Senate NDAA bill calls for zero-trust guidelines for ‘military internet of things’ devices

As the Defense Department moves to implement an enterprise-wide zero-trust security framework by 2027, Senate lawmakers want to make sure “internet of military things” equipment is included.

The Senate Armed Services Committee on Monday released the full text and report of its version of the National Defense Authorization Act for Fiscal Year 2025, which includes a series of cybersecurity provisions related to zero trust. Zero trust is a widely accepted cloud-based concept that assumes an adversary has already gained access to a network, and therefore seeks to limit further movement within it by requiring constant monitoring and authentication of users and their devices as they move from one part of the network to another.

A key provision, if adopted in its current form, would require the Defense Department’s chief information officer to issue new guidance within 180 days of the bill’s enactment, adapting the Zero Trust Principles to the “wearable devices, sensors, and other intelligent technologies” that make up the so-called Military Internet of Things.

Like traditional IoT hardware, the military IoT typically consists of interconnected, data-rich, sensor-driven devices designed to communicate or share information across the domain, both in and out of combat. While these devices are credited with cost-effectively increasing the military’s ability to sense and share information—some of it automated—they have also led to a proliferation of endpoints that adversaries can use to launch cyberattacks. A 2015 Center for Strategic and International Studies report called security “the single most important challenge to military IoT deployment.”

The CIO’s guidance will also require detailed information on the role that identity, authentication, and access management technologies will play in the broader zero trust strategy applied to the military IoT.

The Defense Department’s strategy, signed in 2022, outlines Zero Trust “target levels,” which are a minimum set of 91 capability outcomes that DOD agencies and components must meet to secure and protect networks. The Pentagon’s goal was to achieve those target levels by Sept. 30, 2027, at the latest — a deadline that David McKeown, the department’s chief information security officer, wants to accelerate.

Senate lawmakers also noted a successful zero trust pilot and subsequent production contract led by the Defense Information Systems Agency called Thunderdome. In a committee report accompanying the text of the House version of the fiscal 2025 policy bill, the committee calls on department components to build on the success of Thunderdome to replace the agency’s previous security model known as the Joint Regional Security Stacks (JRSS), which aimed to consolidate the department’s attack surface by reducing thousands of network stacks worldwide to about 25. DISA decided to begin phasing out that program in 2021.

“The committee is encouraged by the successful prototyping and production agreement for the Thunderdome program, which is expected to rapidly scale across the DOD enterprise,” the report states. “To achieve the stated goals within the stated DOD timeframes, the committee believes that DOD components should leverage technologies such as Thunderdome, which are based on an open vendor selection process and comprehensive prototyping prior to production. The committee believes that such attributes are essential to ensure the ability to be updated and adapted over time.”

The rule calls on the Department of Defense CIO and the DISA Director to brief the House Armed Services Committee on the progress of Thunderdome and the transition away from JRSS, “with particular emphasis on how the legacy JRSS will include zero trust for continuous trust verification and security controls, regardless of a user’s location or device.”

Written by Billy Mitchell

Billy Mitchell is Senior Vice President and Editor-in-Chief of Scoop News Group’s Editorial Brands. He oversees operations, strategy, and growth for award-winning technology publications SNG, FedScoop, StateScoop, CyberScoop, EdScoop, and DefenseScoop. Before joining Scoop News Group in early 2014, Billy spent a year immersed in the Washington, DC, tech startup scene as a tech reporter at InTheCapital, now known as DC Inno. After earning a degree from Virginia Tech and winning the Excellence in Print Journalism award, Billy earned an MFA in magazine writing from New York University, while interning at publications such as Rolling Stone.