The Department of Defense (DoD) released its formal Zero Trust strategy today, marking a major milestone in its goal of achieving enterprise-wide implementation by 2027. The strategy comes at a critical time as United States government networks continue to face nearly half the global nation-state attacks that occur, according to the Microsoft Digital Defense Report 2022.1
Microsoft applauds the DoD’s ongoing efforts to modernize and innovate its approach to cybersecurity. The DoD released its initial Zero Trust reference architecture shortly before last year’s White House executive order on cybersecurity2 and quickly followed with Version 2.0 in July 2022.3 The latest update provides crucial details for implementing the Zero Trust strategy, including clear guidance for the DoD and its vendors regarding 45 separate capabilities and 152 total activities.
While Zero Trust initiatives have been underway for years across various departments, this updated strategy seeks to unify efforts to achieve a strong, proven defensive posture against adversary tactics. Collaborating on Zero Trust has been a challenge across the industry as it can be difficult to compare Zero Trust implementations across organizations and technology stacks. However, the level of detail found in the DoD’s strategy provides a vendor-agnostic, common lens to evaluate the maturity of a variety of existing and planned implementations that were derived from the DoD’s unique insights into cyberspace operations.
Furthermore, the DoD’s shift from a compliance and controls-based approach to an outcomes-focused methodology—meaning the job is done when the adversary stops, not just when the controls are in place—stands out as a best practice not seen elsewhere to this extent.
Building a secure foundation for Zero Trust together
Strong industry and public sector partnerships are at the heart of our approach, which is why Microsoft was invited by the DoD to discuss how its Zero Trust definitions would map to new and existing computing environments.
Microsoft is uniquely suited to support the DoD in its Zero Trust mission as both a leading cloud service provider to the government and a security company. Microsoft is recognized as a Leader in five Gartner® Magic Quadrant reports4,5,6,7,8,9 and seven Forrester Wave categories,10,11,12,13,14,15,16 representing a full array of fit-for-purpose security tools to achieve Zero Trust outcomes. These components are pre-integrated to provide a strong baseline and a fast path to comprehensive coverage across the DoD’s seven pillars and 45 capabilities of Zero Trust to achieve both target and advanced activities.
Beyond comprehensive coverage of the DoD’s latest capabilities requirements, our strong baseline is further enhanced by an open ecosystem of more than 90 partner Zero Trust solutions from leading security companies that integrate directly with our platform. To name a few:
- Tenable and Microsoft are working together to integrate Tenable.io with Microsoft Defender for Cloud and Microsoft Sentinel solutions to support vulnerability assessments for hybrid cloud workloads.
- Yubico and Microsoft recently announced the release of certificate-based authentication (CBA) for Microsoft Azure Active Directory on Windows, iOS, and Android devices through a hardware security key known as YubiKey to fight against phishing attacks.
- Conquest Cyber launched the ARMED Platform built on Microsoft Sentinel to help agencies configure and manage solutions to address cyber risk with real-time visibility of their posture, guided by compliance, maturity, and effectiveness.
Lastly, Microsoft is deeply committed to promoting cyber resilience and strengthening our nation’s cyber defenses. This responsibility is demonstrated by our work with the National Institute of Standards and Technology’s (NIST’s) National Cybersecurity Center of Excellence (NCCoE) to develop practical, interoperable Zero Trust approaches and architectures, as well as our continued participation in the Joint Cyber Defense Collaborative established by Cybersecurity & Infrastructure Security Agency (CISA).
Real-world pilots and implementations are driving continuous learning and improvement
Zero Trust philosophy is deeply rooted in lessons learned, and the DoD has embraced this aspect by evaluating ongoing pilots and assessments as a research and development activity. Over the past years, Microsoft has partnered with various departments across the DoD to accelerate Zero Trust adoption through several pilot and production implementations, providing agencies with a predictable path to achieving target objectives.
One such example is the United States Navy’s innovative Flank Speed program, which incorporates key federal and DoD efforts to protect nearly 500,000 identities and devices while improving user experience. The Navy’s large-scale deployment—encompassing components including continuous authorization, big data, and comply-to-connect (C2C)—is already utilizing many of the Zero Trust activities put forth in the DoD’s strategy.
Embrace proactive security with Zero Trust.
For more deployment information, tools, and resources as we work together to improve our nation’s cybersecurity, visit the Microsoft cybersecurity for government page.
To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.
1Microsoft Digital Defense Report 2022, Microsoft. 2022.
2The Cybersecurity Executive Order: What’s Next for Federal Agencies, Jason Payne, Microsoft. June 17, 2021.
3Department of Defense (DoD) Zero Trust Reference Architecture Version 2.0, Defense Information Systems Agency (DISA), National Security Agency (NSA) Zero Trust Engineering Team. July 2022.
4Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, express or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose. GARTNER and Magic Quadrant are registered trademarks and service marks of Gartner, Inc. and/or its affiliates in the U.S. and internationally and are used herein with permission. All rights reserved.
5Gartner Magic Quadrant for Security Information and Event Management, Pete Shoard, Andrew Davies, Mitchell Schneider, 10 October 2022.
6Gartner Magic Quadrant for Access Management, Henrique Teixeira, Abhyuday Data, Michael Kelly, James Hoover, Brian Guthrie, 1 November 2022.
7Gartner Magic Quadrant for Enterprise Information Archiving, Michael Hoeff, Jeff Vogel, 24 January 2022.
8Gartner Magic Quadrant for Endpoint Protection Platforms, Peter Firstbrook, Dionisio Zumerle, Prateek Bhajanka, Lawrence Pingree, Paul Webber, 5 May 2021.
9Gartner Magic Quadrant for Unified Endpoint Management Tools, Tom Cipolla, Dan Wilson, Chris Silva, Craig Fisler, 1 August 2022.
10The Forrester Wave: Endpoint Detection And Response Providers, Q2 2022. Allie Mellen. April 2022.
11The Forrester New Wave: Extended Detection And Response (XDR), Q4 2021. Allie Mellen. October 2021.
12The Forrester Wave: Security Analytics Platforms, Q4 2020. Joseph Blankenship, Claire O’Malley. December 2020.
13The Forrester Wave: Enterprise Email Security, Q2 2021. Joseph Blankenship, Claire O’Malley with Stephanie Balaouras, Allie Mellen, Shannon Fish, Peggy Dostie. May 2021.
14The Forrester Wave: Endpoint Security Software As A Service, Q2 2021. Chris Sherman with Merritt Maxim, Allie Mellen, Shannon Fish, Peggy Dostie. May 2021.
15The Forrester Wave: Unstructured Data Security Platforms, Q2 2021. Heidi Shey. May 2021.
16The Forrester Wave: Cloud Security Gateways, Q2 2021. Andras Cser. May 2021.