
The National Security Agency (NSA) is leveraging modularity and customizability in its plans to move the Pentagon toward target-level zero trust capabilities in its Phase One and Phase Two guidance documents released Friday.
The first two phases of NSA’s Zero Trust Implementation Guidelines (ZIGs) are intended to follow the steps taken under its Primer and Discovery Phase, which the agency published last month.
The strategy is aimed at facilitating skilled practitioners’ implementation of zero trust, and outlines how the Department of Defense (DOD) – rebranded as the Department of War by the Trump administration – will fully implement a department-wide zero trust cybersecurity framework by fiscal year 2027.
Under that strategy, defense agencies must complete 91 activities to reach the target level of zero trust and a total of 152 activities for advanced zero trust.
Phase One has 36 activities intended “to build upon or further refine their environment to establish a secure foundation that supports 30 ZT capabilities,” and Phase Two details 41 activities “that initiate the integration of core ZT solutions within the component environment.”
“Phase One and Phase Two aim to move an organization from Discovery to Target-level implementation by mapping out the activities, requirements, precursors and successors as related to the activities,” NSA said in a press release.
“The phased design of the ZIGs offers modularity and high customizability, allowing implementation of foundational and advanced activities as applicable and the ability to tailor the ZIGs to align with unique goals and restraints,” NSA added.
Both Phase One and Phase Two focus on implementing fully integrated security controls that are continuously enforced. They do this through a pillared approach that spans data, user, device, application and workload, network and environment, visibility and analytics, and automation and orchestration.
NSA recommended that those who are interested review the Primer and Discovery Phase documents to get a better understanding of zero trust activities and their organization’s operational landscape before implementing the guidance in Phase One and Phase Two.