DoD ZTExecutionRoadmap

DoD Zero Trust Capability
Execution Roadmap (COA 1)

15 November 2022
There is one destination (ZT) with many
paths (COAs) – COA 1 will be the focus
Focus of this Briefing Under Development
COA 1 COA 2 COA 3

ZT Baseline Commercial Cloud Private Cloud
▪ Leverages current infrastructure and ▪ Relies on commercial provider(s) to develop ZT ▪ Government Owned/Operated high-
environment using Brownfield approach compliant cloud environments using Greenfield performance Native ZT Cloud (NZTC) using
▪ Zero Trust “on the ground” modernization: ~ 5+ approach Greenfield approach
yr. (FYDP beginning FY23) Implementation ▪ Achieves DoD ZT quicker than COA-1 ▪ Achieves DoD ZT quicker than COA-1
Plan
▪ Mandate would be to achieve DoD ZT “Target” ▪ Achieves immediate DoD ZT “Advanced” level
▪ Establishes set capabilities and activities level, at a minimum by design, which needs to be independently
needed to achieve Target and Advanced-levels
of Zero Trust ▪ Provides standardized tools and capabilities to validated
support ZT execution
▪ No constraints on tools or methods to
accomplish ZT
2
Zero Trust by 2027
Over the last several months, the ZT Portfolio Management Office (PfMO) has worked to establish the capabilities
necessary to successfully accomplish Zero Trust, and laid them out on a roadmap for execution across the DoD
with the following method:
Define Understand and Develop and Refine
Contextualize
Producing a common lexicon

on capability descriptions,
outcomes, and impact statements,
activity outcomes, and providing Multiple iterations resulted in
Realizing the relationships and
appropriate references were the one primary COA, opportunities
dependencies helped to drive
necessary first steps for acceleration with cloud, and
timeline development
other considerations supporting
an executable plan
The resulting plan supports the execution of Zero Trust across the DoD to the required level by FY2027
3
The Concept of COA 1
This stage was primarily about defining “WHAT” the DoD needed to do execute ZT – agnostic of COAs
ser
Device
A lication and
or load
Data
etwor and
nvironment
Automation
rchestration
isibilit
Anal tics
Target evel ZT Advanced ZT
With this methodology, one iteration emerged What follows are layers of analysis and
as the final timeline explanation to support the detailed execution of
the plan over time
*Timelines and activity durations did account for high-level research-based considerations around these critical elements
Other Considerations – More to Come*

Limited development could be done in these areas until ZT capabilities were defined and mapped out
Budget and Acquisition – Capabilities were spread out over time with these concerns in mind, but will require much deeper considerations at the
capability and activity level
Technical Implementation – Defines “how” to accom lish ZT – COA 1 is about allowing organizations to choose their own methods. COA 2 /3 will
better address this. More guidance is coming on controls associated with capabilities, and implementation strategies
4
Table of Contents
1 COA 1: Recommendations and Other Relevant Timelines

2 Timeline Development and Methodology
3 Key Communications
Appendices
Appendix A: COA 1 Timeline Details (DoD Baseline)

Appendix B: Accelerated DoD Baseline Timeline Details
Appendix C: Capability Definitions
5
COA 1
Recommendations
and Other Relevant
Timelines
6
After multiple iterations, this timeline is
now “COA 1 (DoD Baseline)”
ser
Device
A lication and
or load
Data
etwor and
nvironment
Automation
rchestration
isibilit
Anal tics
Balances an aggressive a roach to achieving “Target evel ZT” b FY27 with the DoD Budget C cle
by distributing activities over the FYDP and setting Department-Wide expectations
See Appendix A for methodology 7

Other timelines provide amplifying points
and support additional PfMO analysis
ser
Device
A lication and
or load
Data
etwor and
nvironment
Automation
rchestration
isibilit
Anal tics
DoD Accelerated Baseline:

see s to achieve “Advanced ZT” more quic l Forward/backward Pass Projections:
with a more aggressive approach that pushes assess the likely achievement date of Target
start dates to the left as much as possible; this and Advanced ZT levels based on risk,
accelerated approach is included as an duration standard deviations, and cloud
example for organizations seeking to achieve employment
“advanced ZT” more quic l
See Appendix B for methodology
8
Timeline
Development and
Methodology
Note: “Execution Enablers” as referenced in the following slides are cross-cutting, non-technical capabilities and activities that address culture, governance, and elements of DOTmLPF-P (e.g., ZT Training, etc.) that
support the design, development and deployment of the ZT Capabilities required to achieve the DoD Target and Advanced Levels. Details regarding supporting enablers will be further refined and integrated into next
versions of the DoD ZT Capability Roadmap and addressed in implementation plans. Enablers identified to-date include: ZT Awareness & Culture, Adaptive Implementation Governance, ZT Policy Framework, ZT
Training, and others.
9
Note: Click on each Capability Title for details
DoD Zero Trust Capabilities

Device Application & Network & Automation & Visibility &
User Data
Workload Environment Orchestration Analytics
1.1 User Inventory 4.1 Data Catalog Risk 6.1 Policy Decision Point 7.1 Log All Traffic (Network,
2.1 Device Inventory 3.1 Application Inventory 5.1 Data Flow Mapping
Assessment (PDP) & Policy Orchestration Data, Apps, Users)
1.2 Conditional User 2.2 Device Detection and 3.2 Secure Software 4.2 DoD Enterprise Data 5.2 Software Defined 6.2 Critical Process 7.2 Security Information and
Access Compliance Development & Integration Governance Networking (SDN) Automation Event Management (SIEM)
1.3 Multi-Factor 2.3 Device Authorization with 3.3 Software Risk 4.3 Data Labeling and 7.3 Common Security and
Authentication Real Time Inspection Tagging 5.3 Macro Segmentation 6.3 Machine Learning
Management Risk Analytics
1.4 Privileged Access 3.4 Resource Authorization & 4.4 Data Monitoring and 7.4 User and Entity Behavior
2.4 Remote Access 5.4 Micro Segmentation 6.4 Artificial Intelligence
Management Integration Sensing Analytics
1.5 Identity Federation & 2.5 Partially & Fully Automated 3.5 Continuous Monitoring 4.5 Data Encryption & Rights 6.5 Security Orchestration, 7.5 Threat Intelligence
User Credentialing Asset, Vulnerability and Patch and Ongoing Authorizations Management Automation & Response Integration
Management (SOAR)
2.6 Unified Endpoint
1.6 Behavioral, Contextual 4.6 Data Loss Prevention 7.6 Automated Dynamic
Management (UEM) & Mobile 6.6 API Standardization
ID, and Biometrics (DLP) Policies
Device Management (MDM)
1.7 Least Privileged 2.7 Endpoint & Extended 6.7 Security Operations
Access Detection & Response (EDR & 4.7 Data Access Control Center (SOC) & Incident
XDR) Response (IR)
1.8 Continuous
Authentication
1.9 Integrated ICAM

Platform
EXECUTION Leadership &

Doctrine Organization Training Material Personnel Facilities Policy
ENABLERS Education
V1.0 as of 10/04/2022 10
Capabilities, Activities, and their dependencies
were identified and aligned to ZT Levels
Capabilities Activities and Level Predecessor and Successor
Conditional User Access
Relationships
1.1 User Inventory Activity Level
1.2.1 App Based
ZT Target
Permissions per Enterprise
1.2 Conditional User
1.2.2 Rule Based Dynamic
Access ZT Target
Access Pt1
1.2.3 Rule Based Dynamic
1.3 Multi-Factor Advanced ZT
Access Pt2
Authentication 1.2.4 Enterprise Gov't roles
Advanced ZT
and Permissions Pt1
1.4 Privileged Access 1.2.5 Enterprise Gov't roles
Advanced ZT
Management and Permissions Pt2
Cross-pillar Capability
Capabilities break down into activities with associated ZT Levels to Dependencies
better support appropriate sequencing and recognize predecessor,
successor relationships
Pillar and Cross-Pillar Activity
Dependencies
ZT Target Level = All DoD organizations must achieve this level

Advanced ZT = Certain organizations must reach this level based on system and information sensitivity
11
Timelines were developed by fixing the
activities to a set starting point
All DoD organizations are expected to achieve ZT Target Level by 2027
Set Starting Point – If capabilities are laid out over time

starting at 2023 and with all Target levels completed by 2027
Activities & Durations – Each activity has time duration
assigned. Durations were calculated using a DELPHI method
employing three teams to determine the required level of
effort. The durations were laid out over time based on the
dependency relationships established
12
Multiple timelines were generated for
analysis
1 .
The capabilities and activities, plus their associated durations, ZT Target designations,
and sequencing dependencies were entered into an MS Project File (attached)
The initial outcomes were mapped to visualize

when pillars would achieve the ZT Target levels
MS Project File
2
Activity dependencies were re-evaluated, resulting

in an updated timeline to achieve ZT Target Levels
3 ser
Device
Dates are calculated start and finish from the activity A lication and
or load
level through the pillar level Data
etwor and
nvironment
Automation
rchestration
isibilit
Anal tics
Leveling activity distribution over FYs resulted in

COA 1 and supported further acceleration efforts
13
Each pillar has an associated timeline
broken down into activities
Pillar-Capability Timelines
MS Project File
Each Pillar-Capability Timeline is structured based on the dependency relationships (at the
activity level) and ZT execution levels as detailed in the attached MS Project document
Activity dates are recommendations and not intended to serve as a formal requirement
14
Key Communications
15
Note: Click on each Capability Title for details
DoD Zero Trust Capabilities

Device Application & Network & Automation & Visibility &
User Data
Workload Environment Orchestration Analytics
1.1 User Inventory 4.1 Data Catalog Risk 6.1 Policy Decision Point 7.1 Log All Traffic (Network,
2.1 Device Inventory 3.1 Application Inventory 5.1 Data Flow Mapping
Assessment (PDP) & Policy Orchestration Data, Apps, Users)
1.2 Conditional User 2.2 Device Detection and 3.2 Secure Software 4.2 DoD Enterprise Data 5.2 Software Defined 6.2 Critical Process 7.2 Security Information and
Access Compliance Development & Integration Governance Networking (SDN) Automation Event Management (SIEM)
1.3 Multi-Factor 2.3 Device Authorization with 3.3 Software Risk 4.3 Data Labeling and 7.3 Common Security and
Authentication Real Time Inspection Tagging 5.3 Macro Segmentation 6.3 Machine Learning
Management Risk Analytics
1.4 Privileged Access 3.4 Resource Authorization & 4.4 Data Monitoring and 7.4 User and Entity Behavior
2.4 Remote Access 5.4 Micro Segmentation 6.4 Artificial Intelligence
Management Integration Sensing Analytics
1.5 Identity Federation & 2.5 Partially & Fully Automated 3.5 Continuous Monitoring 4.5 Data Encryption & Rights 6.5 Security Orchestration, 7.5 Threat Intelligence
User Credentialing Asset, Vulnerability and Patch and Ongoing Authorizations Management Automation & Response Integration
Management (SOAR)
1.6 Behavioral, Contextual 4.6 Data Loss Prevention 7.6 Automated Dynamic
Management (UEM) & Mobile 6.6 API Standardization
ID, and Biometrics (DLP) Policies
Device Management (MDM)
1.7 Least Privileged 2.7 Endpoint & Extended 6.7 Security Operations
Access Detection & Response (EDR & 4.7 Data Access Control Center (SOC) & Incident
XDR) Response (IR)
1.8 Continuous
Authentication
1.9 Integrated ICAM

Platform
EXECUTION Leadership &

Doctrine Organization Training Material Personnel Facilities Policy
ENABLERS Education
V1.0 as of 10/04/2022 16
The 45 Capabilities support Target Level
and Advanced ZT
Many capabilities have multiple activities that span from target to advanced – Accomplishment of “ZT Target
Level” and “Advanced ZT” will be determined at the Activity level
17
Zero Trust Target evel Advanced Zero Trust
ser nventor
octrine 7 east rivileged Access
rganization
raining
ateriel
eadershi ducation
ersonnel 2 5 artiall Full Automated Asset
acilities ulnerabilit and atch Mgmt
olic
2 nified nd oint Management M Mobile
Device Management MDM
A lication nventor
7 og Data Catalog oftw are is

All is Alignment Management
Traffic
5 Data
Machine Flow 2 DoD nter rise
7 Common earning Ma ing Data overnance
ecurit is
Anal tics
5 Macro
7 5 Threat egmentation
ntelligence
ntegration A tandardization
5 Continuous Monitoring and

ngoing Authorizations
7
Automated
D namic Artificial
olicies ntelligence
ZT Ca abilities in bold font and dis la ed on the ZT Target

line contain activities s anning both Target and Advanced ZT
as of 2 22
18
Zero Trust Target evel Advanced Zero Trust
A Based ermission ule Based D namic Access
m lement stem and Mitigate t 2 nter rise oles and
ser nventor ule Based D namic Access t rivileged sers t 2 ermissions t 2
nter rise oles and
rganizational MFA D
ermissions t Alternative Fle ible MFA t 2
octrine m lement stem and Mitigate rivileged sers t nter rise dentit ife
C cle
Alternative Fle ible MFA
rganization rganization dentit ife
C cle Management Management t eal Time A rovals
t
Device el Tool a T A Anal tics t 2
raining Den ser b Default olic eal Time A rovals T A
Anal sis m lement BA Tooling
ateriel ntegrate e t en ingle Authentication Anal tics t nter rise dentit ife
C cle
eadershi ducation A Tools with C2C nter rise dentit ife
C cle Management t
Device eriodic Authentication Management t 2
ersonnel nder Management
ser Activit Monitoring t ser Activit Monitoring t 2
acilities Data Den Device b Default olic nter rise D t
olic Anal sis m lement DM or equivalent tools Continuous Authentication t
D nter rise D t 2
nforcement oint nter rise Device Management t Continuous Authentication t 2
olic m lement D Tools ntegrate w C2C nter rise D t
Define ogging and nter rise D t
nventor
ranular Anal sis D M m lement Asset ulnerabilit and atch Management Tools m lement C2C Com liance Based
Develo ment
Control Access nforcement etwor Authorization t
cale Tas ules oint ogging A lication Code nter rise D t 2
ConsiderationsAutomation Anal sis olicies t m lement A Control F M Tools
and Anal sis dentification m lement C2C Com liance Based
es onse Define esource Authorization t Managed and imited BY D T u ort etwor Authorization t 2
Automation Anal sis D A s BuildDev ec s oftware Factor t
nter rise Device Management t 2 ntit Activit Monitoring t
Tool Com liance Define Data Tagging A roved Binaries Code
Anal sis tandards m lement D Tools ntegrate w C2C t Full ntegrate Device ecurit tac w C2C
ulnerabilit Management rogram t ntit Activit Monitoring
m lement Data Tagging
Define ranular DC esource Authorization t nter rise t t 2
og arsing Classification Tools
rganization Access Control Access ules esource Authorization t 2
olicies t 2 File Activit Monitoring t Managed and Full BY D T u ort t
Asset D Alert rofile m lement D M and Build Dev ec s oftware m lement D Tools ntegrate w C2C t 2
Correlation m lement A Tools m lement D rotection Tools t Factor t 2 nter rise t 2
Threat Alerting tandardized A Calls rogramable nfrastructure m lement nforcement oints Automate A lication ecurit
t chemas t Datacenter Macro Code emediation t
egmentation ulnerabilit Management
m lement or flow nrichment t ntero erabilit tandards Managed and Full
m lement Micro egmentation rogram t 2
Anal tics Tools Develo D olic BY D T u ort t 2
Continual alidation
Manual Data Tagging t nrich Attributes for esource
C ber Threat DC esource Authorization
File Activit Monitoring t 2 Authorization t
ntelligence rogram t t2
m lement D M and rotection Tools t 2 nrich Attributes for esource
D nforcement via Data Tags and Anal tics t Authorization t 2
Automate A lication
ntegrate DAA Access w D olic t Continuous Authorization to erate
og Anal sis egment Flows into Control ecurit Code
D M nforcement via Data Tags and Anal tics t AT t emediation t 2
nter rise ecurit Management and Data lanes
Threat Alerting t 2 ntegrate D olution s Manual Data
rofile t
ser Device Baselines BC Macro egmentation olic w nter rise D t Tagging t 2
nter rise ntegration or flow DatabaseActivit Monitoring T A Micro egments
stablish ser Baseline rovisioning t Automated Data Tagging u ort t
A lication Device Micro egmentation D M nforcement via Data Tags and Anal tics t 2
Behavior m lement Data Tagging D nforcement via Data Tags and Anal tics t 2 Continuous Authorization to
Baseline rofiling t Classification M Tools rotect Data n Transit ntegrate DAA Access wD olic t 2 erate AT t 2
C ber Threat tandardized A Calls chemas t 2 ntegrate D olution s olic w
etwor Asset nter rise D t 2
ntelligence rogram t 2 or flow nrichment t 2 Discover timization ntegrate D Tool and or integrate with Automated Data
eal Time Access D M Tool t Tagging u ort t 2
Decisions Com rehensiveData Activit Monitoring
rocess Micro D M nforcement via Data Tags and Anal tics t
Threat Alerting t
nter rise ecurit rofile t 2 segmentation D nforcement via Data Tags and Anal tics t
Baseline rofiling t 2
nter rise ntegration or flow ntegrate DAA Access wD olic t
BA Baseline u ort t
BA Baseline u ort t 2
rovisioning t 2
m lement A Automation Tool
ntegrate D Tool and or
integrate with D M Tool t 2
Once capabilities are broken out into
or flow nrichment t
activities, ZT Target Level and
A driven b Anal tics decides A modifications
Advanced ZT provide a much more
A enabled etwor Access m lement la boo s definitive path to execution.
A enabled D namic Access Control Automated or flows
ZT Activities are grou ed as either Target or Advanced

ersion As of 2 22
19
COA 1 (DoD Baseline) achieves Target
Level ZT by the end of FY27
▪ Assumes a start date of FY23;

▪ It provides a baseline roadmap
ser
for a stakeholder who has not
yet commenced efforts in
Device
developing ZT;
▪ Stakeholders who have
A lication and
or load achieved activities on the
roadma can “move ahead”;
Data ▪ Does not proscribe specific
solutions to achieving the
etwor and activities required;
nvironment
▪ It allows for some buffer in
Automation Target ZT achievement date to
rchestration the stated goal (end of FY27) if
delays occur.
isibilit
Anal tics
20
Appendix A: COA 1
Timeline Details (DoD
Baseline)
Note 1: The timeline depicted is meant to show how activities may be sequenced to achieve Target Level ZT by the end of FY27 as proscribed in the DoD Zero Trust Strategy; these activity durations are meant to serve as
estimates for planning purposes only
Note 2: The DoD Zero Trust Capability Roadmap described in the High-Level Capability Roadmap section below provides a guide to follow for the DoD baseline course of action (COA). Additionally, to accelerate Zero
Trust adoption, the Department is considering several additional complementary COAs including commercial and Government-owned cloud-based enterprise services
Back to Table of Contents 21

COA 1 (DoD Baseline) Timeline Estimates
ser
Device
A lication and
or load
Data
etwor and
nvironment
Automation
rchestration
isibilit
Anal tics
V1.0 as of 10/04/2022 = Target Level ZT = Advanced ZT

22
User (1 of 2) – COA 1
Capability FY23 FY24 FY25 FY26 FY27 FY28 FY29 FY30 FY31 FY32
1.1 User Inventory Inventory Users
App-Based Permission
Per Enterprise
Rule Based Dynamic Access
Pt. 1
Rule Based Dynamic
1.2 Conditional User Access Access Pt. 2
Enterprise Roles and Permissions Pt. 1
Organizational MFA/IDP
1.3 Multifactor Authentication Alternative Flexible MFA
1.0 User
(MFA) Pt. 1
Alternative Flexible
MFA Pt. 2
Implement System and Mitigate Privileged Users Pt. 1
1.4 Privileged Access Implement System and Mitigate Privileged Users Pt. 2
Management (PAM) Real time Approvals & JIT/JEA Analytics Pt. 1
Real time Approvals & JIT/JEA Analytics Pt. 2
Organization Identity Life-cycle Management
1.5 Identify Federation & User Enterprise Identity Life-cycle Management Pt. 1
Credentialing Enterprise Identity Life-cycle Management Pt. 2
Enterprise Identity Life-cycle Management Pt. 3
Implement UEBA and UAM Tooling

1.6 Behavioral, Contextual ID, User Activity Monitoring Pt. 1
and Biometrics
User Activity Monitoring Pt. 2
= Target Level ZT = Advanced ZT

23
User (2 of 2) – COA 1
1.7 Least Privileged Access Deny User by Default Policy

1.0 User
Single Authentication
Periodic Authentication
1.8 Continuous Authentication Continuous
Authentication Pt. 1
Continuous
Enterprise PKI/IDP Pt. 1
1.9 Integrated ICAM Platform Enterprise PKI/IDP Pt. 2


24
Device (1 of 2) – COA 1
Device Health Tool Gap Analysis

NPE/PKI Device Under
Management
2.1 Device Inventory Enterprise IDP Pt.
1
Enterprise
IDP Pt. 2
2.2 Device Detection and Implement C2C/Compliance Based Network Authorization Pt. 1
Compliance Implement C2C/Compliance Based Network Authorization Pt. 2
Integrate Next Gen AV
Tools with C2C
Implement Application
2.0 Device
Control & FIM Tools

Entity Activity Monitoring
Pt. 1
2.3 Device Authorization w/ Real Entity Activity Monitoring
Time Inspection Pt. 2
Fully Integrate Device Security Stack w/ C2C as appropriate
Enterprise PKI Pt. 1

Enterprise PKI
Pt. 2
Deny Device by
Default Policy
Managed and Limited BYOD & IOT Support
2.4 Remote Access
Managed and Full BYOD & IOT Support Pt. 1
Managed and Full BYOD & IOT
Support Pt. 2
2.5 Partially & Fully Automated
Asset, Vulnerability and Patch Implement Asset, Vulnerability and Patch Management Tools
Management

25
Device (2 of 2) – COA 1
2.0 Device
Implement UEDM or equivalent Tools

Management (UEM) & Mobile Enterprise Device Management Pt. 1
Device Management (MDM) Enterprise Device Management Pt. 2
2.7 Endpoint & Extended Implement Endpoint Detection & Response (EDR) Tools & Integrate w / C2C
Detection & Response (EDR & Implement Extended Detection & Response (XDR) & Integrate w / C2C Pt. 1
XDR) Implement Extended Detection & Response (XDR) & Integrate w / C2C Pt. 2

26
Application and Workload – COA 1
Application / Code Identification

3.1 Application Inventory Resource Authorization Pt. 1
Resource Authorization Pt. 2
3.0 Application and Workload
Build DevSecOps Software Factory Pt. 1
3.2 Secure Software Build DevSecOps Software Factory Pt. 2

Development & Integration Automate Application Security & Code Remediation Pt. 1
Automate Application Security & Code Remediation Pt. 2
Approved Binaries / Code
Vulnerability Management Program Pt. 1

3.3 Software Risk Management
Continual Validation
SDC Resource Authorization Pt. 1

3.4 Resource Authorization &
Enrich Attributes for Resource Authorization Pt. 1
Integration
REST API Micro-Segments
3.5 Continuous Monitoring and Continuous Authorization to Operate (ATO) Pt. 1

Ongoing Authorizations Continuous Authorization to Operate (ATO) Pt. 2

27
Data (1 of 2) – COA 1
4.1 Data Catalog Risk Alignment Data Analysis
Define Data Tagging Standards

4.2 DoD Enterprise Data
Interoperability Standards
Governance
Develop Software Defined Storage (SDS) Policy
Implement Data Tagging & Classification Tools
Manual Data Tagging Pt. 1

Manual Data Tagging
4.3 Data Labeling and Tagging Pt. 2
Automated Data Tagging & Support Pt. 1
4.0 Data
DLP Enforcement Point Logging and Analysis

DRM Enforcement Point Logging and Analysis
File Activity Monitoring Pt. 1
4.4 Data Monitoring and Sensing
Database Activity Monitoring
Comprehensive Data Activity Monitoring
Implement DRM and Protection Tools Pt. 1

4.5 Data Encryption & Rights DRM Enforcement via Data Tags and Analytics Pt. 1
Management
DRM Enforcement via Data Tags and Analytics Pt. 2

28
Data (2 of 2) – COA 1
Implement Enforcement Points
DLP Enforcement via Data Tags and Analytics Pt. 1

4.6 Data Loss Prevention (DLP)
4.0 Data
Integrate DAAS Access w/SDS Policy Pt. 1

4.7 Data Access Control Integrate SDS Solution(s) and Policy with Enterprise IDP Pt. 1
Integrate SDS Solution(s) and Policy with Enterprise IDP Pt. 2
Implement SDS Tool and/or integrate with DRM Tool Pt. 1

29
Network and Environment – COA 1
Define Granular Control Access Rules & Policies Pt. 1

5.1 Data Flow Mapping
5.0 Network & Environment
Define SDN APIs
Implement SDN Programmable Infrastructure

5.2 Software Defined Networking Segment Flows into Control, Management, and Data Planes
(SDN)
Network Asset Discovery & Optimization
Real-Time Access
Decisions
Datacenter Macro Segmentation
5.3 Macro Segmentation
B/C/P/S Macro Segmentation
Implement Micro segmentation

Application & Device Micro segmentation
5.4 Micro Segmentation
Process Micro segmentation
Protect Data In Transit

30
Automation & Orchestration – COA 1
Policy Inventory & Development
6.1 Policy Decision Point (PDP) Organization Access Profile
& Policy Orchestration Enterprise Security Profile Pt. 1

Enterprise Security Profile Pt. 2
6.0 Automation & Orchestration
Task Automation Analysis
6.2 Critical Process Automation Enterprise Integration & Workflow Provisioning Pt. 1
Enterprise Integration & Workflow Provisioning Pt. 2
6.3 Machine Learning Implement Data Tagging & Classification ML Tools
Implement AI Automation Tools

6.4 Artificial Intelligence
AI Driven by Analytics decides A&O Modifications
Response Automation Analysis

6.5 Security Orchestration,
Implement SOAR Tools
Automation & Response (SOAR)
Implement Playbooks
Tool Compliance Analysis
6.6 API Standardization Standardized API Calls & Schemas Pt. 1

Standardized API Calls & Schemas Pt. 2
Workflow Enrichment Pt. 1
6.7 Security Operation Center Workflow Enrichment Pt. 2
(SOC) & Incident Response (IR) Workflow Enrichment Pt. 3
Automated Workflow

31
Visibility & Analytics – COA 1
Scale Considerations
7.1 Log All Traffic (Network, Log Parsing
Data, Apps, Users)
Log Analysis
Asset ID & Asset Correlation

7.0 Visibility & Analytics
Threat Alerting Pt. 1

7.2 Security Information and Threat Alerting Pt. 2
Event Management (SIEM)
User/Device Baselines
7.3 Common Security and Risk Implement Analytics Tools
Analytics Establish User Baseline Behavior
Baseline & Profiling Pt. 1
7.4 User and Entity Behavior Baseline & Profiling Pt. 2
Analytics (UEBA) UEBA Baseline Support Pt. 1
UEBA Baseline Support Pt. 2
7.5 Threat Intelligence Cyber Threat Intelligence Program Pt. 1

Integration Cyber Threat Intelligence Program Pt. 2
AI-enabled Network Access

7.6 Automated Dynamic Policies AI-enabled Dynamic Access Control

32
Appendix B:
Accelerated DoD
Baseline Timeline
Details

Accelerated COA 1 Timeline Estimates
ser
Device
A lication and
or load
Data
etwor and
nvironment
Automation
rchestration
isibilit
Anal tics

34
Aggressively shifting activity start dates to
FY23 accelerates ZT achievement dates
Shifting Target and Advanced ZT dates left as much as

possible (e.g., when not limited by predecessor activities)
significantly reduces the overall timeline to ZT
ser
accomplishment
o change to Device ZT
Device Target Date This timeline serves as a model for those stakeholders who
o change to A lication
have the desire (and capacity) to achieve Advanced ZT
A lication and
or load
and or load ZT Target more quickly than the recommended baseline COA 1
Date
Data
o change to Data ZT Left-shifting Activities:
Target Date
✔ Reduces the time to achieving Target Level ZT
etwor and o change to etwor ✔ May result in increased financial and personnel
and nvironment ZT
nvironment Target Date resourcing in the near term due to increased
Automation
requirements
rchestration ✔ Due to shifting priorities to the left, reduces the risk that
other priorities supersede Zero Trust in future years
isibilit
Anal tics
X Stakeholders may view this timeline as unrealistic
X May result in misprioritization of activity accomplishment
(e.g., by focusing on advanced activities too soon)
35
User (1 of 2) - Accelerated
1.1 User Inventory User Inventory
App-Based Permission
Per Enterprise
Rule Based Dynamic Access
Pt. 1
Rule Based Dynamic
1.2 Conditional User Access Access Pt. 2

Organizational MFA/IDP
1.3 Multifactor Authentication Alternative Flexible MFA
1.0 User
(MFA) Pt. 1
Alternative Flexible
MFA Pt. 2
Implement System and Mitigate Privileged Users Pt. 1
1.4 Privileged Access Implement System and Mitigate Privileged Users Pt. 2
Management (PAM) Real time Approvals & JIT/JEA Analytics Pt. 1
Real time Approvals & JIT/JEA Analytics Pt. 2
Organization Identity Life-cycle Management
1.5 Identify Federation & User Enterprise Identity Life-cycle Management Pt. 1
Credentialing Enterprise Identity Life-cycle Management Pt. 2
Enterprise Identity Life-cycle Management Pt. 3
Implement UEBA and UAM Tooling

1.6 Behavioral, Contextual ID, User Activity
Monitoring Pt. 1
and Biometrics User Activity
Monitoring Pt. 2

36
User (2 of 2) - Accelerated
1.7 Least Privileged Access Deny User by Default Policy

1.0 User
Single Authentication
Periodic Authentication
1.8 Continuous Authentication Continuous
Continuous
Enterprise PKI/IDP
Pt. 1
1.9 Integrated ICAM Platform Enterprise PKI/IDP Pt. 2

37
Device (1 of 2) - Accelerated
Device Health Tool Gap Analysis

NPE/PKI Device Under
Management
2.1 Device Inventory Enterprise IDP Pt.
1
Enterprise
IDP Pt. 2
2.2 Device Detection and Implement C2C/Compliance Based Network Authorization Pt. 1
Compliance Implement C2C/Compliance Based Network Authorization Pt. 2
Integrate Next Gen AV
Tools with C2C
Implement Application
2.0 Device
Control & FIM Tools

Entity Activity Monitoring
Pt. 1
2.3 Device Authorization w/ Real Entity Activity Monitoring
Time Inspection Pt. 2
Fully Integrate Device Security Stack w/ C2C as appropriate
Enterprise PKI Pt. 1

Enterprise PKI
Pt. 2
Deny Device by
Default Policy
Managed and Limited BYOD & IOT Support
2.4 Remote Access Managed and Full BYOD & IOT
Support Pt. 1
Managed and Full BYOD & IOT
Support Pt. 2
2.5 Partially & Fully Automated
Asset, Vulnerability and Patch Implement Asset, Vulnerability and Patch Management Tools
Management

38
Device (2 of 2) - Accelerated
2.0 Device
Implement UEDM or equivalent Tools

Management (UEM) & Mobile Enterprise Device Management Pt. 1
Device Management (MDM) Enterprise Device Management Pt. 2
2.7 Endpoint & Extended Implement Endpoint Detection & Response (EDR) Tools & Integrate w / C2C
Detection & Response (EDR & Implement Extended Detection & Response (XDR) & Integrate w / C2C Pt. 1
XDR) Implement Extended Detection & Response (XDR) & Integrate w / C2C Pt. 2

39
Application and Workload - Accelerated
Application / Code
Identification
3.1 Application Inventory Resource Authorization Pt. 1
Resource Authorization Pt. 2
3.0 Application and Workload
Build DevSecOps Software Factory Pt. 1
3.2 Secure Software Build DevSecOps Software Factory Pt. 2
Development & Integration Automate Application Security & Code Remediation Pt. 1
Automate Application Security & Code Remediation Pt. 2
Approved Binaries / Code

3.3 Software Risk Management Vulnerability Management Program Pt. 2
Continual Validation

SDC Resource Authorization
Pt. 2
3.4 Resource Authorization & Enrich Attributes for Resource Authorization Pt. 1
Integration
REST API Micro-Segments
3.5 Continuous Monitoring and Continuous Authorization to Operate (ATO) Pt. 1
Ongoing Authorizations Continuous Authorization to Operate (ATO) Pt. 2

40
Data (1 of 2) - Accelerated
4.1 Data Catalog Risk Alignment Data Analysis
Define Data Tagging Standards

4.2 DoD Enterprise Data
Interoperability Standards
Governance
Develop Software Defined Storage (SDS) Policy
Implement Data Tagging & Classification Tools
Manual Data Tagging Pt. 1

Manual Data Tagging
4.3 Data Labeling and Tagging Pt. 2
4.0 Data
DLP Enforcement Point Logging and Analysis

DRM Enforcement Point Logging and Analysis
4.4 Data Monitoring and Sensing
Database Activity Monitoring
Comprehensive Data Activity Monitoring

4.5 Data Encryption & Rights DRM Enforcement via Data Tags and Analytics Pt. 1
Management

41
Data (2 of 2) - Accelerated
Implement Enforcement Points

4.6 Data Loss Prevention (DLP)
4.0 Data
4.7 Data Access Control Integrate Solution & Policy with Enterprise IDP Pt. 1
Integrate Solution & Policy with Enterprise IDP Pt. 2

42
Network and Environment - Accelerated

5.1 Data Flow Mapping
5.0 Network & Environment
Define SDN APIs
Implement SDN Programmable Infrastructure

5.2 Software Defined Networking Segment Flows into Control, Management, and Data Planes
(SDN)
Network Asset Discovery & Optimization
Real-Time Access
Decisions
Datacenter Macro Segmentation
5.3 Macro Segmentation
B/C/P/S Macro Segmentation
Implement Micro segmentation

Application & Device Micro segmentation
5.4 Micro Segmentation
Process Micro segmentation
Protect Data In Transit

43
Automation & Orchestration - Accelerated
Policy Inventory & Development
6.1 Policy Decision Point (PDP) Organization Access Profile
& Policy Orchestration Enterprise Security Profile Pt. 1

Enterprise Security Profile Pt. 2
6.0 Automation & Orchestration
Task Automation Analysis
6.2 Critical Process Automation Enterprise Integration & Workflow Provisioning Pt. 1
Enterprise Integration & Workflow Provisioning Pt. 2
6.3 Machine Learning Implement Data Tagging & Classification ML Tools
Implement AI Automation Tools

6.4 Artificial Intelligence
AI Driven by Analytics decides A&O Modifications
Response Automation Analysis

6.5 Security Orchestration,
Implement SOAR Tools
Automation & Response (SOAR)
Implement Playbooks
Tool Compliance Analysis
6.6 API Standardization Standardized API Calls & Schemas Pt. 1

Standardized API Calls & Schemas Pt. 2
Workflow Enrichment Pt. 1
6.7 Security Operation Center Workflow Enrichment Pt. 2
(SOC) & Incident Response (IR) Workflow Enrichment Pt. 3
Automated Workflows

44
Visibility & Analytics - Accelerated
Scale Considerations
7.1 Log All Traffic (Network, Log Parsing
Data, Apps, Users)
Log Analysis
Asset ID & Asset Correlation

7.0 Visibility & Analytics

7.2 Security Information and Threat Alerting Pt. 2
Event Management (SIEM)
User/Device Baselines
7.3 Common Security and Risk Implement Analytics Tools
Analytics Establish User Baseline Behavior
Baseline & Profiling Pt. 1
7.4 User and Entity Behavior Baseline & Profiling Pt. 2
Analytics (UEBA) UEBA Baseline Support Pt. 1
UEBA Baseline Support Pt. 2
7.5 Threat Intelligence Cyber Threat Intelligence Program Pt. 1

Integration Cyber Threat Intelligence Program Pt. 2
AI-enabled Network Access

7.6 Automated Dynamic Policies
AI-enabled Dynamic Access Control

45
Appendix C:
Capability Definitions
Note: There are 45 capabilities and 152 activities. Each capability is defined in the subsequent slides and aligned with activities.
Activit utcome descri tions are rovided in the e cel s readsheet titled “ DoD ZT Ca abilities and Activities”

ID # Capability Pillar Capability Description Capability Outcome Impact to ZT Activities

Regular and Privileged users are identified and
integrated into an inventory supporting regular System owners have control (visibility and
Users not on the authorized user list
1.1 User Inventory 1 - User modifications. Applications, software and administrative rights) of all authorized and * Inventory User
will be denied access by policy
services that have local users are all part of the authenticated users on the network
inventory and highlighted.
Through maturity levels Conditional Access

* Implement App Based Permissions per
works to create a dynamic level of access for Eventually, organizations control user, device, Users not known to the system and
Enterprise
users in the environment. This starts with and non-user entity DAAS access through users who present an unacceptable
Conditional User * Rule Based Dynamic Access Pt1
1.2 1 - User traditional role-based access controls across a dynamically changing user risk profiles and degree of risk will be denied access
Access * Rule Based Dynamic Access Pt2
federate ICAM, expands to be application fine-grained access control to include the use with greater accuracy
* Enterprise Gov't roles and Permissions Pt1
focused roles and ultimately utilizes enterprise of user risk assessments
* Enterprise Gov't roles and Permissions Pt2
attributes to provide dynamic access rules.
This capability initially focuses on developing

an organization focused MFA provider and
DoD organizations require users and non-user
Identity Provider to enable the centralization of
entities to authenticate using at least two of
Multi-Factor users. Retirement of local and/or built-in Users not presenting multiple forms * Organizational MFA/IDP
the following three attributes: knowledge (user
1.3 Authentication 1 - User accounts and groups is a critical piece to this of authentication will be denied * Alternative Flexible MFA Pt1
ID/password), possession (CAC/token), or
(MFA) capability. At the later maturity levels access to DAAS system and resources * Alternative Flexible MFA Pt2
something you are (inherence, e.g.,
alternative and flexible MFA tokens can be
iris/fingerprints), in order to access DAAS
used to provide access for standard and
external users.
The capability focuses on removal of
permanent administrator/elevated privileges
* Implement System and Migrate Privileged
by first creating a Privileged Account
DoD organizations control, monitor, secure, Critical assets and applications Users Pt1
Privileged Access Management (PAM) system and migrating
and audit privileged identities (e.g., through secured, controlled, monitored and * Implement System and Migrate Privileged
1.4 Management 1 - User privileged users to it. The capability is then
password vaulting, JIT/JEA with PAWS) across managed through limits on admin Users Pt2
(PAM) expanded upon by using automation with
their IT environments access * Real time Approvals & JIT/JEA Analytics Pt1
privilege escalation approvals and feeding
* Real time Approvals & JIT/JEA Analytics Pt2
analytics into the system for anomaly
detection.
Return to Capability Overview 47


The initial scope of this capability focuses on DoD organizations manually issue, manage, and
standardizing the Identity Lifecycle Management
Visibility and accuracy of user * Organizational Identity Life-Cycle
revoke credentials bound to DoD person,
(ILM) processes and integrating with the standard device, and NPE identities. Identity information authentication information is Management
organizational IDP/IDM solution. Once completed is developed and shared across entitles and increased, to include DoD users and * Enterprise Identity Life-Cycle Management
Identity Federation
the capability shifts to establishing an Enterprise users managed by other agencies. Pt1
1.5 & User 1 - User trust domains providing “single sign-on”
ILM process/solution either through a single Users lacking sufficient credentials * Enterprise Identity Life-Cycle Management
Credentialing convenience and efficiencies to identified
solution or identity federation. are denied access according to Pt2
(authenticated and authorized) users and
established policies. * Enterprise Identity Life-Cycle Management
devices.
Pt3
Utilizing the Enterprise IDP, user and entity
behavioral analytics (UEBA) are enabled with * Implement User & Entity Behavior Activity
basic user attributes. Once completed this is DoD organizations utilize behavioral,
Behavioral, (UEBA) and User Activity Monitoring (UAM)
expanded into Organizational specific attributes contextual, and biometric telemetry to Behavioral, contextual, and biometric
1.6 Contextual ID, and 1 - User Tooling
using Organizational IDPs as available. Finally enhance risk-based authentication and access telemetry enhances MFA with
Biometrics UEBA are integrated with the PAM and JIT/JEA
* User Activity Monitoring Pt1
controls
systems to better detect anomalous and * User Activity Monitoring Pt2
malicious activities.
DoD organizations govern access to DAAS using
the absolute minimum access required to
perform routine, legitimate tasks or activities. Users on the network only have
DoD organizations govern access to DAAS using
Least Privileged DoD Application Owners identify the necessary access to the DAAS for which they are
1.7 1 - User the absolute minimum access required to * Deny User by Default Policy
Access roles and attributes for standard and privileged authorized and authenticated over a
user access. Privileged access for all DoD perform routine, legitimate tasks or activities
specific timeframe
organization DAAS is audited and removed when
unneeded.
The DoD organizations and overall enterprise will
methodically move towards continuous attribute
based authentication. Initially the capability
focuses on standardizing legacy single Users not continuously presenting * Single Authentication
authentication to a organizationally approved IDP DoD organizations continuously authenticate
Continuous multiple forms of authentication will * Periodic Authentication
1.8 1 - User with users and groups. The second stages adds in and authorize users' access to DAAS within and
Authentication be denied access to DAAS system and * Continuous Authentication Pt1
based rule based (time) authentication and across sessions using MFA
resources * Continuous Authentication Pt2
ultimately matures to Continuous Authentication
based on the application/software activities and
privileges requested.


DoD organizations and overall enterprise
employ enterprise-level identity management
and public key infrastructure (PKI) systems to
DoD organizations employ enterprise-level
track user, administrator and NPE identities
identity management systems to track user and
across the network and ensure access is limited
NPE identities across the network and ensure
to only those who have the need and the right Identities of users and NPE are
access is limited to only those who have the * Enterprise PKI/IDP Pt1
Integrated ICAM to know. Organizations can verify they need centrally managed to ensure
1.9 1 - User need and the right to know; organizations can * Enterprise PKI/IDP Pt2
Platform and have the right to access via credential authorized and authenticated access
verify they need and have the right to access * Enterprise PKI/IDP Pt3
management systems, identity governance and to DAAS resources across platforms
via credential management systems, identity
administration tools, and an access
governance and administration tools, and an
management tool. PKI systems can be
access management tool
federated but must either trust a central root
certificate authority (CA) and/or cross-sign
standardized organizational CA’s.
DoD organizations establish and maintain an
approved inventory list of all devices
authorized to access the network and enroll all By default policy, devices will be
DoD organizations establish and maintain a * Device Health Tool Gap Analysis
devices on the network prior to network denied network access; the only
trusted inventory list of all devices authorized * NPE/PKI, Device under Management
2.1 Device Inventory 2 - Device connection. Device attributes will include devices permitted access to the
to access the network and enroll all devices on * Enterprise IDP Pt1
technical details such as the PKI (802.1x) network shall be known, authorized,
the network prior to network connection * Enterprise IDP Pt2
machine certificate, device object, and listed in the device inventory
patch/vulnerability status and others to enable
successor activities.
DoD organizations employ asset management DoD organizations employ asset management
Any device attempting to connect to
systems for user devices to maintain and report systems for user devices to maintain and report
the network will be detected; only * Implement C2C/Compliance Based Network
on IT and Cybersecurity compliance. Managed on IT compliance. Any device (including mobile,
Device Detection those devices that are compliant (e.g., Authorization Pt1
2.2 2 - Device devices (enterprise and mobile) attempting to IOT, managed, and unmanaged) attempting to
and Compliance anti-virus is up to date, approved * Implement C2C/Compliance Based Network
connect to a DoD network or access a DAAS connect to a DoD network or access a DAAS
configuration) will receive access to Authorization Pt2
resource is detected and has its compliance resource is detected and has its compliance
requested DAAS
status confirmed (via C2C) status confirmed (via C2C)


DoD organizations establish processes (e.g.,
Components can use policies to deny * Entity Activity Monitoring Pt1
DoD Organizations conduct foundational and Enterprise PKI) and utilize tools to identify any
devices by default and explicitly allow * Entity Activity Monitoring Pt2
extended device tooling (NextGen AV, device (including unmanaged devices,
access to DAAS resources only by * Implement Application Control & File Integrity
Device AppControl, File Integrity Monitoring (FIM), etc.) infrastructure devices, and endpoint devices)
devices that meet mandated Monitoring (FIM) Tools
Authorization w/ integration to better understand the risk posture. attempting to access the network, and make a
2.3 2 - Device configuration standards. Security * Integrate NextGen AV Tools with C2C
Real Time Organizational PKI systems are integrated to determination if the device should be authorized
threats identified are remediated faster * Fully Integrate Device Security stack with C2C as
Inspection expand the existing Enterprise PKI to devices as to access the network. Maturation of this
through continuous activity inspection appropriate
well. Lastly Entity Activity Monitoring is also capability monitoring and detection of this
enables faster remediation of security * Enterprise PKI Pt1
integrated to identify anomalous activities. activity on endpoints and IT infrastructure in real
threats * Enterprise PKI Pt2
time
DoD organizations audit existing device access
processes and tooling to set a least privilege
baseline. In phase 2 this access is expanded to DoD organizations establish policies to allow * Deny Device by Default Policy
Enables properly authorized and
cover basic BYOD and IOT support using the authorized users and devices access to the * Managed and Limited BYOD & IOT Support
2.4 Remote Access 2 - Device authenticated users and NPEs to access
Enterprise IDP for approved applications. The network or a device from a geographical distance * Managed and Full BYOD & IOT Support Pt1
DAAS from remote locations
final phases expand coverage to include all through a network connection * Managed and Full BYOD & IOT Support Pt2
BYOD and IOT devices for services using the
approved set of device attributes.
Partially & Fully DoD organizations establish processes to
DoD organizations establish processes to
Automated Asset, automatically test and deploy vendor patches Risk is minimized by automatically
automatically test and deploy vendor patches for * Implement Asset, Vulnerability and Patch
2.5 Vulnerability and 2 - Device for connected devices; hybrid patch deploying vendor patches to all
connected devices; hybrid patch management Management Tools
Patch management (both human and automated) is network devices
(both human and automated) is employed
Management employed
DAAS resources are protected through

agent and agentless management, IT is
DoD organizations establish a centralized UEM
Unified Endpoint able to manage, secure, and deploy
solution that provides the choices of agent DoD organizations establish a centralized UEM
Management resources and applications on any
and/or agentless management of computer tool that provides the choices of agent and/or device from a single console to provide * Implement UEDM or equivalent Tools
(UEM) & Mobile
2.6 2 - Device and mobile devices to a single console agentless management of computer and mobile redress of cybersecurity threats. * Enterprise Device Management Pt1
Device
regardless of device location. DoD-issued devices to a single console. DoD-issued mobile Security vulnerabilities are mitigated, * Enterprise Device Management Pt2
Management devices are remotely managed and security
devices can be remotely managed and security and policy enforcement measures are
(MDM) policies are enforced.
policies are enforced. received through IT remote
management of DoD-issued mobile
devices


Threats originating from network-
DoD organizations use endpoint detection and connected endpoints are initially
* Implement Endpoint Detection & Response
Endpoint & response (EDR) tooling to monitor, detect, and DoD organizations use EDR tools to monitor, reduced through active investigation
(EDR) Tools and Integrate with C2C
Extended remediate malicious activity on endpoints. detect, and remediate malicious activity on and response. Maturation focuses on
* Implement Extended Detection & Response
2.7 Detection & 2 - Device Expanding the capability to include XDR tooling endpoints as a baseline. Upgrading to XDR tools forensics and faster threat detection
(XDR) Tools and Integrate with C2C Pt1
Response (EDR & allows organizations to account for activity allows organizations to account for activity and remediation are enabled by
beyond the endpoints such as cloud and network beyond the endpoints. * Implement Extended Detection & Response
XDR) correlating data across multiple
as well. (XDR) Tools and Integrate with C2C Pt2
security layers (e.g., email, cloud,
endpoint)
System owners ensure that all applications and System owners ensure that all applications and
application components are identified and application components are identified and
Unauthorized applications and
Application 3 - Applications inventoried; only applications and application inventoried; only applications and application
3.1 application components are not used * Application/Code Identification
Inventory and Workloads components that have been authorized by the components that have been authorized by the
appropriate authorizing official/CISO/CIO shall be appropriate authorizing official/CISO/CIO shall be on or within the system
utilized within the system owner's purview utilized within the system owner's purview
Organization-defined security controls and Zero Trust security concepts,
practices are integrated, to include Zero Trust processes, and capabilities are
Foundational software and application security security controls and virtualization, into the * Build DevSecOps Software Factory Pt1
accepted and integrated across the
processes and infrastructure are established software development lifecycle and DevOps * Build DevSecOps Software Factory Pt2
Secure Software DevOps toolchain, to include static
3 - Applications following Zero Trust principles and best practices. toolchain. Custom software development teams * Automate Application Security & Code
3.2 Development & and dynamic application security
and Workloads Controls such as code review, runtime protection, use DevSecOps to integrate static and dynamic Remediation Pt1
Integration secure API gateways, container and serverless application security testing into software delivery
testing necessary for the discovery of
* Automate Application Security & Code
security are integrated and automated. workflows in accordance with the organization's weaknesses and vulnerabilities during
Remediation Pt2
requirements (policies, technologies, and application development
processes).
DoD establishes policies and procedures to secure
DoD organizations establish software/application supply chain cybersecurity for code components
risk management program. Foundational controls within DoD and DIB systems by evaluating and
include Bill of Materials risk management, identifying supplier sourcing risk for approved
Code used in DAAS and associated * Approved Binaries/Code
Supplier Risk Management, approved repositories sources, creating
Software Risk 3 - Applications components of the supply chain is * Vulnerability Management Program Pt1
3.3 and update channels, and vulnerability repositories and update channels for use by
Management and Workloads secure, vulnerabilities are reduced, * Vulnerability Management Program Pt2
management program. Additional controls development teams, creating Bill of Materials for
include Continual validation within the CI/CD applications to identify source, supportability and and DoD is aware of potential risks * Continual Validation
pipelines and vulnerability maturation with risk posture, and establishing industry standard
external sources. (DIB) and approved vulnerability databases for
use in DevSecOps


DoD establishes a standardized resource
authorization gateway for authorizations via * Resource Authorization Pt1
the CI/CD pipelines in a risk approach that * Resource Authorization Pt2
Resource authorization enables the
reviews the User, Device and Data security * SDC Resource Authorization Pt1
DoD establishes a standard approach managing ability for limited access to those
Resource posture. Authorizations utilize a programmatic * SDC Resource Authorization Pt2
3 - Applications the authorizations of resources in a risk resources and in a programmatic way
3.4 Authorization & (e.g., Software Defined) approach in a * Enrich Attributes for Resource Authorization
and Workloads approach that reviews the User, Device and in later stages. This improvise the
Integration live/production environment. Attributes are Pt1
Data security posture. ability to remove access when it is not
enriched utilizing other pillar activities and the * Enrich Attributes for Resource Authorization
needed.
API and Authorization gateway. Approved Pt2
enterprise APIs are micro-segmented using * REST API Micro-Segments
authorizations.
Continuous DoD organizations employ automated tools * Continuous Authorization to Operate (cATO)
DoD organizations employ automated tools and Near real time visibility into the
Monitoring and 3 - Applications and processes to continuously monitor Pt1
3.5 processes to continuously monitor applications effectiveness of deployed security
Ongoing and Workloads applications and assess their authorization to * Continuous Authorization to Operate (cATO)
and assess their authorization to operate controls
Authorizations operate Pt2
Data owners ensure that data is identified and Data owners ensure that data is identified and
Data assets are known and can
inventoried and any changes to the data inventoried and any changes to the data
therefore be collected, tagged, and
landscape are automatically detected and landscape are automatically detected and
Data Catalog Risk protected according to risk levels in
4.1 4 - Data included within the catalog. The data landscape included within the catalog. The data landscape * Data Analysis
Alignment alignment with a prioritization
must then be reviewed to identify potential must then be reviewed to identify potential
framework, and encrypted for
risks related to data loss, attack, or any other risks related to data loss, attack, or any other
protection
unauthorized alteration and/or access unauthorized alteration and/or access
DoD establishes enterprise data
Decision rights and accountability
labeling/tagging and DAAS access DoD establishes enterprise data * Define Data Tagging Standards
framework ensure appropriate
DoD Enterprise control/sharing policies (e.g., SDS policy) that labeling/tagging and DAAS access * Interoperability Standards
4.2 4 - Data behavior in the valuation, creation,
Data Governance are enforceable. Developed enterprise control/sharing policies (e.g., SDS policy) that * Develop Software Defined Storage (SDS)
consumption, and control of data and
standards ensure an appropriate level of are enforceable at the field level Policy
analytics
interoperability between DoD Organizations.
* Implement Data Tagging & Classification
Data owners label and tag data in compliance Establishing machine enforceable
Tools
with DoD enterprise governance on Data owners label and tag data in compliance data access controls, risk assessment,
Data Labeling and * Manual Data Tagging Pt1
4.3 4 - Data labeling/tagging policy. As phases advance with DoD enterprise governance on and situational awareness require
Tagging * Manual Data Tagging Pt2
automation is used to meet scaling demands labeling/tagging policy consistently and correctly labeled and
* Automated Data Tagging & Support Pt1
and provide better accuracy. tagged data
* Automated Data Tagging & Support Pt2


Data owners will capture active metadata that
includes information about the access, sharing,
transformation, and use of their data assets. Data * DLP Enforcement Point Logging and Analysis
Loss Prevention (DLP) and Data Rights * DRM Enforcement Point Logging and Analysis
Data owners will capture active metadata that
Data Monitoring Management (DRM) enforcement point analysis is Data in all states are detectable and * File Activity Monitoring Pt1
4.4 4 - Data includes information about the access, sharing,
and Sensing conducted to determine where tooling will be observable * File Activity Monitoring Pt2
deployed. Data outside of DLP and DRM scope transformation, and use of their data assets
* Database Activity Monitoring
such as File Shares and Databases is actively * Comprehensive Data Activity Monitoring
monitored for anomalous and malicious activity
using alternative tooling.
* Implement DRM and Protection Tools Pt1
DoD organizations establish and implement a * Implement DRM and Protection Tools Pt2
strategy for encrypting data at rest and in transit * DRM Enforcement via Data Tags and
Data Encryption & DoD organizations establish and implement a Encrypting data in all states reduces
using Data Rights Management (DRM) tooling. Analytics Pt1
4.5 Rights 4 - Data strategy for encrypting data at rest and in the risk of unauthorized data access
The DRM solution utilizes data tags to determine * DRM Enforcement via Data Tags and
Management protection and lastly integrates with ML and AI to transit and improves data security
Analytics Pt2
automate protection * DRM Enforcement via Data Tags and
Analytics Pt3
DoD organizations utilize the identified * Implement Enforcement Points
enforcement points to deploy approved DLP tools * DLP Enforcement via Data Tags and Analytics
and integrate tagged data attributes with DLP. DoD organizations have identified enforcement
Data breaches and data exfiltration Pt1
Data Loss Initially the DLP solution is put into a "monitor- points, deployed approved DLP tools at those
4.6 4 - Data transmissions are detected and * DLP Enforcement via Data Tags and Analytics
Prevention (DLP) only" mode to limit business impact and later enforcement points, and integrate tagged data
using analytics is put into a "prevent" mode. mitigated Pt2
attributes with DLP
Extended data tag attributes are used to feed the * DLP Enforcement via Data Tags and Analytics
DLP solution and lastly integrate with ML and AI. Pt3
* Integrate DAAS Access w/ SDS Policy Pt1
* Integrate DAAS Access w/ SDS Policy Pt2
DoD organizations ensure appropriate access to * Integrate DAAS Access w/ SDS Policy Pt3
Unauthorized entities, or any entity
and use of data based on the data and * Integrate Solution(s) and Policy with
on an unauthorized device cannot
user/NPE/device properties. Software Defined DoD organizations ensure appropriate access to Enterprise IDP Pt1
Data Access access data; Zero Trust cybersecurity
4.7 4 - Data Storage (SDS) is utilized to scale manage and use of data based on the data and * Integrate Solution(s) and Policy with
Control will be sufficiently strong to separate
permissions to DAAS. Lastly the SDS solution(s) is user/NPE/device properties Enterprise IDP Pt2
integrated with DRM tooling improving community of interest data access for
* Implement SDS Tool and/or integrate with
protections. data in the same classification
DRM Tool Pt1
* Implement SDS Tool and/or integrate with
DRM Tool Pt2

DoD organizations reconcile data flows by
DoD organizations reconcile data flows by
gathering, mapping, and visualizing network Sets the foundation for network * Define Granular Control Access Rules &
5 - Network gathering, mapping, and visualizing network
Data Flow traffic data flows and patterns to ensure segmentation and tighter access Policies Pt1
5.1 and traffic data flows and patterns to ensure
Mapping authorized access and protection for network control by understanding data traffic * Define Granular Control Access Rules &
Environment authorized access and protection for network
and DAAS resources specifically tagging on the network Policies Pt2
and DAAS resources
programmatic (e.g., API) access when possible.
DoD organizations define API decision points
and implement SDN programmable
infrastructure to separate the control and data * Define SDN APIs* Implement SDN
DoD organizations define API decision points
planes and centrally manage and control the Enables the control of packets to a Programable Infrastructure
5 - Network and implement SDN programmable
Software Defined elements in the data plane. Integrations are centralized server, provides * Segment Flows into Control, Management,
5.2 and infrastructure to separate the control and data
Networking (SDN) conducted with decision points and additional visibility into the network, and Data Planes
Environment planes and centrally manage and control the
segmentation gateway to accomplish the plane and enables integration requirements * Network Asset Discovery & Optimization
elements in the data plane
separation. Analytics are then integrated to * Real-Time Access Decisions
real time decision making for access to
resources.
DoD organizations establish network DoD organizations establish network

boundaries and provide security against perimeters and provide security against Network segmentation is defined by a
5 - Network
Macro networked assets located within an devices located within an environment by large perimeter to enable resource * Datacenter Macro segmentation
5.3 and
Segmentation environment by validating the device, user, or validating the device, user, or NPE on each segmentation by function and user * B/C/P/S Macro segmentation
Environment
NPE on each attempt of accessing a remote attempt of accessing a remote resource prior type
resource prior to connection. to connection
Network segmentation enabled by

narrower and specific segmentation
DoD organizations define and document
in a virtualized environment via
network segmentation based on identity and /
identity and / or application access,
or application access in their virtualized and/or DoD organizations define and document * Implement Micro segmentation
5 - Network allowing for improved protection of
Micro cloud environments. Automation is used to network segmentation based on identity and / * Application & Device Micro segmentation
5.4 and data in transit as it crosses system
Segmentation apply policy changes through programmatic or application access in their virtualized cloud * Process Micro segmentation
Environment boundaries (e.g., in a coalition
(e.g., API) approaches. Lastly where possible environments * Protect Data In Transit
environment, system high
organizations will utilize host-level process
boundaries) and supported dynamic,
micro segmentation.
real-time access decisions and policy
changes


DoD organizations initially collect and DoD organizations initially collect and
document all rule-based policies to orchestrate document all rule-based policies to orchestrate
across the security stack for effective across the security stack for effective
automation; DAAS access procedures and automation; DAAS access procedures and
PDPs and PEPs ensure proper
Policy Decision policies will be defined, implemented, and policies will be defined, implemented, and * Policy Inventory & Development
6 - Automation implementation of DAAS access
Point (PDP) & updated. Organizations mature this capability updated. Organizations mature this capability * Organization Access Profile
6.1 and policies to users or endpoints that are
Policy by establishing PDPs and PEPs (including the by establishing PDPs and PEPs (including the * Enterprise Security Profile Pt1
Orchestration properly connected (or denied access)
Orchestration Next Generation Firewall) to make DAAS Next Generation Firewall) to make DAAS * Enterprise Security Profile Pt2
to requested resources
resource determinations and enable, monitor, resource determinations and enable, monitor,
and terminate connections between a and terminate connections between a
user/device and DAAS resources according to user/device and DAAS resources according to
predefined policy. predefined policy
DoD organizations employ automation DoD organizations employ automation

* Task Automation Analysis
methods, such as RPA, to address repetitive, methods, such as RPA, to address repetitive, Response time and capability is
6 - Automation * Enterprise Integration & Workflow
Critical Process predictable tasks for critical functions such as predictable tasks for critical functions such as increased with orchestrated
6.2 and Provisioning Pt1
Automation data enrichment, security controls, and data enrichment, security controls, and workflows and risk management
Orchestration * Enterprise Integration & Workflow
incident response workflows according to incident response workflows according to processes
Provisioning Pt2
system security engineering principles. system security engineering principles
DoD organizations employ ML to execute (and DoD organizations employ ML to execute (and Response time and capability is
6 - Automation
enhance execution of) critical functions such as enhance execution of) critical functions such as increased with orchestrated * Implement Data Tagging & Classification ML
6.3 Machine Learning and
incident response, anomaly detection, user incident response, anomaly detection, user workflows and risk management Tools
Orchestration
baselining, and data tagging. baselining, and data tagging processes
DoD organizations employ AI to execute (and DoD organizations employ AI to execute (and Response time and capability is
6 - Automation * Implement AI automation tools
Artificial enhance execution of) critical functions - enhance execution of) critical functions - increased with orchestrated
6.4 and * AI Driven by Analytics decides A&O
Intelligence particularly risk and access determinations and particularly risk and access determinations and workflows and risk management
Orchestration modifications
environmental analysis. environmental analysis processes


DoD organizations achieve initial operational DoD organizations achieve IOC of security
capability of security technologies to technologies to orchestrate and automate
Pre-defined playbooks from collection
Security orchestrate and automate policies (e.g., PEPs policies (e.g., PEPs and PDPs) and rulesets to
6 - Automation to incident response and triage * Response Automation Analysis
Orchestration, and PDPs) and rulesets to improve security improve security operations, threat and
6.5 and enables initial process automation * Implement SOAR Tools
Automation & operations, threat and vulnerability vulnerability management, and security
Orchestration that accelerates a security team's * Implement Playbooks
Response (SOAR) management, and security incident response incident response by ingesting alert data,
decision and response speed
by ingesting alert data, triggering playbooks for triggering playbooks for automated response
automated response and remediation. and remediation
DoD establishes and enforces enterprise-wide Standardizing APIs across the

DoD establishes and enforces enterprise-wide * Tool Compliance Analysis
API 6 - Applications programmatic interface (e.g., API ) standards; department improves application
6.6 API standards; all non-compliant APIs are * Standardized API Calls & Schemas Pt1
Standardization and Workloads all non-compliant APIs are identified and interfaces, enabling orchestration,
identified and replaced * Standardized API Calls & Schemas Pt2
replaced. and enhancing interoperability
In the event a computer network defense

service provider (CNDSP) does not exist, DoD
organizations define and stand up security
In the event a CNDSP does not exist, DoD
operations centers (SOC) to deploy, operate,
7 - Visibility organizations define and stand up SOCs to
Security and maintain security monitoring, protections * Workflow Enrichment Pt1
and Analytics 6 deploy, operate, and maintain security Standardized, coordinated, and
Operations Center and response for DAAS; SOCs provide security * Workflow Enrichment Pt2
6.7 - Automation monitoring, protections and response for accelerated incident response and
(SOC) & Incident management visibility for status (upward * Workflow Enrichment Pt3
and DAAS; SOCs provide security management investigative efforts
Response (IR) visibility) and tactical implementation * Automated Workflow
Orchestration visibility for status (upward visibility) and
(downward visibility). Workflows within the
tactical implementation (downward visibility)
SOC are automated using automation tooling
and enrichment occurs between service
providers and technologies.
DoD organizations collect and process all logs
including network, data, application, device,
DoD organizations collect and process all logs
and user logs and make those logs available to
Log All Traffic including network, data, application, device, Foundational to the development of * Scale Considerations
7 - Visibility the appropriate Computer Network Defense
7.1 (Network, Data, and user logs and make those logs available to automated hunt and incident * Log Parsing
and Analytics Service Provider (CNDSP) or security operations
Apps, Users) the appropriate Computer Network Defense response playbooks * Log Analysis
center (SOC). Logs and events follow a
Service Provider (CNDSP) or SOC
standardized format and rules/analytics are
developed as needed.


Computer Network Defense Service Provider
(CNDSP) or security operations centers (SOC)
monitor, detect, and analyze data logged into a Processing and exploiting data in the
Security * Threat Alerting Pt1
security information and event management SIEM enables effective security
Information and CNDSPs/SOCs monitor, detect, and analyze * Threat Alerting Pt2
7 - Visibility (SIEM) tool. User and device baselines are analysis of anomalous user behavior,
7.2 Event data logged into a security information and * Threat Alerting Pt3
and Analytics created using security controls and integrated alerting, and automation of relevant
Management event management (SIEM) tool * Asset ID & Alert Correlation
with the SIEM. Alerting within the SIEM is incident response to common threat
(SIEM) * User/Device Baselines
matured over the phases to support more events
advanced data points (e.g., Cyber Threat Intel,
Baselines, etc.)
CNDSPs/SOCs employ big data tools across
(CNDSP) or security operations centers (SOC) Analysis integrated across multiple
Common Security 7 - Visibility their enterprises for multiple data types to * Implement Analytics Tools
7.3 employ data tools across their enterprises for data types to examine event,
and Risk Analytics and Analytics unify data collection and examine events, * Establish User Baseline Behavior
multiple data types to unify data collection and activities, and behaviors
activities, and behaviors
examine events, activities, and behaviors.
DoD organizations initially employ analytics to
profile and baseline activity of users and DoD organizations initially employ analytics to
entities and to correlate user activities and profile and baseline activity of users and
behaviors and detect anomalies. Computer entities and to correlate user activities and
* Baseline & Profiling Pt1
Network Defense Service Provider (CNDSP) or behaviors and detect anomalies. CNDSPs/SOCs Advanced analytics support detection
User and Entity 7 - Visibility * Baseline & Profiling Pt2
7.4 security operations centers (SOC) mature this mature this capability through the employment of anomalous users, devices, and NPE
Behavior Analytics and Analytics * UEBA Baseline Support Pt1
capability through the employment of of advanced analytics to profile and baseline actions and advanced threats
* UEBA Baseline Support Pt2
advanced analytics to profile and baseline activity of users and entities and to correlate
activity of users and entities and to correlate user activities and behaviors, and detect
user activities and behaviors, and detect anomalies
anomalies.
(CNDSP) or security operations centers (SOC) CNDSPs/SOCs integrate threat intelligence
integrate threat intelligence information and information and streams about identities, Integrating threat intelligence into
Threat Intelligence 7 - Visibility * Cyber Threat Intelligence Program Pt1
7.5 streams about identities, motivations, motivations, characteristics, and tactics, other SIEM data enhances monitoring
Integration and Analytics * Cyber Threat Intelligence Program Pt2
characteristics, and tactics, techniques and techniques and procedures (TTPs) with data efforts and incident response
procedures (TTPs) with data collected in the collected in the SIEM
SIEM.


DoD Organization ML & AI solutions
CNDSPs/SOCs dynamically and automatically Users and NPEs are denied access
dynamically and automatically update security
update security profiles and device based on automated, real-time
Automated 7 - Visibility profiles and device configuration through * AI-enabled Network Access
7.6 configuration through continuous security security profiles based on external
Dynamic Policies and Analytics continuous security posture monitoring, risk * AI-enabled Dynamic Access Control
posture monitoring, risk and confidence conditions and evolving risk and
and confidence scoring, and automated patch
scoring, and automated patch management confidence scores
management.

DoD ZTExecutionRoadmap

Uploaded by

Document Information

Original Description:

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

DoD ZTExecutionRoadmap

Uploaded by

Copyright:

Available Formats

DoD Zero Trust Capability

Execution Roadmap (COA 1)

COA 1 COA 2 COA 3

Producing a common lexicon

Target evel ZT Advanced ZT

Other Considerations – More to Come*

1 COA 1: Recommendations and Other Relevant Timelines

Appendix A: COA 1 Timeline Details (DoD Baseline)

Target evel ZT Advanced ZT

See Appendix A for methodology 7

DoD Accelerated Baseline:

DoD Zero Trust Capabilities

1.9 Integrated ICAM

EXECUTION Leadership &

ZT Target Level = All DoD organizations must achieve this level

All DoD organizations are expected to achieve ZT Target Level by 2027

Set Starting Point – If capabilities are laid out over time

The initial outcomes were mapped to visualize

Activity dependencies were re-evaluated, resulting

level through the pillar level Data

Leveling activity distribution over FYs resulted in

DoD Zero Trust Capabilities

1.9 Integrated ICAM

EXECUTION Leadership &

7 og Data Catalog oftw are is

5 Continuous Monitoring and

ZT Ca abilities in bold font and dis la ed on the ZT Target

ZT Activities are grou ed as either Target or Advanced

▪ Assumes a start date of FY23;

Target evel ZT Advanced ZT

Back to Table of Contents 21

V1.0 as of 10/04/2022 = Target Level ZT = Advanced ZT

1.1 User Inventory Inventory Users

Enterprise Roles and Permissions Pt. 2

Management (PAM) Real time Approvals & JIT/JEA Analytics Pt. 1

Real time Approvals & JIT/JEA Analytics Pt. 2

Organization Identity Life-cycle Management

Enterprise Identity Life-cycle Management Pt. 3

Implement UEBA and UAM Tooling

= Target Level ZT = Advanced ZT

1.7 Least Privileged Access Deny User by Default Policy

1.9 Integrated ICAM Platform Enterprise PKI/IDP Pt. 2

= Target Level ZT = Advanced ZT

Device Health Tool Gap Analysis

Control & FIM Tools

Enterprise PKI Pt. 1

= Target Level ZT = Advanced ZT

Implement UEDM or equivalent Tools

= Target Level ZT = Advanced ZT

Application / Code Identification

Build DevSecOps Software Factory Pt. 1

3.2 Secure Software Build DevSecOps Software Factory Pt. 2

Approved Binaries / Code

Vulnerability Management Program Pt. 1

SDC Resource Authorization Pt. 1

SDC Resource Authorization Pt. 2

3.5 Continuous Monitoring and Continuous Authorization to Operate (ATO) Pt. 1

= Target Level ZT = Advanced ZT

4.1 Data Catalog Risk Alignment Data Analysis

Define Data Tagging Standards

Implement Data Tagging & Classification Tools

Manual Data Tagging Pt. 1