DOJ's 3-year roadmap to zero trust

The Department of Justice's identity management team has developed a three-year roadmap to push the department towards a zero trust architecture in line with the White House strategy formally issued last month. 

Kevin Cox, deputy chief information officer of the DOJ and former head of the Cybersecurity and Infrastructure Security Agency's Continuous Diagnostics and Mitigation (CDM) program, detailed the six-step process towards achieving an identity-based zero trust architecture at an event hosted by FCW on Feb. 15.

"We're no longer focused on the physical network, so much as looking at the identity of the user," Cox explained, describing the transition to zero trust as a "major effort" throughout the department "to replace the old way of networking … with a more secure approach focused on the individual."

The DOJ has begun working to ensure its organizations are taking steps outlined in the roadmap and federal zero trust strategy, Cox said, from limiting privileged users and monitoring those with privileged access, to ensuring remote and biometric identity proofing.  

One of the final points in the DOJ's six-step plan is to effectively remove the "static perimeter" while continuously monitoring endpoints. Under the White House zero trust strategy, agencies have until the end of fiscal year 2024 to implement specific zero trust security goals, which include beginning to execute "a plan to break down their perimeters into isolated environments" and taking advantage of cloud security services to monitor access to sensitive data.

Cox noted several initiatives remained underway, including expanding data catalog use and capabilities to maximize zero trust Identity, Credential, and Access Management efforts. The deputy CIO also said the department was still working towards developing a data analytics strategy to support the department's mission and increase data sharing and analysis.