
UNCLASSIFIED

DEPARTMENT OF THE NAVY CHIEF INFORMATION OFFICER (DON CIO)

DON Chief Technology Officer


September 2023

Version: 1.0

Limited distribution controls: NONE.


Publicly releasable AFTER review

MODERNIZE INNOVATE DEFEND



DEPARTMENT OF THE NAVY MAJOR DESIGN CONCEPT: IMPLEMENT ZERO TRUST

DEPARTMENT OF THE NAVY CHIEF INFORMATION OFFICE


WASHINGTON DC 20350-10

FOREWORD

In September 2022, DON CIO published the Capstone Design Concept for Information Superiority,
providing top level direction to modernize the DON Information Environment, consisting of:

• One Goal: To securely move any information from anywhere, to anywhere
• Two Outcomes: Customer Experience (CX) and Operational Resilience (OR)
• Three Objectives: Optimize the DON Information Environment for Cloud; Adopt Enterprise Services;
Implement Zero Trust
• Four Attributes: Customer-Focused; Best-Value Cost; Dynamic; Confidence-Inspiring

This Major Design Concept establishes our direction to achieve our third major modernization objective:
Implement Zero Trust.

Our objective is to establish identity driven perimeters that enhance information security through dynamic,
conditions-based access to data, assets, applications and services. We will do this by:

• Enabling dynamic user access and resource visibility
• Providing secure/broad access across network/devices
• Conditionally authorizing access to multiple categories of information
• Unifying & automating cyber defense/network operations

Zero Trust updates our framework for cybersecurity for the software-defined era by recognizing that our
data, assets, applications, and services (resources) are what must be protected, that identity (of people
and autonomous sensors/systems) is the boundary, and through data tagging/analysis and automated
policy orchestration it is possible to dynamically provide conditional access to specific identities on certain
infrastructures to specific data and workloads. In this view, the network and its firewalls still exist, but as
an attribute of the terrain rather than the terrain itself. This allows us to securely make any information
available from virtually anywhere, improving both customer experience and operational resilience.

Technology patterns and practices along these lines will continue to evolve, and so must our guidance.
The DON Chief Technology Officer will directly publish updates to this Major Design Concept, and
welcomes anyone and everyone working within this space to author Topical Design Concepts in areas of
their expertise. We will quickly review and publish as many as we find necessary and useful.

We must all continue to work together to drive innovation at the scale and pace needed to realize the
premise of the DON Information Superiority Vision, that information is combat power. Successful
completion of our mission to modernize, innovate, and defend our information to achieve a digital edge
that no adversary can match depends on our ability to design, develop, and deploy the best technology
solutions. We have the watch, and we must think and act differently to achieve Information Superiority.

JANE O. RATHBUN
Chief Information Officer (Acting)
Department of the Navy


Table of Contents
Modernization objective .................................................................................................................. 1
Zero trust: A shift in our cybersecurity approach ........................................................................ 1
Network-centric security .......................................................................................................... 1
Data-centric security ................................................................................................................ 2
What is “zero trust”? ................................................................................................................... 3
DON Implementation of Zero-Trust ............................................................................................ 5
Design Patterns and Approaches ................................................................................................... 6
Design activities to achieve zero trust ........................................................................................ 6
Enabling dynamic user access and resource visibility ............................................................. 10
Providing secure/broad access across network/devices .......................................................... 11
Conditionally authorizing access to multiple categories of information .................................... 13
Unifying & automating cyber defense/network operations ....................................................... 14
Measuring success ....................................................................................................................... 17
Doing the right thing: Outcomes ............................................................................................... 17
Doing Things The Right Way: Attributes .................................................................................. 18
Moving forward ............................................................................................................................. 19


Modernization objective

Establish dynamic identity perimeters that enhance information security and
the data/application access experience.

ZERO TRUST: A SHIFT IN OUR CYBERSECURITY APPROACH


Zero trust is a fundamental shift in the way we think about and practice cybersecurity.
Understanding that shift requires us to examine how we thought about and practiced
cybersecurity before zero trust, so that we can appreciate why we must implement zero trust.

Network-centric security
The concepts of network-centric security represent the best practices and principles of
cybersecurity that evolved in the late 20th and early 21st centuries. Under a network-centric
security paradigm, one can think of a network like a castle, and the job of cybersecurity as the
defense of the castle. The objective, in a network-centric security model, is to keep bad actors
out of the network. Defenders focus mainly on the perimeters of the network, relying on multiple,
complex layers of security measures to prevent, detect, and respond to a network intrusion in
much the same way that a castle is protected by moats, ramparts, and turrets.

Figure 1: Network-centric security (a conceptual overview)

Because security is afforded by the network in this model, anyone needing access must be
inside of the network to be considered secure. This means that the network must be extended
anywhere that secure access is required—leading to the rise of Virtual Private Networks (VPNs)
as a means of extending the blanket of cybersecurity around endpoints from other networks.
This also means that anything that must be externally accessible (such as a public web site)
must be in a ‘demilitarized zone (DMZ)’—a gray area that is not fully protected because, like a
gate house with a drawbridge, it must be accessible from the outside to fulfill its basic purpose.
A network-centric security approach:

• Assumes that bad actors come mostly or entirely from outside of the network, and that
the basic role of cybersecurity is to prevent, detect, and respond to network intrusion.
• Assumes that keeping the network perimeter secure keeps the organization’s resources
(data, assets, applications, and services) secure.
• Allows or denies access to resources mostly by allowing or denying access to networks
(network access includes access to many or most organizational resources by default).

Page 1



Data-centric security
For more than a decade, cybersecurity practitioners have recognized serious flaws in the
assumptions, practices, and principles informing a traditional network-centric security approach.
Data-centric security represents current thinking and evolving best practices in cybersecurity.
A data-centric security approach:

• Assumes that bad actors have already breached the network or that a breach of the
network is inevitable.
• Protects the organization’s resources (data, assets, applications, and services) directly,
instead of focusing primarily on network perimeter defense.
• Allows or denies access to organizational resources based on a combination of factors,
including identity, device, network, policy, threat intelligence, and patterns of behavior.
Practicing data-centric security does not mean giving up the boundary-focused defenses that
characterize a network-centric security architecture, but it does mean that we no longer see the
primary role of cybersecurity as protecting the network from intrusion. In a data-centric security
model, the primary role of cybersecurity is to protect the organization’s resources (data, assets,
applications, and services). A data-centric security approach does not have ‘trusted’ zones and
does not assume that boundary defenses will keep the organization’s resources safe. In fact,
data-centric security proceeds from the assumption that any given network is already breached.

Figure 2: Logical components of a zero-trust architecture

Defending a castle after its walls have been breached is very different from defending a castle
prior to that point. The most important assets—people and property—need to be moved into a
keep (a smaller, more defensible area). Defenders can no longer assume that anyone inside the
castle is really an ally, even if they appear to be one of the defenders. Anyone approaching the
keep must be challenged—and context (not only who approaches, but how, when, and why they
are seeking access) becomes critical in determining whether to allow access.
The same concepts apply in a data-centric security model. Micro-segmentation separates
resources into smaller, more defensible groups. Every request for a resource is treated as
potentially malicious. A policy decision point (PDP) analyzes the device, network, and identity
of the subject (person or non-person entity making the request), and applies policy settings,
threat intelligence, and patterns of activity to determine whether to grant access to the resource.
This process of granting access is applied in a continuous manner, constantly evaluating
requests to resources. A policy enforcement point (PEP) manages requests and controls
access to resources.



WHAT IS “ZERO TRUST”?
According to Executive Order (EO) 14028, “The term ‘Zero Trust Architecture’ refers to a
security model, a set of system design principles, and a coordinated cybersecurity and system
management strategy based on an acknowledgement that threats exist both inside and outside
traditional network boundaries. The zero trust security model eliminates implicit trust in any one
element, node, or service and instead requires continuous verification of the operational picture
via real-time information from multiple sources to determine access and other system
responses.”

Figure 3: DoD Zero Trust Capability Pillars

The Department of Defense (DoD) CIO published the DoD Zero Trust Strategy required by the
National Defense Authorization Act (NDAA) for Fiscal Year (FY) 2022 section 1528. The
strategy further defines zero trust by establishing capability pillars for Users, Devices,
Application & Workload, Data, Network & Environment, Automation & Orchestration, and
Visibility & Analytics. The capabilities are broken down into a set of enabling activities that
specify Target and Advanced zero trust levels. The DoD Zero Trust Capability Execution
Roadmap provides greater zero trust definition to support program and project implementation.
Zero trust provides a data-centric security model that applies the principle of least-privilege to
every access decision, thus allowing users access to only the resources required to perform
their duties. The concept also implements granular, risk-based access controls and assumes
that a breach is inevitable or has already occurred. The DoD Zero Trust Reference Architecture
embeds comprehensive security monitoring technologies to employ anomalous or malicious
activity detection and considers who, what, when, where, and how as critical factors for correctly
allowing or denying access to resources. Target Level is the minimum set of zero trust capability
functions technical baselines must achieve to secure and protect the DON’s data, applications,
assets and services (DAAS). While the DoD zero trust framework will mature and adapt over
time, the current strategic context dictates an immediate focus on expediting investments in
core zero trust capabilities and technologies. The DON and Services must achieve Target Level
zero trust as soon as possible.


Figure 4: Zero Trust RA Target Environment (OV-1)

The target architecture continues to evolve operational capabilities with the adoption of new
technology such as Software Defined Perimeters (SDP), Robotic Process Automation (RPA),
Remote Procedure Call (RPC) enabled AI, integration with enterprise Identity Credential and
Access Management (ICAM) services, data protections, and robust risk-based analytics.
The integration of enterprise Naval Identity Services (NIS) ICAM services ensures the same
identity and attributes are leveraged throughout authorization decisions and provides identity
federation for each zero trust implementation across the naval enterprise. Adoption of SDP
provides an additional abstraction layer to the DoDIN, as inspection and segmentation are
performed prior to the user/device connecting to the resource. SDP combined with data tagging
and protections such as data loss prevention and data rights management provides strong
protection against data exfiltration. Each of these security capabilities ensures the visibility
necessary to perform the analytics required to develop risk scores used in authorization decisions.
The NDAA for FY22 also requires DoD components to develop zero trust implementation plans
within one year of DoD’s publication of zero trust architecture, strategy, and principles. Zero
trust implementation plans must include the DoD Information Network (DoDIN), including
classified network, operational technology (control systems that operate critical industrial
equipment and assets), and weapon systems.



DON IMPLEMENTATION OF ZERO-TRUST

Figure 5: DON Zero-Trust View

The DON zero trust view depicted above provides a high-level overview of zero trust concepts,
and some essential enabling technology patterns for each of the capability pillars. This view
begins to show how the DON implements zero trust principles in practice.

• Devices include any type of device that may access data. This includes computers of
any type, size, or form factor. Devices may be managed (owned/operated by the DON)
or unmanaged (owned and operated by others).
• Networks include both DoD-owned and operated network infrastructure, and any other
network infrastructure that the DON may use, in any setting (in garrison, deployed, at
home or on travel, etc.).
• Users are both any persons (any DON-affiliated person) and any non-person entities
(automated processes or services) that require access to resources.
• Applications are the computer programs used by users (persons and non-person
entities) to either generate or gain access to data.
• Data is the center of the zero trust enterprise; it is what we are seeking to understand,
protect, and deliver securely.
• Visibility and analytics provide the tooling necessary to see, gather, and analyze what
is happening across all our devices, networks, users, applications, and data.
• Automation and orchestration provide the tooling necessary to take or trigger actions
based on the patterns of behavior we observe through visibility and analytics.
Zero trust authorization decisions consider users, networks, and devices, as well as patterns of
behavior exposed through visibility and analytics. A zero trust enterprise assumes a breach is
inevitable and applies protective measures directly around resources.


Figure 6: DOD Maturity Model

The DOD Maturity Model provides a high-level view of the capabilities and activities required to
achieve Target Level. The detailed descriptions, outcomes, and updates are provided in the
DOD Zero Trust Strategy Appendices A-D, which include the basic and intermediate zero trust
maturity levels as defined by the Zero Trust RA. The DoD Zero Trust Portfolio Management
Office (ZT PfMO) defines target level zero trust as both basic and intermediate capabilities.

Design Patterns and Approaches


The task of implementing zero trust can be broken down into four subordinate objectives:

1. Enabling dynamic user access and resource visibility.
2. Providing secure/broad access across network/devices.
3. Conditionally authorizing access to multiple categories of information.
4. Unifying & automating cyber defense/network operations.

DESIGN ACTIVITIES TO ACHIEVE ZERO TRUST


Designing for zero trust follows a repeatable process with reusable tools for any system in any
environment.

• Identify what you want to protect
• Define Mission Outcomes under the assumption of a hostile environment and
presumption of breach
• Map transaction flows
o Determine means of User, Device and Network access
• Design Architecture
o Architect from the inside out
o Develop Attribute Based Access Control (ABAC) Access Policies (Rules)
o Identify Hardware and Software reconfiguration or replacement options
• Design Thinking Activities
o Event Storming (Domain Driven Design)
o Tabletop Mission Cyber Risk Assessments (TMCRAs)
• Prototype and Test
o Validate that Meta Policies prioritize access policies correctly
o Always Verify Policy Permits
o Automation & Orchestration
o Unified analytics
o User and Entity Behavioral Analytics (UEBA)
• Simplify the design as much as possible
• Monitor and Maintain
• Look for opportunities to improve the design
The overall design must ensure that the protected resource’s network segment is as quiescent as
possible, making anomaly detection rapid even when only bare minimum hardware resources and
network bandwidth are available to support the safeguarding software capability and UEBA.
Cloud-based implementations will benefit from refining the design to remain highly effective,
avoid waste and remain affordable. Tabletop cybersecurity risk assessments provide additional
insight into the design decisions made versus known adversary Tactics, Techniques, and
Procedures (TTPs). Lessons learned can highlight the need for additional safeguards, and for
deception and decoy strategies and technologies.

Figure 7: DON Zero Trust Design Thinking View

The DON Zero Trust design thinking view illustrates isolating ‘organizational data’ behind a
Policy Enforcement Point (PEP). The accompanying ABAC digital access policies restrict all
access to the data to paths through the PEP, permitting only a select few applications to connect
to the data resource. In the example, micro-segmentation is used to logically separate the
Software as a Service (SaaS) application and the organizational data. The SaaS workload and data are
isolated in their own segmented protected zones. Authorized virtual machines or microservice
brokers are able to connect to applications but are denied direct access to the ‘organizational data’.
Authentication mechanisms will use the NSA Tuple method to explicitly authenticate both the
user and the device as a condition for access to naval systems. When all conditions for access
have been met, including Comply to Connect and other service provider or data owner access
criteria, a brokering microservice or virtual desktop will be spun up and connected at the time of
authorization. The ‘ephemeral access broker’ will connect, via additional PEPs, to the regional
macro-segmentation boundary nearest to the user requesting access. The connectivity method
applies to managed devices and BYODs for each user session. The brokering service provides
full access to the bare minimum resources needed to perform assigned duties. The remote user is
subject to all restrictions and monitoring applied to the environment, with a single point to revoke
access if necessary. When the user disconnects or logs off, the brokering service is removed,
resources are recovered, and connections to the macro-segmentation boundary and authorized
applications are disconnected.

Figure 8: Naval Identity Service (NIS) ICAM Interoperability

NIS ICAM Interoperability employs a trust relationship between the Identity Provider (IdP) and
Service Providers (SP). A composite of three different standards is used to illustrate the
above example: NIST 800-207 Zero Trust Architecture, NIST 800-162 ABAC, and SAML v2.0.
Service provider software must be able to work with both internal and external IdPs, load
balanced or configured to prefer one over the other, as shown in figure 9.
All ABAC conditions for access to the protected environment must be met before access is
considered, including ‘Comply to Connect’ access conditions. When a user requests access to a
resource, the SAML token is forwarded from the Policy Administrator (PA) to the Policy Engine
(PE). The PE considers the entitlements listed in the authentication token’s ‘Authorization
Decision Statement’, defined by this design concept as NIS centralized administrative intent. The
PE reads the token and translates it into low-priority ABAC access permissions specific to the
user. The PE then compares the user’s request for access against higher-priority ABAC access
criteria. If all conditions are met, the decision is communicated to the PA, which maps the user to
data pathways to authorized resources. This method meets the NIS administrator’s requirement to
audit global user access permissions. Service Provider products must have the ability to
assign internal entitlements hidden from the global community to meet provisions in the
Program Protection Plan (PPP). Programs should forward PPPs that have Critical Program
Information (CPI) hidden entitlement requirements to NIS using classification-appropriate
channels. The PE’s contextual trust algorithm checks the user’s organizational role,
historical logs, and other factors to detect a possibly subverted account based on the user’s
current system usage. As machine learning advances, the contextual algorithm will
become a full-featured UEBA capability.
If the user becomes too high a risk to be acceptable for continued access, the PE can revoke
access for a period of time, require reauthentication, or permanently lock out the account.
Enterprise IT environments can employ aggressive automated countermeasures. The key point
here is that even in tactical environments, you will have the same standard of awareness of
what is going on in your technical baseline. The tactical environment onsite commanding officer
will be able to adjust automated countermeasures to meet mission requirements and
supplement them with a human-managed response to detected threats. Automated risk tolerance
in Enterprise IT environments can be very robust, deploying various countermeasures, with the
possibility of delaying genuine user work for a couple of hours if the trigger was based on a
false positive indicator. The tactical environment requires greater human intervention and
vigilance, meaning the automation will notify the Security Operations Center (SOC) and the
onsite commanding officer to make a decision on high-risk activities observed in the cyber
domain.

Figure 9: Notional SIPR v2.0 Zero Trust Technical Baseline

The above example illustrates an option to embed zero trust access within the protected zone.
Embedded zero trust access control can be employed for unclassified or secret networks to
meet specific security needs. In this example, the embedded Zero Trust Access Control
Mechanism (ACM) is a SIPR v2.0 classified zone behind a bulk encryption device. USN and
USMC classified network design architecture and deployments will stipulate absolute
restrictions on location access, device physical connections that meet TEMPEST requirements,
data flow anti-tamper safeguards, and prevailing quantum-resistant encryption standards. The
user and classified device connected to the SIPR v2.0 Naval Network will leverage tuple
authentication methods to “explicitly authenticate both the user and the device”, dependent on
authorized usage locations and SIPR v2.0 encryption requirements. SIPR v2.0 remains
cryptographically separated from unclassified transport networks. Micro-segmentation command
and control ensures only partnering local and remote encryption hardware and software are
able to see SIPR v2.0 encryption mechanisms. SIPR v2.0 users and devices will use a
brokering instance of NVD (Virtual Desktop) or an Application Container with an assigned X.509
certificate or better construct to view and work with classified data, in the same fashion as
unclassified network users and devices. The classified device will not have the ability to copy
protected classified data from the Naval Network to the user-controlled physical device. Access
to classified data constitutes non-administrative privileged access that must include the
digital identity’s clearance attribute in the authentication token. Oversight of classified access
will be tracked and will meet strict workspace access criteria and DON logging requirements.
Programs implementing embedded zero trust ACMs will work with their USCYBERCOM
sub-component commands to share locally collected logs and threat data with the DON
Enterprise Information Network.

ENABLING DYNAMIC USER ACCESS AND RESOURCE VISIBILITY


Users should only be able to see what they are allowed to use.
Half of the battle for cybersecurity is understanding the terrain. Cyber attackers rely on
knowledge of the attributes of targeted networks, devices, applications, users, and data.
Defenders benefit when attackers cannot map the cyber terrain (for example, to discover what
computers are on a network, what services are available at a given endpoint, etc.).
Conceptually, in a zero trust enterprise, rather than discovering resources and then being
allowed or denied access to them based on your credentials, the operation happens in reverse:
You provide your credentials first, and then you discover what resources are available to you.
Applicable technology patterns for dynamic user access and resource visibility include but
are not limited to:
Enterprise Public Key Infrastructure (PKI): This system is responsible for generating and
logging certificates issued by the enterprise to resources, subjects, services and applications.
This also includes the global certificate authority ecosystem and the Federal PKI, which may or
may not be integrated with the enterprise PKI. This could also be a PKI that is not built upon
X.509 certificates.
ID management system: This is responsible for creating, storing, and managing enterprise
user accounts and identity records (e.g., lightweight directory access protocol (LDAP) server).
This system contains the necessary subject information (e.g., name, email address, certificates)
and other enterprise characteristics such as role, access attributes, and assigned assets. This
system often utilizes other systems (such as a PKI) for artifacts associated with user accounts.
This system may be part of a larger federated community and may include non-enterprise
employees or links to non-enterprise assets for collaboration.
Identity Credential and Access Management (ICAM): ICAM is an important cybersecurity
domain that allows agencies to securely access resources across existing systems and
emerging platforms. The presumptive ICAM solution for the DON is Naval Identity Services
(NIS), which is being designed and implemented in support of all DON systems and networks.
Platform as a Service (PaaS) Region: Container orchestration platform designed so that a
single cluster can run across multiple failure zones, typically where these zones fit within a
logical grouping called a region.
Multi-Factor Authentication (MFA): Multi-factor Authentication (MFA) is an authentication
method that requires the user to provide two or more verification factors to gain access. MFA is
a layered approach to securing your online accounts and the data they contain. When you
enable MFA in your online services (like email), you must provide a combination of two or more
authenticators to verify your identity before the service grants you access.
Software Imposed Limitations: Software designed with identity based digital access policy
limitations to impose brokering application restrictions between users and data. The
implementation leverages application container microservices to deploy software capability
based on permissions granted to the digital identification. Enabled to detect malicious use,
designed to mitigate unintended use, and disconnect user under threat conditions.
Transport Layer Security (TLS) Termination Proxy: A TLS bridging proxy that terminates client
sessions so that intrusion detection systems can analyze all client traffic. It allows inspection of
otherwise encrypted traffic by an intrusion detection system to detect and block malicious
activities and to support network surveillance and analysis. A proxy used by clients as an
intermediary gateway for all outbound connections is typically called a forward proxy, while a
proxy used by servers as an intermediary gateway for all inbound connections is typically called
a reverse proxy.
Zero Trust Network Access (Zero Trust NA): A security solution that provides secure remote
access to an organization's applications, data, and services based on clearly defined access
control policies. Zero trust provides a collection of concepts and ideas designed to minimize
uncertainty in enforcing accurate, least privilege per-request access decisions in information
systems and services in the face of a network viewed as compromised. The goal is to prevent
unauthorized access to data and services and make access control enforcement as granular as
possible.
Continuous Access Evaluation (CAE): Constantly monitors the risk posture of access to DAAS
based on the signals being generated by the user, device, threat intelligence, behaviors, etc.
CAE is integrated into all Policy Enforcement Points throughout a zero trust architecture.

PROVIDING SECURE/BROAD ACCESS ACROSS NETWORK/DEVICES


Secure access should not depend on using specific devices or networks.
Zero trust architecture accounts for a broad range of devices, both managed and unmanaged,
connecting and requesting access to resources from a broad range of networks. When
considering a request, the device and network used to present the request matter—but they are
not necessarily overriding concerns. Ultimately, both the user and the device must be
authorized for an access request to be granted, regardless of network location.

Policies may be configured to deny requests for certain resources when they come from outside
of a particular network—for example, a request to access an industrial control system might be
denied by policy if it comes from outside of the facility where that control system resides.
When a request is not denied by policy, the device and network used may still figure into the
risk associated with granting or denying the request. For example, there are different levels of
risk associated with granting a request that appears to originate from a managed device on a
military network, from an unmanaged device on a private network in the Continental United
States, and from an unmanaged device on a network originating in mainland China, even when
the same identity requests the same resource in all three cases.
Applicable technology patterns for providing secure/broad access across networks/devices
include but are not limited to:
Application Container: An OS-level virtualization method used to deploy and run distributed
applications without launching an entire virtual machine (VM) for each app. Multiple isolated
applications or services run on a single host and access the same OS kernel.
Black Core Network (BCN): A communication network architecture in which user data
traversing a global internet protocol (IP) network is end-to-end encrypted at the IP layer. Related
to striped core.
Cloud Native Access Point (CNAP): Provide secure authorized access to DoD resources in a
commercial cloud environment, leveraging zero trust architecture, by authorized DoD users and
endpoints from anywhere, at any time, from any device.
Gray Gateway: A Commercial Solution for Classified (CSfC), managed by secure certificates
and offered as an enterprise gateway service. This gateway infrastructure has a centralized
certificate and network management function that enables thousands of projects/capabilities
with the ability to use multiple CSfC capability packages for transit across the gateway.
Intent-based networking (IBN): A form of network administration that incorporates artificial
intelligence (AI), network orchestration and machine learning (ML) to automate administrative
tasks across a network. The goal of IBN is to reduce the complexity of creating, managing and
enforcing network policies, and to reduce the manual labor associated with traditional
configuration management.
Network Macro-Segmentation: Large segments of the network are divided into logical zones
that allow access filtering at a broad scale, such as permitting a specific class of employees to
access the general information systems considered necessary to perform their duties, or
preventing anonymous users looking for publicly releasable information from reaching
authenticated employee areas of the network. The Cloud Native Access Point (CNAP) is an
example of a macro-segmentation solution.
Network Micro-Segmentation: Small segments of the network are drawn tightly around
protected resources, extending out to access points such as the Cloud Native Access Point
(CNAP). At-risk resources should have Policy Enforcement Points (PEPs) placed as near to
them as possible, so that the specific information or control is protected rather than only the
network around it. Zero trust architecture is specifically designed to defend the at-risk resource
where it is hosted, with the communication pathways to and from it safeguarded as well.

Secure Access Service Edge (SASE): Delivers converged network and security-as-a-service
capabilities, including SD-WAN, SWG, CASB, NGFW and zero trust network access (zero trust
NA). SASE supports branch office, remote worker and on-premises secure access use cases.
SASE is primarily delivered as a service and enables zero trust access based on the identity of
the device or entity, combined with real-time context and security and compliance policies.
Software-Defined Perimeter (SDP): In this approach, the Policy Administrator (PA) acts as the
network controller that sets up and reconfigures the network based on the decisions made by
the Policy Engine (PE). Clients request access via PEPs, which forward the request to the PA
component. A PE decision to grant access directs the PA to change the network and PEP
configurations to permit the client access to the resource. When the client session completes,
the network communication path and the PEP access configuration are returned to baseline.
Denied requests result in no change to the technical baseline's security posture. See also
Software Defined Networks (SDN) and Intent-Based Networking (IBN).

CONDITIONALLY AUTHORIZING ACCESS TO MULTIPLE CATEGORIES OF INFORMATION

Deeply understanding our data makes it both more secure and more useful.
Zero trust architecture absolutely depends on a deep understanding of data, both to secure it,
and to make better use of that data operationally. Implementing zero trust means, significantly,
understanding and managing our data far better than we have in the past.
From a security perspective, zero trust architectures implement Attribute Based Access Control
(ABAC)—which makes data available (or not) based on the attributes of both the resource (the
data being sought) and the subject (the person or non-person entity seeking the data). Allowing
or not allowing access to a resource based on the attributes of the resource and the subject
requires that we understand both—the data sought, and the entity seeking it—sufficiently to
make granular access decisions based on both. Humans can intuitively decide that a human
resources professional should have access to human resources data, or that a military
commander has a legitimate need to access information about readiness of their military units.
In part, zero trust is about enabling machines to make the same kinds of judgments, which
requires both subjects and the resources to be tagged in ways that enable access decisions.
This might seem like it makes data less available, but we would expect the opposite to be true.
Tagging data about subjects (people, groups or organizations, and non-person entities) and
resources (data, assets, applications, and services) makes that data more available to a wider
audience than traditional methods of segregating data for purposes of access control. This is
because this approach segregates data logically more than physically—meaning that data about
subjects and resources that wouldn’t ordinarily be in the same place, can be in the same place.

This allows human-machine teams to quickly find and create unexpected use cases for data
they wouldn’t otherwise have had access to, or known about, if we didn’t implement zero trust.
Applicable technology patterns to conditionally authorize access to multiple categories of
information include but are not limited to:
Attribute-Based Access Control (ABAC): A logical access control model that is
distinguishable because it controls access to objects by evaluating rules against the attributes of
entities (subject and object), operations, and the environment relevant to a request. ABAC
systems are capable of enforcing both Discretionary Access Control (DAC) and Mandatory
Access Control (MAC) concepts. ABAC enables precise access control, which allows for a
higher number of discrete inputs into an access control decision, providing a bigger set of
possible combinations of those variables to reflect a larger and more definitive set of possible
rules to express policies.
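The device- and network-dependent decisions described under Providing Secure/Broad Access above (a policy deny for an industrial control system reached from outside its facility, and graduated risk for a managed device on a military network versus an unmanaged device in CONUS or in mainland China) and the ABAC model just defined can be exercised together in a small policy engine. The following Python is an added example written for this page, not DON, DoD or NIST code; the attribute names, rule syntax, risk weights and thresholds are assumptions for illustration only.

```python
"""Toy ABAC policy engine, structured after the NIST SP 800-207 roles
(policy engine decides, enforcement point enforces). Added example, not
DON or DoD code; attribute names, rules, risk weights and thresholds are
assumptions for illustration."""
from __future__ import annotations
from dataclasses import dataclass
from typing import Callable


@dataclass
class Request:
    subject: dict       # attributes of the person or non-person entity
    resource: dict      # tags on the data, asset, application or service
    action: str         # operation requested
    environment: dict   # device posture, network and location signals


@dataclass
class Rule:
    name: str
    effect: str                          # "permit" or "deny"
    condition: Callable[[Request], bool]


# Policy rules (assumed, for illustration). Deny rules override permits and
# the default, when nothing matches, is deny.
RULES = [
    Rule("ics-only-from-its-facility", "deny",
         lambda r: r.resource.get("type") == "ics"
         and r.environment.get("facility") != r.resource.get("facility")),
    Rule("classification-tag-vs-clearance", "deny",
         lambda r: r.resource.get("classification", "U")
         not in r.subject.get("clearances", ["U"])),
    Rule("hr-data-for-hr-staff", "permit",
         lambda r: r.resource.get("category") == "hr"
         and r.action == "read"
         and "hr" in r.subject.get("roles", [])),
    Rule("readiness-for-own-commanders", "permit",
         lambda r: r.resource.get("category") == "readiness"
         and "commander" in r.subject.get("roles", [])
         and r.resource.get("unit") in r.subject.get("units", [])),
    Rule("ics-operators", "permit",
         lambda r: r.resource.get("type") == "ics"
         and "ics_operator" in r.subject.get("roles", [])),
]


def risk_score(env: dict) -> int:
    """Device and network signals as a numeric risk; higher is riskier.
    The weights are assumptions, not DON policy."""
    score = 0
    if not env.get("device_managed", False):
        score += 2                                  # unmanaged endpoint
    if env.get("network") not in ("military", "enterprise"):
        score += 1                                  # private / unknown transport
    if env.get("country") != "US":
        score += 3                                  # outside CONUS
    if env.get("posture") == "noncompliant":
        score += 2                                  # e.g. unpatched OS per CDM
    return score


def evaluate(req: Request, rules=RULES) -> tuple[str, list[str]]:
    """Return (decision, names of matched rules). Decision is one of
    "allow", "step_up" (permit, but require stronger authentication) or
    "deny"."""
    matched = [r for r in rules if r.condition(req)]
    names = [r.name for r in matched]
    if any(r.effect == "deny" for r in matched):
        return "deny", names
    if not any(r.effect == "permit" for r in matched):
        return "deny", names                        # default deny
    score = risk_score(req.environment)
    if score >= 5:
        return "deny", names
    if score >= 2:
        return "step_up", names
    return "allow", names


if __name__ == "__main__":
    hr_data = {"category": "hr", "classification": "CUI"}
    alice = {"id": "alice", "roles": ["hr"], "clearances": ["U", "CUI"]}
    for label, env in [
        ("managed device, military network, US",
         {"device_managed": True, "network": "military", "country": "US"}),
        ("unmanaged device, private network, US",
         {"device_managed": False, "network": "private", "country": "US"}),
        ("unmanaged device, private network, CN",
         {"device_managed": False, "network": "private", "country": "CN"}),
    ]:
        print(label, "->", evaluate(Request(alice, hr_data, "read", env)))
```

The same identity asking for the same HR record gets allow, step-up and deny across the three environments, while the ICS rule denies an authorized operator who is outside the facility regardless of device risk. Note that policy-level denies and the classification tag on the resource are evaluated before any risk scoring, so a favorable device posture can never override them.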
Data access policies: These are the attributes, rules, and policies about access to enterprise
resources. This set of rules could be encoded in (via management interface) or dynamically
generated by the policy engine. These policies are the starting point for authorizing access to a
resource as they provide the basic access privileges for accounts and applications/services in
the enterprise. These policies should be based on the defined mission roles and needs of the
organization.
Data Loss Prevention (DLP): A system's ability to identify, monitor, and protect data in use (e.g.
endpoint actions), data in motion (e.g. network actions), and data at rest (e.g. data storage)
through deep packet content inspection and contextual security analysis of transactions
(attributes of originator, data object, medium, timing, recipient/destination, etc.), within a
centralized management framework. Data loss prevention capabilities are designed to detect
and prevent the unauthorized use and transmission of national security systems (NSS)
information.

Data Rights Management (DRM): Access control technologies that are used by hardware
manufacturers, publishers, copyright holders and individuals to limit the use of digital content
and devices in online or off-line environments.
Data Tagging: A non-hierarchical keyword or term assigned to a piece of information which
helps describe an item and allows it to be found or processed automatically.
Trusted Data Format (TDF): A government open standard for the tagging of data and control
over access to data across its full lifecycle. Originally developed by the intelligence community,
and leveraged where interoperability of multiple data-centric security approaches is required.

UNIFYING & AUTOMATING CYBER DEFENSE/NETWORK OPERATIONS


When we implement zero trust, human-machine teams defend the enterprise.
The last two pillars of the zero trust architecture (see Figure 3 for DoD’s view, or Figure 5 for
DON view) are:

• Visibility & analytics (the tools that allow cyber defenders to see and analyze what is
happening across all networks and endpoints under their protection)
• Automation & orchestration (the tools that allow cyber defenders to take actions, both
manual and automated, based on current activities and threat intelligence)
These two pillars recognize that human-machine teams are required to properly defend a
modern enterprise. A network of a scale similar to the DON (roughly one million end users
spread across the world, using dozens or hundreds of physical and logical discrete networks)
will generate millions or billions of events per day. All of those events are logged, and machine
learning techniques allow those millions or billions of event records to be boiled down to a
manageable number of incidents requiring human interaction. Without such tools and
approaches, humans could never keep up with the demand of monitoring our networks, let
alone quickly respond to cyber incidents that require actions by human operators.
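To make the event-to-incident reduction concrete, here is a single correlation rule of the kind a SIEM applies, written in Python as an added example for this page (not DON tooling). The log format, the failure threshold and window, and the log lines themselves are constructed for illustration.

```python
"""One SIEM-style correlation rule: many authentication events in, few
incidents out. Added example, not DON tooling; the log format, threshold,
window and the sample log lines are constructed for illustration."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data). One line is deliberately malformed.
SAMPLE_LOG = [
    "2023-09-01T08:00:01Z host=vpn1 user=bob src=203.0.113.5 event=auth_fail",
    "2023-09-01T08:00:02Z host=vpn1 user=bob src=203.0.113.5 event=auth_fail",
    "2023-09-01T08:00:03Z host=vpn1 user=bob src=203.0.113.5 event=auth_fail",
    "2023-09-01T08:00:04Z host=vpn1 user=bob src=203.0.113.5 event=auth_fail",
    "2023-09-01T08:00:05Z host=vpn1 user=bob src=203.0.113.5 event=auth_fail",
    "2023-09-01T08:00:06Z host=vpn1 user=bob src=203.0.113.5 event=auth_fail",
    "2023-09-01T08:00:10Z host=vpn1 user=bob src=203.0.113.5 event=auth_success",
    "2023-09-01T08:01:00Z host=vpn1 user=carol src=198.51.100.7 event=auth_fail",
    "2023-09-01T08:01:30Z host=vpn1 user=carol src=198.51.100.7 event=auth_fail",
    "2023-09-01T08:02:00Z host=vpn1 user=carol src=198.51.100.7 event=auth_success",
    "2023-09-01T08:00:00Z host=vpn2 user=dave src=192.0.2.9 event=auth_fail",
    "2023-09-01T08:08:00Z host=vpn2 user=dave src=192.0.2.9 event=auth_fail",
    "2023-09-01T08:16:00Z host=vpn2 user=dave src=192.0.2.9 event=auth_fail",
    "2023-09-01T08:24:00Z host=vpn2 user=dave src=192.0.2.9 event=auth_fail",
    "2023-09-01T08:32:00Z host=vpn2 user=dave src=192.0.2.9 event=auth_fail",
    "garbage line that does not parse",
]

LOG_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) "
                    r"src=(?P<src>\S+) event=(?P<event>\S+)$")


def parse(lines):
    """Parse lines into event dicts; skip (and count) malformed lines rather
    than letting one bad record stop the pipeline."""
    events, dropped = [], 0
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            dropped += 1
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    return events, dropped


def correlate(events, threshold=5, window=timedelta(minutes=10)):
    """Raise one incident per (user, source) whose failed logons within
    `window` reach `threshold`. A success from the same source after the
    burst escalates severity, since the credential was probably guessed."""
    by_key = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_key[(e["user"], e["src"])].append(e)
    incidents = []
    for (user, src), evs in by_key.items():
        fails = [e["ts"] for e in evs if e["event"] == "auth_fail"]
        start, hit = 0, None
        for i, t in enumerate(fails):          # sliding window over failures
            while t - fails[start] > window:
                start += 1
            if i - start + 1 >= threshold:
                hit = (fails[start], t, i - start + 1)
                break
        if hit is None:
            continue
        first, last, count = hit
        success_after = any(e["event"] == "auth_success" and e["ts"] > last
                            for e in evs)
        incidents.append({
            "user": user, "src": src, "first": first, "last": last,
            "failures": count, "success_after": success_after,
            "severity": "high" if success_after else "medium",
        })
    return incidents


def run(lines=SAMPLE_LOG):
    """Return (events parsed, lines dropped, incidents raised)."""
    events, dropped = parse(lines)
    return len(events), dropped, correlate(events)


if __name__ == "__main__":
    n, dropped, incidents = run()
    print(f"{n} events ({dropped} dropped) -> {len(incidents)} incident(s)")
    for inc in incidents:
        print(inc)
```

Fifteen parsed events become one incident: bob's burst of failures followed by a success from the same source. Carol's two failures and dave's five failures spread over half an hour stay below the threshold, which is the point of a windowed rule rather than a raw count; lowering the threshold or widening the window is how an analyst tunes the trade-off between missed activity and alert volume.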
The same tools and approaches become more important as we get closer to the tactical edge.
This is especially true for units that lack organic cyber defensive operators. Leveraging
automation and orchestration lessens the burden on smaller units and amplifies the
effectiveness of human cyber defenders by focusing attention where it is most needed. As we
diversify our transport options and modernize our application and data hosting environments (in
keeping with the Major Design Concept to Optimize the Information Environment for Cloud), we
open up new and vastly improved cyber defense capabilities for tactical units in the process.
Applicable technology patterns to unify and automate cyber defense/network operations
include but are not limited to:
Continuous Diagnostics and Mitigation (CDM): The DHS CDM program is an effort to
improve federal agency information technology (IT) security posture. Vital to that posture is an
agency's insight into the assets, configuration, and subjects within itself. To protect a system,
agencies need to set up processes to discover and understand the basic components and
actors in their infrastructure.

• What is connected? What devices, applications, and services are used by the
organization? This includes observing and improving the security posture of these
artifacts as vulnerabilities and threats are discovered.
• Who is using the network? What users are part of the organization or are external and
allowed to access enterprise resources? These include NPEs that may be performing
autonomous actions.
• What is happening on the network? An enterprise needs insight into traffic patterns
and messages between systems.
• How is data protected? The enterprise needs a set policy on how information is
protected at rest, in transit, and in use.
A CDM system gathers information about the current state of enterprise assets and applies
updates to configuration and software components. An enterprise CDM system provides the
policy engine with information about the asset making an access request, such as whether it is
running an appropriately patched operating system (OS), the integrity of enterprise-approved
software components or the presence of non-approved components, and whether the asset
has any known vulnerabilities. CDM systems are also responsible for identifying and potentially
enforcing a subset of policies on non-enterprise devices active on enterprise infrastructure.
Hardware Asset Management (HWAM): A program effort to help agencies identify devices on
their network infrastructure in order to deploy a secure configuration. This is similar to the first
steps in developing a road map to zero trust architecture. Agencies must have visibility into the
assets active on the network (or those accessing resources remotely) to categorize, configure,
and monitor the network's activity.
Industry compliance system: This ensures that the enterprise remains compliant with any
regulatory regime that it may fall under (e.g., FISMA, healthcare or financial industry information
security requirements). This includes all the policy rules that an enterprise develops to ensure
compliance.
Infrastructure as Code (IaC): The process of managing and provisioning computer data
centers through machine-readable definition files, rather than physical hardware configuration or
interactive configuration tools. The IT infrastructure managed by this process comprises both
physical equipment, such as bare-metal servers, as well as virtual machines, and associated
configuration resources. The definitions should reside in a version control system. The code in
the definition files may use either scripts or declarative definitions, rather than maintaining the
code through manual processes, but IaC more often employs declarative approaches.
Network and system activity logs: This enterprise system aggregates asset logs, network
traffic, resource access actions, and other events that provide real-time (or near real-time)
feedback on the security posture of enterprise information systems.
Software Bill of Materials (SBOM): An SBOM has emerged as a key building block in software
security and software supply chain risk management. An SBOM is a nested inventory, a list of
ingredients that make up software components.
Security Information and Event Management (SIEM): This collects security centric
information for later analysis. This data is then used to refine policies and warn of possible
attacks against enterprise assets.
Security Orchestration, Automation & Response (SOAR): A collection of software solutions
and tools that allow organizations to streamline security operations in three key areas: threat
and vulnerability management, incident response, and security operations automation.
Threat intelligence feed(s): This provides information from internal or external sources that
help the policy engine make access decisions. These could be multiple services that take data
from internal and/or multiple external sources and provide information about newly discovered
attacks or vulnerabilities. This also includes newly discovered flaws in software, newly identified
malware, and reported attacks to other assets that the policy engine will want to deny access to
from enterprise assets.
Vulnerability Exploitability eXchange (VEX): Provides users (e.g., operators, developers, and
service providers) additional information on whether a product is impacted by a specific
vulnerability in an included component and, if affected, whether there are recommended actions
to remediate. In many cases, a vulnerability in an upstream component will not be "exploitable"
in the final product for various reasons (e.g., the affected code is not loaded by the compiler, or
some inline protections exist elsewhere in the software).
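How SBOM, advisory and VEX data combine in practice is shown by the following Python, an added example for this page and not DON or CISA tooling. The document shapes are simplified (loosely following the OpenVEX/CycloneDX idea of statements that tie a vulnerability to a product and a status), and every package name and vulnerability identifier is constructed for the example. It also applies the check a practitioner would want: a not_affected statement is honored as a suppression only when it carries a justification, and a component with no statement at all is treated as still needing action.

```python
"""Correlating an SBOM, vulnerability advisories and VEX statements to
decide which findings actually need action. Added example, not DON or
CISA tooling; document shapes are simplified and every package name and
vulnerability identifier is constructed for illustration."""

# The four VEX statuses from CISA's minimum-requirements guidance.
VEX_STATUSES = {"not_affected", "affected", "fixed", "under_investigation"}

# Constructed SBOM: the "ingredients" of a hypothetical product.
SBOM = {
    "components": [
        {"name": "libfoo", "version": "1.2.3", "purl": "pkg:generic/libfoo@1.2.3"},
        {"name": "libbar", "version": "4.0.0", "purl": "pkg:generic/libbar@4.0.0"},
        {"name": "libbaz", "version": "0.9.0", "purl": "pkg:generic/libbaz@0.9.0"},
    ]
}

# Constructed advisory index: which vulnerability IDs apply to which purl.
ADVISORIES = {
    "pkg:generic/libfoo@1.2.3": ["VULN-A", "VULN-D"],
    "pkg:generic/libbar@4.0.0": ["VULN-B"],
    "pkg:generic/libbaz@0.9.0": ["VULN-C"],
}

# Constructed VEX statements from the hypothetical product supplier.
VEX = {
    "statements": [
        {"vulnerability": "VULN-A", "products": ["pkg:generic/libfoo@1.2.3"],
         "status": "not_affected",
         "justification": "vulnerable_code_not_in_execute_path",
         "impact_statement": "affected function is never called by the product"},
        {"vulnerability": "VULN-B", "products": ["pkg:generic/libbar@4.0.0"],
         "status": "affected", "action_statement": "upgrade libbar to 4.0.1"},
        # Deliberately incomplete: not_affected with no justification.
        {"vulnerability": "VULN-D", "products": ["pkg:generic/libfoo@1.2.3"],
         "status": "not_affected"},
    ]
}


def index_vex(vex):
    """Map (vulnerability, product) -> statement, rejecting unknown statuses."""
    idx = {}
    for s in vex["statements"]:
        if s["status"] not in VEX_STATUSES:
            raise ValueError(f"unknown VEX status {s['status']!r}")
        for p in s["products"]:
            idx[(s["vulnerability"], p)] = s
    return idx


def triage(sbom, advisories, vex):
    """Return one finding per (component, vulnerability) with a status and
    whether it is actionable. Absence of a statement is not a suppression,
    and neither is a not_affected claim without a justification."""
    idx = index_vex(vex)
    findings = []
    for comp in sbom["components"]:
        purl = comp["purl"]
        for vuln in advisories.get(purl, []):
            s = idx.get((vuln, purl))
            if s is None:
                status, note, act = "under_investigation", "no VEX statement", True
            elif s["status"] == "not_affected" and not s.get("justification"):
                status, note, act = ("under_investigation",
                                     "not_affected claim lacks justification; rejected", True)
            elif s["status"] == "not_affected":
                status, note, act = s["status"], s["justification"], False
            elif s["status"] == "fixed":
                status, note, act = s["status"], "fixed in this product version", False
            elif s["status"] == "affected":
                status, note, act = s["status"], s.get("action_statement", "no action given"), True
            else:
                status, note, act = s["status"], "supplier still investigating", True
            findings.append({"component": comp["name"], "purl": purl, "vuln": vuln,
                             "status": status, "note": note, "actionable": act})
    return findings


def actionable(findings):
    """The subset of findings that still require an operator decision."""
    return [f for f in findings if f["actionable"]]


if __name__ == "__main__":
    for f in triage(SBOM, ADVISORIES, VEX):
        flag = "ACTION" if f["actionable"] else "suppressed"
        print(f"{flag:10} {f['component']:8} {f['vuln']:7} {f['status']:20} {f['note']}")
```

Of the four component/vulnerability pairs, only the supplier's justified not_affected statement removes work from the queue; the unjustified one and the component with no statement remain actionable. Treating silence and unjustified claims as "still open" is the conservative default, since VEX is only as trustworthy as the analysis behind it.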

Measuring success
The Capstone Design Concept for Information Superiority mandates two outcomes to ensure
that solution providers are doing the right things, and four key attributes that help to ensure
that solution providers are doing things in the right ways.

DOING THE RIGHT THING: OUTCOMES

Customer Experience (CX)

Capability providers must be able to measure and report customer experience (CX). DON CIO
and other relevant authorities will ask: What are your measures for CX and who approved them,
and, what is your CX performance, and how do you know? The answers to these questions
matter because they predict whether customers will use solutions as provided, or seek others.
As examples, CX measures for solutions that implement zero trust might include:

• Click counts (e.g., average number of clicks to conduct common operations)
• Timing of responsiveness to direct user input (e.g., keystroke or cursor lag)
• Boot/startup/wait times (e.g., time spent waiting for a productive user interface)
• Direct user feedback (e.g., trouble tickets; survey responses; unsolicited inputs)
• User engagement metrics (e.g., trends in time spent using applications/services)

Operational Resilience (OR)

Capability providers must also be able to measure and report operational resilience (OR). DON
CIO and other relevant authorities will ask: What are your measures for OR and who approved
them, and, what is your OR performance, and how do you know? The answers to these
questions matter because they predict whether solutions, as provided, can be trusted.
As examples, OR measures for solutions that implement zero trust might include:

• Downtime metrics (e.g., raw downtime; trends in availability, positive or negative)
• Degradation metrics (e.g., sustained bitrates; responsiveness under extreme conditions)
• Recovery metrics (e.g., time to recover applications/services to a user-responsive state)
• Direct measures of integrity (e.g., fault tolerance; failure mode functionality)
• Measures of self-help capabilities (e.g., success rates of fault isolation and correction)

DOING THINGS THE RIGHT WAY: ATTRIBUTES

Customer Focused

Customer focus means that there is no ambiguity about who the customer is, nor is there any
daylight between the customer’s view of their own needs and the service provider’s view of the
customer’s needs. The other three attributes require that capability providers unambiguously
know who their customers are, and what their customers need.
Anti-patterns – behaviors indicating that we are not focused on our customers – include not
knowing who the customer is, not having regular communication with customers, and relying on
outdated static documents, rather than feedback from customers, to drive requirements.

Best Value Cost

Best value cost is not necessarily the lowest possible cost for a product or service; rather, it is
the cost that corresponds to the greatest affordable benefit for both the American taxpayer and
the customer, who is known unambiguously to the solution provider. Implementing Financial
Operations (FinOps) best practices, advanced by the FinOps Foundation, can provide evolving
cloud financial management discipline and cultural practice that can enable DON organizations
to get maximum best value cost by helping engineering, finance, technology and business
teams to collaborate on data-driven spending decisions.
Anti-patterns – behaviors indicating that we are not seeking best-value cost – include specifying
lowest price technically acceptable (LPTA) for every contract, regardless of what is being
procured, and seeking fixed prices for technical services where requirements and designs for a
material solution remain unknown.

Confidence-Inspiring

Solutions, and their capability providers, must inspire the confidence of their customers, who
they know unambiguously. When IT solutions fail to inspire confidence, they aren’t utilized.
When capability providers continue to deliver IT solutions that fail to inspire confidence over a
long period of time, the customer’s lack of confidence in solutions becomes a lack of confidence
in the solution provider.
Anti-patterns – behaviors indicating that we are not inspiring confidence – include customers
objecting to being told to use a product or service, and the emergence of shadow IT (alternative
solutions procured by customers themselves, typically using funds intended for other purposes).

Dynamic

Solution providers must produce, deliver, and change solutions at a pace that is meaningfully
responsive to the input of their customers, who they know unambiguously. Solutions must
evolve at a pace that allows their customers to meet changing operational needs and counter
changing operational threats.
Anti-patterns – behaviors indicating that we are not dynamic – include the inability to measure
the rate at which new features or solutions are deployed, the inability to show which features or
solutions derive from what customer input, and the inability to deploy new features and security
updates for commercial software at the pace at which they become available for general use.

Moving forward
This Major Design Concept will be the anchor for a series of more detailed Topical Design
Concepts. The Topical Design Concepts will each focus on singular transformation topics
organized loosely under each of the four design patterns and approaches described here:

• Enabling Dynamic User Access and Resource Visibility
• Providing Secure/Broad Access Across Network/Devices
• Conditionally Authorizing Access to Multiple Categories of Information
• Unifying & Automating Cyber Defense/Network Operations.
All Topical Design Concepts will be focused, timely, and updated often to provide our workforce
the up-to-date guidance they need to continue to drive the transformation of the DON
Information Environment.
