Why File Security Is the Missing Pillar in the DoD Zero Trust Strategy and How CDR Closes the Gap
The DoD Zero Trust Mandate: What Defense CISOs Need to Know
The DoD zero trust strategy, released in November 2022, set one of the most ambitious cybersecurity mandates in U.S. government history. Every DoD information system must reach "Target Level" zero trust capabilities by the end of FY2027 — 91 specific activities across seven pillars: User, Device, Network & Environment, Application & Workload, Data, Automation & Orchestration, and Visibility & Analytics.
In July 2025, DoD Directive-Type Memorandum 25-003 formalized the implementation requirements, removing any ambiguity about who must comply and by when. The DoD CIO updated the Zero Trust Capability Execution Roadmap in December 2024 with clearer guidance on what Target Level looks like in practice. The clock is running, and most organizations know it.
Most defense components have made real progress on identity management, network segmentation, and device attestation. Those are visible, well-funded workstreams with established tooling. But there's a capability area that consistently gets under-resourced — one that sits at the intersection of the Data Pillar and the Application & Workload Pillar, and one that adversaries are actively exploiting right now.
It's the file layer.
The Blind Spot Every Zero Trust Implementation Has
Zero Trust security is built on one foundational principle: never trust, always verify. And yet most implementations stop short of applying that principle to files.
Think about what your network ingests every day. PDFs from contractors. Excel reports from partner agencies. Word documents attached to mission briefings. ISO images transferred across classification boundaries. Every one of those files is a potential delivery vehicle for malicious code — and none of the identity controls, network segmentation rules, or device certificates you've deployed will stop a weaponized document once a verified user opens it.
The DoD's own Zero Trust Capability Execution Roadmap explicitly lists File Integrity Monitoring (FIM) and Application Control as Target Level activities. But those controls monitor and detect. They don't neutralize.
Detection-based tools — antivirus, next-gen AV, sandbox detonation — share one fundamental weakness: they can only catch threats they've seen before. Against a zero-day exploit embedded in a structurally valid PDF, or a macro payload hidden inside a legitimate-looking spreadsheet, they're flying blind. The NSA and Five Eyes partners have repeatedly identified file-based delivery as a primary initial access technique used by state-sponsored threat actors targeting defense networks.
The NSA/CISA advisory on the DoD's Data Pillar (April 2024) acknowledged that the data pillar "effectively relies on all other six pillars being secured" — which is precisely why a gap at the file layer propagates across every other pillar. You can have perfect identity management and still have a ransomware payload sitting in a document on a verified user's desktop.
This is the gap that DoD zero trust, as commonly implemented, doesn't close. And it's the one most likely to be weaponized.
What CDR (Content Disarm and Reconstruction) Actually Does
Content Disarm and Reconstruction (CDR) is not antivirus with better marketing. It operates on a fundamentally different premise: rather than trying to detect whether a file is malicious, it assumes every file could be malicious and rebuilds it clean from verified components.
Glasswall's patented CDR process works in four stages:
Inspect — the file is disassembled and its internal structure is mapped against a specification of what a valid, "known-good" file looks like according to the published file format standard.
Rebuild — structural anomalies and deviations from specification are identified and repaired. Malformed structures that are commonly exploited as delivery mechanisms don't survive this stage.
Clean — high-risk active content (macros, embedded objects, scripts, external links) is removed according to configurable policy. No active code that violates policy makes it through.
Deliver — a verified, clean file is reassembled and delivered to the recipient. Visually identical to the original. Fully functional. Free of any malicious payload.
No detonation. No signature lookup. No waiting for a threat intelligence feed to catch up with the attacker.
This means CDR protects against zero-day file exploits by design. If a malicious payload violates file structure specifications — and almost all of them do — it doesn't survive reconstruction. If it's embedded in active content, policy strips it. The file that reaches your user is clean because it was built from clean components, not because a scanner cleared it.
For defense CISOs working through Data Pillar compliance, CDR is the mechanism that makes "never trust, always verify" apply to content itself — not just to the users and devices moving it. For a technical breakdown, see What Is Content Disarm and Reconstruction (CDR)?
CDR for Air-Gapped and DDIL Networks
Most threat prevention tools require cloud connectivity. Signature updates, threat intelligence feeds, sandbox detonation infrastructure — all of it depends on reliable network access. In air-gapped and DDIL (Disrupted, Degraded, Intermittent, and Low-bandwidth) environments, that dependency doesn't just create inconvenience. It creates mission risk.
Forward operating bases, shipboard networks, classified enclaves, and disconnected tactical systems can't pause operations while waiting for a cloud lookup to clear a file. Air gap cybersecurity has always demanded tools that function autonomously — and most of the security industry hasn't caught up to that requirement.
Glasswall CDR is purpose-built for exactly this. Because the "known-good" standard is baked directly into the engine — derived from file format specifications, not from live threat databases or cloud services — it doesn't need an internet connection to do its job. Deploy it on a classification boundary, at a data diode, embedded in a tactical system, or running on an air-gapped server. It keeps working whether the network is fully connected, throttled to 64kbps, or completely isolated.
This is materially different from detection-based tools. Network segmentation and identity controls can be adapted for DDIL environments. Sandboxes and signature-dependent AV cannot. CDR can — and it does so without adding latency that breaks operational tempo.
CDR and Cross Domain Solutions in a Zero Trust Architecture
Cross domain solutions (CDS) are how defense organizations move data between networks of different security classifications — SIPRNet to NIPRNet, coalition partner networks, classified cloud environments. They are critical infrastructure for joint operations. They are also a prime target.
The DoD Cross Domain Enterprise Service governs how data moves across classification boundaries, and the requirements for doing this securely are defined by the NSA's National Cross Domain Strategy & Management Office (NCDSMO). For any cross domain solution operating in U.S. government networks, file content filtering isn't optional — it's an architectural requirement.
CDR integrates directly into cross domain architectures at the content filtering layer. Glasswall's engine transforms complex file formats — documents, images, binaries — into their constituent components, verifies structural integrity, strips malicious content, and reconstitutes the file on the far side of the trust boundary. This is exactly the verification that "never trust, always verify" demands at a domain crossing. Not just checking who is moving the file but verifying and neutralizing what's inside it.
For data exiting a classified environment, Glasswall CDR also handles data loss prevention through word search, metadata scrubbing, hidden data identification, and redaction — ensuring that sensitive information doesn't flow out inadvertently alongside the content users actually need to share.
The NSA's "Raise the Bar" Initiative — and What It Demands
Raise the Bar (RTB) is the NSA NCDSMO's framework for cross domain solution security, introduced in 2018. It sets the standards any vendor must meet before shipping software into government networks via a CDS — and it is deliberately rigorous.
CDS vendors seeking to operate in U.S. government environments must pass Lab-Based Security Assessments (LBSAs). Getting a slot can take up to nine months. The assessment itself takes up to six months more. Any content filter integrated into a CDS must be individually validated through this process. Most don't make it through.
Glasswall CDR has. The technology is already integrated within existing CDS platforms that have passed LBSA testing and are actively deployed in U.S. government networks. The NCDSMO typically mandates two content filters within a CDS architecture for defense-in-depth — and Glasswall CDR is one of the validated options meeting that requirement.
For defense CISOs evaluating CDR vendors for NSA Raise the Bar compliance, this is the most direct question you can ask: has your CDR solution already passed NCDSMO's LBSA process within a deployed government CDS? Not "is it on a roadmap" — has it already passed?
Five Questions Defense CISOs Should Ask Their CDR Vendor
Not all CDR is what it claims to be. Some products labeled "CDR" are file conversion tools that strip functionality to produce a flat output. Others work adequately on standard Office documents but break down against the nested archives, binary formats, and polyglot files common in defense workflows. Before you commit to a CDR vendor, ask these five questions. The answers will tell you everything you need to know.
Does your CDR rebuild files to a known-good standard, or does it strip and flatten? File flattening destroys usability — converting PDFs to static images, losing spreadsheet formulas, collapsing document structures. True CDR reconstructs the file while preserving its function and appearance. If a vendor's process produces a flattened output, your users will find ways around it.
Does it work without an internet connection or signature updates? Non-negotiable for air-gapped cybersecurity and DDIL deployments. If the vendor's technology requires cloud connectivity to be effective, it won't be effective where you need it most. Ask for a documented offline deployment reference.
Has your technology been validated within a CDS that passed LBSA under NSA's Raise the Bar? This is the only third-party validation that matters for DoD deployments. Government claims of "RTB alignment" without LBSA confirmation are unverifiable. Ask for the specific CDS program and the LBSA assessment date.
Can you handle nested archives, polyglot files, and proprietary binary formats? Attackers don't deliver payloads in clean, standard PDFs. They use ISO files, nested Zip archives, polyglot formats that present as one file type and execute as another. Ask specifically what the engine does with those. Ask for a demonstration.
What file telemetry does your CDR generate, and how does it integrate with your SIEM? CDR should produce detailed audit logs for every file processed — what was found, what was removed, file hashes before and after, processing timestamps, and anomaly flags. This data feeds your Visibility & Analytics Pillar and gives your SOC actionable signal. If the vendor can't describe their telemetry output in detail, that's the answer.
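As an added illustration, not Glasswall's engine or any product's code, here are the four CDR stages described earlier (Inspect, Rebuild, Clean, Deliver) applied to a Word .docx package, together with the per-file telemetry record the fifth question asks for (hashes before and after, what was removed, timestamp, anomaly flag). The macro part names, the allowed package layout and the sample document are constructed assumptions, and the rebuild step is deliberately simplified: it assumes the self-closing relationship and content-type elements Word writes.

```python
import hashlib, io, re, zipfile
from datetime import datetime, timezone
# Hypothetical, simplified policy for a Word (.docx) OPC package; not Glasswall's engine.
MACRO_PARTS = {"word/vbaProject.bin", "word/vbaData.xml"}
ALLOWED = ("[Content_Types].xml", "_rels/", "docProps/", "word/")
EXT_REL = rb'<Relationship\b[^>]*TargetMode="External"[^>]*/>'

def cdr_docx(data: bytes):
    """Inspect, rebuild, clean and deliver a .docx; returns (clean_bytes, telemetry)."""
    removed, keep = [], {}
    with zipfile.ZipFile(io.BytesIO(data)) as src:
        if "[Content_Types].xml" not in src.namelist(): raise ValueError("not an OPC package")  # Inspect
        for name in src.namelist():
            if not name.startswith(ALLOWED) or ".." in name:  # Inspect: off-spec package layout
                removed.append({"part": name, "reason": "structure"})
            elif name in MACRO_PARTS:  # Clean: macro container dropped by policy
                removed.append({"part": name, "reason": "macro"})
            else:
                keep[name] = src.read(name)
    # Rebuild: cut external links and references to dropped parts from the relationship and
    # content-type parts so the package stays self-consistent (assumes self-closing elements).
    gone = b"|".join(re.escape(r["part"].rsplit("/", 1)[-1].encode()) for r in removed)
    dangling = rb'<(?:Relationship|Override)\b[^>]*(?:Target|PartName)="[^"]*(?:' + gone + rb')"[^>]*/>'
    for name, body in keep.items():
        if name.endswith(".rels") or name == "[Content_Types].xml":
            body, n_ext = re.subn(EXT_REL, b"", body)
            if n_ext:
                removed.append({"part": name, "reason": f"{n_ext} external link(s)"})
            keep[name] = re.sub(dangling, b"", body) if gone else body
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for name, body in keep.items():
            dst.writestr(name, body)  # Deliver: fresh zip entries, nothing copied verbatim
    telemetry = {"timestamp": datetime.now(timezone.utc).isoformat(), "removed": removed,
                 "sha256_before": hashlib.sha256(data).hexdigest(), "sha256_after": hashlib.sha256(out.getvalue()).hexdigest(),
                 "anomaly": any(r["reason"] == "structure" for r in removed)}  # SIEM record
    return out.getvalue(), telemetry

def build_sample_docx() -> bytes:
    """Constructed input: macro-enabled document with an external link and a stray part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", b'<Types><Override PartName="/word/document.xml" ContentType="d"/>'
                   b'<Override PartName="/word/vbaProject.bin" ContentType="v"/></Types>')
        z.writestr("word/document.xml", b"<w:document>hello</w:document>")
        z.writestr("word/_rels/document.xml.rels", b'<Relationships><Relationship Id="rId1" Type="vba" Target="vbaProject.bin"/>'
                   b'<Relationship Id="rId2" Type="hyperlink" Target="http://example.invalid/" TargetMode="External"/></Relationships>')
        z.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 constructed fake macro blob")
        z.writestr("payload.bin", b"stray part outside the package layout")
    return buf.getvalue()
```

Running `cdr_docx` a second time over its own output should remove nothing, which is a cheap self-check that the rebuilt package is both parseable and clean.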
Take the Next Step on Your DoD Zero Trust Roadmap
The FY2027 deadline for DoD zero trust Target Level compliance isn't slowing down. Neither is the threat activity targeting the file layer.
Glasswall works with DoD components, defense contractors, and Five Eyes government organizations to implement CDR within zero trust architectures and cross domain solutions. If you're mapping your compliance roadmap and want to see exactly where file security fits — including a gap analysis against the DoD Zero Trust Execution Roadmap and NSA Raise the Bar requirements — request a technical briefing with our defense team.
If you're already running a CDR deployment and want to pressure-test it against these questions, talk to a Glasswall solutions architect. We'll show you what the architecture looks like in practice — in air-gapped environments, within CDS pipelines, and at the tactical edge.
Sources: DoD Zero Trust Strategy (November 2022, dodcio.defense.gov); DoD Zero Trust Capability Execution Roadmap v1.1 (December 2024); Directive-Type Memorandum 25-003, "Implementing the DoD Zero Trust Strategy" (July 2025); NSA/CISA CSI: Advancing Zero Trust Maturity Throughout the Data Pillar (April 2024); NSA NCDSMO Raise the Bar initiative (ncdsmo.mil, 2018); NSA Zero Trust Implementation Guideline Primer (January 2026).
Jake Bussell
Glasswall's Marketing Director, Jake, drives strategies that empower the company's sales teams. A highly creative and seasoned industry professional, his passion for branding and customer-focused messaging fuels growth across domestic and international markets.