DoD unveils Zero Trust Overlays document for achieving cybersecurity goals from 2021 Executive Order

The U.S. Department of Defense (DoD), through its chief information officer, last week published the ‘Zero Trust Overlays’ document, designed to serve as both a road map and a guide for helping the department achieve the goals set forth in a 2021 executive order signed by President Joe Biden. The DoD used the capability concept to build the Zero Trust Overlays, associating security controls with the security protection needs defined by the zero trust capabilities, activities, and outcomes.

The nearly 400-page document is based on the DoD Zero Trust Reference Architecture and the DoD Zero Trust Capability Execution Roadmap (COA 1). These documents describe the set of pillars, capabilities, enablers, and supporting activities and outcomes that underpin the Zero Trust Overlays. The execution enablers are cross-cutting, non-technical capabilities and activities that address culture, governance, and elements of DOTmLPF-P (Doctrine, Organization, Training, materiel, Leadership and Education, Personnel, Facilities, and Policy).

The seven pillars outlined in the Zero Trust Overlays document include the user pillar, which continuously authenticates users, controls their access, and monitors user activity patterns to govern users’ access and privileges while protecting and securing all interactions; the device pillar, in which understanding the health and status of devices informs risk decisions; the application and workload pillar, which secures everything from applications to hypervisors, including the protection of containers and virtual machines; and the data pillar, which covers data transparency and visibility enabled and secured by enterprise infrastructure, applications, standards, robust end-to-end encryption, and data tagging.

It also includes the network and environment pillar, which segments, isolates, and controls (physically and logically) the network environment with dynamic, granular policy and access controls; the automation and orchestration pillar, which provides automated security response based on defined processes and security policies enabled by artificial intelligence (AI); and the visibility and analytics pillar, which analyzes events, activities, and behaviors to derive context and applies AI/machine learning (ML) to build a highly personalized model that improves detection and reaction time in making real-time access decisions.

“The zero trust overlays are another tool in the department’s toolbox supporting components’ execution by providing clear guidance on which controls facilitate specific zero trust activities and outcomes,” Dave McKeown, DOD’s deputy CIO for cybersecurity and chief information security officer, said in a media statement.

The overlays are expected to be a boon to those tasked with implementing ‘zero trust’ across the department. 

“The overlays help our risk management practitioners achieve zero trust outcomes, ensuring our adversaries cannot move laterally within our networks,” said Randy Resnick, DOD’s chief zero trust officer. 

The zero trust concept redefines how data, networks, and information systems are secured — not just within DOD, but across industry and the entire federal government, said Will Schmitt, a division chief within DOD’s Zero Trust Portfolio Management Office.

“Zero trust is a modern cybersecurity approach requiring all users and devices, whether inside or outside an organization’s network, to be authenticated and authorized before being granted access to data, assets, applications, and services,” he said. “Zero trust assumes that the adversary is already embedded in your infrastructure and, notwithstanding, implements cybersecurity rules, policies, and techniques which have the effect of thwarting, constraining and frustrating an adversary’s freedom of movement and ability to exploit data.” 

Security today, Schmitt said, is focused on the network. Users authenticate — prove that they are authorized to be on a network, with a CAC login, for instance — and once on that network, they have free rein to look at and modify everything on the network.
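To make the contrast between the two models concrete, here is a small per-request policy decision point. It is an added illustration, not code from the DoD Zero Trust Overlays or any DoD system; every name, threshold and sample record in it is constructed for the example. It shows the perimeter model (one network login grants reach to everything) next to a zero trust evaluation that checks identity, session freshness, device health, least-privilege role, and MFA for each request, and that records each decision for the visibility pillar. The same authenticated analyst reaches the resource their role allows and is denied the one it does not, which is how lateral movement is constrained.

```python
"""Per-request access decision: network-perimeter model vs. zero trust.

Added illustration, not from the DoD Zero Trust Overlays. All names,
thresholds and sample data are constructed for this example.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed policy constants (assumptions, not DoD values).
MAX_SESSION_AGE_SECONDS = 8 * 3600   # force re-authentication after 8 hours
HIGH_SENSITIVITY = "high"


@dataclass(frozen=True)
class Device:
    device_id: str
    managed: bool        # enrolled in enterprise device management
    patched: bool        # meets the patch baseline
    edr_healthy: bool    # endpoint agent present and reporting


@dataclass(frozen=True)
class Session:
    user: str
    roles: frozenset
    authenticated_at: float  # epoch seconds
    mfa: bool


@dataclass(frozen=True)
class Resource:
    name: str
    required_role: str
    sensitivity: str     # "low" or "high"


def perimeter_decision(session: Optional[Session], resource: Resource) -> bool:
    """Legacy model: a single network login grants reach to every resource."""
    return session is not None


def zero_trust_decision(session: Optional[Session], device: Optional[Device],
                        resource: Resource, now: float) -> tuple[bool, str]:
    """Evaluate identity, session freshness, device health, least privilege
    and MFA for this one request. Returns (allowed, reason)."""
    if session is None:
        return False, "no authenticated identity"
    if now - session.authenticated_at > MAX_SESSION_AGE_SECONDS:
        return False, "session too old; re-authentication required"
    if device is None or not device.managed:
        return False, "unmanaged or unknown device"
    if not (device.patched and device.edr_healthy):
        return False, "device fails health check"
    if resource.required_role not in session.roles:
        return False, f"missing role {resource.required_role!r}"
    if resource.sensitivity == HIGH_SENSITIVITY and not session.mfa:
        return False, "high-sensitivity resource requires MFA"
    return True, "all checks passed"


def evaluate_requests(session, device, resources, now):
    """Run the policy for each resource and return a decision log, the kind
    of record the visibility and analytics pillar would consume."""
    log = []
    for r in resources:
        allowed, reason = zero_trust_decision(session, device, r, now)
        log.append({"user": session.user if session else None,
                    "resource": r.name, "allowed": allowed, "reason": reason})
    return log


# Constructed sample data: one analyst, two devices, two resources.
NOW = 1_700_000_000.0
ANALYST = Session("analyst1", frozenset({"hr-reader"}), NOW - 600, mfa=True)
HEALTHY_LAPTOP = Device("lt-001", managed=True, patched=True, edr_healthy=True)
STALE_LAPTOP = Device("lt-002", managed=True, patched=False, edr_healthy=True)
RESOURCES = [
    Resource("hr-portal", "hr-reader", "low"),
    Resource("finance-db", "finance-admin", "high"),
]

if __name__ == "__main__":
    for res in RESOURCES:
        print("perimeter:", res.name, perimeter_decision(ANALYST, res))
    for entry in evaluate_requests(ANALYST, HEALTHY_LAPTOP, RESOURCES, NOW):
        print("zero trust:", entry)
```

The perimeter function returns True for both resources once the analyst has a session; the zero trust function allows only `hr-portal` and logs why `finance-db` was refused. Swapping in the unpatched device denies even the permitted resource, which is the device-health input to the risk decision described in the device pillar.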

Zero trust is not yet in place across the department, but by fiscal year 2027, it’s expected to reach ‘target level’ implementation. That, Schmitt said, involves the DOD having implemented 91 out of the 152 target activities identified in DOD’s Zero Trust Strategy and Roadmap, released in November 2022. 

Schmitt said the overlays will, for the first time, standardize how the DOD implements zero trust across the defense enterprise, prescribe a phased approach to implementing zero trust controls, and develop a zero-trust gap analysis for system architects and authorization officials.

Implementing that across DOD and the military services’ systems and workforce will be a challenge. But the information contained in the latest DOD Zero Trust Overlays will help those most responsible for making it happen to meet the deadlines set by the department and the White House. The overlays are based on Committee on National Security Systems (CNSS) Instruction No. 1253 and National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53, Revision 5.

The pillars (further defined in the Zero Trust Overlay Characteristics and Assumptions section) provide the foundation for the DoD’s zero trust. The relevant controls from NIST SP 800-53, Revision 5, provide guidance to implement the activities required to achieve the outcomes defined for the zero trust pillars, capabilities, and activities. The enablers are non-technical capabilities and activities, aligned to security controls that address culture and governance.

The NIST SP 800-53, Revision 5 also identifies security controls employed within a system or an organization to protect the confidentiality, integrity, and availability of the system and its information and to manage cybersecurity risk. NIST publications also define the concept of a capability as a group of security and privacy controls selected to achieve a common purpose, implemented by technical, physical, and procedural means.

The Zero Trust Overlays consist of one overlay for each Pillar plus an overlay for the Execution Enablers. Many of the controls included in the overlays will be implemented at the organizational (or DoD enterprise) level and inherited by each of the systems, following guidance in the DoD Zero Trust Reference Architecture, and DoD Component architectures, including Security and Privacy Architectures. 

The document identified that in most overlays, characteristics are based on the environment, type of information, or the functionality of a system and can be used to justify the control selection. For the Zero Trust Overlays, the Characteristics Section describes the zero trust ecosystem to the extent necessary to associate security controls with the capabilities and activities required to implement zero trust.

The selection of security controls for DoD’s implementation of zero trust across the enterprise is based on DoD’s Zero Trust Reference Architecture, along with the DoD’s Zero Trust Strategic Principles and Tenets. Therefore, this section of the overlay describes the structures of the zero trust architecture, including the use of capabilities, activities, and expected outcomes. These capabilities, activities, and outcomes, along with the Zero Trust Strategic Principles and Tenets provide the justification for the selection of security controls.

The DoD identified that the overlay describes the context for implementing a control, which can be lost when controls are published as a list, without supporting guidance. Many of the controls in the Zero Trust Overlays are already implemented in the baselines, but the baselines reflect implementation into a generic environment. The descriptive information in the Zero Trust Overlays provides the context for security control implementation. The control mappings along with supporting implementation guidance at the capability and activity levels compose the Zero Trust Overlays. 

The document outlined that the responsibility for implementing zero trust cannot be assigned solely to individual system owners; responsibility is spread across all organizational levels with many individuals and organizations contributing to the success of zero trust. Individuals across organizational levels must collaborate for zero trust to succeed. All DoD Components must adopt and integrate zero trust capabilities, technologies, solutions, and processes across their architectures and systems, within their budget and execution plans. The Zero Trust Overlays facilitate this process by communicating security needs through an agreed-upon set of controls within the context of each capability.

For the DoD zero trust environment to succeed, all DoD Components must adopt and integrate these capabilities, technologies, solutions, and processes within their budget and execution plans. As each zero trust capability is implemented, it is built on the foundation of earlier capabilities and provides the input for future capabilities.

Since many zero trust capabilities are implemented by DoD Components as well as at the DoD enterprise level, there may be more than one individual assigned to implement a zero trust capability, with a lead capability owner responsible for integrating the activities and resulting products, services, or processes related to the capability. Some zero trust capabilities focus on a single topic related to other capabilities, and one individual may manage multiple such capabilities. Other zero trust capabilities involve numerous Phased Activities and may require a hierarchy of individuals and teams to accomplish the capability under the supervision of a capability owner. The implementation results must be usable by other Phased Activities and support the zero trust ecosystem.
