July 2022
1.4.1 Vision and High-Level Goals (CV-1)
Vulnerabilities exposed by data breaches inside and outside DoD demonstrate the need for a
new and more robust cybersecurity model that facilitates mission enabling decisions that are
risk aware. ZT is a cybersecurity strategy and framework that embeds security principles
throughout the Information Enterprise (IE) to prevent, detect, respond, and recover from
malicious cyber activities. This security model eliminates the idea of trusted or untrusted
networks, devices, personas, or processes, and shifts to multi-attribute-based confidence levels
that enable authentication and authorization policies based on the concept of least privileged
access. Implementing ZT requires designing a consolidated and more efficient architecture
without impeding operations to minimize uncertainty in enforcing accurate, least privilege
per-request access decisions in information systems and services viewed as compromised.
ZT focuses on protecting critical data and resources, not just the traditional network or
perimeter security. ZT implements continuous multi-factor authentication, micro-segmentation,
encryption, endpoint security, automation, analytics, and robust auditing to Data, Applications,
Assets, Services (DAAS). As the Department evolves to become a more agile, more mobile,
cloud-instantiated workforce, collaborating with multiple federal and non-governmental
organization (NGO) entities for a variety of missions, a hardened perimeter defense can no
longer suffice as an effective means of enterprise security. In a world of increasingly
sophisticated threats, a ZT framework reduces the attack surface, reduces risk, and ensures
that if a device, network, or user/credential is compromised, the damage is quickly contained
and remediated.
State-funded hackers are well trained, well resourced, and persistent. The use of new tactics,
techniques, and procedures combined with more invasive malware can enable motivated
malicious personas to move with previously unseen speed and accuracy. Any new security
capability must be resilient to evolving threats and effectively reduce threat vectors, internal and
external.
ZT end-user capabilities improve visibility, control, and risk analysis of infrastructure, application
and data usage. This provides a secure environment for mission execution. Enabling ZT
capabilities address the following issues and high-level goals:
• Modernize Information Enterprise to Address Gaps and Seams. Over time, DoD
environments have been decentralized. Usability and security challenges stem from
years of building infrastructure along organizational, operational and doctrinal
boundaries, with multiple security and support tiers, enclaves and networks. Capabilities
developed in silos have inevitably resulted in disconnects and gaps in the command
structure and processes that preclude establishing a comprehensive, dynamic, and
near-real-time common operating picture. Adversaries have exploited these logical,
technological, and organizational gaps and seams.
• Simplify Security Architecture. A fragmented approach to information technology and
cybersecurity has led to excessive technical complexity, creating vulnerabilities in
enterprise hygiene, inadequately addressing threats, and resulting in high levels of latency.
Complex security techniques render the user experience unresponsive and ineffective.