U.S. DoD Releases Zero Trust Strategy and Roadmap — November 22, 2022
DoD’s 2022 Zero Trust Strategy mandates 45 capabilities and FY2027 outcomes, requiring components and contractors to align governance, architectures, and outcome metrics across zero trust pillars.
Executive briefing: On 22 November 2022 the U.S. Department of Defense (DoD) released its Zero Trust Strategy and Capability Execution Roadmap, setting a goal to achieve targeted zero trust outcomes by FY2027 across all DoD Information Systems. The strategy defines 45 capabilities across seven pillars—users, devices, networks/environment, applications/workloads, data, visibility and analytics, and automation/orchestration—and outlines capability maturity stages. DoD components and defense industrial base partners must align architectures, governance, and testing to meet mandated outcomes.
Strategic objectives
The strategy seeks to:
- Contain adversary access by moving from perimeter defenses to continuous identity-based access control.
- Improve cyber resilience and incident response by leveraging automation and analytics.
- Enable secure data sharing and mission execution across classified and unclassified environments.
- Ensure accountability for zero trust implementation through metrics and oversight.
The roadmap divides capabilities into “target” and “advanced” levels, specifying outcomes such as continuous multi-factor authentication, dynamic access, microsegmentation, and automated response.
Governance and oversight
DoD components must establish governance structures:
- Zero Trust Portfolio Management Office (PMO): Coordinate implementation, funding, and capability roadmaps.
- Senior leadership accountability: CIOs and Component CISOs must report progress to the DoD Chief Information Officer and Cybersecurity Maturity Model Certification (CMMC) governance bodies.
- Policies and standards: Update DoD Instructions (DoDIs), Security Technical Implementation Guides (STIGs), and component policies to embed zero trust requirements.
- Acquisition alignment: Ensure contracts include zero trust requirements, performance metrics, and reporting obligations.
Outcome testing should measure governance effectiveness, including budget alignment and milestone completion.
Technical capabilities
The strategy emphasises:
- Identity and access management: Continuous authentication, attribute-based access control, and insider threat detection.
- Device security: Device inventory, compliance checks, and automated quarantine.
- Network/environment: Microsegmentation, software-defined perimeters, and encrypted traffic inspection.
- Application and workload security: DevSecOps practices, container security, and runtime protections.
- Data security: Data tagging, attribute-based access, encryption, and data loss prevention.
- Visibility and analytics: Centralised logging, user and entity behavior analytics (UEBA), and threat hunting.
- Automation and orchestration: SOAR tools, policy-as-code, and automated response playbooks.
Implementation requires integrating existing DoD programs like Joint Regional Security Stacks, Cloud One, and Platform One with zero trust capabilities.
Outcome measurement
The roadmap identifies performance metrics such as:
- Percentage of users covered by continuous multi-factor authentication.
- Time to detect and respond to anomalous behavior.
- Coverage of device compliance monitoring across endpoints.
- Number of applications integrated with zero trust policy enforcement points.
- Reduction in lateral movement during red team exercises.
Components must report metrics via the Zero Trust Portfolio Management Office and adjust investments accordingly.
Implementation roadmap
- FY2023: Establish governance, baseline capabilities, and pilot zero trust architectures. Integrate identity, device, and network controls in priority environments.
- FY2024–FY2025: Expand capabilities across data, visibility, and automation pillars. Conduct outcome testing via cyber exercises and continuous monitoring.
- FY2026–FY2027: Achieve target outcomes across the enterprise, integrate advanced capabilities, and transition to continuous improvement.
Defense industrial base contractors supporting DoD programs should align with strategy expectations, leveraging CMMC Level 2/3 controls and zero trust principles.
Sources
- DoD Zero Trust Strategy (2022)
- DoD Zero Trust Capability Execution Roadmap
- OMB M-21-31 (Improving the Federal Government’s Investigative and Remediation Capabilities)
- DoD zero trust public resources
- DoD Digital Modernization Strategy
Zeph Tech assists DoD components and defense contractors in aligning architectures, governance, and analytics with the Zero Trust Strategy, ensuring measurable progress toward FY2027 outcomes.
Budgeting and acquisition planning
Achieving zero trust outcomes requires sustained investment. Components should align Planning, Programming, Budgeting, and Execution (PPBE) cycles with capability gaps identified in the roadmap. Contracting officers need to include zero trust requirements in solicitations, leveraging Other Transaction Authority (OTA) or rapid acquisition pathways where appropriate. Tracking obligations versus capability delivery helps leadership adjust funding priorities.
Outcome testing might include variance analyses between planned and actual spending, as well as metrics tracking procurement cycle times for zero trust technologies.
Training and workforce development
The strategy emphasises workforce readiness. Components should develop training curricula for cybersecurity analysts, network engineers, and mission owners. Certifications such as DoD 8140/8570 baselines, cloud security credentials, and DevSecOps training support capability deployment. Measuring training completion rates, skill assessments, and retention helps ensure personnel can operate zero trust architectures.
Collaboration with mission partners
Zero trust must extend to joint, coalition, and industry partners. Components should establish cross-domain solutions and federation agreements that enforce attribute-based access across partners. Exercises like Cyber Flag and regional tabletop events can validate interoperability. Recording lessons learned and adjusting policies supports continuous improvement.
Metrics governance
Accurate reporting requires a metrics governance framework that defines data sources, calculation methods, and ownership for each zero trust indicator. Components should create a metrics catalogue aligned with the roadmap, assign stewards, and schedule periodic validation. Independent verification by internal audit or third-party assessors can increase confidence in reported progress.
Outcome testing should assess metric accuracy by sampling underlying logs, identity records, or device compliance data. Discrepancies should trigger remediation plans and updates to automation workflows.
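As an added illustration of the metrics governance described above (example code, not from the strategy, the roadmap or any DoD program), the block below holds a small catalogue for two roadmap indicators with a named steward and shared calculation method, computes them from constructed identity and device records, and then independently recomputes each from the underlying records to flag discrepancies that should trigger remediation. Record field names, steward roles and the tolerance are assumptions.

```python
from dataclasses import dataclass
import random
# Constructed sample records (not real DoD data); field names are assumptions.
SOURCES = {
    "identity_store": [{"user": "u1", "continuous_mfa": True},
                       {"user": "u2", "continuous_mfa": True},
                       {"user": "u3", "continuous_mfa": False},
                       {"user": "u4", "continuous_mfa": True}],
    "device_inventory": [{"device": "d1", "compliance_monitored": True},
                         {"device": "d2", "compliance_monitored": False},
                         {"device": "d3", "compliance_monitored": True},
                         {"device": "d4", "compliance_monitored": False}],
}

@dataclass(frozen=True)
class Metric:
    """Catalogue entry: indicator, authoritative source, owner, calculation input."""
    name: str
    source: str   # key into SOURCES
    steward: str  # accountable owner (assumed role name)
    field: str    # record field whose truth satisfies the indicator

# Two roadmap indicators; steward roles are assumptions for this example.
CATALOGUE = [
    Metric("users_continuous_mfa_pct", "identity_store", "Identity program lead", "continuous_mfa"),
    Metric("endpoints_compliance_monitored_pct", "device_inventory", "Endpoint program lead", "compliance_monitored"),
]

def coverage(records, field):
    """Shared calculation method: percentage of records with the field set."""
    return round(100.0 * sum(1 for r in records if r.get(field)) / max(len(records), 1), 2)

def compute_metrics(sources):
    """Steward-side computation from the full authoritative record sets."""
    return {m.name: coverage(sources[m.source], m.field) for m in CATALOGUE}

def validate_reported(reported, sources, tolerance_pct, sample_size=None, seed=0):
    """Recompute each indicator from the records (a reproducible sample if asked); return findings beyond tolerance."""
    findings = []
    for m in CATALOGUE:
        records = sources[m.source]
        if sample_size:  # independent check reads underlying records, not the reported figure
            records = random.Random(seed).sample(records, min(sample_size, len(records)))
        observed = coverage(records, m.field)
        claimed = reported.get(m.name, 0.0)
        if abs(claimed - observed) > tolerance_pct:
            findings.append({"metric": m.name, "steward": m.steward, "reported": claimed,
                             "observed": observed, "action": "open remediation plan"})
    return findings
```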
Case study insight
A combatant command piloting zero trust integrated identity, endpoint, and network telemetry into a unified data lake. By applying analytics to detect anomalous behaviour, the command reduced incident response times by 40% and cut lateral movement during exercises. Documented lessons—including the need for data normalisation and cross-team collaboration—were shared across the DoD CIO community, demonstrating how iterative delivery supports the FY2027 targets.
Components should also coordinate with the Defense Industrial Base Cybersecurity Program to ensure suppliers adopt compatible zero trust controls, particularly when accessing government networks. Supplier assessments and contract clauses should reference the strategy’s objectives.
Periodic mission rehearsals should incorporate zero trust failure scenarios, such as compromised credentials or degraded telemetry feeds, to validate contingency plans.
Metrics should be shared with mission owners to align cyber investments with operational priorities. Shared dashboards can help component commanders see cyber dependencies for mission plans. Publishing success stories across the department encourages adoption and knowledge sharing. Regular maturity assessments should validate progress against the roadmap’s target and advanced states. Reporting should flag blockers requiring CIO intervention. Progress briefings should integrate feedback from cyber mission forces.