How the Security Enterprise Agreement on GEMSS Secures the Army
Perimeters have disintegrated. Boundaries have blurred. It's hard to say where a network begins and ends – because it doesn't. BYOD, IoT, APIs and a host of other acronyms have changed the way we compute. And the way we defend our computing … well, castle-and-moat cybersecurity doesn't work when there's no moat.
Modern cybersecurity has to be scalable and flexible. This need is codified in Executive Order (EO) 14028, "Improving the Nation's Cybersecurity," which requires agencies to adopt Zero Trust architectures. In response to this EO, the Cybersecurity Infrastructure Security Alliance (CISA) has provided guidance to help government organizations build security architectures that work reliably, even in dynamic networks.
CISA's guidance stresses the need for Zero Trust architecture. Zero Trust is the current gold standard for the defense of a distributed computing environment, so commands seeking to modernize their network architecture should be evaluating Zero Trust solutions as they plan their journey.
Zero Trust is a network architecture that assumes no user or device can be trusted. Legacy cybersecurity solutions focused solely on controlling access to the network. Defenses were located on the perimeters – but once inside, an entity could move fairly freely.
Bad actors took advantage of this by planning attacks that leveraged lateral movement, where they entered through a weak point, often acquired by stealing credentials from a legitimate user. They then moved deeper into the network in search of valuable information – the payload.
Zero Trust is intended to thwart this technique by wrapping each asset in its own security policy and authenticating every entity before allowing access to the asset. It's similar to visiting the Pentagon. Anyone can get into the lobby, but only some people are badged into the outer offices, fewer into the inner offices, and only the most essential personnel into a SCIF (sensitive compartmented information facility).
Zero Trust is a high-priority initiative in the Army's Digital Modernization Strategy, intended to support dependable mission execution in an environment of escalating cyber threats. The foundation for Zero Trust is already in place, according to Maj. Gen. Matthew Easley, director for cybersecurity and CISO in the office of the Army CIO, but there is still work to be done. The goal, Easley said, "is to develop the capabilities to improve that [foundation], to really be able to use that technology to increase the way we defend our networks."
Zero Trust supports the Army's mission to overmatch in multi-domain battlespaces. It secures data without eroding accessibility, so warfighters and staff can communicate safely and acquire information when they need it, where they need it. Paul Puckett, principal cloud strategy advisor to the CIO/G-6 and other senior Army leaders, said, "In order for us to compete and fight, we need to be able to share data from the foxhole to the enterprise and back." No other security architecture has been able to reliably provide this critical capability.
Commands seeking direction on prioritizing a Zero Trust implementation should look to CISA for guidance.
The CISA Zero Trust Maturity model defines a path to achieving Zero Trust and provides the means to periodically assess progress. In broad terms, organizations should constantly be moving toward automating as much network management as possible, integrating security across the pillars, and implementing dynamic security policy enforcement. The order and extent to which these steps are accomplished will be different for different commands. Still, at a high level, CISA defines three categories of maturity: traditional, advanced and optimal.
Traditional is where everyone was a few years ago – manual configurations, static security policies, inflexible policy enforcement, manual incident response, etc. Manual processes are the source of most breaches and are also extremely inefficient, so commands should be striving to automate as much as possible. As of today, most commands have automated some functions but not all.
The advanced level focuses largely on centralizing management. That's why automation is so important: manual processes tend to record data in spreadsheets, which are then stored in discrete repositories. There is no big picture available. Advanced organizations that have automated a majority of their network functions can centralize the management of visibility, identity control, policy enforcement, and more, which means that insights can be captured, threat trends recognized and decisions made with greater speed.
The pinnacle of maturity is the optimal level. At this stage, full automation is achieved. All policy management is automated. Dynamic, open standards are in use, so interoperability between systems is the norm. And visibility is complete enough to capture point-in-time recollection of state, which speeds the process of forensic investigation, incident response, and mitigation.
In an optimal state of Zero Trust, security is focused on five pillars and how each one accesses information. The five pillars are:
- Identity - Identities are continuously validated and subjected to real-time machine learning analysis.
- Devices - Devices are constantly monitored and validated.
- Network and environments - Networks and environments are set up with micro-perimeters, all traffic is encrypted and machine-enabled threat protection is in effect.
- Application workloads - Application workloads are authorized continuously, and security is integrated into each workload.
- Data - All data is encrypted.
Building a modern network around these five pillars can seem overwhelming at first glance. But the technology and expertise necessary to improve maturity are available to every command through an innovative, pre-paid contract called the Cisco Security Enterprise Agreement (Security EA).
Security EA provides access to software across tech portfolios. It supports financial predictability through a "not to exceed" pricing guarantee and provides access to new software capabilities as they are released. The Security EA also delivers visibility into all licenses procured, deployed, and up for renewal.
Solutions available through Security EA include:
- Cisco Secure Client (formerly AnyConnect) - Secures endpoint access to the enterprise network and apps through multi-factor authentication (MFA), dynamic trust, adaptive authentication, and secure single sign-on (SSO). AnyConnect is managed with other Cisco solutions through a single pane of glass, which supports the CISA advanced maturity level.
- Cisco Identity Services Engine (ISE) - A security policy management solution that delivers visibility into who and what is on the network and enables access control across wired, wireless, VPN and 5G networks. It also provides contextual data that helps identify potential threats and vulnerabilities and can be fed into any security solution offered by Cisco's technology partners.
- Cisco Secure Edge (formerly Umbrella) Roaming - Protects users even when they're off the VPN. This cloud-delivered service provides security without the need to install or manage additional agents. Users are protected from malware, phishing and command-and-control attacks, no matter where they are located.
With Security EA, users get easier budgeting and planning through co-term licensing and usage-based allocation and management. License usage is optimized through the ability to integrate and track sites as renewals arise.
Security EA has a five-year term, a time frame the DoD considers an ambitious but realistic pace for achieving Zero Trust. John Sherman, DoD CIO, said, "the adversary capability we're facing leaves us no choice but to move at that level of pace."
The Army already has contracts in place for Cisco hardware and software, as well as access to a deep bench of Cisco support, consulting and training services.
The Army's portfolio of Cisco software includes DNA Advantage SD-WAN, Switching, Wireless and Secure Remote Worker, all of which are essential technologies for the network segmentation and prioritization at the heart of Zero Trust. Other solutions include Cisco Secure Firewall (formerly Firepower Threat Defense), Secure Network Analytics, Cisco Workload and more. These solutions all work together to support optimal CISA maturity.
Full-time, on-site resources for CONUS and OCONUS, high-touch technical and operations management and triage support are also on tap for Army projects. Army personnel can up their skills through access to Cisco's Digital Learning Library, Cisco Network Academy and Cisco Live.
Security EA is available through the Global Enterprise Modernization Software and Services (GEMSS) agreement, which is a procurement vehicle developed to help the Army meet its network transformation goals.
GEMSS expands Army access to technical services, including unlimited software licenses for Cisco routing, switching, wireless technology and other foundational technologies essential to building Zero Trust architectures.
As a DoD prime contractor, WWT helps Army technology leaders understand what is needed, what is already in their environment and how to implement the next level of maturity by administering GEMSS to support Army needs and goals.
Contact us today to see how we can help you leverage the CISA vision to support your mission.