
News | Nov. 29, 2022

DOD Releases Path to Cyber Security Through Zero Trust Architecture

By C. Todd Lopez, DOD News

WASHINGTON -- The Defense Department on Tuesday released its Zero Trust Strategy and Roadmap, which spells out how it plans to move beyond traditional network security methods to achieve reduced network attack surfaces, enable risk management and effective data-sharing in partnership environments, and contain and remediate adversary activities over the next five years.

"Zero trust is a framework for moving beyond relying on perimeter-based cybersecurity defense tools alone and basically assuming that breach has occurred within our boundary and responding accordingly," David McKeown, the department's acting chief information officer, said.

McKeown said the department has spent a year now developing the plans to get the department to a zero trust architecture by fiscal year 2027. Included in that effort was development of a Zero Trust Portfolio Management Office, which stood up earlier this year.

"With the publication of this strategy we have articulated the 'how' that can address clear outcomes of how to get to zero trust — and not only accelerated technology adoption, as discussed, but also a culture of zero trust at DOD and an integrated approach at the department and the component levels."

Getting the Defense Department to reach the goals laid out in the Zero Trust Strategy and Roadmap will be an "ambitious undertaking," McKeown said.

Ensuring that work gets done will largely be the responsibility of Randy Resnick, who serves as the director of the Zero Trust Portfolio Management Office.

"With zero trust, we are assuming that a network is already compromised," Resnick said. "And through recurring user authentication and authorization, we will thwart and frustrate an adversary from moving through a network and also quickly identify them and mitigate damage and the vulnerability they may have exploited."


Resnick explained the difference between a zero trust architecture and security on the network today, which assumes a level of trust for anybody already inside the network.

"If we compare this to our home security, we could say that we traditionally lock our windows and doors and that only those with the key can gain access," he said. "With zero trust, we have identified the items of value within the house and we place guards and locks within each one of those items inside the house. This is the level of security that we need to counter sophisticated cyber adversaries."

The Zero Trust Strategy and Roadmap outlines four high-level and integrated strategic goals that define what the department will do to achieve that level of security. These include:

  • Zero Trust Cultural Adoption — All DOD personnel understand and are aware, trained, and committed to a zero trust mindset and culture to support integration of zero trust.
  • DOD Information Systems Secured and Defended — Cybersecurity practices incorporate and operationalize zero trust in new and legacy systems.
  • Technology Acceleration — Technologies deploy at a pace equal to or exceeding industry advancements.
  • Zero Trust Enablement — Department- and component-level processes, policies, and funding are synchronized with zero trust principles and approaches.

Resnick said development of the Zero Trust Strategy and Roadmap was done in collaboration with the National Security Agency, the Defense Information Systems Agency, the Defense Manpower Data Center, U.S. Cyber Command and the military services.

The department and its partners worked together to develop a total of 45 capabilities and more than 100 activities derived from those capabilities, many of which the department and components will be expected to be involved in as part of successfully achieving baseline, or "target level," compliance with zero trust architecture within the five-year timeline, Resnick said.

"Each capability, the 45 capabilities, resides either within what we're calling 'target,' or 'advanced' levels of zero trust," he said. "DOD zero trust target level is deemed to be the required minimum set of zero trust capability outcomes and activities necessary to secure and protect the department's data, applications, assets and services, to manage risks from all cyber threats to the Department of Defense."

Across the department, every agency will be expected to comply with the target level implementation outlined in the Zero Trust Strategy and Roadmap. Only a few might be expected to achieve the more advanced level.

"If you're a national security system, we may require the advanced level for those systems," McKeown said. "But advanced really isn't necessary for literally every system out there. We have an aggressive goal getting to 'targeted' by 2027. And we want to encourage those who have a greater need to secure their data to adopt this advanced level."

Resnick said achieving the target level of zero trust isn't equivalent to a lower standard for network security.

"We defined target as that level of ability where we're actually containing, slowing down or stopping the adversary from exploiting our networks," he said. "Compared to today, where an adversary could do an attack and then go laterally through the network, frequently under the noise floor of detection, with zero trust that's not going to be possible."

By 2027, Resnick said, the department will be better poised to prevent adversaries from attacking the DOD network and to minimize damage if an attack does occur.

"The target level of zero trust is going to be that ability to contain the adversary, prevent their freedom of movement, from not only going laterally but being able to even see the network, to enumerate the network, and to even try to exploit the network," he said.

If later on more is needed, he said, the requirements for meeting the target level of compliance can be adjusted.

"Target will always remain that level to which we're seeing and stopping the adversary," he said. "And for the majority of the DOD, that's really our goal."
