Sec. 1528. ZERO TRUST STRATEGY, PRINCIPLES, MODEL ARCHITECTURE, AND IMPLEMENTATION PLANS
## SEC. 1528 ZERO TRUST STRATEGY, PRINCIPLES, MODEL ARCHITECTURE, AND IMPLEMENTATION PLANS **[**[10 U.S.C. 2224 note](/us/usc/t10/s2224)**]**
### (a) In General
Not later than 270 days after the date of the enactment of this Act, the Chief Information Officer of the Department of Defense and the Commander of United States Cyber Command shall jointly develop a zero trust strategy, principles, and a model architecture to be implemented across the Department of Defense Information Network, including classified networks, operational technology, and weapon systems.
### (b) Strategy, Principles, and Model Architecture Elements
The zero trust strategy, principles, and model architecture required under subsection (a) shall include, at a minimum, the following elements:
#### (1) Prioritized policies and procedures for establishing implementations of mature zero trust enabling capabilities within on-premises, hybrid, and pure cloud environments, including access control policies that determine which persona or device shall have access to which resources and the following:
##### (A) Identity, credential, and access management.
##### (B) Macro and micro network segmentation, whether in virtual, logical, or physical environments.
##### (C) Traffic inspection.
##### (D) Application security and containment.
##### (E) Transmission, ingest, storage, and real-time analysis of cybersecurity metadata endpoints, networks, and storage devices.
##### (F) Data management, data rights management, and access controls.
##### (G) End-to-end encryption.
##### (H) User access and behavioral monitoring, logging, and analysis.
##### (I) Data loss detection and prevention methodologies.
##### (J) Least privilege, including system or network administrator privileges.
##### (K) Endpoint cybersecurity, including secure host, endpoint detection and response, and comply-to-connect requirements.
##### (L) Automation and orchestration.
##### (M) Configuration management of virtual machines, devices, servers, routers, and similar to be maintained on a single virtual device approved list (VDL).
#### (2) Policies specific to operational technology, critical data, infrastructures, weapon systems, and classified networks.
#### (3) Specification of enterprise-wide acquisitions of capabilities conducted or to be conducted pursuant to the policies referred to in paragraph (2).
#### (4) Specification of standard zero trust principles supporting reference architectures and metrics-based assessment plan.
#### (5) Roles, responsibilities, functions, and operational workflows of zero trust cybersecurity architecture and information technology personnel—
##### (A) at combatant commands, military services, and defense agencies; and
##### (B) Joint Forces Headquarters-Department of Defense Information Network.
### (c) Architecture Development and Implementation
In developing and implementing the zero trust strategy, principles, and model architecture required under subsection (a), the Chief Information Officer of the Department of Defense and the Commander of United States Cyber Command shall—
#### (1) coordinate with—
##### (A) the Principal Cyber Advisor to the Secretary of Defense;
##### (B) the Director of the National Security Agency Cybersecurity Directorate;
##### (C) the Director of the Defense Advanced Research Projects Agency;
##### (D) the Chief Information Officer of each military service;
##### (E) the Commanders of the cyber components of the military services;
##### (F) the Principal Cyber Advisor of each military service;
##### (G) the Chairman of the Joints Chiefs of Staff; and
##### (H) any other component of the Department of Defense as determined by the Chief Information Officer and the Commander;
#### (2) assess the utility of the Joint Regional Security Stacks, automated continuous endpoint monitoring program, assured compliance assessment solution, and each of the defenses at the Internet Access Points for their relevance and applicability to the zero trust architecture and opportunities for integration or divestment;
#### (3) employ all available resources, including online training, leveraging commercially available zero trust training material, and other Federal agency training, where feasible, to implement cybersecurity training on zero trust at the—
##### (A) executive level;
##### (B) cybersecurity professional or implementer level; and
##### (C) general knowledge levels for Department of Defense users;
#### (4) facilitate cyber protection team and cybersecurity service provider threat hunting and discovery of novel adversary activity;
#### (5) assess and implement means to effect Joint Force Headquarters-Department of Defense Information Network’s automated command and control of the entire Department of Defense Information Network;
#### (6) assess the potential of and, as appropriate, encourage, use of third-party cybersecurity-as-a-service models;
#### (7) engage with and conduct outreach to industry, academia, international partners, and other departments and agencies of the Federal Government on issues relating to deployment of zero trust architectures;
#### (8) assess the current Comply-to-Connect Plan; and
#### (9) review past and conduct additional pilots to guide development, including—
##### (A) utilization of networks designated for testing and accreditation under section 1658 of the National Defense Authorization Act for Fiscal Year 2020 (Public Law 116-92; 10 U.S.C. 2224 note);
##### (B) use of automated red team products for assessment of pilot architectures; and
##### (C) accreditation of piloted cybersecurity products for enterprise use in accordance with the findings on enterprise accreditation standards conducted pursuant to section 1654 of such Act (Public Law 116-92).
### (d) Implementation Plans
#### (1) In general
Not later than one year after the finalization of the zero trust strategy, principles, and model architecture required under subsection (a), the head of each military department and the head of each component of the Department of Defense shall transmit to the Chief Information Officer of the Department and the Commander of Joint Forces Headquarters-Department of Defense Information Network a draft plan to implement such zero trust strategy, principles, and model architecture across the networks of their respective components and military departments.
#### (2) Elements
Each implementation plan transmitted pursuant to paragraph (1) shall include, at a minimum, the following:
##### (A) Specific acquisitions, implementations, instrumentations, and operational workflows to be implemented across unclassified and classified networks, operational technology, and weapon systems.
##### (B) A detailed schedule with target milestones and required expenditures.
##### (C) Interim and final metrics, including a phase migration plan.
##### (D) Identification of additional funding, authorities, and policies, as may be required.
##### (E) Requested waivers, exceptions to Department of Defense policy, and expected delays.
### (e) Implementation Oversight
#### (1) In general
The Chief Information Officer of the Department of Defense shall—
##### (A) assess the implementation plans transmitted pursuant to subsection (d)(1) for—
###### (i) adequacy and responsiveness to the zero trust strategy, principles, and model architecture required under subsection (a); and
###### (ii) appropriate use of enterprise-wide acquisitions;
##### (B) ensure, at a high level, the interoperability and compatibility of individual components’ Solutions Architectures, including the leveraging of enterprise capabilities where appropriate through standards derivation, policy, and reviews;
##### (C) use the annual investment guidance of the Chief to ensure appropriate implementation of such plans, including appropriate use of enterprise-wide acquisitions;
##### (D) track use of waivers and exceptions to policy;
##### (E) use the Cybersecurity Scorecard to track and drive implementation of Department components; and
##### (F) leverage the authorities of the Commander of Joint Forces Headquarters-Department of Defense Information Network and the Director of the Defense Information Systems Agency to begin implementation of such zero trust strategy, principles, and model architecture.
#### (2) Assessments of funding
Not later than March 31, 2024, and annually thereafter, each Principal Cyber Advisor of a military service shall include in the annual budget certification of such military service, as required by section 392a(c)(4) of title 10, United States Code, an assessment of the adequacy of funding requested for each proposed budget for the purposes of carrying out the implementation plan for such military service under subsection (d)(1).
### (f) Initial Briefings
#### (1) On model architecture
Not later than 90 days after finalizing the zero trust strategy, principles, and model architecture required under subsection (a), the Chief Information Officer of the Department of Defense and the Commander of Joint Forces Headquarters-Department of Defense Information Network shall provide to the congressional defense committees a briefing on such zero trust strategy, principles, and model architecture.
#### (2) On implementation plans
Not later than 90 days after the receipt by the Chief Information Officer of the Department of Defense of an implementation plan transmitted pursuant to subsection (d)(1), the secretary of a military department, in the case of an implementation plan pertaining to a military department or a military service, or the Chief Information Officer of the Department, in the case of an implementation plan pertaining to a remaining component of the Department, as the case may be, shall provide to the congressional defense committees a briefing on such implementation plan.
### (g) Annual Briefings
Effective February 1, 2022, at each of the annual cybersecurity budget review briefings of the Chief Information Officer of the Department of Defense and the military services for congressional staff, until January 1, 2030, the Chief Information Officer and the head of each of the military services shall provide updates on the implementation in their respective networks of the zero trust strategy, principles, and model architecture.