The Department of the Air Force (DAF) Zero Trust (ZT) Functional Management Office (FMO) hosted the “ZT Non-EIT I-Plan 2.0 Summit", “Not-EIT” referring to technologies outside of the Enterprise Information Technology purview, from June 4th to 6th in Arlington, VA. This event brought together 100+ non-EIT stakeholders (in-person and virtually) who have equity in the DAF’s implementation of Zero Trust on Defensive Critical Infrastructure, Weapons Systems, Mission Systems and Operational Technologies.
The DAF ZT FMO shared their recommended approaches to Zero Trust adoption with Mission and Weapons Systems owners and received valuable input to improve these processes. A few of the key takeaways from the categorization exercise were a mindset shift on ownership, continued dialogue within the broader non-EIT communities, and stakeholder feedback on how best to initiate the application of Zero Trust principles to sub implementation plans. In his opening remarks, Director of the ZT FMO, Mr. Justin Stolpman stated the following, “the goal of this Summit is to define an approach for how you would do cybersecurity for your category of system. Let's document that approach on paper so that our PEOs can leverage them as an accelerator to write Zero Trust sub-implementation plans that are system specific.” Over the three-day workshop, attendees separated into breakout sessions to discuss various Zero Trust implementation approaches. Specifically, IP and non-IP based system breakout sessions were hosted each day.
The following organizations were in attendance: 688CW, ACC: (A52K, A6), AETC A6, AF COO, AFAMS/MSR, AFLCMC: (HBMM, HNI), AFMC A6, AFSC/EN, AFSOC A6, AFTAC A6, CROCS, CROWS, Deloitte ZT SME’s, HAF: (A2/6, A10, A3, A4, A8), MIT Lincoln Lab, MITRE, SAF: (AQ/SQ, AA, CA, CN, FM), SCC, SSC and ZTTT/CCC. Moving forward, the DAF ZT FMO will host a monthly I-Plan 2.0 Working Group with the Summit attendees and respective organizations with stake in the effort.
The ZT FMO reinforced the notion of how every stakeholder in the room is “a plank owner,” or a key contributor, to the Zero Trust Implementation Plan 2.0. Pictured below are the 50 in-person “ZT Non-EIT Summit” attendees from across the Defense Critical Infrastructure, Weapon Systems, Mission Systems, and other non-EIT communities. Capt Ryan Fraser, Deputy Director of the ZT FMO, stated, “for the attendees, I hope they are pleasantly surprised by the progress we’ve made and by the efforts that the ZT FMO took to help them write customizable implementation plans, rather than dictate a mandatory approach.” The DAF ZT FMO is not enforcing a specific Zero Trust solution, but rather a broader approach to understand where organizations currently stand in their respective cybersecurity journeys and leaning into their expertise to work together towards DAF Zero Trust readiness. A key resource will be leveraging Authorizing Officials (AOs) to determine within AO boundaries what their priority systems are and what does or does not fit the mold for the recommendations put forth by the ZT FMO. As sub I-Plans are further developed, the ZT FMO will lean on AOs to fully understand acceptable risk, leveraging the tactical knowledge of system owners and operators.
Highlighting the importance of this work, the ZT FMO briefed a recap of the event’s success to Senior Leaders on the virtual “Senior Leader Update Board” at the conclusion of the event. Mr. J. Aaron Bishop, DAF Chief Information Security Officer, provided closing remarks: “I just want to thank everyone for doubling down on the hard work this week,” said Mr. Bishop. “This effort will not only address technical refresh of our infrastructure and delivers new capabilities. It improves the cyber resiliency of our critical infrastructure which we rely on for mission readiness and enables the DAF to provide a more secure and responsive digital environment for our operators.”
Many thanks are owed to the key stakeholders from Weapon Systems, Mission Systems, Defense Critical Infrastructure, Operational Technology, and other non-EIT communities for their engagement and participation during this summit to determine a way forward for the Zero Trust Implementation Plan 2.0. Congress has dictated that components shall provide implementation plans annually signed at the Secretary-level, thus a focal point of the Summit was to gain momentum on the I-Plan 2.0. A draft I-Plan 2.0 is due to DoD CIO on 30 September 2024, and a Secretary of the Air Force’s signature on the document is targeted for January 2025.