Kelly Davis, Senior Solutions Architect, Glasswall
June 24, 2025
COMMENTARY
Recently, the US military updated its approach to zero-trust strategies, doubling down on efforts to safeguard data, networks, and operations, especially in contested and connectivity-challenged environments. But where are these organizations heading, and how might their approach drive how zero trust is implemented elsewhere?
For the Department of the Navy, its revised DON Zero Trust Strategy and Roadmap positions cybersecurity against adversaries who use stealth, deception, and disregard for rules. With an updated goal of full zero-trust adoption by 2030, it operates under the assumption that adversaries may possess superior visibility, employ deception, and disregard conventional rules, citing real-world incidents such as SolarWinds and counterfeit hardware, which demonstrate persistent internal threat vectors across the defense and technology ecosystems.
To counter this, the Navy is implementing microsegmentation to restrict an adversary's lateral movement, leveraging AI and machine learning for real-time threat detection, and enforcing thorough access controls at every Policy Decision Point (PDP) and Policy Enforcement Point (PEP). It has identified User and Entity Behavioral Analytics (UEBA) as a "zero-trust lynchpin," emphasizing its role in preventing unauthorized movement within its networks.
Data security is another cornerstone of its approach, with a strong focus on end-to-end encryption, data tagging, and achieving complete visibility to ensure no threat goes unnoticed. The Navy is also preparing to operate in contested environments where connectivity is unreliable, scenarios often referred to as denied, degraded, intermittent, and limited (DDIL). For instance, a submarine with no signal access must still operate securely, a challenge the Navy is addressing head-on.
The Navy adheres to stringent standards, such as NIST 800-207 for zero-trust architecture and NIST 800-53 for security controls, while collaborating with enterprise ICAM services and cybersecurity service providers (CSSPs) to integrate best-in-class solutions. Additionally, the Navy is investing in workforce development through a Zero Trust Practitioner's Workshop at the Defense Acquisition University (DAU), ensuring their teams are well-equipped to execute this strategy. Both efforts align with the overarching Department of Defense Zero Trust Strategy, which outlines seven pillars and a target of achieving an advanced zero-trust posture by 2027.
The Army's Unified Network Plan 2.0
In parallel, the Army Unified Network Plan (AUNP) 2.0 is focused on enabling secure, data-centric operations in similarly high-risk, low-connectivity settings. It consolidates infrastructure, embeds eight foundational zero-trust principles, and prioritizes capabilities such as secure Office 365 usage, hybrid cloud integration, and mission partner data sharing.
The Army aims to enable multidomain operations (MDO) in contested environments, ensuring soldiers can access and share data securely, even in DDIL scenarios, such as a forward operating base with no connectivity or an unreliable signal. To achieve this, it has consolidated its networks under ARCYBER for centralized service delivery and is developing a common operating environment (COE), common services infrastructure (CSI), and common transport layer (CTL) to facilitate secure data flow from the enterprise to the tactical edge.
Zero trust forms the foundation of the Army's strategy, guided by eight principles, including "never trust, always verify," "presume breach," and "least privilege." A key priority is to secure data at every echelon, preventing unauthorized access and modernizing encryption to safeguard data integrity. This includes addressing 91 distinct activities to achieve zero trust, with a particular emphasis on securing Microsoft Office 365 applications.
The Army is also committed to data orchestration, synchronizing data flows to deliver timely and accurate information where needed most. This effort aligns with their hybrid cloud strategy and supports the broader objectives of a Unified Data Reference Architecture — an emerging framework designed to standardize data interoperability and governance across domains in support of Joint All-Domain Command and Control (JADC2).
Interoperability is another key focus, with the Army establishing a persistent Mission Partner Environment (MPE) to facilitate secure data sharing with allies, scaling from Impact Level 2 (IL2) to IL5/IL6 for enhanced security. It also leverages AI and machine learning for predictive readiness and network mapping to identify vulnerabilities. Currently in Phase II (2024-2026), the Army is operationalizing the network with zero-trust principles, with Phase III (2027 and beyond) set to explore integration of emerging technologies such as quantum-resistant encryption and mission-focused AI/ML capabilities.
From Military to Civilian
More generally speaking, the AUNP 2.0 reflects a broader shift toward comprehensive zero-trust architectures across both public and private sectors. In particular, organizations outside the military should view these plans as a clear indicator of the growing need to modernize legacy systems to boost resilience and proactive threat mitigation.
For instance, in the healthcare industry, hospitals and healthcare providers can utilize zero-trust strategies to secure patient records and manage identity-based access to sensitive patient data across distributed locations. Similar principles apply across a range of sectors, with critical infrastructure, utilities, and financial services among the many important examples. In particular, approaches set out in AUNP 2.0 to protect operational technology (OT) networks can be used to prevent disruption.
Ultimately, the Army's updated strategy emphasizes a universal cybersecurity truth: Trust no longer comes from network boundaries alone but from continuously validating and protecting data and identities at every interaction, regardless of industry or domain.