// PILLAR 01 OF 07 — DoD ZERO TRUST ARCHITECTURE

👤 USER

Identity is the new perimeter. Every user — human or machine — must be continuously authenticated, authorized, and validated before accessing any DoD resource.

// Core Requirements — What Must Be Implemented

// Operational Principle

Never trust a credential. Always verify the context. Authentication is not a gate — it is a continuous process running for every session, every transaction, and every API call.

// Hardware — Authentication Tokens

Hardware | YubiKey 5 Series (FIDO2/PIV) | Yubico
Hardware security key supporting FIDO2/WebAuthn and PIV. NSA-approved for DoD phishing-resistant MFA. Supports CAC/PIV emulation, OTP, and OpenPGP.

Hardware | Thales SafeNet IDPrime 930/940 | Thales
PIV-compliant smart card for DoD CAC integration. FIPS 140-2 Level 3 certified. Supports PKI digital signatures and encryption.

Hardware | HID ActivID ActivKey SIM Token | HID Global
Hardware OTP token for environments where USB tokens are restricted. Used across multiple DoD agency environments.

Hardware | Feitian FIDO2 Keys | Feitian
Cost-effective FIDO2 hardware tokens certified for DoD environments. Supports NFC for mobile device authentication.

// Software, Platforms & Cloud Services

Software / Platform | Microsoft Entra ID (Azure AD) | Microsoft
Enterprise cloud IdP. SAML 2.0, OIDC, SCIM provisioning. Native integration with DoD M365 environments. Conditional access policies for ZT enforcement.

Software / Platform | Okta Workforce Identity Cloud | Okta
Enterprise identity platform with adaptive MFA, lifecycle automation, and 7,000+ pre-built integrations. Used extensively in DoD contractor environments.

Software / Platform | CyberArk Privileged Access Manager | CyberArk
DoD APL-listed PAM solution. Just-in-time access, session recording, credential vaulting, and threat analytics for privileged accounts.

Software / Platform | BeyondTrust Privileged Remote Access | BeyondTrust
Secure remote access and PAM with session monitoring, full audit trails, and zero-trust network access for privileged sessions.

Software / Platform | SailPoint IdentityIQ | SailPoint
Identity governance platform for automated provisioning, access reviews, and role management across DoD enterprise environments.

Software / Platform | Exabeam Fusion SIEM (UEBA) | Exabeam
Behavioral analytics engine that establishes user baselines and detects anomalous identity behavior. Used for insider threat detection in federal environments.

Software / Platform | Ping Identity PingFederate | Ping Identity
Enterprise federation server for SSO across on-prem and cloud applications. SAML/OIDC/WS-Fed support with DoD PIV/CAC integration.

// Standards, Frameworks & Compliance Alignment

Standard: NIST SP 800-63B
Identity: DoD ICAM Reference Design
Behavior: UEBA / ML Analytics
Federation: SAML 2.0 / OIDC
Crypto: FIPS 140-2/140-3

DoD Compliance Note: All hardware and software solutions referenced on this page must be evaluated against the DISA Approved Products List (APL) or obtain an Authority to Operate (ATO) through RMF before deployment in DoD environments. FIPS 140-2 or 140-3 validated cryptographic modules are required for any solution handling classified or CUI data. Solutions referencing DoD environments have been noted where DISA APL listings exist as of this publication.

// ZTNSS Assessment for This Pillar

John’s Zero Trust Readiness Assessment evaluates your User Pillar maturity against all applicable DoD ZT Target Level activities using a structured, evidence-based scoring methodology. The assessment identifies specific capability gaps, maps them to DoD activity numbers, and produces a sequenced remediation roadmap prioritized by risk exposure and operational impact.

John’s 24-year operational background at USSOCOM and SOCCENT means this assessment is grounded in environments where the adversaries are nation-state level, the stakes are operational, and compliance checkboxes are not a substitute for actual security.


GET YOUR ZT READINESS SCORE.

30 minutes. Mission-first guidance from someone who built and defended these architectures at USSOCOM.