DISA Releases Initial Zero Trust Reference Architecture

The Defense Information Systems Agency finished the initial version of its zero-trust reference architecture for cybersecurity, according to a May 13 press release. 

Zero trust is a cybersecurity paradigm that calls for a data-focused, rather than network and perimeter-based, approach—and though the concept has been gaining steam in government, an executive order released May 12 specifically directs agencies to implement it. Then-DISA Director Vice Adm. Nancy Norton originally announced in July that DISA would release a zero-trust reference architecture for the Defense Department. 

“The intent and focus of zero-trust frameworks is to design architectures and systems to assume breach, thus limiting the blast radius and exposure of malicious activity,” Brandon Iske, DISA Security Enablers Portfolio chief engineer, said in the release. 

A public version of the architecture was posted online this week, and Joe Brinker, DISA Security Enablers Portfolio manager, told Nextgov in an email the document is meant to be “dynamic,” with an updated version is already under development and expected later this year.

While zero trust does rely on some technologies like identity and credential access management, officials emphasize that it’s not something that can simply be bought and turned on. Rather, it’s a strategy—a mindset change. 

The press release highlighted zero trust’s foundational principles: never trust, always verify; assume breach; and verify explicitly and said the architecture will help “the U.S. military maintain information superiority on the digital battlefield.”

DISA’s architecture comes after more than a year of widespread telework along with several significant systems breaches—most recently the Colonial Pipeline hack—have raised concerns with existing cybersecurity practices. Recent guidance from the National Security Agency said zero-trust environments create more opportunities for detecting novel threats.

NSA is one of the agencies DISA worked with on the reference architecture. It also partnered with U.S. Cyber Command and the DOD chief information officer, according to the release. 

DOD already has some pockets of zero trust activity. For example, Platform One and Cloud One, two Air Force programs, are fully architected for zero trust. And the Air Force chief information officer said the service is working on zero trust for its Office 365 implementation. 

“Moving forward, DISA will continue to partner with DoD components in planning the implementation of ZT across the department and the development of ZT-aligned enterprise capabilities,” Brinker said in the release.

Brinker added over email that formal implementation planning for zero trust is still underway, but that DISA views “ZT adoption as a continuous evolution” where fundamental concepts like identity management, Security Technical Implementation Guides and patching can be adopted ahead of formal guidance.

Editor's note: This article has been updated with comments from a DISA official.