This work package provides organisations with expert guidance to design and implement a Zero Trust Architecture (ZTA) using the DoDAF Architecture Framework. It integrates Zero Trust principles — continuous verification, least‑privilege access, micro‑segmentation, identity‑centric security — into DoDAF’s operational, system, service, data, and capability views.
The service ensures Zero Trust is mission‑aligned, capability‑driven, and fully traceable across the enterprise, enabling a modern, resilient, and threat‑informed security posture suitable for defence‑grade environments.
Assess current architecture maturity using DoDAF and Zero Trust principles.
Develop a DoDAF‑aligned Zero Trust Reference Architecture.
Integrate Zero Trust into operational, system, service, and data architecture views.
Reduce implicit trust, lateral movement, and identity‑related risks.
Improve visibility, monitoring, and adaptive access enforcement.
Deliver a phased Zero Trust transformation roadmap aligned to DoDAF lifecycle.
A DoDAF‑aligned Zero Trust maturity assessment.
A Zero Trust Reference Architecture mapped to DoDAF viewpoints.
Hardened identity, device, network, application, and data controls.
Updated governance, capability models, and operational processes.
Improved detection, response, and automation capabilities.
A multi‑phase Zero Trust transformation roadmap.
Identify mission objectives, operational needs, and critical capabilities.
Map Zero Trust outcomes to DoDAF CV‑1, CV‑2, CV‑3 artefacts.
Define capability gaps and Zero Trust capability uplift.
Stakeholder mapping and mission impact assessment.
Define Zero Trust governance principles aligned to mission needs.
Develop Zero Trust operational concepts (OV‑1).
Map Zero Trust processes, actors, and interactions (OV‑2, OV‑5).
Define operational activities for:
  - Identity lifecycle
  - Access decision workflows
  - Threat detection & response
  - Continuous verification
Operational impact analysis and mission assurance alignment.
System‑level architecture for Zero Trust enforcement.
Define system interfaces, data flows, and trust boundaries (SV‑1, SV‑2).
Map Zero Trust components:
  - Identity Provider
  - Policy Decision Point (PDP)
  - Policy Enforcement Point (PEP)
  - Trust evaluation services
  - Telemetry & analytics
System‑level segmentation and isolation patterns.
Define Zero Trust security services (SvcV‑1, SvcV‑2).
Map services to:
  - Identity & Access
  - Device Trust
  - Network Segmentation
  - Application & Workload Trust
  - Data Protection
  - Monitoring & Analytics
  - Automation & Orchestration
Service‑level dependencies and integration patterns.
Data classification and Zero Trust data access model (DIV‑1).
Data lineage, ownership, and protection patterns.
Encryption, tokenisation, and key management strategy.
Data flow mapping and exfiltration risk analysis.
Align Zero Trust controls to:
  - NIST SP 800‑207
  - CISA Zero Trust Maturity Model
  - NCSC Zero Trust principles
  - ISO 27001
  - CIS Controls
Define Zero Trust standards, policies, and compliance requirements.
Zero Trust governance model aligned to DoDAF.
Architecture decision‑making workflows.
Policy lifecycle management.
Zero Trust risk register and control mapping.
Metrics, KPIs, and continuous assurance.
Prioritised capability roadmap (12–36 months).
Work package catalogue aligned to mission priorities.
Dependency mapping across identity, network, data, and cloud.
Costing, resourcing, and risk analysis.
Identity hardening (MFA, PIM, conditional access).
Network segmentation and ZTNA deployment.
SIEM/SOAR/XDR integration.
Cloud security hardening (Azure/AWS/GCP).
DevSecOps and CI/CD security integration.
DoDAF Zero Trust Maturity Assessment Report
Zero Trust Reference Architecture Blueprint (DoDAF‑aligned)
Capability Viewpoint (CV) Zero Trust Mapping
Operational Viewpoint (OV) Zero Trust Model
System & Service Architecture Packs (SV, SvcV)
Data Architecture & Protection Framework (DIV)
Governance & Operating Model Framework
Executive Summary & Board‑Level Presentation
Zero Trust Landing Zone (cloud or hybrid)
Secure DevOps / DevSecOps Integration Guide
Continuous Zero Trust Monitoring Service
Zero Trust Incident Response Playbooks
Multi‑Cloud Zero Trust Architecture
Capability Alignment — Mission, capabilities, governance
Operational Modelling — Zero Trust operational views
System & Service Architecture — SV, SvcV, trust boundaries
Data Architecture — DIV, data protection, lineage
Standards & Compliance — StdV, policies, controls
Implementation Planning — Roadmap, work packages
Governance & Operations — Continuous assurance
Optional: Continuous Zero Trust Assurance (subscription)
Lead Enterprise Architect (DoDAF Practitioner)
Zero Trust Architect
Identity & Access Specialist
Network & Micro‑Segmentation Engineer
Cloud Security Architect
Governance & Risk Analyst
Project Manager
Fixed‑price for assessment, architecture, and governance phases.
Time & materials for engineering, integration, and hardening.
Subscription/retainer for continuous Zero Trust monitoring and assurance.
Access to enterprise architecture artefacts and security platforms.
Engagement with IT, security, and architecture teams.
Availability of existing DoDAF documentation and architecture diagrams.
Client commitment to governance and operational adoption.
Legacy systems incompatible with ZT → mitigated through compensating controls and phased migration.
Architecture sprawl → mitigated through DoDAF governance and traceability.
Identity sprawl → mitigated through governance and rationalisation.
Operational resistance → mitigated through training and clear operating models.