Earlier this month the U.S. Department of Defense released its DoD Zero Trust Strategy, which outlines an "enhanced cybersecurity framework built upon Zero Trust principles that must be adopted across the Department, enterprise-wide, as quickly as possible as described within this document."
The 37-page document was finalized October 21st and released for public consumption on November 7th.
The DoD's CIO, John B. Sherman, says in the document's foreword:
"This 'never trust, always verify' mindset requires us to take responsibility for the security of our devices, applications, assets, and services; users are granted access to only the data they need and when needed. "We all must play a role in combating our adversaries by acting quickly and correctly to address security threats wherever and whenever they arise."
The document outlines how the Pentagon will incorporate Zero Trust principles across five cybersecurity functions—Identify, Protect, Detect, Respond, and Recover—to create a successful and holistic cybersecurity program.
The DoD specifically calls out the People's Republic of China as its strongest threat, but is mindful of other state-sponsored adversaries motivated to breach systems within and outside of the Department's defensive perimeter.
"Zero Trust uses continuous multi-factor authentication, micro segmentation, advanced encryption, endpoint security, analytics, and robust auditing, among other capabilities, to fortify data, applications, assets, and services to deliver cyber resiliency," the strategy document says. "The Department is evolving to become a more agile, more mobile, cloud-supported workforce, collaborating with the entirety of DoD enterprise, including federal and non-federal organizations and mission partners working on a variety of missions."
The full report breaks down the DoD's vision for a Zero Trust strategy, its approach, flow charts, principles and pillars, measurement and metrics, a detailed road map, and milestones.
This action comes on the heels of the White House's Office of Management and Budget announcement in January 2022 to enact a Federal Zero Trust architecture (ZTA) strategy, requiring agencies to meet specific cybersecurity standards and objectives by the end of Fiscal Year 2024.