The U.S. Department of Defense (DoD) has released its Zero Trust Strategy and Roadmap, a guiding document designed to aid the department’s implementation of a Zero Trust security architecture by 2027.
According to the department, the strategy “envisions a DoD Information Enterprise secured by a fully implemented, Department-wide Zero Trust cybersecurity framework that will reduce the attack surface, enable risk management and effective data-sharing in partnership environments, and quickly contain and remediate adversary activities.”
The document outlines four high-level and integrated strategic goals that define how the DoD will achieve its vision, including cultural adoption, incorporating and operationalizing Zero Trust, deploying Zero Trust-based technologies equal to or exceeding industry advancements, and integrating with department- and component-level processes, policies and funding.
In the document, the DoD says its IT systems are constantly under wide-scale and persistent attacks from both known and unknown malicious actors, including threat actors supporting China and other U.S. adversaries. The department suggests it needs a more robust cybersecurity framework that facilitates informed, risk-based decisions and eliminates the traditional idea of perimeters and trusted networks, devices, personas or processes.
The document provides guidance for vendors on 45 separate capabilities and 152 total activities, as well as key strategic and execution milestones for each year until 2027.
In a blog post, Microsoft applauded the DoD for releasing its formal Zero Trust strategy, saying it comes at a critical time as nation-state attacks increase.
While other U.S. departments and agencies have been embarking on similar Zero Trust initiatives, the DoD’s strategy seeks to unify efforts to achieve a stronger defense posture, says Steve Faehl, federal security chief technology officer at Microsoft, in the blog.
Collaboration on Zero Trust can be challenging because of different implementation methods and technology stacks across organizations, Faehl says.
“However, the level of detail found in the DoD’s strategy provides a vendor-agnostic, common lens to evaluate the maturity of a variety of existing and planned implementations that were derived from the DoD’s unique insights into cyberspace operations,” Faehl says. “Furthermore, the DoD’s shift from a compliance and controls-based approach to an outcomes-focused methodology—meaning the job is done when the adversary stops, not just when the controls are in place—stands out as a best practice not seen elsewhere to this extent.”