// PILLAR 05 OF 07 — DoD ZERO TRUST ARCHITECTURE

📁 DATA

Data is the ultimate target of every adversary. Classification, encryption, rights management, and loss prevention must protect data regardless of where it lives, moves, or is accessed.

// Core Requirements — What Must Be Implemented

// Operational Principle

Data must protect itself. Access controls on the network or application layer can be bypassed. Data that carries its own classification markings, encryption, and usage rights — enforced independently of the containing system — survives compromise at every other layer.

// Hardware — Storage Encryption

Hardware: Thales Luna Network HSM 7 by Thales

Hardware Security Module for cryptographic key management. FIPS 140-2 Level 3 certified. Required for DoD classified data encryption key storage and PKI operations.

Hardware: Seagate Secure / Samsung T7 Shield (Encrypted Storage) by Seagate/Samsung

FIPS 140-2 validated encrypted storage devices for data-at-rest protection on DoD endpoints and removable media.

Hardware: Kingston IronKey Encrypted USB by Kingston

FIPS 140-2 Level 3, HIPAA/GLBA compliant hardware-encrypted USB storage. DoD-approved for controlled unclassified information transport.

// Software, Platforms & Cloud Services

Software / Platform: Microsoft Purview (Classification/DLP/IRM) by Microsoft

Unified data governance platform providing automated data classification, sensitivity labels, DLP policies across M365 and cloud environments, and IRM for document-level access control.

Software / Platform: Titus Classification Suite by Titus/HelpSystems

Enterprise data classification solution integrating with Microsoft Purview and DoD marking standards. Provides user-assisted and automated classification at the point of creation.

Software / Platform: Forcepoint Data Loss Prevention by Forcepoint

Enterprise DLP covering endpoint, network, and cloud data channels. Pre-built policies for DoD/government data types. Integrated with SIEM for incident management.

Software / Platform: Varonis Data Security Platform by Varonis

Data access governance and threat detection platform. Monitors and analyzes access to file shares, SharePoint, Exchange, and cloud data for behavioral anomalies.

Software / Platform: Netskope Security Service Edge (CASB) by Netskope

Cloud Access Security Broker providing real-time visibility and control over data moving to and from SaaS applications and cloud storage. CASB enforcement for DoD cloud environments.

Software / Platform: Virtru Data Protection (DRM) by Virtru

Client-side encryption and data rights management for email and file sharing. End-to-end encryption that enforces access controls regardless of where data travels.

Software / Platform: Symantec Enterprise Data Loss Prevention by Broadcom/Symantec

Comprehensive DLP platform with network, endpoint, and cloud coverage. Used in large DoD contractor environments for CUI and export-controlled data protection.

// Standards, Frameworks & Compliance Alignment

Classification: MS Purview / Titus
DLP: Forcepoint / Symantec
Encryption: AES-256 / HSM
CASB: Netskope / McAfee
Standard: NIST 800-111 / CMMC

DoD Compliance Note: All hardware and software solutions referenced on this page must be evaluated against the DISA Approved Products List (APL) or obtain an Authority to Operate (ATO) through RMF before deployment in DoD environments. FIPS 140-2 or 140-3 validated cryptographic modules are required for any solution handling classified or CUI data. Solutions referencing DoD environments have been noted where DISA APL listings exist as of this publication.

// ZTNSS Assessment for This Pillar

John’s Zero Trust Readiness Assessment evaluates your Data Pillar maturity against all applicable DoD ZT Target Level activities using structured, evidence-based scoring methodology. The assessment identifies specific capability gaps, maps them to DoD activity numbers, and produces a sequenced remediation roadmap prioritized by risk exposure and operational impact.

John’s 24-year operational background at USSOCOM and SOCCENT means this assessment is grounded in environments where the adversaries are nation-state level, the stakes are operational, and compliance checkboxes are not a substitute for actual security.


GET YOUR ZT READINESS SCORE.

30 minutes. Mission-first guidance from someone who built and defended these architectures at USSOCOM.