Senate NDAA calls for guidance to implement zero trust for ‘military internet of things’ devices

As the Defense Department pursues a sweeping effort to adopt a zero-trust security framework across all of its agencies by 2027, Senate lawmakers are calling for that effort to include “military internet of things” hardware.

The Senate Armed Services Committee on Monday released the full text and report for its version of the National Defense Authorization Act for fiscal year 2025. The committee added a number of zero-trust-related provisions to the bill, which includes cybersecurity provisions. Zero trust is a widely recognized, cloud-based concept that assumes an attacker has already gained access to a network and therefore aims to limit further movement internally by requiring constant monitoring and authentication of users and their devices as they move from one part of a network to another.

Chief among these is a provision that, if passed as is, would require the DOD chief information officer to issue new guidance within 180 days of the bill’s passage that adapts the department’s zero-trust framework for “human-wearable devices, sensors, and other smart technologies” that fall under the so-called military internet of things.

Like traditional IoT hardware, the military IoT typically consists of interconnected, data-rich, sensor-driven devices designed to communicate or share information across a domain in both combat and non-combat environments. While the devices are credited with cheaply improving the military’s ability to perceive and share information (in some cases automatically), they have also led to a proliferation of endpoints that attackers can target for cyberattacks. A 2015 Center for Strategic and International Studies report cited security as “the most significant challenge in implementing IoT across the military.”

The CIO’s guidance will also need to detail the role that identity, credential, and access management technologies will play in the broader zero-trust strategy as applied to the military internet of things.

A Department of Defense strategy signed in 2022 outlines zero trust “target levels,” a minimum set of 91 capability outcomes that DOD agencies and components must meet to secure and protect networks. The Pentagon’s goal was to reach those target levels no later than Sept. 30, 2027, a deadline that the department’s chief information security officer, David McKeown, wants to accelerate.

Senate lawmakers also noted a successful zero-trust pilot called Thunderdome, led by the Defense Information Systems Agency, and the subsequent production contract. In a committee report accompanying the text of the chamber’s 2025 policy bill, the committee urges departmental components to leverage Thunderdome’s success to replace the agency’s previous security model, known as the Joint Regional Security Stack (JRSS), which aimed to unify the department’s attack surface by reducing thousands of network stacks globally to about 25. DISA decided to end that program in 2021.

“The committee is encouraged by the successful prototyping and production engagement for the Thunderdome program, which is expected to scale rapidly across the entire DOD enterprise,” the report said. “To achieve DOD’s stated goals within the stated timelines, the committee believes DOD components should leverage technologies such as Thunderdome that rely on an open supplier selection process and extensive prototyping prior to production. The committee believes such attributes are necessary to ensure upgradability and adaptability over time.”

The provision calls on the DOD CIO and DISA director to brief the congressional armed services committees on progress made with Thunderdome and the transition away from JRSS, “focusing on how the legacy JRSS will include zero-trust compliant continuous trust verification and security auditing regardless of user location or device.”

Written by Billy Mitchell
