Army and Navy roadmaps point the way for next-generation zero-trust

By Kelly Davis, Senior Solutions Architect at Glasswall

According to a Gartner study published last year, almost two-thirds of organizations worldwide have implemented a zero-trust cybersecurity strategy. The report goes on to say that “56% . . . are primarily pursuing a zero-trust strategy because it’s cited as an industry best practice.”

As Gartner also points out, however, “For most organizations, a zero-trust strategy typically addresses half or less of an organization’s environment and mitigates one-quarter or less of overall enterprise risk.” Partial adoption of zero trust leaves decision makers exposed, particularly where data is shared across mission partners, supply chains, and cloud environments.

It appears these issues have not gone unnoticed in the U.S. military, which has been actively refining its approach to zero trust with more comprehensive roadmaps and detailed implementation strategies. Both the Navy and the Army have recently updated their plans with initiatives designed to strengthen military resilience. In doing so, they also offer guidance for how zero trust may evolve more broadly across civilian sectors.

The Army Unified Network Plan

The Army Unified Network Plan (AUNP) 2.0 is a strategic approach to modernizing Army network infrastructure for future military operations. It will act as a secure digital backbone, linking tactical units, command centers, and every level in between with reliable, protected data exchange. The plan also relies on increased modernization for multi-domain operations across land, sea, air, space, and cyberspace, while implementing a data-centric model and embedding zero-trust principles.

Digging a little deeper, AUNP sets out a range of zero-trust priorities. These include the need for resilience across networks that can recover from attacks and outages. The plan also mandates common standards so that tactical, strategic and allied networks can interoperate, including the development of a unified mission-partner environment to integrate allies and coalition partners.

Cloud and hybrid compute will also be extended to the edge, including the modernization of hybrid compute capability and the integration of Army cloud services, even in denied or disrupted environments. AUNP also says that the Army’s zero-trust network will be data-centric, based on common data standards and architecture, specifically through the Unified Data Reference Architecture (UDRA). In parallel, the Army Data Platform (ADP) and its multi-vendor ecosystem are building the foundation of a true data-centric force, where zero trust extends from the transport layer to the data layer itself.

The DON CIO Zero Trust Blueprint

Turning to the developments taking place at the Department of the Navy (DON), its Zero Trust Architecture (ZTA) Blueprint is being used to establish an environment where every user, device and file is treated with equal scrutiny.

This initiative, led by the DON Chief Information Officer (CIO), aligns closely with the broader Department of Defense (DoD) Zero Trust strategy, which assumes networks are already compromised and mandates constant verification of users and devices.

The Navy’s blueprint lays out a phased plan (to FY2030) to integrate zero trust principles into everything from enterprise IT services to tactical systems. It is strategically significant because it hardens naval cybersecurity against sophisticated threats, ensuring it protects sensitive data and missions in line with DoD’s goal of achieving full Zero Trust capabilities by FY2027.

This framework echoes the Raise the Bar standards that are also applied to Cross Domain Solutions, where file-level trust is just as crucial as user or device trust. It is built around six core pillars that will work in concert to enforce the “never trust, always verify” principle across the board:

1. Identity: Verifying that every user is who they claim to be, using strong authentication and strict access controls.

2. Device: Ensuring any device accessing the Navy’s networks, from workstations to mobile to IoT, is authenticated and meets security standards.

3. Network/environment: Segmentation and security at the network level, both physical and cloud.

4. Application & workload: Securing applications and workloads by enforcing strong access policies and software security practices.

5. Data: Protecting data at rest and in transit with encryption, tagging, and strict handling policies.

6. Visibility & analytics: Continuous monitoring of user behavior, device logs, network traffic, and application events.

Implementing zero trust in the armed forces is, of course, a complex undertaking requiring careful modernization of legacy systems while ensuring solutions work consistently across cloud, on-premises, and deployed environments with variable connectivity. The services must also manage risks tied to their vast partner and supply chain ecosystems, verifying external data and software while enabling secure remote access for personnel without compromising productivity. By tackling zero trust at the scale of multi-domain operations and global naval missions, the Army and Navy provide a playbook that civilian sectors can adapt, one that ensures operational continuity, resilience, and true decision advantages in an era where every file, user, and device must be continuously verified.
