Tailoring Security and Zero Trust Principles to Weapon System Environments

Special Report
In this report, the authors analyze nine security and zero trust principles from a study about the applicability of foundational security and zero trust principles to weapon systems.

Publisher: Software Engineering Institute

CMU/SEI Report Number: CMU/SEI-2025-SR-013

DOI (Digital Object Identifier): 10.1184/R1/29451827

Abstract

Zero trust is a security model where every user, application, system, and device is untrusted by default, requiring verification and authorization for every access attempt. A key aspect of zero trust is the concept that today’s infrastructures no longer have clearly defined perimeters. The movement to a zero trust philosophy changes how an organization implements its security strategy, driven by the need to manage evolving threats and technologies. Much of the available zero trust guidance focuses on applying zero trust concepts to enterprise information technology (EIT) environments. The Department of Defense (DoD) is on the path to implementing zero trust in weapon systems, which generally have different requirements than EIT systems. DoD stakeholders need guidance on how to tailor and adapt zero trust concepts to weapon system platforms. To address this need, the Software Engineering Institute (SEI) conducted a study that analyzed the applicability of foundational security and zero trust principles to weapon system environments. These principles define a framework for making security decisions and implementing security controls, enabling mission assurance through effective risk management. This report provides analysis results for nine security and zero trust principles included in the study.