
DoD Zero Trust Strategy Explained (TL;DR Version)

Warfare is no longer limited to the physical battlefield. As government agencies depend more on IT infrastructure – and, increasingly, the cloud – for essential operations, they’re becoming more vulnerable to individual hackers, cyberterrorists, and even state-sanctioned cyber attacks. On the heels of President Joe Biden’s Executive Order (EO) 14028, the memo recommending Zero Trust Architecture to protect US government computers, the US Department of Defense (DoD) issued its own Department of Defense Zero Trust Strategy. Published in October 2022, the DoD Zero Trust Strategy addresses the rapid growth of cyber threats and the need for an enhanced cybersecurity framework.

The DoD recognizes the persistent threat from known and unknown malicious actors. The People’s Republic of China and other state-sponsored and individual actors have successfully breached the DoD’s cyber-perimeter. As recently as February 2023, internal US military emails containing information on special operations were exposed to anyone with internet access. While there is no evidence that these emails were hacked, the exposure underscores the need to reduce the attack surface and lock down DoD servers.

In January 2022, the DoD established its DoD Zero Trust Portfolio Management Office (ZT PfMO) to implement the strategy and accelerate Zero Trust adoption. The DoD Zero Trust Strategy is the first of its kind for the DoD. The strategy document is not meant to be used as a solution architecture. Instead, it shapes how the DoD and its Components will design, implement, and iterate on their Zero Trust architectures to thwart cyber adversaries.

What Is DoD Zero Trust Strategy?

The DoD Zero Trust Strategy is a comprehensive cybersecurity approach requiring the entire DoD to adopt and integrate Zero Trust capabilities, technologies, solutions, and processes. It extends beyond IT and requires DoD Components to address Zero Trust with their staffing, training, and professional development processes. Zero Trust assumes no implicit trust is granted to assets or users based on their physical or network location or asset ownership.

Strategic context

Warfare depends on secure, interoperable information systems, and Zero Trust supports and strengthens the missions that rely on them. The outcomes and actions from the DoD Zero Trust Strategy must be applied to all military multi-domain operations, including cyber, space, air, land, and sea, and must support and protect business assets. As cyber threats evolve, the DoD is adopting a coordinated, defensive response that is adaptive, flexible, and agile.

DoD Zero Trust Strategic Vision

The DoD Zero Trust Strategy looks five years into the future, where the risk-based Zero Trust Framework it has implemented is preventing increasingly sophisticated attacks. Zero Trust is integrated into the five key cybersecurity functions: Identify, Protect, Detect, Respond, and Recover. Any attempts to deny, degrade, disrupt, deceive, or destroy information systems are mitigated.

DoD Zero Trust Strategic Outcomes

With the DoD Zero Trust Strategy, the DoD realizes several significant benefits. It is better able to execute missions because it can:

  • Allow users to access required data from any authorized and authenticated device, fully secured.
  • Secure and protect information systems that facilitate the DoD’s evolution into a more agile, mobile, cloud-supported workforce.
  • Reduce attack surface risk profiles.
  • Remediate threats to cloud, artificial intelligence, and command, control, communications, computers, and intelligence.
  • Effectively contain, mitigate, and remediate damage when a device, network, user, or credential is compromised.
  • Include consistent, aligned, and effectively resourced capabilities for advanced cybersecurity operations.
  • Recover rapidly from attacks.

DoD Zero Trust Approach

To accelerate adoption, the DoD Zero Trust Strategy includes key assumptions, principles, and pillars that guide executing the strategy. The pillars create a framework for the DoD and its components to build a Zero Trust organization and align current and future Zero Trust efforts, investments, and initiatives across the entire DoD.

Strategic assumptions

The DoD Zero Trust Strategy relies on eight core assumptions to drive planning. These are:

  • Complex security threats persist and require ongoing corrective action.
  • Culture must be addressed, not just technology.
  • Modernization requires rethinking how existing infrastructure is utilized.
  • Collaboration with global and industry partners is increasingly important.
  • Zero Trust requires concurrent enterprise and mission owner implementation.
  • Real-time, risk-based response is imperative as threats become more complex.
  • Legacy IT remains a challenge.
  • Leadership and operator buy-in are a must for a successful Zero Trust strategy.

Strategic principles

The DoD also lays out strategic principles to serve as guardrails or parameters when leadership makes decisions regarding implementation and execution. These include:

  • Mission-oriented to allow for both hybrid work and location-agnostic access to collaborate, work, and execute missions.
  • Organizational principles that presume a breach and segment access to limit the “blast radius,” and that incorporate Zero Trust across all elements of Doctrine, Organization, Training, materiel, Leadership and Education, Personnel, Facilities, and Policy (DOTmLPF-P).
  • Governance to simplify and automate, and to never trust, always verify explicitly before granting access.
  • Technical principles that provide the least amount of privilege, scrutinize and analyze behavior, align architecture with Zero Trust design tenets, and reduce complexity.

DoD Zero Trust pillars

The DoD Zero Trust Strategy defines seven pillars that provide the foundation for the DoD Zero Trust Security Model and the DoD Zero Trust Architecture. These are:

  • Users
  • Devices
  • Applications and Workloads
  • Data
  • Network and Environment
  • Automation and Orchestration
  • Visibility and Analytics

DoD Zero Trust Strategic Goals and Objectives

The goals and objectives defined in the DoD Zero Trust Strategy address the cultural, technological, and environmental requirements for successfully adopting and implementing Zero Trust. They are:

Goal 1: Zero Trust cultural adoption

All DoD personnel know, understand, commit to, and are trained to embrace Zero Trust throughout the organization.

Goal 2: DoD information systems secured and defended

The DoD and its components apply Zero Trust principles to all new and legacy systems. All components will achieve the target-level outcomes by the end of 2027.

Goal 3: Technology acceleration

Zero Trust-based technologies deploy at the same pace or faster than industry advancements. All DoD systems are secured and defended quickly and effectively with up-to-date technologies.

Goal 4: Zero Trust enablement

Processes, policies, and funding are aligned to ensure the Zero Trust framework is cemented across the DoD. It is sustainable and built into adjacent, complementary, synergistic DoD technology, information security, and budgeting.

DoD Zero Trust Execution Approach

To ensure the DoD Zero Trust Strategy takes hold, the DoD created a multi-pronged approach to address people, processes, resources, governance, risk management, and technology. It is designed to plug solution gaps and implement a Zero Trust framework across the entire DoD.

High-Level capability roadmap

The DoD’s Zero Trust Capability Roadmap lays out how the DoD envisions Zero Trust being implemented across the organization and outlines dependencies and interdependencies. It also provides a general timeline to achieve outcomes.

Resourcing & acquisition

Appropriately managing and procuring Zero Trust resources is part of the DoD’s Zero Trust Strategy.

Resourcing

The DoD takes a multi-pronged approach for each organization within the DoD so that they can appropriately identify and prioritize new and existing resources to execute the Zero Trust Strategy. The DoD works with its Components to address shortfalls and guide resource priorities.

Acquisition

The acquisition strategy is meant to align with the DoD’s priority to build a resilient defense ecosystem. The DoD CIO coordinates identifying and determining what assets will be acquired at the enterprise level but leaves overall management and oversight of technology development, acquisition, and product support to individual components.

Measurement and metrics

The DoD plans to use specific, qualitative, and quantitative metrics to measure its progress toward achieving its Zero Trust goals. These help determine the status and effectiveness of the Zero Trust implementation and are used to validate system and network security. Each component is required to contribute data to support the analysis of the systems.

Governance

Zero Trust falls under the existing DoD CIO committee structure. The primary responsibility for technical and strategic direction lies within the DoD Cyber Council.

Quick Summary of the DoD Zero Trust Strategy

Cybersecurity is a moving target, and the DoD intends to adapt and refine its Zero Trust Strategy to mitigate ever-evolving cyber threats. Coordinated efforts of the entire defense ecosystem are required to achieve the goals and objectives of the Strategy. The DoD must pursue the strategic goals laid out in the DoD Zero Trust Strategy as an enterprise, and it has already made significant inroads in cybersecurity. Ongoing and open communication and coordination, along with proper funding and resourcing, will be key to the success of the strategy.

How StrongDM Helps Organizations Adopt Zero Trust Strategy

Zero Trust requires that organizations shift from reacting to incidents to proactively preventing them. One StrongDM client, Better, could detect suspicious behavior in real time and respond faster to incidents. Better also achieved peace of mind by logging every query and permission change. If something fishy occurred, such as a user query from an unknown location, the user could immediately be suspended before any real damage could be done.
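The detection described above, as an added example that is not StrongDM's code or Better's configuration: every query and permission change is written to an audit log, each user's source locations during a learning window become that user's baseline, and a later query from a location outside the baseline suspends the account pending review. The pipe-delimited log format, the user names, and the country-code locations are constructed for the example; the baseline is deliberately not updated after the cutoff so that a flagged location never becomes "known".

```python
"""Baseline-and-deviation check over an access audit log (added example)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class AuditEvent:
    ts: datetime
    user: str
    action: str       # "query" or "permission_change"
    location: str     # constructed: country of the source address
    detail: str


# Constructed sample log, one event per line: ts|user|action|location|detail
SAMPLE_LOG = """\
2024-03-01T09:00:00|alice|query|US|SELECT count(*) FROM orders
2024-03-01T09:30:00|bob|query|US|SELECT * FROM customers LIMIT 10
2024-03-02T10:00:00|alice|query|US|SELECT * FROM orders WHERE id = 42
2024-03-02T11:00:00|bob|permission_change|US|granted read on customers
2024-03-03T08:00:00|alice|query|US|SELECT * FROM orders WHERE id = 43
2024-03-03T08:02:00|alice|permission_change|US|granted write on orders
2024-03-03T08:05:00|bob|query|BR|SELECT * FROM customers
2024-03-03T08:10:00|bob|query|BR|SELECT * FROM customers WHERE vip = 1
2024-03-03T09:00:00|carol|query|US|SELECT 1
"""


def parse_line(line: str) -> AuditEvent:
    """Parse one log line; the detail field may itself contain '|'."""
    ts, user, action, location, detail = line.split("|", 4)
    return AuditEvent(datetime.fromisoformat(ts), user, action, location, detail)


def build_baseline(events, cutoff):
    """Locations each user was seen from before the cutoff (learning window)."""
    known = defaultdict(set)
    for e in events:
        if e.ts < cutoff:
            known[e.user].add(e.location)
    return known


def review(log_text: str, cutoff_iso: str) -> dict:
    """Replay events after the cutoff against the learned per-user baseline."""
    events = sorted((parse_line(l) for l in log_text.splitlines() if l.strip()),
                    key=lambda e: e.ts)
    cutoff = datetime.fromisoformat(cutoff_iso)
    # Baseline is frozen here: activity after the cutoff never extends it,
    # so an attacker's location cannot launder itself into "known".
    known = build_baseline(events, cutoff)
    alerts, permission_changes, suspended = [], [], set()
    for e in events:
        if e.ts < cutoff:
            continue
        if e.action == "permission_change":
            permission_changes.append(e)      # always recorded for review
        if e.user in suspended:
            alerts.append({"ts": e.ts, "user": e.user,
                           "reason": "blocked_while_suspended"})
            continue
        # known[e.user] is an empty set for a user with no history, so a
        # brand-new account is treated as unknown too: verify explicitly.
        if e.action == "query" and e.location not in known[e.user]:
            suspended.add(e.user)
            alerts.append({"ts": e.ts, "user": e.user, "location": e.location,
                           "reason": "unknown_location"})
    return {"alerts": alerts, "permission_changes": permission_changes,
            "suspended": suspended}


if __name__ == "__main__":
    for alert in review(SAMPLE_LOG, "2024-03-03T00:00:00")["alerts"]:
        print(alert)
```

Running the block suspends bob on his first query from BR, records his next query as blocked, and suspends carol because she has no learned baseline at all; alice's post-cutoff permission change is kept in the review list without triggering an alert.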

🕵 Learn how Better.com uses StrongDM to adopt Zero Trust access.

StrongDM helps organizations adopt a Zero Trust architecture in even more ways. To learn more about how you can implement Zero Trust within your own organization, watch our Zero Trust: Access Edition Webinar.


About the Author

, Chairman of the Board, began working with startups as one of the first employees at Cross Commerce Media. Since then, he has worked at the venture capital firms DFJ Gotham and High Peaks Venture Partners. He is also the host of Founders@Fail and author of Inc.com's "Failing Forward" column, where he interviews veteran entrepreneurs about the bumps, bruises, and reality of life in the startup trenches. His leadership philosophy: be humble enough to realize you don’t know everything and curious enough to want to learn more. He holds a B.A. and M.B.A. from Columbia University. To contact Schuyler, visit him on LinkedIn.

