The Department of Defense’s (DoD) Office of the Chief Information Officer (CIO) on June 4 released new guidance to help defense agencies implement target and advanced levels of the DoD’s Zero Trust Strategy.
The “Zero Trust Overlays” is a 400-page document, which consists of one overlay for each pillar in the DoD Zero Trust Strategy – user, device, data, application and workload, network and environment, automation and orchestration, visibility and analytics – and an overlay for the enablers.
“The overlays help our risk management practitioners achieve zero trust outcomes, ensuring our adversaries cannot move laterally within our networks,” Randy Resnick, DoD’s chief zero trust officer, said in a statement.
Each pillar overlay consists of an introduction that provides a brief overview of the pillar and lists of associated capabilities, a description of how controls work together to implement a capability and achieve the defined outcomes, a table identifying all the controls within the pillar and associated capabilities, and a section of the controls aligned to the capability associated with a pillar.
The guidance also includes an ‘Execution Enabler’ overlay, which is slightly different from the rest. The ‘Execution Enabler’ overlay lays the foundation for implementing zero trust and influencing the organization’s culture.
According to the DoD, the overlays serve as a roadmap and guide for helping the components achieve the goals outlined in the department’s Zero Trust Strategy and President Biden’s 2021 cybersecurity executive order.
DoD expects the overlays to be a “boon” for agencies implementing zero trust across the department.
“The zero trust overlays are another tool in the department’s toolbox supporting components’ execution by providing clear guidance on which controls facilitate specific zero trust activities and outcomes,” said Dave McKeown, DoD’s deputy CIO for cybersecurity and chief information security officer.
