Version: 1.0
FOREWORD
In September 2022, DON CIO published the Capstone Design Concept for Information Superiority,
providing top level direction to modernize the DON Information Environment, consisting of:
This Major Design Concept establishes our direction to achieve our third major modernization objective:
Implement Zero Trust.
Our objective is to establish identity driven perimeters that enhance information security through dynamic,
conditions-based access to data, assets, applications and services. We will do this by:
Zero Trust updates our framework for cybersecurity for the software-defined era by recognizing that our
data, assets, applications, and services (resources) are what must be protected, that identity (of people
and autonomous sensors/systems) is the boundary, and through data tagging/analysis and automated
policy orchestration it is possible to dynamically provide conditional access to specific identities on certain
infrastructures to specific data and workloads. In this view, the network and its firewalls still exist, but as
an attribute of the terrain rather than the terrain itself. This allows us to securely make any information
available from virtually anywhere, improving both customer experience and operational resilience.
Technology patterns and practices along these lines will continue to evolve, and so must our guidance.
The DON Chief Technology Officer will directly publish updates to this Major Design Concept, and
welcomes anyone and everyone working within this space to author Topical Design Concepts in areas of
their expertise. We will quickly review and publish as many as we find necessary and useful.
We must all continue to work together to drive innovation at the scale and pace needed to realize the
premise of the DON Information Superiority Vision, that information is combat power. Successful
completion of our mission to modernize, innovate, and defend our information to achieve a digital edge
that no adversary can match depends on our ability to design, develop, and deploy the best technology
solutions. We have the watch, and we must think and act differently to achieve Information Superiority.
JANE O. RATHBUN
Chief Information Officer (Acting)
Department of the Navy
UNCLASSIFIED
Table of Contents
Modernization objective
  Zero trust: A shift in our cybersecurity approach
    Network-centric security
    Data-centric security
  What is “zero trust”?
  DON Implementation of Zero Trust
Design Patterns and Approaches
  Design activities to achieve zero trust
  Enabling dynamic user access and resource visibility
  Providing secure/broad access across network/devices
  Conditionally authorizing access to multiple categories of information
  Unifying & automating cyber defense/network operations
Measuring success
  Doing the right thing: Outcomes
  Doing Things The Right Way: Attributes
Moving forward
Modernization objective
Zero trust: A shift in our cybersecurity approach
Network-centric security
The concepts of network-centric security represent the best practices and principles of
cybersecurity that evolved in the late 20th and early 21st centuries. Under a network-centric
security paradigm, one can think of a network like a castle, and the job of cybersecurity as the
defense of the castle. The objective, in a network-centric security model, is to keep bad actors
out of the network. Defenders focus mainly on the perimeters of the network, relying on multiple,
complex layers of security measures to prevent, detect, and respond to a network intrusion in
much the same way that a castle is protected by moats, ramparts, and turrets.
Because security is afforded by the network in this model, anyone needing access must be
inside of the network to be considered secure. This means that the network must be extended
anywhere that secure access is required—leading to the rise of Virtual Private Networks (VPNs)
as a means of extending the blanket of cybersecurity around endpoints from other networks.
This also means that anything that must be externally accessible (such as a public web site)
must be in a ‘demilitarized zone (DMZ)’—a gray area that is not fully protected because, like a
gate house with a drawbridge, it must be accessible from the outside to fulfill its basic purpose.
A network-centric security approach:
• Assumes that bad actors come mostly or entirely from outside of the network, and that
the basic role of cybersecurity is to prevent, detect, and respond to network intrusion.
• Assumes that keeping the network perimeter secure keeps the organization’s resources
(data, assets, applications, and services) secure.
• Allows or denies access to resources mostly by allowing or denying access to networks
(network access includes access to many or most organizational resources by default).
Data-centric security
A data-centric security approach:
• Assumes that bad actors have already breached the network or that a breach of the
network is inevitable.
• Protects the organization’s resources (data, assets, applications, and services) directly,
instead of focusing primarily on network perimeter defense.
• Allows or denies access to organizational resources based on a combination of factors,
including identity, device, network, policy, threat intelligence, and patterns of behavior.
Practicing data-centric security does not mean giving up the boundary-focused defenses that
characterize a network-centric security architecture, but it does mean that protecting the
network from intrusion is no longer the primary role of cybersecurity. In a data-centric security
model, the primary role of cybersecurity is to protect the organization’s resources (data, assets,
applications, and services). A data-centric security approach has no ‘trusted’ zones and does
not assume that boundary defenses will keep the organization’s resources safe. In fact,
data-centric security proceeds from the assumption that any given network is already breached.
Defending a castle after its walls have been breached is very different from defending a castle
prior to that point. The most important assets—people and property—need to be moved into a
keep (a smaller, more defensible area). Defenders can no longer assume that anyone inside the
castle is really an ally, even if they appear to be one of the defenders. Anyone approaching the
keep must be challenged—and context (not only who approaches, but how, when, and why they
are seeking access) becomes critical in determining whether to allow access.
The same concepts apply in a data-centric security model. Micro-segmentation separates
resources into smaller, more defensible groups. Every request for a resource is treated as
potentially malicious. A policy decision point (PDP) evaluates the identity of the subject (the
person or non-person entity making the request), the device it is using, and the network it is
coming from, and applies policy settings, threat intelligence, and observed patterns of activity to
determine whether to grant access to the resource. The decision is not made once per session:
access is evaluated continuously, on every request, and a policy enforcement point (PEP) sits in
front of the resource to admit or block requests according to the PDP’s current decision.
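The PDP/PEP flow just described, as an added example in Python (this is not code from the design concept or from any DON system): a policy decision point that checks identity, device, network, threat intelligence and behaviour against the tags on the resource, and a policy enforcement point that asks for a fresh decision on every request. The attribute names, the thresholds, the blocked network range and the leaked-account name are constructed assumptions.

```python
"""Added example: a minimal policy decision point (PDP) and policy
enforcement point (PEP) for one tagged resource. All data is constructed."""
import ipaddress
from dataclasses import dataclass

# Threat-intelligence inputs as the PDP would receive them (constructed).
BLOCKED_NETWORKS = [ipaddress.ip_network("198.51.100.0/24")]  # hypothetical hostile range
COMPROMISED_ACCOUNTS = {"svc-backup"}                          # hypothetical leaked credential

CLEARANCE_RANK = {"U": 0, "C": 1, "S": 2}

@dataclass(frozen=True)
class Subject:            # person or non-person entity
    name: str
    roles: frozenset
    clearance: str        # "U", "C" or "S"
    mfa: bool             # strongly authenticated this session?

@dataclass(frozen=True)
class Device:
    device_id: str
    managed: bool         # owned/operated by the enterprise
    compliant: bool       # comply-to-connect result

@dataclass(frozen=True)
class Context:            # network and behavioural signals for this request
    source_ip: str
    hour_utc: int
    failed_logins_last_hour: int

@dataclass(frozen=True)
class Resource:           # tags on the protected data
    name: str
    classification: str
    required_roles: frozenset

def decide(subject, device, context, resource):
    """Policy decision point. Returns ("ALLOW" | "DENY", reason).
    Deny conditions are checked first; nothing is cached between calls."""
    src = ipaddress.ip_address(context.source_ip)
    if subject.name in COMPROMISED_ACCOUNTS:
        return "DENY", "account in threat-intel feed"
    if any(src in net for net in BLOCKED_NETWORKS):
        return "DENY", "source network flagged by threat intel"
    if not (device.managed and device.compliant):
        return "DENY", "device not managed and compliant"
    if not subject.mfa:
        return "DENY", "identity not strongly authenticated"
    if CLEARANCE_RANK[subject.clearance] < CLEARANCE_RANK[resource.classification]:
        return "DENY", "clearance below resource classification"
    if not (subject.roles & resource.required_roles):
        return "DENY", "no role entitles this resource"
    # Behavioural signal: bursts of failed logins or off-hours access are
    # tolerated only for unclassified data.
    anomalous = context.failed_logins_last_hour >= 5 or not 6 <= context.hour_utc <= 20
    if anomalous and resource.classification != "U":
        return "DENY", "anomalous behaviour on sensitive resource"
    return "ALLOW", "all conditions met"

class PolicyEnforcementPoint:
    """The only path to the resource; asks the PDP again on every request,
    so a session that was allowed earlier is cut off when context changes."""
    def __init__(self, resource, backend):
        self.resource = resource
        self.backend = backend     # callable that actually returns the data
        self.audit = []            # (subject, resource, verdict, reason)

    def request(self, subject, device, context):
        verdict, reason = decide(subject, device, context, self.resource)
        self.audit.append((subject.name, self.resource.name, verdict, reason))
        return self.backend() if verdict == "ALLOW" else None
```

Every verdict carries a reason, and the PEP writes it to an audit trail; that trail is what visibility and analytics consume later. Because the PEP never caches a verdict, a device that falls out of compliance mid-session is denied on its next request rather than at its next login.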
The Department of Defense (DoD) CIO published the DoD Zero Trust Strategy required by the
National Defense Authorization Act (NDAA) for Fiscal Year (FY) 2022 section 1528. The
strategy further defines zero trust by establishing capability pillars for Users, Devices,
Application & Workload, Data, Network & Environment, Automation & Orchestration, and
Visibility & Analytics. The capabilities are broken down into a set of enabling activities that
specify Target and Advanced zero trust levels. The DoD Zero Trust Capability Execution
Roadmap provides greater zero trust definition to support program and project implementation.
Zero trust provides a data-centric security model that applies the principle of least-privilege to
every access decision, thus allowing users access to only the resources required to perform
their duties. The concept also implements granular, risk-based access controls and assumes
that a breach is inevitable or has already occurred. The DoD Zero Trust Reference Architecture
embeds comprehensive security monitoring technologies to employ anomalous or malicious
activity detection and considers who, what, when, where, and how as critical factors for correctly
allowing or denying access to resources. Target Level is the minimum set of zero trust capability
functions technical baselines must achieve to secure and protect the DON’s data, applications,
assets and services (DAAS). While the DoD zero trust framework will mature and adapt over
time, the current strategic context dictates an immediate focus on expediting investments in
core zero trust capabilities and technologies. The DON and Services must achieve Target Level
zero trust as soon as possible.
The target architecture continues to evolve operational capabilities with the adoption of new
technology such as Software Defined Perimeters (SDP), Robotic Process Automation (RPA),
Remote Procedure Call (RPC) enabled AI, integration with enterprise Identity Credential and
Access Management (ICAM) services, data protections, and robust risk-based analytics.
Integrating enterprise Naval Identity Services (NIS) ICAM services ensures that the same
identity and attributes are used in every authorization decision and provides identity federation
for each zero trust implementation across the naval enterprise. Adopting SDP adds an
abstraction layer to the DoDIN: inspection and segmentation are performed before a user or
device connects to the resource. SDP combined with data tagging and protections such as data
loss prevention and data rights management provides strong protection against data exfiltration.
Each of these capabilities supplies the visibility needed for the analytics that produce the risk
scores used in authorization decisions.
The NDAA for FY22 also requires DoD components to develop zero trust implementation plans
within one year of DoD’s publication of zero trust architecture, strategy, and principles. Zero
trust implementation plans must include the DoD Information Network (DoDIN), including
classified network, operational technology (control systems that operate critical industrial
equipment and assets), and weapon systems.
The DON zero trust view depicted above provides a high-level overview of zero trust concepts,
and some essential enabling technology patterns for each of the capability pillars. This view
begins to show how the DON implements zero trust principles in practice.
• Devices include any type of device that may access data. This includes computers of
any type, size, or form factor. Devices may be managed (owned/operated by the DON)
or unmanaged (owned and operated by others).
• Networks include both DoD-owned and operated network infrastructure, and any other
network infrastructure that the DON may use, in any setting (in garrison, deployed, at
home or on travel, etc.).
• Users are both any persons (any DON-affiliated person) and any non-person entities
(automated processes or services) that require access to resources.
• Applications are the computer programs used by users (persons and non-person
entities) to either generate or gain access to data.
• Data is the center of the zero trust enterprise; it is what we are seeking to understand,
protect, and deliver securely.
• Visibility and analytics provide the tooling necessary to see, gather, and analyze what
is happening across all our devices, networks, users, applications, and data.
• Automation and orchestration provide the tooling necessary to take or trigger actions
based on the patterns of behavior we observe through visibility and analytics.
Zero trust authorization decisions consider users, networks, and devices, as well as patterns of
behavior exposed through visibility and analytics. A zero trust enterprise assumes a breach is
inevitable and applies protective measures directly around resources.
The DoD Maturity Model provides a high-level view of the capabilities and activities required to
achieve Target Level. Detailed descriptions, outcomes, and updates are provided in Appendices
A-D of the DoD Zero Trust Strategy, which cover the basic and intermediate zero trust maturity
levels defined by the Zero Trust Reference Architecture (RA). The DoD Zero Trust Portfolio
Management Office (ZT PfMO) defines Target Level zero trust as comprising both the basic and
intermediate capabilities.
The DON Zero Trust design thinking view illustrates isolating ‘organizational data’ behind a
Policy Enforcement Point (PEP). The accompanying ABAC digital access policies force all
access to the data through the PEP, allowing only a select few applications to connect to the
data resource. In the example, micro-segmentation logically separates the Software as a
Service (SaaS) application from the organizational data. The SaaS workload and data are
NIS ICAM interoperability relies on a trust relationship between the Identity Provider (IdP) and
Service Providers (SPs). Three standards are combined to illustrate the example above: NIST
SP 800-207 Zero Trust Architecture, NIST SP 800-162 ABAC, and SAML v2.0. Service provider
software must be able to work with both internal and external IdPs, load balanced or configured
to prefer one over the other, as shown in figure 9.
All ABAC conditions for access to the protected environment, including ‘Comply to Connect’
conditions, must be met before access is considered. When a user requests access to a
resource, the SAML token is forwarded from the Policy Administrator (PA) to the Policy Engine
(PE). The PE considers the entitlements listed in the token’s ‘Authorization Decision
Statement’, which this design concept defines as NIS centralized administrative intent. The PE
reads the token and translates it into low-priority ABAC access permissions specific to the user,
then compares the user’s request against the higher-priority ABAC access criteria. If all
conditions are met, the decision is communicated to the PA, which maps the user to data
pathways to the authorized resources. This method meets the NIS administrator’s requirement
to audit global user access permissions. Service Provider products must be able to assign
internal entitlements hidden from the global community, to meet provisions in the program’s
Program Protection Plan (PPP). Programs should forward PPPs that have Critical Program
Information (CPI) hidden-entitlement requirements to NIS using classification-appropriate
channels. The PE’s context-based trust algorithm checks the user’s organizational role,
historical logs, and other factors to detect a possibly subverted account based on the user’s
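The token-to-ABAC precedence described above (SAML entitlements treated as low-priority permissions, higher-priority ABAC criteria such as comply-to-connect checked first), as an added Python example that is not code from this design concept or from NIS. The assertion is constructed sample data, the condition names are assumptions, and signature and issuer validation of the assertion are assumed to have already happened before this step.

```python
"""Added example: a policy engine step that turns a SAML 2.0
AuthzDecisionStatement into low-priority entitlements and applies
higher-priority ABAC conditions first. Sample assertion and condition
names are constructed; signature verification is assumed done upstream."""
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML}

# Constructed assertion: the IdP permits Read on two resources, denies Write.
ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML}" ID="_a1" Version="2.0"
  IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.mil</saml:Issuer>
  <saml:Subject><saml:NameID>user1@example.mil</saml:NameID></saml:Subject>
  <saml:AuthzDecisionStatement Resource="urn:app:readiness" Decision="Permit">
    <saml:Action Namespace="urn:oasis:names:tc:SAML:1.0:action:rwedc">Read</saml:Action>
  </saml:AuthzDecisionStatement>
  <saml:AuthzDecisionStatement Resource="urn:app:readiness" Decision="Deny">
    <saml:Action Namespace="urn:oasis:names:tc:SAML:1.0:action:rwedc">Write</saml:Action>
  </saml:AuthzDecisionStatement>
  <saml:AuthzDecisionStatement Resource="urn:app:hr" Decision="Permit">
    <saml:Action Namespace="urn:oasis:names:tc:SAML:1.0:action:rwedc">Read</saml:Action>
  </saml:AuthzDecisionStatement>
</saml:Assertion>"""

def token_entitlements(assertion_xml):
    """Low-priority layer: returns (subject, {(resource, action): decision})."""
    root = ET.fromstring(assertion_xml)
    subject = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    ents = {}
    for stmt in root.findall("saml:AuthzDecisionStatement", NS):
        for action in stmt.findall("saml:Action", NS):
            key = (stmt.get("Resource"), action.text.strip())
            # A Deny for a (resource, action) pair is never overridden by a
            # later Permit in the same assertion.
            ents[key] = "Deny" if ents.get(key) == "Deny" else stmt.get("Decision")
    return subject, ents

# Higher-priority ABAC criteria evaluated with local context (names assumed).
# Each returns True when the condition is satisfied.
HIGH_PRIORITY = {
    "comply_to_connect": lambda ctx: ctx["device_compliant"],
    "network_posture":   lambda ctx: ctx["network"] in {"NIPR", "SIPR"},
    "org_role_matches":  lambda ctx: ctx["org_role"] in ctx["resource_roles"],
}

def authorize(assertion_xml, resource, action, ctx):
    """Returns (allowed, reasons). Token entitlements are consulted only after
    every higher-priority condition has passed, so local criteria can narrow
    access but never widen what the IdP asserted."""
    failed = [name for name, check in HIGH_PRIORITY.items() if not check(ctx)]
    if failed:
        return False, ["unmet: " + name for name in failed]
    subject, ents = token_entitlements(assertion_xml)
    decision = ents.get((resource, action), "Indeterminate")
    return decision == "Permit", [f"{subject}: token says {decision}"]
```

Two properties are worth confirming in any real PE built this way: a higher-priority condition can only remove access (no local rule grants what the token did not), and an absent entitlement is treated as Indeterminate, which denies. Parse assertions only after the XML signature has been verified, and use a hardened parser such as defusedxml on untrusted input.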
The above example illustrates an option to embed zero trust access control within the protected
zone. Embedded zero trust access control can be employed on unclassified or secret networks
to meet specific security needs. In this example, the embedded Zero Trust Access Control
Mechanism (ACM) is a SIPR v2.0 classified zone behind a bulk encryption device. USN and
USMC classified network design architectures and deployments will stipulate absolute
restrictions on access locations, device physical connections that meet TEMPEST requirements,
data-flow anti-tamper safeguards, and prevailing quantum-resistant encryption standards. The
user and classified device connected to the SIPR v2.0 Naval Network will leverage tuple
authentication methods to “explicitly authenticate both the user and the device”, dependent on
authorized usage locations and SIPR v2.0 encryption requirements. SIPR v2.0 remains
cryptographically separated from unclassified transport networks. Micro-segmentation command
and control ensures that only partnering local and remote encryption hardware and software are
Deeply understanding our data makes it both more secure and more useful.
Zero trust architecture absolutely depends on a deep understanding of data, both to secure it,
and to make better use of that data operationally. Implementing zero trust means, significantly,
understanding and managing our data far better than we have in the past.
From a security perspective, zero trust architectures implement Attribute Based Access Control
(ABAC)—which makes data available (or not) based on the attributes of both the resource (the
data being sought) and the subject (the person or non-person entity seeking the data). Allowing
or not allowing access to a resource based on the attributes of the resource and the subject
requires that we understand both—the data sought, and the entity seeking it—sufficiently to
make granular access decisions based on both. Humans can intuitively decide that a human
resources professional should have access to human resources data, or that a military
commander has a legitimate need to access information about readiness of their military units.
In part, zero trust is about enabling machines to make the same kinds of judgments, which
requires both subjects and the resources to be tagged in ways that enable access decisions.
This might seem like it makes data less available, but we would expect the opposite to be true.
Tagging data about subjects (people, groups or organizations, and non-person entities) and
resources (data, assets, applications, and services) makes that data more available to a wider
audience than traditional methods of segregating data for purposes of access control. This is
because this approach segregates data logically more than physically—meaning that data about
subjects and resources that wouldn’t ordinarily be in the same place, can be in the same place.
Data Rights Management (DRM): Access control technologies that are used by hardware
manufacturers, publishers, copyright holders and individuals to limit the use of digital
content and devices in online or off-line environments.
Data Tagging: A non-hierarchical keyword or term assigned to a piece of information which
helps describe an item and allows it to be found or processed automatically.
Trusted Data Format (TDF): A government open standard for tagging data and controlling access
to it across its full lifecycle. Originally developed by the intelligence community, it is used where
interoperability among multiple data-centric security approaches is required.
• Visibility & analytics (the tools that allow cyber defenders to see and analyze what is
happening across all networks and endpoints under their protection)
• What is connected? What devices, applications, and services are used by the
organization? This includes observing and improving the security posture of these
artifacts as vulnerabilities and threats are discovered.
• Who is using the network? What users are part of the organization or are external and
allowed to access enterprise resources? These include NPEs that may be performing
autonomous actions.
• What is happening on the network? An enterprise needs insight into traffic patterns
and messages between systems.
• How is data protected? The enterprise needs a set policy on how information is
protected at rest, in transit, and in use.
A continuous diagnostics and mitigation (CDM) system gathers information about the enterprise
asset’s current state and applies updates to configuration and software components. An
enterprise CDM system provides the policy engine with information about the asset making an
access request, such as whether it is running an appropriately patched operating system (OS),
the integrity of enterprise-approved software components or the presence of non-approved
components, and whether the asset has any known
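A posture check of the kind the CDM system feeds to the policy engine, as an added Python example (not code from the design concept or from any CDM product): it compares a constructed asset record against an OS patch baseline, an allowlist of approved software versions and hashes, and a vulnerability feed. The baseline values, the hash allowlist, the asset record and the advisory identifier ADV-TEST-001 are illustrative assumptions.

```python
"""Added example: comply-to-connect posture assessment from a CDM-style
asset record. Baselines, hashes, asset data and advisory IDs are constructed."""
import hashlib

def h(s):
    """Stand-in for the published SHA-256 of an approved binary (constructed)."""
    return hashlib.sha256(s.encode()).hexdigest()

# Enterprise baselines (constructed). Patch levels are YYYY-MM strings, which
# compare correctly as plain strings.
OS_BASELINE = {("windows", "11"): "2024-05", ("rhel", "9"): "2024-05"}

APPROVED_SOFTWARE = {                      # name -> {version: sha256}
    "edr-agent": {"4.2.0": h("edr-agent-4.2.0")},
    "vpn-client": {"7.1.3": h("vpn-client-7.1.3")},
}
VULN_FEED = {("vpn-client", "7.1.2"): ["ADV-TEST-001"]}   # hypothetical advisory

ASSET = {   # constructed CDM record for one workstation
    "asset_id": "WS-0042",
    "os": ("windows", "11"), "os_patch": "2024-03",
    "software": [
        {"name": "edr-agent", "version": "4.2.0", "sha256": h("edr-agent-4.2.0")},
        {"name": "vpn-client", "version": "7.1.2", "sha256": h("vpn-client-7.1.2")},
        {"name": "screen-recorder", "version": "1.0", "sha256": h("x")},
    ],
}

def assess(asset):
    """Returns a posture record the policy engine can reason over: the asset,
    a compliant flag, and every finding that caused a failure."""
    findings = []
    required = OS_BASELINE.get(asset["os"])
    if required is None:
        findings.append("os not in baseline")
    elif asset["os_patch"] < required:
        findings.append(f"os patch {asset['os_patch']} < {required}")
    for sw in asset["software"]:
        versions = APPROVED_SOFTWARE.get(sw["name"])
        if versions is None:
            findings.append(f"non-approved component {sw['name']}")
            continue
        expected = versions.get(sw["version"])
        if expected is None:
            findings.append(f"{sw['name']} {sw['version']} not an approved version")
        elif expected != sw["sha256"]:
            # Right version string, wrong bytes: treat as a tampered binary.
            findings.append(f"{sw['name']} integrity mismatch")
        for adv in VULN_FEED.get((sw["name"], sw["version"]), []):
            findings.append(f"{sw['name']} {sw['version']} has known vuln {adv}")
    return {"asset_id": asset["asset_id"], "compliant": not findings, "findings": findings}
```

The hash comparison is what separates "approved software is installed" from "the approved binary is intact": a compliant version string with a mismatching hash is reported as an integrity finding, not as approved. Returning the findings list rather than a bare pass/fail lets the policy engine weigh the request against the sensitivity of the resource.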
Measuring success
The Capstone Design Concept for Information Superiority mandates two outcomes to ensure
that solution providers are doing the right things, and four key attributes that help to ensure
that solution providers are doing things in the right ways.
Capability providers must be able to measure and report customer experience (CX). DON CIO
and other relevant authorities will ask: What are your measures for CX and who approved them,
and, what is your CX performance, and how do you know? The answers to these questions
matter because they predict whether customers will use solutions as provided, or seek others.
As examples, CX measures for solutions that implement zero trust might include:
Capability providers must also be able to measure and report operational resilience (OR). DON
CIO and other relevant authorities will ask: What are your measures for OR and who approved
them, and, what is your OR performance, and how do you know? The answers to these
questions matter because they predict whether solutions, as provided, can be trusted.
As examples, OR measures for solutions that implement zero trust might include:
Customer Focused
Customer focus means that there is no ambiguity about who the customer is, nor is there any
daylight between the customer’s view of their own needs and the service provider’s view of the
customer’s needs. The other three attributes require that capability providers unambiguously
know who their customers are, and what their customers need.
Anti-patterns – behaviors indicating that we are not focused on our customers – include not
knowing who the customer is, not having regular communication with customers, and relying on
outdated static documents, rather than feedback from customers, to drive requirements.
Best Value Cost
Best value cost is not necessarily the lowest possible cost for a product or service; rather, it is
the cost that corresponds to the greatest affordable benefit for both the American taxpayer and
the customer, who is known unambiguously to the solution provider. Implementing Financial
Operations (FinOps) best practices, as advanced by the FinOps Foundation, provides an evolving
cloud financial-management discipline and cultural practice that enables DON organizations to
achieve best value cost by helping engineering, finance, technology, and business teams
collaborate on data-driven spending decisions.
Anti-patterns – behaviors indicating that we are not seeking best-value cost – include specifying
lowest price technically acceptable (LPTA) for every contract, regardless of what is being
procured, and seeking fixed prices for technical services where requirements and designs for a
material solution remain unknown.
Confidence-Inspiring
Solutions, and their capability providers, must inspire the confidence of their customers, who
they know unambiguously. When IT solutions fail to inspire confidence, they aren’t utilized.
When capability providers continue to deliver IT solutions that fail to inspire confidence over a
long period of time, the customer’s lack of confidence in solutions becomes a lack of confidence
in the solution provider.
Anti-patterns – behaviors indicating that we are not inspiring confidence – include customers
objecting to being told to use a product or service, and the emergence of shadow IT (alternative
solutions procured by customers themselves, typically using funds intended for other purposes).
Dynamic
Solution providers must produce, deliver, and change solutions at a pace that is meaningfully
responsive to the input of their customers, who they know unambiguously. Solutions must
evolve at a pace that allows their customers to meet changing operational needs and counter
changing operational threats.
Anti-patterns – behaviors indicating that we are not dynamic – include the inability to measure
the rate at which new features or solutions are deployed, the inability to show which features or
solutions derive from what customer input, and the inability to deploy new features and security
updates for commercial software at the pace at which they become available for general use.
Moving forward
This Major Design Concept will be the anchor for a series of more detailed Topical Design
Concepts. The Topical Design Concepts will each focus on singular transformation topics
organized loosely under each of the four design patterns and approaches described here: