The Department of Defense has moved decisively toward Zero Trust as a guiding principle, but adoption of layered security architectures across the enterprise still runs up against legacy doctrines and slow procedural frameworks that were not designed for today’s threat environment. The result is a dangerous gap between strategic intent and operational reality that adversaries can and do exploit.
At its core, layered security is about diversity of controls and depth of defense. It assumes that no single control is sufficient and that protection requires a mix of identity and access controls, telemetry and detection, network segmentation, endpoint hardening, and data-centric protections. NIST and other federal bodies have codified many of these concepts in their zero trust guidance, which reframes defenses around continuous verification and resource protection rather than a brittle perimeter. That body of work provides a practical blueprint for modern layering.
Yet DoD remains tethered to protocols and institutional processes that slow change. The Risk Management Framework used by DoD to authorize systems was updated in recent years, but its roots trace back through older certification and accreditation models that emphasize periodic assessment and perimeter controls. Where RMF requires authorizations to operate and documented controls, modern adversaries demand near-real-time posture assessment and dynamic enforcement. The mismatch increases risk because authorization artifacts can become stale between reviews.
Two concrete friction points illustrate the problem. First, the legacy enclave mindset that segments classified and unclassified networks into separate kingdoms makes sense for compartmenting, but it often sacrifices the data-centric controls and identity-first access needed to secure multi-domain operations and partner-sharing. Second, procurement and accreditation timelines remain slow. The department’s strategic roadmap for Zero Trust recognizes both problems and sets goals, but implementation will require updating operational procedures, funding profiles, and acquisition language so that layered architectures are not blocked at design review or ATO gates.
Independent oversight has warned that Zero Trust is hard to define and implement at scale. The Government Accountability Office has documented that federal organizations face challenges translating Zero Trust principles into stable, measurable outcomes. For DoD, this means layered security programs must couple policy reforms with concrete technical pathways such as microsegmentation, continuous monitoring, and policy-driven access controls to avoid becoming another doctrine on a shelf.
Where older protocols still show up is instructive. Controls that assume a trusted internal network, periodic patch cycles, or static ACLs do not map cleanly to an environment where cloud services, contractor ecosystems, and forward-deployed platforms must interoperate. The supply chain and contractor posture problems the department is trying to solve through initiatives like CMMC are related. Without layered protections that include supplier telemetry, validated configurations, and encryption in motion and at rest, contractual assurances alone will not stop a determined actor from pivoting into mission systems.
What needs to change, and how to prioritize it. First, treat Zero Trust as an architectural goal for layered security rather than a checklist. That means explicitly mapping RMF artifacts to continuous controls and telemetry feeds so ATOs transition from static approvals to living authorizations. Second, prioritize identity and device posture as foundational layers. Strong multifactor authentication, hardware-backed device identity, and continuous attestation must sit above simple network permits. Third, modernize segmentation toward data and microsegmentation. Instead of relying solely on coarse enclaves, enforce least privilege at the workload and data object level. Fourth, bake continuous monitoring and automation into the authorization lifecycle to shorten the time between detection and containment. Fifth, align acquisition and budget cycles so that security is not an afterthought in program development. These steps are consistent with federal ZT guidance and maturity models that recommend a phased, measurable transition.
Operationalizing these shifts will not be trivial. Technical debt in fielded systems, constrained acquisition vehicles, and the scale of DoD ecosystems complicate change. But the alternative is the status quo, where layered security is promised in strategy documents yet undermined by protocols that assume trust once a boundary is crossed. The overlays and roadmap the DoD has published are useful tools, but they only work if the enterprise rewrites how it licenses, procures, and accredits systems so that layered controls are required by design, not grafted on afterward.
Practically, program managers and engineers can start with achievable, high-return moves. Mandate hardware-backed identity and enforce it on all access paths. Deploy microsegmentation for the most sensitive workloads and instrument those segments with telemetry that feeds automated policy engines. Require suppliers to provide posture telemetry and measurable security baselines as part of contract performance. Replace point-in-time ATOs for critical junctions with continuous authorization constructs that include short-lived tokens, attestation-based policies, and adaptive access decisions informed by telemetry. Pair these technical changes with training that changes the culture away from perimeter thinking toward continuous verification.
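The contrast between a point-in-time approval and a per-request decision can be sketched in a few lines. This is an added example, not code from the article or from any DoD system; the field names, thresholds, token lifetime and entitlement map are all assumptions chosen for illustration.

```python
from dataclasses import dataclass

TOKEN_TTL_S = 300             # assumed lifetime of a short-lived grant
MAX_ATTESTATION_AGE_S = 900   # assumed freshness window for device attestation
RISK_STEP_UP, RISK_DENY = 0.5, 0.8   # assumed telemetry risk thresholds

# Constructed least-privilege map: user -> microsegments they may reach.
ENTITLEMENTS = {"alice": {"logistics-db"}, "bob": {"mission-planning"}}

@dataclass
class Request:
    user: str
    hardware_backed_key: bool   # credential bound to a hardware token or TPM
    attested_healthy: bool      # result of the last device attestation
    attestation_age_s: int      # seconds since that attestation
    segment: str                # microsegment of the target workload
    risk_score: float           # 0..1, fed by telemetry (constructed here)

def static_ato_check(system_has_ato: bool, on_internal_network: bool) -> bool:
    """Perimeter model: approved once, trusted while inside the boundary."""
    return system_has_ato and on_internal_network

def continuous_decision(req: Request, now: int) -> dict:
    """Evaluate every request; an allow carries its own short expiry."""
    reasons = []
    if not req.hardware_backed_key:
        reasons.append("identity not hardware-backed")
    if not req.attested_healthy or req.attestation_age_s > MAX_ATTESTATION_AGE_S:
        reasons.append("device attestation stale or failed")
    if req.segment not in ENTITLEMENTS.get(req.user, set()):
        reasons.append("no entitlement for segment")
    if req.risk_score >= RISK_DENY:
        reasons.append("telemetry risk above deny threshold")
    if reasons:
        return {"decision": "deny", "reasons": reasons, "expires_at": None}
    if req.risk_score >= RISK_STEP_UP:
        # Adaptive access: elevated risk forces re-verification, not a grant.
        return {"decision": "step_up", "reasons": ["elevated risk"], "expires_at": None}
    return {"decision": "allow", "reasons": [], "expires_at": now + TOKEN_TTL_S}

if __name__ == "__main__":
    # Constructed case: system holds an ATO, but the device last attested 2 h ago.
    stale = Request("alice", True, True, 7200, "logistics-db", 0.1)
    print("static:", static_ato_check(True, True))
    print("continuous:", continuous_decision(stale, now=1_000_000))
```

The static check keeps passing the stale device because nothing in it depends on current posture, while the continuous decision denies it and names the failed layer.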
Conclusion. Layered security remains the correct approach for defense contexts, but the department must stop pretending old protocols are adequate for a zero trust world. Strategy documents and overlays show institutional awareness. Now DoD must accelerate policy and process reform so layered architectures are operational, measurable, and funded. If the department fails to modernize its protocols and its authorization practices, layered security will remain an aspiration rather than the resilient posture warfighters need.