2023 Year in Review

Bringing Zero Trust Practices to Army Tactical Networks

The tenets of zero trust cybersecurity remove implicit trust within the network and shift security from network perimeters to network users, assets, and resources. This approach is a set of best practices that were initially focused on enterprise networks. Though the tactical networks of warfighters in the field are very different, these personnel will soon be required to follow zero trust principles. The SEI is helping the U.S. Army prepare to implement zero trust in a tactical environment for the first time.

In late 2022, the Department of Defense (DoD) released its Zero Trust Strategy, which envisions the implementation of a department-wide zero trust cybersecurity framework by fiscal year 2027. The DoD enterprise settings implicated in this strategy have stable infrastructure and network connections, so it is reasonable to authenticate network users, assets, and resources—one of the main zero trust techniques.

In a tactical situation, warfighters are used to pushing a button and having things work. Zero trust is about assessing the risk before you take an action.

Tim Morrow
Situational Awareness Technical Manager and Technical Lead, SEI CERT Division

Soldiers in the field, however, cannot always enter a password or scan their fingerprint. They also often operate in denied, disconnected, intermittent, or limited (D-DIL) network environments, making authentication data difficult to pass. The U.S. Army Program Executive Office (PEO), Command, Control, and Communications – Tactical (C3T) approached the SEI in 2023 for help implementing zero trust principles in its tactical networks.

“In a tactical situation, warfighters are used to pushing a button and having things work,” said Tim Morrow, the SEI’s situational awareness technical manager and technical lead on the Army PEO C3T engagement. “Zero trust is about assessing the risk before you take an action.” Any zero trust implementation must balance additional security against rapid capability.

Because zero trust is a set of institutional practices, it cannot be accomplished by a device or even a single cybersecurity vendor. This reality was highlighted at the 2022 SEI event Zero Trust Industry Days, where vendors proposed zero trust solutions to federal government representatives. This event—plus the SEI’s experience in cybersecurity, software engineering, and defense software acquisition—later helped convince Army PEO C3T leaders that the SEI had the right expertise to research and develop their zero trust implementation.

Morrow and his team are partnering with Georgia Tech Research Institute and Johns Hopkins Applied Physics Laboratory to understand the Army’s current and envisioned enterprise and tactical cyber infrastructure and to determine what the Army needs to develop or acquire to implement zero trust principles. Along with documenting the business drivers, technical drivers, and quality attributes of a future Army combined network, the SEI team has initially developed several mission threads to capture the mission environments and what information and services soldiers in tactical environments might need.

A second SEI team is creating a schema to score the risk of different identity and access management techniques since deployed soldiers cannot always authenticate on the network.

The SEI’s mission engineering approach will help the Army develop the contextual awareness it requires to move from virtual-machine-based applications to cloud services, which will enable an improved understanding of the Army’s cybersecurity needs. This shift further complicates zero trust practices in D-DIL environments, especially when cloud services from multiple providers interact, as with combatant commands directing joint and coalition missions. The SEI is setting up a cloud-agnostic cyber testbed to trial different zero trust concepts.

The SEI’s engagement with the Army PEO C3T is just in its first year, but already the program is planning to open the work to other projects in its division.

 

Photo: U.S. Marines