DISA issues zero-trust reference architecture for Defense Department

DISA's 163-page reference architecture sets out the strategic purpose, principles, associated standards and other technical details for the DOD's large-scale adoption of zero trust.
The DISA and JFHQ-DODIN Headquarters Building at Fort Meade, Maryland. (Photo by Kevin Headtke/ DOD)

The Pentagon’s IT support agency recently issued an initial zero-trust reference architecture to put the entire Department of Defense on the same page in implementing modern cybersecurity practices.

The Defense Information Systems Agency (DISA) released version 1.0 of the reference architecture in February but just recently made it public. Former DISA Director Vice Adm. Nancy Norton teased the launch of the document late last year, attributing the move to mass telework during the pandemic as an accelerant for the DOD’s move to zero trust.

It also comes as the Biden administration last week issued an executive order that, among other things, requires civilian agencies to develop plans for adopting zero-trust architectures. The mandate is part of a larger push to modernize federal cybersecurity in the wake of recent intrusions that compromised federal agencies through a compromised update of contractor SolarWinds’ Orion software and through flaws in Microsoft’s Exchange Server.

DISA’s 163-page reference architecture sets out the strategic purpose, principles, associated standards and other technical details for the DOD’s large-scale adoption of zero trust. The model shifts from perimeter, network-based defenses to a data-centric one that grants no implicit trust to a user or device because of where it sits on the network, so that an attacker who gains a foothold cannot simply move laterally to other systems. The department’s adoption of zero trust is based on three foundational guidelines: “Never trust, always verify; assume breach; and verify explicitly.”
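To make the “no implicit trust” shift concrete, the following is an added illustration by the editor, not code or policy from the DISA document: the same four requests are evaluated once by a perimeter rule that trusts anything arriving from inside a corporate address range, and once by a per-request check that verifies identity, device attestation, MFA freshness and an explicit entitlement while ignoring source address entirely. The address range, principals, resources, entitlements and sample requests are all constructed for the example.

```python
"""Perimeter trust vs. zero-trust access decisions on the same requests.

Editor's illustration, not from the DISA reference architecture. The network
range, users, resources, entitlements and requests below are all constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed "inside the perimeter" range (hypothetical).
CORP_NET = ip_network("10.0.0.0/8")

# Constructed entitlements: (principal, resource, action) tuples that are explicitly allowed.
ENTITLEMENTS = {
    ("alice", "hr-db", "read"),
    ("alice", "hr-db", "write"),
    ("bob", "wiki", "read"),
}

MAX_MFA_AGE_S = 3600  # hypothetical freshness bound for the last MFA event


@dataclass(frozen=True)
class Request:
    user: str              # principal named in the presented credential
    src_ip: str            # where the request came from
    resource: str
    action: str
    token_valid: bool      # credential signature/expiry checked for THIS request
    device_attested: bool  # device identity and posture verified for THIS request
    mfa_age_s: int         # seconds since the principal last completed MFA


def perimeter_decide(req: Request) -> bool:
    """Network-based model: a request is trusted because of where it comes from."""
    return ip_address(req.src_ip) in CORP_NET


def zero_trust_decide(req: Request) -> tuple[bool, list[str]]:
    """Verify explicitly, on every request; network location is not an input.

    Returns (allowed, reasons_for_denial). Each check is independent, so a single
    compromised factor (stolen token, rogue host on the LAN) is not enough on its own.
    """
    reasons = []
    if not req.token_valid:
        reasons.append("identity not verified")
    if not req.device_attested:
        reasons.append("device not attested")
    if req.mfa_age_s > MAX_MFA_AGE_S:
        reasons.append("mfa stale")
    if (req.user, req.resource, req.action) not in ENTITLEMENTS:
        reasons.append("principal not entitled to this action on this resource")
    return (not reasons, reasons)


# Constructed sample traffic (not real logs).
SAMPLE = {
    # Legitimate user working from home: outside the perimeter, but fully verified.
    "alice_remote_read": Request("alice", "203.0.113.7", "hr-db", "read", True, True, 120),
    # Attacker on a compromised internal host replaying bob's stolen token against HR data.
    "bob_lateral_write": Request("bob", "10.4.2.9", "hr-db", "write", True, False, 9000),
    # Bob doing his own job from a managed device inside the network.
    "bob_wiki_read": Request("bob", "10.4.2.9", "wiki", "read", True, True, 60),
    # Unauthenticated probe from inside the network.
    "anon_internal_scan": Request("", "10.9.9.9", "hr-db", "read", False, False, 10**9),
}


def compare(requests=SAMPLE) -> dict[str, dict]:
    """Run both models over the same requests and return the decisions side by side."""
    out = {}
    for name, req in requests.items():
        zt_ok, why = zero_trust_decide(req)
        out[name] = {
            "perimeter": perimeter_decide(req),
            "zero_trust": zt_ok,
            "denied_because": why,
        }
    return out


if __name__ == "__main__":
    for name, d in compare().items():
        print(f"{name:20} perimeter={d['perimeter']!s:5} "
              f"zero_trust={d['zero_trust']!s:5} {d['denied_because']}")
```

The case to watch is `bob_lateral_write`: the perimeter rule allows it because the request originates inside `10.0.0.0/8`, while the per-request check denies it on three independent grounds (unattested device, stale MFA, no entitlement), which is the "limit the blast radius" effect the reference architecture is after. In a real deployment the inputs to `zero_trust_decide` would come from the identity provider, the device-management or attestation service and a policy store rather than from fields on the request.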


“The intent and focus of zero-trust frameworks is to design architectures and systems to assume breach, thus limiting the blast radius and exposure of malicious activity,” Brandon Iske, DISA Security Enablers Portfolio chief engineer, said in a statement.

DISA worked with the DOD Office of the CIO, U.S. Cyber Command and the National Security Agency to develop this initial reference architecture.

“From start to finish, the development of this initial DOD ZT Reference Architecture has been a true team effort,” said Joe Brinker, the DISA Security Enablers Portfolio manager. “The partnership we’ve fostered through this process with our NSA, Cyber Command and DOD CIO mission partners was integral toward the development of a comprehensive reference architecture that was unanimously approved by DOD senior leadership.”

Brinker said that “DISA will continue to partner with DOD components in planning the implementation of [zero trust] across the department and the development of [zero trust]-aligned enterprise capabilities.”

Last month, acting DOD CIO John Sherman revealed that the department is also developing a zero-trust strategy to be released later this year. During remarks at the Billington CyberSecurity Defense Summit, Sherman explained that while zero trust is a cybersecurity and technology model, it represents above all a mindset shift for the DOD.


“This is not about technology, it’s about strategy,” he said.

Written by Billy Mitchell