Tags: Zero Trust, DoD, Data Pillar, Architecture, Defense

The DoD Zero Trust Overlays Already Describe a Data-Centric Architecture


The DoD Zero Trust Portfolio Management Office published the Zero Trust Overlays in September 2024 to translate the November 2022 Zero Trust Strategy into a control-mapped reference for program offices. The Overlays decompose the strategy into seven pillars, 152 capability outcomes, and 364 discrete controls drawn from NIST SP 800-53 Revision 5. The 3rd Annual DoD Zero Trust Virtual Symposium was held over three days in April 2026 with this artifact as its reference point. The symposium framing put the data pillar at the center of the unfinished work, and the Overlays' own language has been saying that since the original publication.

Randy Resnick, the Director of the DoD Zero Trust Portfolio Management Office, has repeatedly described zero trust as a data access cybersecurity strategy. The Overlays' Data Pillar reads as the operational expression of that framing. Outcomes under the pillar include data inventory, data classification, data tagging, data encryption and rights management, data monitoring and sensing, and data loss prevention. None of these outcomes can be satisfied by a network or identity control alone. All of them require enforcement bound to the data itself.

What 152 capability outcomes actually require

DISA Thunderdome reported in April 2025 that the program had hit 152 out of 152 target activities on the network and identity pillars of the DoD ZT framework, with the data pillar still carrying material debt. The framing is correct, and it is the framing that should be applied across every DoD program tracking against the Overlays.

Two operational realities make the data pillar harder than the first four pillars in the DoD context.

First, the data does not stay in the network or identity boundary that enforces the first four pillars. Operational technology environments carry historian records to corporate analytics tiers, regulator submissions, joint-operations partners, and contractor maintenance access points. Weapon systems carry telemetry and mission data across deployed nodes, sustainment vendors, and operational research environments. The forward-edge deployment surface routes through tactical communications that the program office does not control. Network and identity controls do not follow the data through these boundaries.

Second, data has a longer half-life than the artifacts the first four pillars enforce on. A session token expires. A network flow terminates. A device attestation refreshes. A data object persists. The Overlays' Data Pillar outcomes are designed against an artifact that may live in production for years and carry sensitivity that may extend across decades under EO 13526 automatic declassification timelines. The enforcement model has to survive that lifetime.

Where the Overlays describe object-level enforcement without naming it

The Data Pillar outcomes in the Overlays read as a specification of object-level cryptographic enforcement, even where the surrounding language stops short of saying so.

The data encryption and rights management outcomes require encryption applied at the object layer, with policy bound to the encryption, and with key release contingent on attribute evaluation. The data tagging outcomes require attribute metadata to travel with the object, surviving export and replication. The data monitoring and sensing outcomes require lineage on every access event, with the lineage independent of any application that mediates the access. The data loss prevention outcomes require enforcement that survives the data leaving the perimeter, not just inspection of egress traffic.

The Overlays do not name ZTDF or IC-TDF. They predate the NSA Zero Trust Implementation Guideline Phase Two by sixteen months. The April 2024 NSA and CISA joint Cybersecurity Information Sheet on Advancing Zero Trust Maturity Throughout the Data Pillar bridges that gap, naming the architectural primitives the Overlays implicitly require. The Phase Two Implementation Guideline closes the loop by naming the DRM schema. Read together, the three documents describe a data pillar architecture that is already procurable.

What the FY27 acquisition language will look like

The FY27 acquisition calendar will reflect three converging signals. The DoD Zero Trust Strategy 2.0, published in early 2026, extends target-level maturity expectations to operational technology, IoT, defense critical infrastructure, and weapon systems. The Overlays' capability outcomes apply across the new scope, which means program offices building FY27 packages for these surfaces will be scoring against the same 152 outcomes that the IT enterprise has been working against since 2022. The NSA Phase Two Implementation Guideline provides the DRM schema reference, and CISA's January 23, 2026 Post-Quantum Cryptography Product Categories list provides the cryptographic algorithm reference.

The intersection of these three signals is the procurement vocabulary the data pillar has needed. An RFP that names target-level maturity against the Data Pillar capability outcomes, with ZTDF or IC-TDF as the DRM schema, with FIPS 203 and FIPS 204 implementations for the cryptographic envelope, is a specification, not a wishlist. The acquisition language is the forcing function for the architecture.

What Lattix does against the Overlays

Lattix Technologies binds policy to the data object through attribute-based access control at the policy enforcement point, post-quantum key encapsulation using ML-KEM-768 and ML-KEM-1024, and Merkle-tree lineage in content-addressed storage. The architecture maps to the Data Pillar capability outcomes by construction. ABAC at the policy enforcement point satisfies the data encryption and rights management outcomes. The attribute metadata travels with the wrapped object. The Merkle-tree lineage anchors the data monitoring and sensing outcomes. The fail-closed cryptographic envelope satisfies the data loss prevention outcomes.
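As an added illustration of the enforcement pattern the Data Pillar outcomes call for and the architecture outlined above (this is example code, not Lattix code and not the ZTDF or IC-TDF wire format), the following Python sketches a policy-bound envelope: attribute metadata and policy travel in the object header, the data key is released only after the header binding and an ABAC policy check both pass, and every decision, granted or denied, is appended to a hash-chained ledger that does not depend on the calling application. The key-access service (KAS) key, the SHA-256 counter keystream standing in for an AEAD, and the symmetric key wrap standing in for an ML-KEM encapsulation are assumptions made for the example.

```python
import hashlib, hmac, json, os

def keystream_xor(key, nonce, data):
    # Illustrative SHA-256 counter-mode keystream; a real envelope would use an AEAD such as AES-256-GCM.
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def wrap(plaintext, attrs, policy, kas_key):
    """Seal one object: attributes and policy travel in the header, the data key (DEK) is wrapped
    under the assumed key-access service (KAS) key, and an HMAC binds header and wrapped DEK."""
    dek, nonce = os.urandom(32), os.urandom(16)
    header = {"attrs": attrs, "policy": policy}
    hdr = json.dumps(header, sort_keys=True).encode()
    wrapped = keystream_xor(kas_key, hashlib.sha256(hdr).digest()[:16], dek)  # wrap nonce derived from header
    return {"header": header, "nonce": nonce.hex(), "wrapped_dek": wrapped.hex(),
            "binding": hmac.new(kas_key, hdr + wrapped, "sha256").hexdigest(),
            "ciphertext": keystream_xor(dek, nonce, plaintext).hex()}

def policy_allows(policy, subject):
    # ABAC: every attribute the policy names must be present on the subject with a permitted value.
    return all(subject.get(k) in allowed for k, allowed in policy.items())

def release_and_decrypt(obj, subject, kas_key, ledger):
    """KAS decision: verify the binding, evaluate the policy, log the event to a hash-chained
    ledger, and only then release the DEK. Any failure yields no plaintext (fail closed)."""
    hdr = json.dumps(obj["header"], sort_keys=True).encode()
    wrapped = bytes.fromhex(obj["wrapped_dek"])
    expected = hmac.new(kas_key, hdr + wrapped, "sha256").hexdigest()
    granted = hmac.compare_digest(expected, obj["binding"]) and policy_allows(obj["header"]["policy"], subject)
    prev = ledger[-1]["hash"] if ledger else "0" * 64
    entry = {"prev": prev, "subject": subject, "granted": granted, "object": hashlib.sha256(hdr + wrapped).hexdigest()[:16]}
    entry["hash"] = hashlib.sha256((prev + json.dumps(entry, sort_keys=True)).encode()).hexdigest()
    ledger.append(entry)  # denied requests are recorded too; lineage is independent of the caller
    if not granted:
        return None
    dek = keystream_xor(kas_key, hashlib.sha256(hdr).digest()[:16], wrapped)
    return keystream_xor(dek, bytes.fromhex(obj["nonce"]), bytes.fromhex(obj["ciphertext"]))

def lineage_intact(ledger):
    # Recompute the chain; editing or dropping any entry breaks every hash after it.
    prev = "0" * 64
    for e in ledger:
        body = {k: v for k, v in e.items() if k != "hash"}
        if e["prev"] != prev or e["hash"] != hashlib.sha256((prev + json.dumps(body, sort_keys=True)).encode()).hexdigest():
            return False
        prev = e["hash"]
    return True
```

Loosening the policy in a sealed object's header breaks the binding, so the KAS refuses the key even when the caller's attributes satisfy the edited policy; the denial is still written to the ledger.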

This is the architecture the Overlays describe. The work for the data pillar is no longer specification. It is procurement and deployment, against an acquisition language that the FY27 cycle will start enforcing.

References

  • DoD CIO, Zero Trust Overlays, September 2024. https://dodcio.defense.gov
  • DoD CIO, Zero Trust Strategy and Roadmap, November 2022.
  • DoD CIO, Zero Trust Reference Architecture v2.0, September 2022.
  • NSA and CISA, Advancing Zero Trust Maturity Throughout the Data Pillar, April 2024. https://media.defense.gov/2024/Apr/09/2003434442/-1/-1/0/CSI_DATA_PILLAR_ZT.PDF
  • NSA, Zero Trust Implementation Guideline Phase Two, January 30, 2026.
  • DefenseScoop, DISA Thunderdome scores 152/152, April 2025.
  • DefenseScoop, Pentagon plans to publish zero trust strategy 2.0 in early 2026, December 9, 2025.
  • DSI 3rd Annual DoD Zero Trust Virtual Symposium, April 2026.