<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet type="text/xsl" href="part2stratml.xsl"?>
<PerformancePlanOrReport xmlns="urn:ISO:std:iso:17469:tech:xsd:PerformancePlanOrReport" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"

 xsi:schemaLocation="urn:ISO:std:iso:17469:tech:xsd:PerformancePlanOrReport http://stratml.us/references/PerformancePlanOrReport20160216.xsd" Type="Strategic_Plan"><Name>Department of the Air Force Zero Trust Strategy</Name><Description>This strategy aims to strengthen the DAF's cybersecurity posture and provide to the warfighter assured and secure data access at the speed of war, while simultaneously denying adversary efforts to achieve information dominance.</Description><OtherInformation>Decades of technological evolution and persistent competitors and adversaries have diminished the relevance and effectiveness of the perimeter-centric cybersecurity model. After years of addressing cyber vulnerabilities, insider threats, and design shortcomings with short-term solutions, the Department of the Air Force (DAF) network has evolved into an operationally complex, technically challenging environment that neither meets the standards of modern Airmen &amp; Guardians, nor the requirements for current and future warfighting environments.  Continuing to sustain this security model jeopardizes the ability to preserve its operational effectiveness and lethality. </OtherInformation><StrategicPlanCore><Organization><Name>Department of the Air Force</Name><Acronym>DAF</Acronym><Identifier>_f44f343c-b6c9-11e2-b3e2-1be1e2f52354</Identifier><Description/><Stakeholder StakeholderTypeType="Person"><Name>Venice M. Goodwine</Name><Description>SES, DAF | Chief Information Officer, Office of the Chief Information Officer
</Description></Stakeholder><Stakeholder StakeholderTypeType="Organization"><Name>Department of Defense</Name><Description>The Department of Defense (DoD) aims to revolutionize its network-focused defense-in-depth "castle and moat" cybersecurity strategy into one that focuses on individual data as a strategic asset. To achieve this, the DAF must evolve towards a data-centric Zero Trust cybersecurity strategy.</Description></Stakeholder><Stakeholder StakeholderTypeType="Generic_Group"><Name>Airmen</Name><Description>A Zero Trust culture lays the rock-solid digital foundation that connects all Air and Space Force members across a trusted digital force. DAF must institutionalize a Zero Trust culture in order to enact the warfighting changes necessary to recapture our warfare advantage and evolve to meet the operational imperatives of today.</Description></Stakeholder><Stakeholder StakeholderTypeType="Generic_Group"><Name>Guardians</Name><Description/></Stakeholder><Stakeholder StakeholderTypeType="Organization"><Name>Office of the Chief Information Officer</Name><Description>Office of the Chief Information Officer (SAF/CN) ~ SAF/CN will provide policy, guidance, and strategic risk mitigation as priorities evolve. SAF/CN will also work with SF/S8 and AF/A8 (Deputy Chief of Staff for Plans and Programs) throughout the Planning, Programming, Budgeting, and Execution (PPBE) processes to advocate for resources.</Description></Stakeholder><Stakeholder StakeholderTypeType="Organization"><Name>Air Combat Command</Name><Description>As Air Force lead command for cyberspace operations, Air Combat Command (ACC) is the overall lead to develop the DAF Zero Trust Strategy I-Plan, execute this strategy, mitigate operational risks, and lead all legacy sunsetting efforts. ACC is the customer-facing organization, leading Zero Trust strategic communications actions, and synchronizing all DAF Zero Trust efforts.
ACC will take special care to coordinate with Air Force Materiel Command (AFMC), as Lead Command and requirements-owner for SAP IT and the SAP Zero Trust I-Plan.</Description></Stakeholder><Stakeholder StakeholderTypeType="Organization"><Name>Space Systems Command</Name><Description>As Space Force lead acquisition field command for space mission systems, Space Systems Command (SSC), in coordination with Space Operations Command (SpOC), lead command for cyberspace operations, as well as Field Commands such as the Space Development Agency and the Space Rapid Capabilities Office, is appointed to develop and integrate Zero Trust (ZT) requirements, architectures, and equities into all DAF lifecycle planning, acquisition, execution, and sustainment efforts.</Description></Stakeholder><Stakeholder StakeholderTypeType="Organization"><Name>Cyber Capabilities Center</Name><Description>The Cyber Capabilities Center (CCC) is appointed to develop, coordinate, and deconflict all DAF, MAJCOM, C-MAJCOM, FIELDCOM, and field agency Zero Trust requirements and corresponding architectures, aligned to DoD’s reference architecture.</Description></Stakeholder><Stakeholder StakeholderTypeType="Organization"><Name>Air Force Acquisition</Name><Description>The Air Force Acquisition (SAF/AQ) will develop and execute the acquisition strategy, while
mitigating delivery risks and coordinating architectures, designs, and implementation across the
EIT and OT portfolio.</Description></Stakeholder><Stakeholder StakeholderTypeType="Organization"><Name>16th Air Force</Name><Description>16th Air Force is appointed to operate, secure, and defend the AFIN, in line with this strategy.</Description></Stakeholder><Stakeholder StakeholderTypeType="Generic_Group"><Name>Zero Trust Transition Team</Name><Description>As this strategy matures, the Zero Trust Transition Team (ZTTT) responsibilities will transition to traditional Lead Command responsibilities, under ACC.</Description></Stakeholder></Organization><Vision><Description>Operational imperatives are met</Description><Identifier>_9ab685e2-3da4-11ef-a2ca-dbff0483ea00</Identifier></Vision><Mission><Description>To strengthen the DAF's cybersecurity posture and provide to the warfighter assured and secure data access at the speed of war, while simultaneously denying adversary efforts to achieve information dominance</Description><Identifier>_9ab6888a-3da4-11ef-a2ca-dbff0483ea00</Identifier></Mission><Value><Name>Data</Name><Description>Zero Trust is a data and application access strategy that assumes all connections, regardless of network origin, come from untrusted sources.</Description></Value><Value><Name>Applications</Name><Description/></Value><Value><Name>Access</Name><Description>Access to each resource is only granted after explicitly requesting, establishing, and continuously re-verifying confidence in the requestor's identity, device, and context of each connection.</Description></Value><Value><Name>Identity</Name><Description/></Value><Value><Name>Verification</Name><Description/></Value><Value><Name>Context</Name><Description/></Value><Value><Name>Simplification</Name><Description>Ultimately, this strategy makes the warfighting changes we need to evolve as a department possible by simplifying access for our Airmen &amp; Guardians and imposing higher costs on our competitors and adversaries.
The seven pillars, capability elements, and activities focus DAF resources to align with the DoD Zero Trust Strategy and industry-leading Zero Trust models.</Description></Value><Value><Name>Cybersecurity</Name><Description>This strategy describes the concept for establishing a DAF Zero Trust capability, delivering a future cybersecurity posture that simplifies access for our Airmen &amp; Guardians and imposes higher costs on our competitors and adversaries, to accelerate the adoption of next-generation warfare technologies.</Description></Value><Value><Name>Scalability</Name><Description>This vision requires a scalable, resilient, auditable, globally accessible, and defendable framework centered on the protection of our most critical, mission-essential data, applications, assets, and services (DAAS), to prevent, detect, respond to, and recover from malicious cyber activity in multiple operating environments.
</Description></Value><Value><Name>Resilience</Name><Description/></Value><Value><Name>Auditability</Name><Description/></Value><Value><Name>Defensibility</Name><Description/></Value><Value><Name>Confidence</Name><Description/></Value><Goal><Name>Applications &amp; Workloads</Name><Description>Prioritize application and resource availability to warfighters, while cloaking them from malicious actors</Description><Identifier>_9ab68c72-3da4-11ef-a2ca-dbff0483ea00</Identifier><SequenceIndicator>1</SequenceIndicator><Stakeholder><Name/><Description/></Stakeholder><OtherInformation>Applications and Workloads: Application-Level Visibility and Control ~ To improve our mission effectiveness, the DAF must prioritize application and resource availability to warfighters, while cloaking them from malicious actors. Under a Zero Trust model, combining authentication and authorization of identities, devices, and context-based attributes helps derive confidence for graduated resource-access decisions. Adopting a principle of least privilege in this model further reduces application compromise, while providing direct access to warfighters, mission partners, and allies. Together, these capabilities impair lateral movement and privilege escalation, mitigating the impact of any successful malicious cyber activity.</OtherInformation><Objective><Name>Discovery</Name><Description>Evolve to a real-time, automated, and domainless visibility and analytics capability for universal consumption</Description><Identifier>_9ab68cea-3da4-11ef-a2ca-dbff0483ea00</Identifier><SequenceIndicator>1.1</SequenceIndicator><Stakeholder><Name/><Description/></Stakeholder><OtherInformation>Continuous Application Discovery ~ In order to control access and visibility to applications, preventing back doors, DAF must discover and map all current application activity on the AFIN, as a foundational and ongoing mission, in order to identify legacy capabilities and tools and prioritize modernization efforts.
Foremost, this requires strong governance between cyber operation units and mission owners, as critical partners. While initial efforts may be manual, DAF must evolve to a real-time, automated, and domainless visibility and analytics capability available for universal consumption. Maps to DoD ZT Capability 3.1.</OtherInformation></Objective><Objective><Name>Roles &amp; Responsibilities</Name><Description>Define evolving roles, responsibilities, and expectations</Description><Identifier>_9ab68d4e-3da4-11ef-a2ca-dbff0483ea00</Identifier><SequenceIndicator>1.2</SequenceIndicator><Stakeholder StakeholderTypeType="Generic_Group"><Name>DAF Cyber Operators</Name><Description/></Stakeholder><Stakeholder StakeholderTypeType="Generic_Group"><Name>Data Stewards</Name><Description/></Stakeholder><Stakeholder StakeholderTypeType="Generic_Group"><Name>Mission Owners</Name><Description/></Stakeholder><OtherInformation>On-Board Applications and Mission Owners to Zero Trust ~ A critical objective going forward, managing every application and mission partnership requires
clear policy, procedures, and tools. DAF must define the evolving roles, responsibilities, and expectations for DAF cyber operators, as well as data stewards &amp; mission owners for migrating into this new paradigm. It must address new and legacy applications - identifying and prioritizing
which applications will and will not on-board. Many applications will need both technical and business process re-engineering to adopt better security practices. Any on-boarding process must also crucially identify mission owners' current and future access attribute requirements (e.g., users, devices, and context), recognizing that automating any part of this process will drastically accelerate this goal’s maturity.</OtherInformation></Objective><Objective><Name>Visibility &amp; Access</Name><Description>Implement centralized application permissions and control of applications</Description><Identifier>_9ab68dbc-3da4-11ef-a2ca-dbff0483ea00</Identifier><SequenceIndicator>1.3</SequenceIndicator><Stakeholder><Name/><Description/></Stakeholder><OtherInformation>Tightly Control Application Visibility and Access ~ In order to mitigate the impact of any successful attack and achieve application-level control, DAF must implement centralized application permissions and control. Transitioning to attribute-based access control hides applications from unauthorized queries and provides access only to authorized and authenticated warfighters, mission partners, and allies. This means creating micro-perimeters around data, applications, assets, and services (DAAS) based on criticality, enforcing network segmentation, encrypting data at rest and in transit, and blocking unauthorized users and devices from the relevant applications. Once fully automated, we need to work towards streamlining and eventual elimination of the DD Form 2875 process, incorporating the many known workflows. These workflows can be applied and enforced on Software Defined Perimeters (SDP) during on-boarding. Mission owners will maintain these rulesets, along with continuous, Machine Learning (ML) and AI-driven behavioral analytics to monitor the application throughout its lifecycle.
Maps to DoD ZT Capability 1.2.</OtherInformation></Objective></Goal><Goal><Name>Data</Name><Description>Extend the protect surface by defining data down to the cellular level</Description><Identifier>_9ab68e20-3da4-11ef-a2ca-dbff0483ea00</Identifier><SequenceIndicator>2</SequenceIndicator><Stakeholder><Name/><Description/></Stakeholder><OtherInformation>Data: Data As The New Perimeter ~ The future of information dominance depends on the quality, visibility, accessibility, understandability, linkages, trustworthiness, interoperability, and security (VAULT-IS) of data as a strategic asset. To transform how the DAF protects and defends resources, in line with the DAF Implementation Plan of the DoD Data Strategy, DAF must extend the protect surface by defining data, down to the cellular level, as the new perimeter and adopting dynamic data tagging, labeling, and encryption technology that empowers data stewards and consumers, and assures access from anywhere, anytime. Together, this provides the potential to collapse the number of DAF warfighting environments.</OtherInformation><Objective><Name>Discovery</Name><Description>Discover all data on the AFIN</Description><Identifier>_9ab68e84-3da4-11ef-a2ca-dbff0483ea00</Identifier><SequenceIndicator>2.1</SequenceIndicator><Stakeholder><Name/><Description/></Stakeholder><OtherInformation>Continuous Data Discovery ~ In order to control access and visibility to prioritized business and mission data, preventing any back doors, DAF must first discover all data on the AFIN, including newly created data, as a foundational and ongoing mission. Foremost, this effort requires strong governance between cyberspace operation units, mission owners, and data stewards, as critical partners. While initial efforts may be manual or semi-automated, DAF must evolve this into a real-time, automated visibility and analytics capability, available for DoD or DAF consumption and managed through the data lifecycle.
Maps to DoD ZT Capability 4.2 and 4.4.</OtherInformation></Objective><Objective><Name>Tagging</Name><Description>Implement and govern continuous tagging as data is created</Description><Identifier>_9ab68ef2-3da4-11ef-a2ca-dbff0483ea00</Identifier><SequenceIndicator>2.2</SequenceIndicator><Stakeholder><Name/><Description/></Stakeholder><OtherInformation>Implement and Govern Continuous Tagging As Data is Created ~ Managing all data and mission partnerships requires clear policy, procedures, and tools. DAF must define the evolving roles, responsibilities, and expectations for the DAF Chief Data and AI Office (CDAO), 16 AF organizations and operators, as well as mission owners and information and data stewards, in line with a DAF Data I-Plan. It must address which data is critical and define initial, manual, or semi-automated data tagging &amp; auditing processes to start today, while working towards an ML and AI-driven process. Policies must include governance structures, defining how to tag data, how to share, who has stewardship of certain types of data, minimum data tagging and labeling standards, as well as human audit requirements. Crucially, mission owners &amp; data stewards must identify access attribute requirements (e.g., users, devices, and context). All newly created data must adhere to these processes, but DAF must also address all existing data.
Maps to DoD ZT Capability 4.3.</OtherInformation></Objective><Objective><Name>Visibility &amp; Access</Name><Description>Control data visibility and access</Description><Identifier>_9ab68f60-3da4-11ef-a2ca-dbff0483ea00</Identifier><SequenceIndicator>2.3</SequenceIndicator><Stakeholder><Name/><Description/></Stakeholder><OtherInformation>Tightly Control Data Visibility &amp; Access ~ To mitigate the impact of successful attacks &amp; achieve data-level control, DAF must implement strong role, labeling, and attribute-based access controls, based on the discovered and tagged data access attribute requirements. Implementing least privilege provides data privacy and provides access only to authorized and authenticated requests. Once fully automated, these access rules can be applied and enforced on SDPs as data is created. Mission owners &amp; data stewards will maintain these rulesets throughout the data lifecycle. Maps to DoD ZT Capability 4.7.</OtherInformation></Objective><Objective><Name>Loss Prevention</Name><Description>Implement data loss prevention analytics</Description><Identifier>_9ab68fc4-3da4-11ef-a2ca-dbff0483ea00</Identifier><SequenceIndicator>2.4</SequenceIndicator><Stakeholder><Name/><Description/></Stakeholder><OtherInformation>Implement Data Loss Prevention Analytics ~ Treating data as strategic assets requires strong protection and orchestration throughout its lifecycle. DAF must redefine and implement data loss prevention techniques through strong encryption in transit and at rest. These capabilities must be integrated from first data exposure throughout the data lifecycle to facilitate governance over critical mission data and their associated continuous data monitoring missions.
Maps to DoD ZT Capability 4.6.</OtherInformation></Objective></Goal><Goal><Name>Users</Name><Description>Provide users with the right access to the right entities for the right reasons</Description><Identifier>_9ab6903c-3da4-11ef-a2ca-dbff0483ea00</Identifier><SequenceIndicator>3</SequenceIndicator><Stakeholder><Name/><Description/></Stakeholder><OtherInformation>Users: Right Access, To The Right Entity, For The Right Reason ~ A unified, reliable, and federated identity model is fundamental to DAF Zero Trust. Federation is essential as it simplifies the process for users to access multiple systems and services, increasing security and improving efficiency, while enhancing interoperability. Evolving into a continuous authorization, authentication, and monitoring approach, DAF Identity, Credential, and Access Management (ICAM) capabilities empower Air &amp; Space professionals, partners, and allies with seamless and secure, user-friendly access to resources. Strong governance, automated authorization services, and support for modern authentication tools, protocols, and standards ensure the right people and systems have the right level of access to appropriate resources. Continuous monitoring and analytics drive risk assessments that revoke access, when needed.</OtherInformation><Objective><Name>Access &amp; Policy Management</Name><Description>Enforce enterprise access and policy management services</Description><Identifier>_9ab690aa-3da4-11ef-a2ca-dbff0483ea00</Identifier><SequenceIndicator>3.1</SequenceIndicator><Stakeholder><Name/><Description/></Stakeholder><OtherInformation>Enforce Enterprise Access and Policy Management Services ~ To save Airmen and Guardians time with faster access request responses, the DAF must evolve to balance security and usability via centralized dynamic role and attribute-based access.
DAF will implement centralized access management to automate and audit account provisioning, deprovisioning, and privileged access management, reducing mission risk exposure. DAF will also implement access management, leveraging data tagging, labeling, policy enforcement/decision points (PEP/PDP) and SDPs, providing authorized identities lower-risk, on-demand access to resources anytime, anywhere. PEPs/PDPs will carry out or enforce all access policy decisions. Maps to DoD ZT Capability 1.2 and 1.7.</OtherInformation></Objective><Objective><Name>Authentication</Name><Description>Enable multi-factor authentication</Description><Identifier>_9ab69118-3da4-11ef-a2ca-dbff0483ea00</Identifier><SequenceIndicator>3.2</SequenceIndicator><Stakeholder><Name/><Description/></Stakeholder><OtherInformation>Enable Universal Multi-Factor Authentication ~ In order to deliver an improved user experience, the DAF must eliminate the weakness of usernames and passwords and allow multiple DoD-approved authenticators (e.g., hardware tokens and mobile authenticators) that support a wide range of users, devices, partners, security, and access levels across a spectrum of mission environments and scenarios (e.g., airborne, terrestrial, etc.). The DAF will also deliver a public-facing, self-service, enterprise ICAM identity interface where military, retirees, dependents, and partners can map additional authenticators to their identity.
Maps to DoD ZT Capability 1.3.</OtherInformation></Objective><Objective><Name>Authentication &amp; Authorization</Name><Description>Standardize authentication and authorization</Description><Identifier>_9ab6919a-3da4-11ef-a2ca-dbff0483ea00</Identifier><SequenceIndicator>3.3</SequenceIndicator><Stakeholder><Name/><Description/></Stakeholder><OtherInformation>Standardize Continuous Authentication and Authorization ~ Knowing who or what is accessing DAF resources requires strong governance, providing the programmatic oversight, as well as technical policy development and enforcement. Adopting and automating enforcement of ICAM policies and standards provides a uniform security posture, minimizes risk, and realizes manpower savings through risk-informed access decisions across the enterprise. Continuously monitoring and auditing ICAM events, through AI and ML analytics, revolutionizes the DAF approach to cybersecurity for an agile and resilient defense posture - ready to revoke access when necessary. Maps to DoD ZT Capability 1.8.</OtherInformation></Objective></Goal><Goal><Name>Devices</Name><Description>Reduce the risk created by any device</Description><Identifier>_9ab69212-3da4-11ef-a2ca-dbff0483ea00</Identifier><SequenceIndicator>4</SequenceIndicator><Stakeholder><Name/><Description/></Stakeholder><OtherInformation>Endpoint Devices: Reduce The Risk Created By Any Single Device ~ Endpoint devices of the future (e.g., servers, PCs, laptops, phones, controllers, and tablets) must mature to autonomously protect, detect, and respond to cyber threats.
This begins with ensuring least privilege access to endpoint devices and proper Identity and Access Management, continuous discovery of endpoints, assessment of security suitability, determination of acceptability to connect, ongoing continuous monitoring and reporting of results, ensuring data is encrypted both at rest and in transit, and proper use of firewalls, intrusion detection systems, and other measures to protect the network to which the endpoint devices are connected.
From this, policy decision points may derive confidence to make role and attribute-based access decisions. The DAF must adopt centralized, platform-agnostic endpoint health management services that unleash warfighters to execute their mission from the most capable device that meets their needs. While no approach prevents every attack, this reduces the risk of compromise and mitigates the impact of any successful attack.</OtherInformation><Objective><Name>Hardware &amp; Software</Name><Description>Discover connected hardware, software, and NPEs operating on the AFIN</Description><Identifier>_9ab69280-3da4-11ef-a2ca-dbff0483ea00</Identifier><SequenceIndicator>4.1</SequenceIndicator><Stakeholder><Name/><Description/></Stakeholder><OtherInformation>Continuous Hardware and Software Discovery ~ In order to enforce endpoint compliance and prevent back doors, DAF must first discover connected hardware, software, and NPEs operating on the AFIN, leveraging strong, certificate-based device identities, as a foundational and ongoing mission. Foremost, this effort requires strong governance between cyberspace operation units and mission and system owners, as critical partners. While initial efforts may be manual, DAF must evolve this into a real-time, automated capability, available for universal consumption. Maps to DoD ZT Capability 2.1, 2.2, and 2.6.</OtherInformation></Objective><Objective><Name>Endpoint Assets</Name><Description>Enforce endpoint asset compliance</Description><Identifier>_9ab6933e-3da4-11ef-a2ca-dbff0483ea00</Identifier><SequenceIndicator>4.2</SequenceIndicator><Stakeholder><Name/><Description/></Stakeholder><OtherInformation>Enforce Endpoint Asset Compliance ~ In order to reduce the risk of compromise, DAF application and data stewards must establish and enforce clear patching and policy standards for both managed and unmanaged devices. Efforts should evolve endpoint security and management from single, comply-to-connect decisions (connect/quarantine/no connect) to continuous monitoring procedures which auto-remediate managed and unmanaged devices. Solutions must also yield confidence attributes, which mission owners and data stewards can leverage for graduated access decisions. Advanced maturity must enforce the baseline or deny access through hybrid-cloud solutions, allowing efficient access, no matter the location or DDIL conditions. Maps to DoD ZT Capability 2.2, 2.3.</OtherInformation></Objective><Objective><Name>Domains</Name><Description>Create a domainless environment</Description><Identifier>_9ab693b6-3da4-11ef-a2ca-dbff0483ea00</Identifier><SequenceIndicator>4.3</SequenceIndicator><Stakeholder><Name/><Description/></Stakeholder><OtherInformation>Create a Domainless Environment ~ Currently, DAF employs single-vendor domain controllers (DC), which require connections to every device on the AFNET domain. The DAF supports two or more DCs at over 180 DAF sites, leaving adversaries over 360 attack vectors to reach the entire department. In order to mitigate the impact of any successful attack, the DAF must eliminate, as much as possible, the internal trust inherent to the concept of a domain. To achieve this, all endpoints must be removed from AFIN DCs -- laptops, mobile, servers, etc.
Under this paradigm, resource access becomes truly network agnostic, relying only on identity, client health, and context attributes for access decisions. Maps to DoD ZT Capability 2.1, 2.3, 2.5, and 2.6.</OtherInformation></Objective><Objective><Name>Threats</Name><Description>Continuously detect and respond to threats</Description><Identifier>_9ab6942e-3da4-11ef-a2ca-dbff0483ea00</Identifier><SequenceIndicator>4.4</SequenceIndicator><Stakeholder><Name/><Description/></Stakeholder><OtherInformation>Continuous Threat Detection and Response ~ In order to impose further costs on adversaries, DAF must also evolve endpoint protection and a security operation center (SOC) concept to cloud-based, automated endpoint/extended detection and response (EDR/XDR) for aggregated, context-driven analysis across the AFIN. Combined with AI and ML-driven security orchestration, automation, and response (SOAR) capabilities, operators can fuse real-time data visibility and multi-source intelligence for faster, more effective threat responses. Maps to DoD ZT Capability 2.6 and 2.7.</OtherInformation></Objective></Goal><Goal><Name>Network &amp; Environment</Name><Description>Control access to protected resources anytime, anywhere</Description><Identifier>_9ab694ba-3da4-11ef-a2ca-dbff0483ea00</Identifier><SequenceIndicator>5</SequenceIndicator><Stakeholder><Name/><Description/></Stakeholder><OtherInformation>Network and Environment: Access To Protected Resources Anytime, Anywhere ~ Zero Trust assumes the network is untrusted and potentially hostile, shifting the security monitoring and protection focus to data, users, and endpoints. Adopting Software Defined Perimeter (SDP) enables remote, secure, streamlined, and direct worldwide access to resources, through encrypted, authenticated, and authorized channels. This network-agnostic model unlocks the best of multiple commercial, global space and terrestrial transport backbones as viable mission network options.
Together, these capabilities provide warfighters and partners with ubiquitous network availability, enabling freedom to operate from anywhere, anytime, and relieving the restraints of the legacy gateway and VPN bottlenecks.</OtherInformation><Objective><Name>Discovery &amp; Monitoring</Name><Description>Actively manage the best transport path for each resource connection</Description><Identifier>_9ab6953c-3da4-11ef-a2ca-dbff0483ea00</Identifier><SequenceIndicator>5.1</SequenceIndicator><Stakeholder><Name/><Description/></Stakeholder><OtherInformation>Mature Network Discovery and Monitoring for Zero Trust ~ Before the AFIN network perimeter can pull back from the network down to the datacenter level, DAF must actively manage the best transport path for each resource connection. In order to find and manage any best path, DAF must aim to discover its many physical and logical transport paths (e.g., routing tables, VLAN, P2P, SD-WAN overlays, etc.), as a foundational and ongoing mission.</OtherInformation></Objective><Objective><Name>SDPs</Name><Description>Deploy SDPs as close to protected resources as possible</Description><Identifier>_9ab695be-3da4-11ef-a2ca-dbff0483ea00</Identifier><SequenceIndicator>5.2</SequenceIndicator><Stakeholder><Name/><Description/></Stakeholder><OtherInformation>Deploy SDPs as Close to Protected Resources as Possible ~ In order to streamline secure and direct worldwide access to resources, DAF must evolve the base boundary from the network down to the datacenter level and eventually down to the individual data and microservice level. This is achieved through the PEPs/PDPs that make up an SDP, both in the cloud and on-premises. Using mutual transport layer security (mTLS), and common service access, SDPs consume all individual identity, device, and context attributes required to automatically make granular access decisions, establish, and monitor secure connections. 
Regardless of where the connection is coming from, the SDP validates the attributes against the data and application requirements from mission owners and application and data stewards. Placing the SDP as close to the protected resource as possible shrinks the attack surface and simplifies the transactional path, eliminating the need for VPNs, improving access for warfighters, and imposing higher costs on adversaries. Maps to DoD ZT Capability 5.2.</OtherInformation></Objective><Objective><Name>Cloud Services</Name><Description>Migrate enterprise services to a hybrid cloud model</Description><Identifier>_9ab6964a-3da4-11ef-a2ca-dbff0483ea00</Identifier><SequenceIndicator>5.3</SequenceIndicator><Stakeholder><Name/><Description/></Stakeholder><OtherInformation>Migrate Enterprise Services to Hybrid Cloud ~ In order to provide anytime, anywhere access and security, DAF must migrate enterprise services to a hybrid cloud model. A combination of globally hosted cloud and on-premises services provides resilient and elastic capabilities from anywhere, while automatically synchronized, on-premises, and tactically deployable services provide assured availability under the harshest DDIL conditions. This environment ensures user identity attributes, device health, and access management persist uninterrupted.</OtherInformation></Objective><Objective><Name>Segmentation</Name><Description>Mature segmentation to lowest level</Description><Identifier>_9ab696d6-3da4-11ef-a2ca-dbff0483ea00</Identifier><SequenceIndicator>5.4</SequenceIndicator><Stakeholder><Name/><Description/></Stakeholder><OtherInformation>Mature Segmentation to Lowest Level ~ Segmentation is the practice of breaking a unified system into smaller, isolated segments, in order to apply more granular visibility and access controls to each segment. To provide the strongest controls, the DAF must evolve from network-based segmentation to datacenter, host-based, and micro-service level segmentation.
The first priority is to expand segmentation across the AFIN, then apply segmentation downward, as close to the protected resources as possible. On top of the added security, such low-level segmentation drives further benefits from DevSecOps code reuse, down to the container level, orchestration, and automated service management. Microsegmentation will be the first ZT capability the DAF rolls out, as early as FY23. Maps to DoD ZT Capability 5.1.</OtherInformation></Objective></Goal><Goal><Name>Automation &amp; Orchestration</Name><Description>Automate security responses based on security policies</Description><Identifier>_9ab69758-3da4-11ef-a2ca-dbff0483ea00</Identifier><SequenceIndicator>6</SequenceIndicator><Stakeholder><Name/><Description/></Stakeholder><OtherInformation>Automation and Orchestration: Automated Security Responses based on Security Policies</OtherInformation><Objective><Name>Tasks, Responses &amp; Toolsets</Name><Description>Inventory, debate, and codify task automation, response, and toolsets</Description><Identifier>_9ab697ee-3da4-11ef-a2ca-dbff0483ea00</Identifier><SequenceIndicator>6.1</SequenceIndicator><Stakeholder><Name/><Description/></Stakeholder><OtherInformation>Policy Inventory and Development ~ To build out robust and responsible automation, current task automation, response, and toolsets must be inventoried, debated, and codified. The DAF requires a cohesive Application Programming Interface (API)-driven mechanism to document and query (i.e., orchestrate) policies across the enterprise and amongst Zero Trust components for effective automation. Governance will be needed for auditable change control of enterprise assets. Policies within the Zero Trust ecosystem must be continuously refined and matured to ensure effective enforcement against protected resources. 
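Added illustration, not code from the DAF strategy or from any DAF system: the access decision a software-defined perimeter's policy decision point makes (objective 5.2), driven by the kind of codified, queryable policy inventory that objective 6.1 calls for. The resource names, attribute names, thresholds, and the device health score are constructed assumptions; in a real SDP the PEP takes the identity from the mTLS client certificate and the device posture from an endpoint agent before consulting the PDP.

```python
"""Policy decision point (PDP) for a software-defined perimeter, illustration only.

Flow: the PEP terminates mTLS, extracts identity/device/context attributes,
asks the PDP, and enforces the answer. The policy inventory is plain data so an
API can document and query it, and so that changes to it can be audited.
All names, scores and thresholds are constructed for this example.
"""
from dataclasses import dataclass, field
import json

# Constructed policy inventory: one codified entry per protected resource.
POLICY_INVENTORY = {
    "logistics-api": {
        "allowed_roles": ["logistics", "maintenance"],
        "min_device_score": 70,        # endpoint health score, 0..100 (assumed scale)
        "require_mfa": True,
        "max_auth_age_s": 3600,        # force re-authentication after one hour
        "allowed_countries": ["US"],
    },
    "public-docs": {
        "allowed_roles": ["*"],
        "min_device_score": 0,
        "require_mfa": False,
        "max_auth_age_s": 86400,
        "allowed_countries": ["*"],
    },
}


@dataclass
class AccessRequest:
    subject: str        # identity taken from the mTLS client certificate
    roles: list
    device_score: int   # posture reported by the endpoint agent (assumed)
    mfa: bool           # strong authentication performed this session
    auth_age_s: int     # seconds since that authentication
    country: str        # request context, e.g. from the PEP's geolocation
    resource: str


@dataclass
class Decision:
    allow: bool
    reasons: list = field(default_factory=list)


def evaluate(req: AccessRequest, inventory=POLICY_INVENTORY) -> Decision:
    """Check every attribute and report every failing check, so the PEP's
    log explains a denial instead of just recording it. Unknown resources
    are denied: there is no implicit trust in a resource nobody codified."""
    policy = inventory.get(req.resource)
    if policy is None:
        return Decision(False, ["no policy for resource; default deny"])
    reasons = []
    roles_ok = "*" in policy["allowed_roles"] or not set(req.roles).isdisjoint(policy["allowed_roles"])
    if not roles_ok:
        reasons.append("identity: role not permitted")
    if policy["min_device_score"] > req.device_score:
        reasons.append("device: health score below threshold")
    if policy["require_mfa"] and not req.mfa:
        reasons.append("identity: MFA required")
    if req.auth_age_s > policy["max_auth_age_s"]:
        reasons.append("context: authentication too old, re-authenticate")
    if "*" not in policy["allowed_countries"] and req.country not in policy["allowed_countries"]:
        reasons.append("context: location not permitted")
    return Decision(not reasons, reasons)


def query_policy(resource: str, inventory=POLICY_INVENTORY) -> str:
    """The query side of an API-driven inventory: the codified policy as JSON."""
    return json.dumps(inventory.get(resource), sort_keys=True)


if __name__ == "__main__":
    good = AccessRequest("CN=airman1", ["logistics"], 85, True, 600, "US", "logistics-api")
    bad = AccessRequest("CN=airman1", ["logistics"], 40, False, 600, "US", "logistics-api")
    print(evaluate(good))   # allow=True, reasons=[]
    print(evaluate(bad))    # allow=False with two reasons
    print(query_policy("logistics-api"))
```

The evaluator collects every failed check rather than stopping at the first one, which is what makes a denial auditable and lets a missing policy entry fail closed instead of open.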
Maps to DoD ZT Capability 6.1.</OtherInformation></Objective><Objective><Name>Workflows</Name><Description>Reduce and eventually eliminate manual processes</Description><Identifier>_9ab69ac8-3da4-11ef-a2ca-dbff0483ea00</Identifier><SequenceIndicator>6.2</SequenceIndicator><Stakeholder><Name/><Description/></Stakeholder><OtherInformation>Workflow Enrichment ~ Through the continuous enumeration and analysis of manual processes, the DAF must reduce, and eventually eliminate, these slow and inefficient processes through the continuous implementation of the automation required to operate at speed and scale. The DAF must employ automation methods to address repetitive, predictable tasks for critical functions such as data enrichment, security controls, and incident response workflows according to system security engineering principles. Maps to DoD ZT Capability 6.2.</OtherInformation></Objective><Objective><Name>Policies &amp; Processes</Name><Description>Automate security processes and implement policy-based actions</Description><Identifier>_9ab69b72-3da4-11ef-a2ca-dbff0483ea00</Identifier><SequenceIndicator>6.3</SequenceIndicator><Stakeholder><Name/><Description/></Stakeholder><OtherInformation>Automated Defensive Cyber Maneuvers ~ The DAF requires robust defensive cybersecurity operations to deploy, operate, and maintain security monitoring, protections, and response for protected resources.
^^
As the DAF adopts a Zero Trust construct, the volume of security-related data originating from all points of the architecture will quickly overwhelm cyber defenders. Therefore, to defend at speed and scale, the DAF must automate security processes and implement policy-based actions to the greatest extent possible. Deploying automated security tooling, such as Security Orchestration, Automation and Response (SOAR) integrated with Security Information and Event Management (SIEM), will substantially decrease response times to detected threats and greatly enhance the enterprise cybersecurity posture. Organizations and system owners must ensure that they have well-defined and robust investigation and remediation plans in place.
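Added illustration, not DAF tooling or code from the strategy: a SOAR-style policy-based response (objective 6.3) run over constructed, SIEM-normalized authentication events of the kind the log collection and alerting objectives (7.1 and 7.2) describe. The log format, the detection thresholds, and the playbook action names are assumptions; a real deployment would call SOAR connectors where this code returns action strings.

```python
"""SOAR-style automated response over SIEM-normalized auth events, illustration only.

Detection feeds a policy-based playbook. The log format, thresholds and playbook
action names are constructed for this example; a real deployment would call
SOAR connectors where strings are returned here.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample: a brute-force burst that ends in a success, and a second
# user whose two failures are too far apart to matter.
SAMPLE_LOGS = """\
2024-07-09T10:00:01Z auth host=gw1 user=airman1 src=203.0.113.7 result=FAIL
2024-07-09T10:00:05Z auth host=gw1 user=airman1 src=203.0.113.7 result=FAIL
2024-07-09T10:00:09Z auth host=gw1 user=airman1 src=203.0.113.7 result=FAIL
2024-07-09T10:00:12Z auth host=gw1 user=airman1 src=203.0.113.7 result=FAIL
2024-07-09T10:00:14Z auth host=gw1 user=airman1 src=203.0.113.7 result=FAIL
2024-07-09T10:00:20Z auth host=gw1 user=airman1 src=203.0.113.7 result=OK
2024-07-09T10:30:00Z auth host=gw2 user=guardian2 src=198.51.100.9 result=FAIL
2024-07-09T11:45:00Z auth host=gw2 user=guardian2 src=198.51.100.9 result=FAIL
"""

LINE_RE = re.compile(r"^(\S+) auth host=(\S+) user=(\S+) src=(\S+) result=(\S+)$")


def parse(text):
    """Yield one dict per line. An unparseable line raises rather than being
    dropped silently: a detection that quietly loses input is worse than none."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            raise ValueError("unparseable log line: " + line)
        ts, host, user, src, result = m.groups()
        yield {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
               "host": host, "user": user, "src": src, "result": result}


def detect_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Alert once per (user, src) when failures inside a sliding window reach
    the threshold; mark the alert if a success follows, since that changes the
    response from 'block the source' to 'assume the account is compromised'."""
    fails = defaultdict(list)
    alerts = []
    for ev in events:
        key = (ev["user"], ev["src"])
        if ev["result"] == "FAIL":
            fails[key].append(ev["ts"])
            # keep only failures that still fall inside the window
            fails[key] = [t for t in fails[key] if window >= ev["ts"] - t]
            already = any((a["user"], a["src"]) == key for a in alerts)
            if len(fails[key]) >= threshold and not already:
                alerts.append({"rule": "auth_bruteforce", "user": ev["user"],
                               "src": ev["src"], "first_seen": fails[key][0],
                               "success_after": False})
        elif ev["result"] == "OK":
            for a in alerts:
                if (a["user"], a["src"]) == key:
                    a["success_after"] = True
    return alerts


def run_playbook(alert):
    """Policy-based actions. Names stand in for hypothetical SOAR connector calls."""
    actions = ["block_src:" + alert["src"], "open_case:" + alert["user"]]
    if alert["success_after"]:
        actions += ["revoke_sessions:" + alert["user"],
                    "require_reauth_mfa:" + alert["user"],
                    "page_oncall"]
    return actions


def respond(log_text):
    """End-to-end: parse, detect, act. Returns (rule, user, actions) per alert."""
    return [(a["rule"], a["user"], run_playbook(a)) for a in detect_bruteforce(parse(log_text))]


if __name__ == "__main__":
    for rule, user, actions in respond(SAMPLE_LOGS):
        print(rule, user, actions)
```

The playbook escalates only when the burst of failures is followed by a success: blocking a source address is cheap and reversible, while revoking sessions and forcing re-authentication is the kind of step an investigation and remediation plan has to sanction in advance.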
^^
In addition to streamlining the detection of and response to cybersecurity incidents, the DAF intends to reduce the number of SOAR solutions through enterprise-wide contracts. This gives cyber professionals a federated location for orchestration and automated responses to potential threats. At the same time, any additional SIEMs not already identified must conform to this SOAR strategy.
^^
Finally, all detection and response capabilities should be interoperable with Defensive Cyber Operations (DCO) capabilities to support incident response. Automated security response requires defined processes and consistent security policy enforcement across all environments in a Zero Trust enterprise to provide proactive command and control.
Coupled with workflow enrichment, security technologies and policies can be orchestrated to improve security operations, threat and vulnerability management, and security incident response by ingesting alert data and triggering playbooks for automated response and remediation. Maps to DoD ZT Capability 6.5.</OtherInformation></Objective><Objective><Name>AI/ML</Name><Description>Employ AI/ML to enhance the execution of critical functions</Description><Identifier>_9ab69c76-3da4-11ef-a2ca-dbff0483ea00</Identifier><SequenceIndicator>6.4</SequenceIndicator><Stakeholder><Name/><Description/></Stakeholder><OtherInformation>Artificial Intelligence and Machine Learning ~ The DAF will employ AI/ML to enhance the execution of critical functions such as incident response (i.e., Security Operations Center (SOC) and Incident Response (IR) functions, and Security Orchestration, Automation &amp; Response (SOAR)), anomaly detection, identity baselining, and data tagging -- and particularly for risk and access determinations and environmental analysis.</OtherInformation></Objective></Goal><Goal><Name>Visibility &amp; Analytics</Name><Description>Improve detection and reaction time</Description><Identifier>_9ab69d70-3da4-11ef-a2ca-dbff0483ea00</Identifier><SequenceIndicator>7</SequenceIndicator><Stakeholder><Name/><Description/></Stakeholder><OtherInformation>Visibility and Analytics: Improve Detection and Reaction Time ~ Identifying, detecting, and reacting to threats requires proper analytics. 
A key action on the ZT roadmap is to initiate the integration of application events into Security Information and Event Management (SIEM) and Security Orchestration, Automation and Response (SOAR) for Financial Improvement and Audit Readiness (FIAR) / audit remediation.</OtherInformation><Objective><Name>Logs</Name><Description>Integrate log analysis across multiple data types to unify data collection and examine events, activities, and behaviors</Description><Identifier>_9ab69e1a-3da4-11ef-a2ca-dbff0483ea00</Identifier><SequenceIndicator>7.1</SequenceIndicator><Stakeholder><Name/><Description/></Stakeholder><OtherInformation>Log Collection and Analysis ~ Log analysis is an important action in identifying system and software anomalies. Collection, processing, and analysis of logs -- including network, data, application, device, and user logs -- are critical to the monitor, detect, and protect functions for defensive cyber operations. Log analysis must be integrated across multiple data types to unify data collection and examine events, activities, and behaviors. Maps to DoD ZT Capability 7.1.</OtherInformation></Objective><Objective><Name>Alerts</Name><Description>Set alerts to notify a group or software to act on security violations</Description><Identifier>_9ab69eba-3da4-11ef-a2ca-dbff0483ea00</Identifier><SequenceIndicator>7.2</SequenceIndicator><Stakeholder><Name/><Description/></Stakeholder><OtherInformation>Threat Alerting ~ To act on security violations, alerts must be set to notify a group or a software component to act. A key action on the ZT roadmap is to develop a shared responsibility model for application events with Cyber Security Service Providers (CSSP) and to make logs, processes, and data available to CSSPs and Security Operations Centers (SOCs). Advanced analytics support detection of anomalous users, devices, and Non-Person Entity (NPE) actions and advanced threats. 
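Added illustration, not DAF code: the anomaly detection over users and non-person entities that the alerting objective (7.2) names, built from the per-identity behavior baselines of objective 7.3 and feeding a dynamic access decision. The login history, the scoring weights, the two-sigma threshold, the minimum sample count, and the response labels are all constructed assumptions.

```python
"""Identity/entity behavior baselining with a score-driven access decision, illustration only.

Baseline, profile and correlate per-entity behavior, then let the anomaly score
drive a real-time policy change. The history, thresholds and response labels
are constructed for this example.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed history of successful logins: (user, hour_of_day, device_id, src_country).
# airman1 is a person with a daytime pattern on two devices; svc-backup is an NPE
# that runs at exactly the same hour from one device.
HISTORY = [
    ("airman1", 8, "dev-A", "US"), ("airman1", 9, "dev-A", "US"),
    ("airman1", 8, "dev-A", "US"), ("airman1", 10, "dev-A", "US"),
    ("airman1", 9, "dev-B", "US"), ("airman1", 8, "dev-A", "US"),
    ("airman1", 9, "dev-A", "US"), ("airman1", 10, "dev-B", "US"),
    ("svc-backup", 2, "dev-X", "US"), ("svc-backup", 2, "dev-X", "US"),
    ("svc-backup", 2, "dev-X", "US"), ("svc-backup", 2, "dev-X", "US"),
    ("svc-backup", 2, "dev-X", "US"), ("svc-backup", 2, "dev-X", "US"),
]
MIN_SAMPLES = 5   # below this a profile is too thin to trust (assumed)


def build_baselines(history):
    """One profile per user or NPE: hour-of-day statistics plus the sets of
    devices and countries seen. Correlating several attributes is what keeps
    a single benign change (a new laptop) from looking like an intrusion."""
    per_entity = defaultdict(list)
    for user, hour, device, country in history:
        per_entity[user].append((hour, device, country))
    baselines = {}
    for user, rows in per_entity.items():
        hours = [h for h, _, _ in rows]
        baselines[user] = {
            "n": len(rows),
            "hour_mean": mean(hours),
            "hour_std": pstdev(hours),
            "devices": {d for _, d, _ in rows},
            "countries": {c for _, _, c in rows},
        }
    return baselines


def score(user, hour, device, country, baselines, z_limit=2.0):
    """Return (anomaly_score, reasons). Each deviation adds weight; an entity
    with no usable baseline scores as 'unknown' rather than as 'fine'."""
    b = baselines.get(user)
    if b is None or MIN_SAMPLES > b["n"]:
        return 1.0, ["insufficient baseline"]
    s, reasons = 0.0, []
    # An NPE that always runs at the same hour has std 0; treat that as one hour
    # so any shift registers. Hour arithmetic here ignores midnight wraparound.
    std = b["hour_std"] or 1.0
    z = abs(hour - b["hour_mean"]) / std
    if z > z_limit:
        s += 1.0
        reasons.append(f"login hour z={z:.1f}")
    if device not in b["devices"]:
        s += 1.0
        reasons.append("unseen device " + device)
    if country not in b["countries"]:
        s += 2.0
        reasons.append("unseen country " + country)
    return s, reasons


def policy_action(anomaly_score):
    """Dynamic access decision from the score (thresholds assumed): an odd hour
    alone costs a step-up, an odd hour from an unseen device in an unseen
    country is denied and handed to the SOC."""
    if anomaly_score >= 3.0:
        return "deny_and_alert_soc"
    if anomaly_score >= 1.0:
        return "step_up_mfa"
    return "allow"


if __name__ == "__main__":
    B = build_baselines(HISTORY)
    for probe in [("airman1", 9, "dev-A", "US"), ("airman1", 3, "dev-A", "US"),
                  ("airman1", 3, "dev-Z", "RU"), ("svc-backup", 5, "dev-X", "US"),
                  ("newuser", 9, "dev-A", "US")]:
        s, why = score(*probe, B)
        print(probe, s, why, policy_action(s))
```

Two choices matter in practice: an identity without enough history is treated as unknown and stepped up rather than waved through, and a zero-variance NPE baseline is widened to one hour so that a service account suddenly running at the wrong time still registers.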
Integration of threat intelligence information and streams about adversary identities, motivations, characteristics, and tactics, techniques, and procedures (TTPs) enriches cyber analytics for enhanced threat detection. Maps to DoD ZT Capability 7.5.</OtherInformation></Objective><Objective><Name>Behavior Baselines</Name><Description>Baseline, profile, and correlate individual user and entity behaviors</Description><Identifier>_9ab69fc8-3da4-11ef-a2ca-dbff0483ea00</Identifier><SequenceIndicator>7.3</SequenceIndicator><Stakeholder><Name/><Description/></Stakeholder><OtherInformation>Identity and Entity Behavior Baselines ~ Users and entities interacting with the Zero Trust architecture provide vital, contextual details that give a greater understanding of performance, behavior, and activity across the enterprise. Baselining, profiling, and correlating individual user and entity behaviors vastly improves detection of anomalous behavior and enables dynamic changes to security policy and real-time access decisions based upon changing threat conditions. Investigating beyond network telemetry gains visibility into observable threats that are present and allows defenses to be oriented more intelligently. Maps to DoD ZT Capability 7.4.</OtherInformation></Objective></Goal></StrategicPlanCore><AdministrativeInformation><StartDate/><EndDate/><PublicationDate>2024-07-09</PublicationDate><Source>https://www.safcn.af.mil/Portals/64/Documents/Strategy/DAF%20Zero%20Trust%20Strategy%20v1.0.pdf</Source><Submitter><GivenName>Owen</GivenName><Surname>Ambur</Surname><PhoneNumber/><EmailAddress>Owen.Ambur@verizon.net</EmailAddress></Submitter></AdministrativeInformation></PerformancePlanOrReport>