Zero Trust Identity

ID: A23-009 • Type: SBIR / STTR Topic

Description

OUSD (R&E) CRITICAL TECHNOLOGY AREA(S): Advanced Computing and Software

OBJECTIVE: Determine the level of risk when a person uses a personal device to access Army resources (i.e., Bring Your Own Device (BYOD)) in accordance with Zero Trust principles.

DESCRIPTION: As per NIST 800-207, one of the basic tenets of Zero Trust is: "Access to resources is determined by dynamic policy including the observable state of client identity, application/service, and the requesting asset and may include other behavioral and environmental attributes."

When the requesting asset is an approved managed device, the security and trustworthiness of the device can be determined using one of the many agents that are already installed on the asset and are used to control the asset configuration. In a Bring Your Own Device (BYOD) scenario, the device is not managed by the Army and the state and trustworthiness of the asset are unknown. Additionally, people are highly reluctant to install monitoring software (e.g., agents) on their personal device to allow the Army to determine the state of the device. Without an understanding of the state of the device, the device is considered untrustworthy and is prevented from accessing Army resources.

This results in the Army having to purchase, provide, manage and maintain equipment (e.g., laptops, mobile phones, etc.) for people to access Army resources. This cost grows very large when considering the large quantity and variety of users, such as active-duty military, guard, reserves, civilians and contractors, that utilize Army resources.

The purpose of this SBIR is to research and develop innovative ways to determine the trustworthiness of a personal device without requiring software to be installed on the device. A solution to this problem would enable any user to utilize personal devices, such as mobile devices and personal computers, to access Army resources, while still providing the Army with a dynamic risk analysis that helps protect Army resources from being accessed from untrustworthy devices.

PHASE I: Determine the feasibility of the proposed solution. The solution should describe in detail the approach to be used for determining the trustworthiness of the device without installing software on the device. The solution should also describe the technical challenges, the risks and how they will be mitigated, and any dependencies that are required for the solution to work. The approach should be designed with open architecture and industry standards and protocols in mind.

PHASE II: Develop the solution outlined in Phase I. Demonstrate the solution determining the trustworthiness of a BYOD (specific device information will be provided after award). The demonstration should include the ability for the observers to determine how the level of trustworthiness for a given device was measured (e.g., what specific device factors were used to determine the level of trustworthiness of the device, any configuration data used in the decision, and how that data was mapped to a level of trustworthiness).

PHASE III DUAL USE APPLICATIONS: Expand the solution to enable determining trust on additional devices (example information will be provided after award). The demonstration in Phase II is expected to utilize a small number of trust factors, so in Phase III the solution should be enhanced to include additional trust factors for the types of devices supported in Phase II.

REFERENCES:
1. NIST Special Publication 800-207, Zero Trust Architecture. https://csrc.nist.gov/publications/detail/sp/800-207/final
2. DOD Zero Trust Reference Architecture v2.0. https://dodcio.defense.gov/Portals/0/Documents/Library/(U)ZT_RA_v2.0(U)_Sep22.pdf

KEYWORDS: ZERO TRUST, DEVICE, RISK, TRUST, BYOD, CYBERSECURITY

Overview

Response Deadline
June 14, 2023 Past Due
Posted
April 19, 2023
Open
May 17, 2023
Set Aside
Small Business (SBA)
Place of Performance
Not Provided

Program
SBIR Phase I / II
Structure
Contract
Phase Detail
Phase I: Establish the technical merit, feasibility, and commercial potential of the proposed R/R&D efforts and determine the quality of performance of the small business awardee organization.
Phase II: Continue the R/R&D efforts initiated in Phase I. Funding is based on the results achieved in Phase I and the scientific and technical merit and commercial potential of the project proposed in Phase II. Typically, only Phase I awardees are eligible for a Phase II award.
Duration
6 Months - 1 Year
Size Limit
500 Employees
On 4/19/23, the Department of the Army issued SBIR / STTR Topic A23-009 for Zero Trust Identity, due 6/14/23.
