’ exploitation of DoD data, he said. Then, they got to work on a number of foundational documents to lay out goals and plans for achieving them, including the DoD Zero Trust Strategy and Roadmap and the “Overlays” plan.
It was an effort to synchronize the theory and actual approach of zero-trust, but inadvertently, it also influenced other countries’ zero-trust plans and reset industry’s understanding of what DoD needs, Resnick said.
“Without a doubt, I now have conversations with industry that are completely aligned to the DoD zero trust approach,” he said. “We didn’t have this two years ago. It’s a pleasure to have a conversation now, because now we’re all on the same page.”
Now that the level setting has been done, there remains the issue of change management.
The federal workforce, for one, skews older than the private sector. Data from 2022 show that less than 6% of government IT employees are under the age of 30, and 30% are 55 or older. While officials said the Defense Department often has more reliable and robust funding to go after new technology, federal civilian agencies may not, creating an environment where government is at various stages of adoption, and not always willing to embrace change. The pervasiveness of legacy systems also makes change hard, especially when the skills needed differ from the skills available.
Resnick said he has seen the spirit of innovation in leadership, but it’s the mid-tier of the workforce that sometimes pushes back — the “permafrost,” as he calls it.
“They feel threatened because they do the old style of cybersecurity,” he said. “I did it myself; I totally understand. But ... if they haven’t learned now, then [they’re] never going to learn. And so I truly believe it’s a generational thing. We’re going to have to wait them out until they retire out.”
That’s not to say training isn’t happening. Resnick said they worked with Defense Acquisition University to get access for CAC-holders to cyber classes that vary in length and intensity.
He said he sees a gap in industry training for zero-trust and urged members to populate that space.
Molly Weisner is a staff reporter for Federal Times where she covers labor, policy and contracting pertaining to the government workforce. She made previous stops at USA Today and McClatchy as a digital producer, and worked at The New York Times as a copy editor. Molly majored in journalism at the University of North Carolina at Chapel Hill.