The DoD Zero Trust Strategy mandates achieving Target Level Zero Trust by fiscal year 2027. For programs that haven't started, that deadline is closer than it looks — particularly given the ATO dependencies and integration complexity involved in meeting all 90 Target-level activities.
The DoD Zero Trust Reference Architecture defines five pillars — User/Identity, Device, Network/Environment, Application/Workload, and Data — each with a maturity progression from Foundational to Optimal. Cloud-native architectures accelerate this progression significantly because managed services do the heavy lifting of foundational controls, freeing engineering investment for advanced capabilities.
Rutagon's implementations address all five pillars as an integrated system, not as isolated components.
Pillar 1: User/Identity
The identity pillar is the highest-leverage starting point. Without strong identity, every other control has a meaningful gap.
DoD Target-level requirements:
- Multi-factor authentication (phishing-resistant preferred: PIV/CAC, FIDO2/WebAuthn)
- Continuous re-authentication based on risk signals
- Just-in-time (JIT) privilege access for administrative functions
- Identity governance with automated access certification
Cloud-native implementation:
# Lambda — Continuous authentication risk evaluator
# Integrates with Cognito Advanced Security / IdP risk signals
import boto3
import json
from datetime import datetime, timezone
def evaluate_session_risk(event: dict, context) -> dict:
"""
Evaluate authentication session risk and return
required re-authentication actions.
"""
risk_factors = []
risk_score = 0
# Check behavioral anomaly from IdP risk signal
if event.get("ip_reputation") == "suspicious":
risk_score += 40
risk_factors.append("suspicious_ip")
# Check privilege level vs. normal usage pattern
if event.get("requested_scope") not in event.get("typical_scopes", []):
risk_score += 30
risk_factors.append("unusual_privilege_request")
# Check session age
session_age_minutes = event.get("session_age_minutes", 0)
if session_age_minutes > 60:
risk_score += 20
risk_factors.append("session_age")
# Check device posture from Pillar 2
if not event.get("device_compliant", False):
risk_score += 50
risk_factors.append("non_compliant_device")
return {
"risk_score": risk_score,
"require_step_up": risk_score > 50,
"require_logout": risk_score > 90,
"risk_factors": risk_factors,
"evaluated_at": datetime.now(timezone.utc).isoformat()
}For DoD programs, PIV/CAC authentication is integrated through an enterprise identity provider (ECA/DMDC). FIDO2/WebAuthn passkeys are increasingly accepted as phishing-resistant alternatives for mission partner systems without CAC readers.
JIT privilege is implemented through time-bound IAM role assumption — elevated permissions expire automatically after 1-4 hours, enforced at the AWS IAM layer without operator intervention.
Pillar 2: Device
Device health must be a continuous input to authorization decisions — not just a point-in-time check at login.
Target-level requirements:
- All devices in scope enrolled in endpoint management (SIEM/UEM)
- Continuous compliance assessment (patch status, AV, disk encryption)
- Device health signals feeding real-time authorization decisions
- Certificate-based device authentication
Implementation pattern:
# AWS IoT Device Defender rule — non-compliant device signal
# Triggers Lambda to revoke session tokens for affected user
resource "aws_cloudwatch_event_rule" "device_noncompliant" {
name = "device-noncompliance-detected"
description = "Trigger when IoT Device Defender detects non-compliance"
event_pattern = jsonencode({
source = ["aws.iot"]
detail-type = ["IoT Device Defender Audit Finding Added"]
detail = {
findingSeverity = ["CRITICAL", "HIGH"]
}
})
}
resource "aws_cloudwatch_event_target" "revoke_sessions" {
rule = aws_cloudwatch_event_rule.device_noncompliant.name
target_id = "RevokeSessions"
arn = aws_lambda_function.session_revocation.arn
}For non-IoT endpoints (workstations, mobile), device compliance signals are ingested from the endpoint management platform (JAMF, Microsoft Intune, or CrowdStrike Falcon) via API and stored as device posture records consulted by the session risk evaluator (Pillar 1 integration above).
Pillar 3: Network/Environment
Traditional network perimeter models trust anything inside the network boundary. Zero trust treats the network as hostile and enforces access controls at every service boundary.
Target-level requirements:
- Micro-segmentation — workloads can only communicate with explicitly authorized peers
- Encrypted traffic for all east-west (service-to-service) communication
- Network-based behavioral analytics
- Software-defined perimeter for external access
Kubernetes implementation with Istio:
# Istio PeerAuthentication — enforce mTLS in production namespace
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
name: default
namespace: production
spec:
mtls:
mode: STRICT # Reject any non-mTLS traffic
---
# Istio AuthorizationPolicy — service-level micro-segmentation
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: mission-data-access
namespace: production
spec:
selector:
matchLabels:
app: mission-data-service
rules:
- from:
- source:
principals:
- "cluster.local/ns/production/sa/analytics-service"
- "cluster.local/ns/production/sa/reporting-service"
to:
- operation:
methods: ["GET"]
paths: ["/api/v1/data/*"]This configuration means the mission-data-service only accepts mTLS connections from the two explicitly named service accounts, on GET requests to the data path — every other connection attempt is rejected at the Envoy sidecar before reaching the application.
Pillar 4: Application/Workload
Applications must enforce authorization at the API and function level — not rely on network controls for data protection.
Target-level requirements:
- Application-layer authentication and authorization at every endpoint
- Automated SAST/DAST/SCA in CI/CD pipelines
- Software supply chain integrity (connects to container signing — Pillar linkage)
- Runtime application self-protection (RASP) signals
CI/CD integration for automated application security:
# GitLab CI — application security gate
application-security:
stage: security
parallel:
matrix:
- SCAN_TYPE: [sast, dast, dependency_scanning, container_scanning]
script:
- |
case $SCAN_TYPE in
sast)
semgrep --config=auto --sarif > sast-results.sarif
python3 scripts/fail_on_severity.py sast-results.sarif HIGH
;;
dast)
zap-baseline.py -t $STAGING_URL -r dast-report.html
python3 scripts/fail_on_severity.py dast-report.html HIGH
;;
dependency_scanning)
trivy fs --format sarif --output dep-results.sarif .
python3 scripts/fail_on_severity.py dep-results.sarif CRITICAL
;;
container_scanning)
trivy image --format sarif --output container-results.sarif $IMAGE
python3 scripts/fail_on_severity.py container-results.sarif CRITICAL
;;
esac
artifacts:
when: always
reports:
sast: sast-results.sarif
paths:
- "*-results.sarif"
- "*-report.html"Scan results are archived as ATO evidence and feed into the ConMon security findings tracker for POA&M management.
Pillar 5: Data
Data is the ultimate protection target. All preceding pillars exist to protect data — the data pillar adds classification-aware access controls.
Target-level requirements:
- Data tagging and classification at creation
- Encryption at rest and in transit with FIPS 140-2 validated keys
- Data loss prevention (DLP) monitoring
- Rights management for CUI
AWS Macie + S3 classification pattern:
# Lambda — triggered by S3 PutObject, applies classification tag
import boto3
import re
def classify_and_tag_object(event: dict, context) -> None:
"""
Apply initial classification tag to new S3 objects.
Macie handles subsequent content-based reclassification.
"""
s3 = boto3.client('s3', region_name='us-gov-west-1')
bucket = event['Records'][0]['s3']['bucket']['name']
key = event['Records'][0]['s3']['object']['key']
# Initial classification from path convention
classification = "CUI" if "/cui/" in key else "UNCLASSIFIED"
s3.put_object_tagging(
Bucket=bucket,
Key=key,
Tagging={
'TagSet': [
{'Key': 'DataClassification', 'Value': classification},
{'Key': 'ClassifiedAt', 'Value': context.invoked_function_arn},
]
}
)S3 bucket policies enforce that CUI-tagged objects can only be accessed from within the CUI enclave VPC — network-level enforcement backing the data-level controls.
The five pillars are most effective as an integrated system where signals from each pillar inform the others. Rutagon delivers this integration as part of full-program zero trust engagements, with DISA ZTA Target-level activity tracking built into the delivery plan. See our continuous ATO capabilities for the ConMon integration layer.
Start your Zero Trust assessment with Rutagon →
Frequently Asked Questions
What does "Target Level" zero trust mean in the DoD context?
The DoD Zero Trust Reference Architecture defines two maturity levels: Foundational (basic zero trust controls) and Target (advanced, automated, continuous controls). The FY2027 mandate requires all DoD systems to achieve Target Level — not just Foundational. Target Level adds continuous behavioral monitoring, automated response, and ML-driven anomaly detection that Foundational leaves as manual processes.
Which zero trust pillar should programs prioritize first?
Identity (Pillar 1) provides the highest ROI per control investment because it blocks entire attack categories (credential theft, privilege abuse) that network-only controls miss. Programs should achieve phishing-resistant MFA across all users before investing heavily in network micro-segmentation. However, all pillars have interdependencies — the sequence matters less than having an integrated roadmap covering all five.
How does Istio service mesh relate to DoD Zero Trust?
Istio directly implements Pillar 3 (Network) zero trust through mTLS enforcement and fine-grained authorization policies. It also contributes to Pillar 4 (Application) by providing service-level observability and traffic control without modifying application code. Rutagon's Istio configurations are mapped to specific DISA ZTA Target-level activities, providing ATO-auditable evidence of control implementation.
Does cloud-native architecture accelerate zero trust implementation?
Significantly. Managed services like AWS IAM, Cognito, Security Hub, and GuardDuty implement foundational controls out of the box — organizations deploying on GovCloud start closer to Target Level than equivalent on-premises implementations. Service meshes (Istio) and admission controllers (Kyverno) provide Pillar 3 and 4 controls that require significant custom engineering on bare metal. Programs should exploit these managed service capabilities rather than building from scratch.
What ATO evidence does zero trust implementation generate?
Zero trust architecture generates substantial ATO evidence: IAM access analyzer findings (for access control documentation), CloudTrail logs (for audit compliance), Security Hub findings (for continuous monitoring), and Istio telemetry (for network control evidence). Rutagon maps each component to specific NIST 800-53 controls and organizes the evidence into the SSP and ConMon artifacts required for ATO submission and maintenance.