The Mandate
In November 2022, the DoD released its Zero Trust Strategy and Roadmap — a directive requiring all DoD components to achieve department-wide Zero Trust Architecture by FY2027. The trigger was EO 14028 (May 2021), which ordered federal agencies to accelerate ZT adoption, followed by OMB M-22-09 setting hard timelines across the federal enterprise.
The DoD’s version goes further than most federal mandates. It defines 152 discrete ZT activities across two maturity tiers, holds components accountable to a published roadmap, and has a dedicated program office tracking progress. For an organization of this scale — millions of users, tens of thousands of systems, a mix of cloud and legacy — it is the most ambitious ZT program ever attempted.
The Seven Pillars
The DoD ZT framework is organized around seven capability pillars. Each pillar has its own activity set and target maturity level.
| Pillar | Core Requirement |
|---|---|
| User | MFA, continuous behavioral analysis, identity governance |
| Device | Endpoint detection, device health attestation, inventory |
| Applications & Workloads | App-level access control, runtime protection, SBOM |
| Data | Data tagging, DLP, automated classification enforcement |
| Network & Environment | Microsegmentation, encrypted east-west traffic, SASE |
| Automation & Orchestration | SOAR integration, automated response playbooks |
| Visibility & Analytics | UEBA, unified logging, cross-domain correlation |
The Data and Visibility pillars are the hardest. Data tagging at scale in a multi-classification environment — where the same system may handle CUI, FOUO, and SCI — is an unsolved operational problem for most components. Visibility requires telemetry ingestion from systems that were never designed to emit it.
Two Levels: Target and Advanced
The strategy defines two tiers of compliance:
Target ZT — 91 activities covering foundational controls. This is the FY2027 requirement. Most components are building toward this baseline.
Advanced ZT — an additional 61 activities representing a more mature, automated, and analytically sophisticated posture. This is the long-term destination, not a near-term mandate.
The distinction matters operationally: Target ZT is survivable for legacy-heavy organizations. Advanced ZT assumes modern infrastructure, robust telemetry, and policy-as-code enforcement — capabilities that require significant re-platforming for many DoD components.
What DISA Is Building
DISA’s Thunderdome program is the reference implementation. Launched as a ZT pilot in 2022, Thunderdome provides:
- Secure Access Service Edge (SASE) architecture replacing legacy VPN tunnels
- Application-level access control via identity-verified micro-perimeters
- Zero Trust Network Access (ZTNA) brokered by DISA’s cloud-hosted infrastructure
Thunderdome is being extended to DoD enterprise endpoints and serves as the template for component-level ZT deployments. DISA also maintains the ZT Reference Architecture (ZT RA) v2.0, which provides the technical blueprint that program offices are expected to implement against.
Progress and Gaps
The ZT PMO — housed under the DoD CIO — publishes annual assessments. The picture as of early 2026 is mixed:
What’s working:
- Identity and credential management has accelerated. PIV/CAC enforcement and phishing-resistant MFA are broadly deployed across SIPRNet and NIPRNet.
- Cloud migration has created natural ZT on-ramps. New cloud-native workloads are being deployed ZT-first.
- Components with modern infrastructure (DIA, CYBERCOM, NSA) are tracking ahead of schedule on Target ZT activities.
What’s lagging:
- Legacy system integration remains the critical path risk. Many components operate COBOL-era back-office systems that cannot emit the telemetry ZT requires without middleware shims that introduce their own attack surface.
- Microsegmentation is the most-cited unmet control. Segmenting flat DoD networks at scale requires changes to physical switching infrastructure that procurement cycles can’t keep up with.
- Data tagging at the pillar level is largely manual in practice. Automated classification pipelines exist in classified enclaves but are not uniformly deployed.
- OCONUS environments — deployed tactical networks operating in denied or degraded conditions — have no clear ZT implementation path for several advanced controls.
The FY2027 Question
The FY2027 deadline for Target ZT is aggressive but achievable for the majority of DoD components — if procurement and integration timelines hold. The realistic risk is a two-speed outcome: modern, cloud-forward organizations clearing Target ZT, while legacy-heavy components receive waivers or partial credit on the 20–30 activities that require infrastructure modernization.
Advanced ZT by FY2027 is not the goal, and conflating the two tiers creates false urgency in the wrong places. Organizations should focus resources on the 91 Target activities before optimizing toward the Advanced tier.
Summary: The Accountability Layer
What separates the DoD ZT strategy from prior federal security mandates is the accountability structure. The ZT PMO has visibility into component progress, the roadmap is public, and waivers require documented justification. This is policy-as-code thinking applied at the organizational level: the intent is enforceable, measurable, and auditable.
The FY2027 target will stress-test that accountability layer. Components that treat ZT as a compliance checkbox will fail the activity audits. Those that treat it as an infrastructure migration — identity-first, microsegmentation second, telemetry third — have a clear path to completion.
The perimeter is gone. The question is only how long it takes each organization to finish building what replaces it.