Warfare is no longer limited to the physical battlefield. As government agencies depend more on IT infrastructure – and, increasingly, the cloud – for essential operations, they’re becoming more vulnerable to individual hackers, cyberterrorists, and even state-sanctioned cyber attacks. On the heels of President Joe Biden’s Executive Order (EO) 14028, the memo recommending Zero Trust Architecture to protect US government computers, the US Department of Defense (DoD) issued its own Department of Defense Zero Trust Strategy. Published in October 2022, the DoD Zero Trust Strategy addresses the rapid growth of cyber threats and the need for an enhanced cybersecurity framework.
The DoD recognizes the persistent threat from known and unknown malicious actors. The People’s Republic of China and other state-sponsored and individual actors have successfully breached the DoD’s cyber-perimeter. Even as recently as February 2023, internal US military emails containing information on special operations were exposed to anyone with internet access. While there is no evidence that these emails were hacked, it does underscore the need to reduce the attack surface and lock down DoD servers.
In January 2022, the DoD established its Zero Trust Portfolio Management Office (ZT PfMO) to implement the DoD Zero Trust Strategy and accelerate Zero Trust adoption. The DoD Zero Trust Strategy is the first of its kind for the DoD. The strategy document is not meant to be used as a solution architecture. Instead, it shapes how the DoD and its Components will design, implement, and iterate their Zero Trust architectures to thwart cyber adversaries.
What Is the DoD Zero Trust Strategy?
The DoD Zero Trust Strategy is a comprehensive cybersecurity approach requiring the entire DoD to adopt and integrate Zero Trust capabilities, technologies, solutions, and processes. It extends beyond IT and requires DoD Components to address Zero Trust with their staffing, training, and professional development processes. Zero Trust assumes no implicit trust is granted to assets or users based on their physical or network location or asset ownership.
Strategic context
Because warfare depends on secure, interoperable information systems, Zero Trust supports and enhances military missions. The outcomes and actions from the DoD Zero Trust Strategy must be applied to all military multi-domain operations, including cyber, space, air, land, and sea, and must support and protect business assets. As cyber threats evolve, the DoD is adopting a coordinated, defensive response that is adaptive, flexible, and agile.
DoD Zero Trust Strategic Vision
The DoD Zero Trust Strategy envisions a state five years out in which the risk-based Zero Trust framework it has implemented prevents increasingly sophisticated attacks. Zero Trust is integrated into the five key cybersecurity functions: Identify, Protect, Detect, Respond, and Recover. Any attempts to deny, degrade, disrupt, deceive, or destroy information systems are mitigated.
DoD Zero Trust Strategic Outcomes
With the DoD Zero Trust Strategy, the DoD realizes several significant benefits. It is better able to execute missions because it can:
- Allow users to access required data from any authorized and authenticated device, fully secured.
- Secure and protect information systems that facilitate the DoD’s evolution into a more agile, mobile, cloud-supported workforce.
- Reduce attack surface risk profiles.
- Remediate threats to cloud, artificial intelligence, and command, control, communications, computers, and intelligence.
- Effectively contain, mitigate, and remediate damage when a device, network, user, or credential is compromised.
- Include consistent, aligned, and effectively resourced capabilities for advanced cybersecurity operations.
- Recover rapidly from attacks.
DoD Zero Trust Approach
To accelerate adoption, the DoD Zero Trust Strategy includes key assumptions, principles, and pillars that guide executing the strategy. The pillars create a framework for the DoD and its components to build a Zero Trust organization and align current and future Zero Trust efforts, investments, and initiatives across the entire DoD.
Strategic assumptions
The DoD Zero Trust Strategy relies on eight core assumptions to drive planning. These are:
- Complex security threats persist and require ongoing corrective action.
- Culture must be addressed, not just technology.
- Modernization requires rethinking how existing infrastructure is utilized.
- Collaboration with global and industry partners is increasingly important.
- Zero Trust requires concurrent enterprise and mission owner implementation.
- Real-time, risk-based response is imperative as threats become more complex.
- Legacy IT remains a challenge.
- Leadership and operator buy-in are a must for a successful Zero Trust strategy.
Strategic principles
The DoD also lays out strategic principles to serve as guardrails or parameters when leadership makes decisions regarding implementation and execution. These include:
- Mission-oriented to allow for both hybrid work and location-agnostic access to collaborate, work, and execute missions.
- Organizational principles that presume a breach and segment access to limit the “blast radius” and incorporate Zero Trust across all elements of Doctrine, Organization, Training, materiel, Leadership and Education, Personnel, Facilities, and Policy (DOTmLPF-P).
- Governance to simplify and automate, and to never trust, always verify explicitly before granting access.
- Technical principles that provide the least amount of privilege, scrutinize and analyze behavior, align architecture with Zero Trust design tenets, and reduce complexity.
DoD Zero Trust pillars
The DoD Zero Trust Strategy defines seven pillars that provide the foundation for the DoD Zero Trust Security Model and the DoD Zero Trust Architecture. These are:
- Users
- Devices
- Applications and Workloads
- Data
- Network and Environment
- Automation and Orchestration
- Visibility and Analytics
DoD Zero Trust Strategic Goals and Objectives
The goals and objectives defined in the DoD Zero Trust Strategy address the cultural, technological, and environmental requirements for successfully adopting and implementing Zero Trust. They are:
Goal 1: Zero Trust cultural adoption
All DoD personnel know, understand, commit to, and are trained to embrace Zero Trust throughout the organization.
Goal 2: DoD Information systems secured and defended
The DoD and its components apply Zero Trust principles to all new and legacy systems. All components will achieve the target-level outcomes by the end of 2027.
Goal 3: Technology acceleration
Zero Trust-based technologies deploy at the same pace or faster than industry advancements. All DoD systems are secured and defended quickly and effectively with up-to-date technologies.
Goal 4: Zero Trust enablement
Processes, policies, and funding are aligned to ensure the Zero Trust framework is cemented across the DoD. It is sustainable and built into adjacent, complementary, synergistic DoD technology, information security, and budgeting.
DoD Zero Trust Execution Approach
To ensure the DoD Zero Trust Strategy takes hold, the DoD created a multi-pronged approach to address people, processes, resources, governance, risk management, and technology. It is designed to plug solution gaps and implement the Zero Trust framework across the entire DoD.
High-level capability roadmap
The DoD’s Zero Trust Capability Roadmap lays out how the DoD envisions Zero Trust being implemented across the organization and outlines dependencies and interdependencies. It also provides a general timeline to achieve outcomes.
Resourcing & acquisition
Appropriately managing and procuring Zero Trust resources is part of the DoD’s Zero Trust Strategy.
Resourcing
The DoD takes a multi-pronged approach for each organization within the DoD so that each can appropriately identify and prioritize new and existing resources to execute the Zero Trust Strategy. The DoD works with its Components to address shortfalls and guide resource priorities.
Acquisition
The acquisition strategy is meant to align with the DoD’s priority to build a resilient defense ecosystem. The DoD CIO coordinates identifying and determining what assets will be acquired at the enterprise level but leaves overall management and oversight of technology development, acquisition, and product support to individual components.
Measurement and metrics
The DoD plans to use specific, qualitative, and quantitative metrics to measure its progress toward achieving its Zero Trust goals. These help determine the status and effectiveness of the Zero Trust implementation and are used to validate system and network security. Each component is required to contribute data to support the analysis of the systems.
Governance
Zero Trust falls under the existing DoD CIO committee structure. The primary responsibility for technical and strategic direction lies within the DoD Cyber Council.
Quick Summary of the DoD Zero Trust Strategy
Cybersecurity is a moving target, and the DoD Zero Trust Strategy aims to adapt and refine its Strategy to mitigate ever-evolving cyber threats. Coordinated efforts of the entire defense ecosystem are required to achieve the goals and objectives of the Strategy. The DoD must pursue the strategic goals laid out in the DoD Zero Trust Strategy as an enterprise, and it has already made significant inroads in cybersecurity. Ongoing and open communication and coordination, along with proper funding and resourcing, will be key to the success of the strategy.
How StrongDM Helps Organizations Adopt Zero Trust Strategy
Zero Trust requires that organizations shift from reacting to incidents to proactively preventing them. One StrongDM client, Better, was able to detect suspicious behavior in real time and respond faster to incidents. Better also achieved peace of mind by logging every query and permission change. If something fishy occurred, such as a user query from an unknown location, the user could be suspended immediately, before any real damage could be done.
🕵 Learn how Better.com uses StrongDM to adopt Zero Trust access.
StrongDM helps organizations adopt a Zero Trust architecture in even more ways. To learn more about how you can implement Zero Trust within your own organization, watch our Zero Trust: Access Edition Webinar.
About the Author
Schuyler Brown, Chairman of the Board, began working with startups as one of the first employees at Cross Commerce Media. Since then, he has worked at the venture capital firms DFJ Gotham and High Peaks Venture Partners. He is also the host of Founders@Fail and author of Inc.com's "Failing Forward" column, where he interviews veteran entrepreneurs about the bumps, bruises, and reality of life in the startup trenches. His leadership philosophy: be humble enough to realize you don’t know everything and curious enough to want to learn more. He holds a B.A. and M.B.A. from Columbia University. To contact Schuyler, visit him on LinkedIn.