Can The DoD’s Zero Trust Overlays Be a Starter Kit for Civilian Federal Agencies?

Mack Wartenberger
Security Architect

If you’ve ever tried to navigate the maze of cybersecurity guidance, you probably felt like you needed a guide. The Department of Defense’s (DoD’s) Zero Trust Strategy lays out some ultra-prescriptive, no-nonsense rules for defense agencies, but what about everyone else? On the civilian side, CISA’s Zero Trust Maturity Model and NIST SP 800-207 offer helpful frameworks, but they can sometimes leave you scratching your head, wondering where to start. 

That’s where the DoD Zero Trust Overlays come into play. Released in the summer of 2024, the overlays (all 380+ pages of them…) are designed to help defense agencies improve their zero trust adoption, but with a little creativity, they also offer a much-needed bridge between ultra-prescriptive defense guidance and the more flexible (but often vague) guidance aimed at civilian industries.

DoD’s Zero Trust Strategy: Ultra-Prescriptive but Ultra-Effective

The DoD doesn’t mess around when it comes to zero trust. The “DoD Zero Trust Strategy” is comprehensive and uncompromising, granularly mapping each control of their seven-pillar zero trust maturity model to specific guidance, including predecessors and successors to each security fix. The DoD even includes suggested timeframes for implementation. They know the stakes are high when you’re talking about national defense, and their plan reflects that. 

Not everyone operates at DoD’s level. Civilian federal agencies, while dealing with their own set of cybersecurity challenges, don’t always need — or can’t afford — the same level of rigor. But that doesn’t mean they can’t take something valuable from the DoD’s approach. That’s where the overlays come in, providing a way to implement key elements of zero trust without having to go full DoD.

Civilian Zero Trust Strategy: A (Too?) Flexible Approach and the Rise of the Tool Vendors

In contrast to the ultra-specific guidance created by the DoD, the “CISA Zero Trust Maturity Model” and NIST SP 800-207 “Zero Trust Architecture” are helpful but not always prescriptive enough. Federal agencies in particular have to hold themselves to a higher standard for security, but knowing where to start can be a challenge. While the security functions laid out in the civilian guidance are good, they lack the kind of granular roadmaps and “how-tos” that the DoD includes in its guidance.

That nebulous nature of civilian/industry zero trust guidance has been one of the primary culprits for the rampant misunderstandings surrounding zero trust. It has created a void that the tool and vendor market has seized as an opportunity to fill with products. So how, you might ask, can these overlays fill that gap?

If you take one thing from this blog, remember that whatever a vendor tells you, zero trust is a strategy, not a tool you can buy.

Zero Trust Overlays: A Bridge Between Rigid and Flexible

Regardless of which zero trust model you follow, the DoD and the civilian agencies CISA serves have something in common: NIST SP 800-53 “Security and Privacy Controls for Information Systems and Organizations.” NIST SP 800-53 is widely regarded across defense and civilian spaces as the gold standard for security compliance and privacy controls, outlining specific measures for access management, incident response, and data protection, among other areas. It is a common language that everyone speaks. The DoD’s zero trust overlays are written to fit snugly into this framework, and outline how organizations can add extra layers of protection (and let’s be honest, a bit of DoD flavor) to what’s already there. That’s great news for civilian agencies, because NIST 800-53 is a control language they already speak.

Because they map directly to security and compliance controls that most agencies are already addressing, the DoD overlays provide a bridge between general security (NIST) and zero trust security. Because the DoD and CISA approaches to zero trust share so many commonalities, the overlays enable civilian industries (with a grain of salt) to trace their zero trust security journeys to the NIST controls they are already addressing. You get the best of both worlds — clear, actionable steps from the DoD’s experience, and the flexibility to implement them in a way that works for your organization. The overlays provide a middle ground (even if you’re not interested in going full DoD). 

Why Civilian Agencies Should Care

If you’re already using NIST SP 800-53 as your security baseline, the overlays give you an easy way to integrate zero trust principles without having to reinvent the wheel. They map directly to the existing controls, making it easier to adopt zero trust in a way that fits your current structure. The DoD’s overlays provide a more structured roadmap for civilian federal agencies that still need flexibility but could benefit from the clarity and prescriptiveness that the DoD brings to the table.

Take health care, for example. You’re already dealing with HIPAA, which mandates strict controls on data privacy and security and was mapped to NIST 800-53 via NIST SP 800-66 earlier this year. Mapping the DoD’s overlays to NIST SP 800-53 gives you a way to add targeted zero trust principles to your existing security framework without needing to overhaul everything. You can still follow the broader civilian zero trust guidance, but now you’ve got a detailed implementation plan that was less clearly defined in the CISA model.

A Practical Roadmap for Non-Defense Organizations

One of the best things about the DoD’s zero trust overlays is that they’re geared toward incremental improvements. Including predecessors and successors for security activities means that organizations can improve their zero trust capabilities over time without completely overhauling their existing systems, leveraging their existing tech stacks (sorry tool vendors). This is critical for civilian agencies that need to maintain continuity while improving their security posture. 

In fact, non-defense organizations can view these overlays as a sort of “starter kit” for zero trust. They offer an example of how to implement key security controls while giving you the freedom to adapt them to your specific needs. By leveraging the flexibility in CISA’s model and the detailed controls in NIST SP 800-53, you can create a customized zero trust strategy that works for your organization, whether you’re in health care, finance, or any other regulated industry. The challenge: you’ve got to have a security team that can understand which parts of the DoD roadmap make sense for your organization’s zero trust strategy, and which parts are out of scope. But it’s a start.

Conclusion: The Best of Both Worlds?

The DoD’s zero trust overlays can offer a much-needed bridge between the ultra-prescriptive guidance laid out for defense agencies and the more flexible, sometimes nebulous, frameworks geared toward civilian industries. For heavily regulated civilian agencies, these overlays represent an opportunity to take advantage of the DoD’s roadmaps while maintaining the flexibility laid out in the CISA “Zero Trust Maturity Model” and NIST SP 800-207. You’ll still need nuanced and knowledgeable direction to interpret the DoD guidance with a CISA ‘flavor’ that feels more appropriate for the civilian space, but it's a good place to start.

In short, the overlays provide a way to implement zero trust and benefit from its centralization, efficiency, and security, without requiring massive upheaval or system replacements. By mapping to NIST SP 800-53, they can be leveraged (with some tailoring and customization) to give civilian organizations clear, actionable paths towards advancing their zero trust maturity, while still allowing for the flexibility that industries outside of the DoD require. So, if you’re in a regulated industry and you’re looking to take your cybersecurity to the next level, these overlays might just be the bridge you’ve been waiting for.


Aquia
