Department of Defense (DoD) Cybersecurity Reference Architecture

The Cybersecurity Reference Architecture (CSRA) is a reference framework intended to be used by the DoD to guide the modernization of cybersecurity as required in Section 3 of E.O. 14028, Improving the Nation’s Cybersecurity and Section 1 of National Security Memorandum on Improving the Cybersecurity of National Security, Department of Defense, and Intelligence Community Systems (NSM- 8). The CSRA will advance Defense business systems, DoD national security systems (NSS), and DoD critical infrastructure / key resources (CIKR) – including DoD information technology (IT) and DoD operational technology (OT) – through an evolution to integrate ZT principles. This evolution is necessary to modernize cybersecurity through adoption of ZTA. The CSRA is a threat-informed product through integration of intelligence products and threat-based cybersecurity assessments (e.g., DoD Cybersecurity Analysis Review (DODCAR).

The purpose of the CSRA is to establish characteristics for cybersecurity architecture in the form of principles, fundamental components, capabilities, and design patterns to address threats that exist both inside and outside traditional network boundaries. Alignment of the CSRA to other RAs and solution architectures must include existing command and control (C2) orders and directives. The alignment of C2 and the CSRA will improve cyberspace survivability and enhance resiliency in operations and warfighter support to achieve integrated deterrence.

The CSRA Steering Group (CSRA SG) owns the architecture update effort and partners with stakeholders through a collaborative process involving the DoD EAEP, various NSS and CIKR working groups through the Committee on NSS (CNSS), the DoD Deputy CIO for Cybersecurity, and other DoD personnel from the Combatant Commands, Services, and Agencies (CC/S/A).

The CSRA is intended for the CC/S/A and mission partners who require access to DoD resources on premise or in a cloud environment. It serves as DoD enterprise-level guidance for establishing threshold cybersecurity to support two strategic outcomes: integrated deterrence enabled by automated response actions and enduring advantages enabled by procurement planning alignment.

Views: 0