DoD Zero Trust Reference Architecture
The U.S. Department of Defense (DoD) Zero Trust Reference Architecture, together with the DoD Zero Trust Capabilities and Activities, defines the Department's zero-trust target state across 7 pillars (User; Device; Application & Workload; Data; Network & Environment; Automation & Orchestration; Visibility & Analytics). The pillars are broken down into 45 capabilities and 152 activities, each designated Target Level or Advanced Level, in support of the DoD Zero Trust Strategy's goal of reaching target-level zero trust across the Department by the end of FY2027. The architecture is aligned with the NIST SP 800-207 zero-trust tenets and is implemented over NIST SP 800-53 controls.
Framework summaries on this platform are AI-assisted interpretations for educational and compliance planning purposes. They do not reproduce or replace the official standards. Refer to the authoritative source for the definitive text. Framework names and trademarks belong to their respective organisations.
Framework Domains (7)
DoD ZT Pillar 1: User
| Code | Title |
|---|---|
| DODZT-1.1 | User Inventory |
| DODZT-1.2 | Conditional User Access |
| DODZT-1.3 | Multi-Factor Authentication |
| DODZT-1.4 | Privileged Access Management |
| DODZT-1.5 | Identity Federation and User Credentialing |
| DODZT-1.6 | Behavioral, Contextual ID, and Biometrics |
| DODZT-1.7 | Least Privileged Access |
| DODZT-1.8 | Continuous Authentication |
| DODZT-1.9 | Integrated ICAM Platform |
DoD ZT Pillar 2: Device
| Code | Title |
|---|---|
| DODZT-2.1 | Device Inventory |
| DODZT-2.2 | Device Detection and Compliance |
| DODZT-2.3 | Device Authorization with Real-Time Inspection |
| DODZT-2.4 | Remote Access |
| DODZT-2.5 | Partially and Fully Automated Asset, Vulnerability and Patch Management |
| DODZT-2.6 | Unified Endpoint Management and Mobile Device Management |
| DODZT-2.7 | Endpoint and Extended Detection and Response |
DoD ZT Pillar 3: Application and Workload
| Code | Title |
|---|---|
| DODZT-3.1 | Application Inventory |
| DODZT-3.2 | Secure Software Development and Integration |
| DODZT-3.3 | Software Risk Management |
| DODZT-3.4 | Resource Authorization and Integration |
| DODZT-3.5 | Continuous Monitoring and Ongoing Authorizations |
DoD ZT Pillar 4: Data
| Code | Title |
|---|---|
| DODZT-4.1 | Data Catalog Risk Alignment |
| DODZT-4.2 | DoD Enterprise Data Governance |
| DODZT-4.3 | Data Labeling and Tagging |
| DODZT-4.4 | Data Monitoring and Sensing |
| DODZT-4.5 | Data Encryption and Rights Management |
| DODZT-4.6 | Data Loss Prevention |
| DODZT-4.7 | Data Access Control |
DoD ZT Pillar 5: Network and Environment
| Code | Title |
|---|---|
| DODZT-5.1 | Data Flow Mapping |
| DODZT-5.2 | Software Defined Networking |
| DODZT-5.3 | Macro Segmentation |
| DODZT-5.4 | Micro Segmentation |
DoD ZT Pillar 6: Automation and Orchestration
| Code | Title |
|---|---|
| DODZT-6.1 | Policy Decision Point and Policy Orchestration |
| DODZT-6.2 | Critical Process Automation |
| DODZT-6.3 | Machine Learning |
| DODZT-6.4 | Artificial Intelligence |
| DODZT-6.5 | Security Orchestration, Automation and Response |
| DODZT-6.6 | API Standardization |
| DODZT-6.7 | Security Operations Center and Incident Response |
DoD ZT Pillar 7: Visibility and Analytics
| Code | Title |
|---|---|
| DODZT-7.1 | Log All Traffic |
| DODZT-7.2 | Security Information and Event Management |
| DODZT-7.3 | Common Security and Risk Analytics |
| DODZT-7.4 | User and Entity Behavior Analytics |
| DODZT-7.5 | Threat Intelligence Integration |
| DODZT-7.6 | Automated Dynamic Policies |
Frequently Asked Questions
What is DoD Zero Trust Reference Architecture?
DoD Zero Trust Reference Architecture is a zero-trust framework from the United States Department of Defense, presented on this platform as 7 domains (the DoD pillars) and 45 controls (the DoD capabilities). Together with the DoD Zero Trust Capabilities and Activities it defines the Department's zero-trust target state, with 152 Target-Level and Advanced-Level activities under the 45 capabilities, in support of the DoD Zero Trust Strategy. It is aligned with the NIST SP 800-207 zero-trust tenets and implemented over NIST SP 800-53 controls. Organisations use it to plan, implement and measure progress toward a zero-trust architecture.
How many controls does DoD Zero Trust Reference Architecture have?
DoD Zero Trust Reference Architecture has 45 controls (DoD capabilities) organised across 7 domains (DoD pillars). The largest domain is DoD ZT Pillar 1: User (9 controls), followed by DoD ZT Pillar 2: Device, DoD ZT Pillar 4: Data and DoD ZT Pillar 6: Automation and Orchestration (7 controls each). Each capability is broken down into activities designated Target Level or Advanced Level, which state what an organisation must implement to reach that level of zero-trust maturity.
What frameworks does DoD Zero Trust Reference Architecture map to?
DoD Zero Trust Reference Architecture maps to 6 other compliance frameworks. The top mapping partners are NIST SP 800-53 Rev 5 (33% coverage), NIST Cybersecurity Framework 2.0 (11% coverage), NIST SP 800-207 (9% coverage). Use our comparison tool to explore control-level mappings between frameworks.
How do I get started with DoD Zero Trust Reference Architecture compliance?
Start your DoD Zero Trust Reference Architecture compliance journey by running a self-assessment on our platform to identify your current compliance posture. Our AI advisory can answer specific questions about DoD Zero Trust Reference Architecture requirements, and cross-framework mapping helps you leverage existing controls from other frameworks you may already comply with. Create a free account to access all 45 controls and track your progress.