The Department of Defense has 152 zero trust capabilities to deliver by the end of fiscal year 2027, and the seven pillars they map into are not optional reading for cleared engineers. In the National Capital Region, the pay band for a Zero Trust Architect with an active Top Secret / Sensitive Compartmented Information (TS/SCI) clearance runs $165,000 to $225,000, against a Bureau of Labor Statistics national median of $124,910 for Information Security Analysts. The deadline was set by the DoD Chief Information Officer's Zero Trust Strategy, released in November 2022; the 152-item list, split into 91 Target and 61 Advanced, is the Strategy's capability execution roadmap, and it sits on the pillar structure of the DoD Zero Trust Reference Architecture v2.0 (July 2022), which the Defense Information Systems Agency maintains. Both documents now drive contract language, Plan of Action and Milestones reporting, and cleared cyber engineering hiring across every component of the Department of Defense.
This guide is built for cleared engineers who already hold an active TS/SCI or are in scope for one and who want to map themselves into the zero trust hiring lane that the FY27 deadline opened. It anchors every load-bearing claim to a primary source: the DoD Strategy and Reference Architecture above, NIST Special Publication 800-207 (the foundational architecture published in August 2020), OMB Memorandum M-22-09 (the parallel federal civilian deadline driver), the NSA’s February 2021 paper on zero trust, and the CISA Zero Trust Maturity Model v2.0. The salary figures pair the BLS May 2024 OEWS release for Information Security Analysts (SOC 15-1212), BLS OEWS for Computer Network Architects (SOC 15-1241), OPM 2026 General Schedule pay tables for the DC locality, ZipRecruiter’s TS/SCI clearance salary aggregation, and CyberSecJobs.com’s own anonymized 2025 cleared-cyber data.
What the DoD Zero Trust Strategy actually obligates programs to deliver
The DoD Zero Trust Strategy, released in November 2022, is the document that turned zero trust from a CISO buzzword into a budgeted, audited program of record. It sets a fixed end state, what the strategy calls "Target Level" zero trust, that every component of the Department of Defense must reach by the end of fiscal year 2027. The companion Zero Trust Reference Architecture v2.0, which DISA maintains and the DoD CIO published in July 2022, supplies the seven-pillar structure; the Strategy's capability execution roadmap breaks the end state into 152 numbered activities under 45 capabilities, 91 Target and 61 Advanced (this guide follows the common shorthand and calls all 152 "capabilities"). Programs report quarterly against that list to the DoD Zero Trust Portfolio Management Office, the DoD CIO-housed office that Randy Resnick directs.
For hiring managers, two consequences matter. First, every cleared cyber program has a zero trust line in its Plan of Action and Milestones, so demand for engineers who can read the Reference Architecture and map capabilities to controls is structural, not cyclical. Second, candidates who can name the seven pillars and quote the FY27 deadline in an interview separate themselves immediately from generalists who learned zero trust from a vendor white paper. That is the cleared market the rest of this guide is written for: readers who hold TS/SCI or are in scope for it.
The upstream policy event was Executive Order 14028, signed May 12, 2021, which named zero trust as the direction of federal cybersecurity. On the federal civilian side, OMB Memorandum M-22-09, signed by then-Acting OMB Director Shalanda Young on January 26, 2022, translated that direction into a binding end-of-FY24 deadline for civilian agencies. The DoD Strategy's FY27 deadline is the defense-side parallel, set later because the DoD attack surface is larger and the legacy enclaves are deeper. Both deadlines now drive procurement, training budgets, and cleared cyber hiring inside the agencies and primes responsible for executing them.
How NIST 800-207 became the DoD’s seven pillars
Zero trust did not begin with the DoD. The term was introduced by Forrester analyst John Kindervag in a 2010 research note, the operational doctrine was published by the NSA in February 2021, and the canonical technical architecture was published by the National Institute of Standards and Technology six months earlier, in August 2020. The DoD's seven-pillar overlay is a defense-specific implementation of those upstream documents, not a competing model.
NIST Special Publication 800-207, authored by Scott Rose, Oliver Borchert, Stu Mitchell, and Sean Connelly and published in August 2020, established the reference architecture every subsequent zero trust document inherits. The core abstraction is a three-component policy plane: a Policy Engine (PE) that makes the access decision, a Policy Administrator (PA) that executes it by establishing or tearing down the session, and a Policy Enforcement Point (PEP) that sits in the data path. That plane is paired with continuous trust evaluation rather than a one-time perimeter check. The seven NIST tenets the document codifies (all data sources and computing services are resources; all communication is secured regardless of network location; access is granted per session; access is determined by dynamic policy; the enterprise monitors the integrity and security posture of all assets; authentication and authorization are dynamic and strictly enforced; and the enterprise collects as much telemetry as possible and uses it to improve its posture) are the same tenets the DoD Reference Architecture cites in its grounding chapter.
The NSA's February 2021 paper Embracing a Zero Trust Security Model translated NIST 800-207 into operational language for national-security systems. The NSA Cybersecurity Directorate's framing (define, architect, monitor, operate) is the doctrinal backbone the DoD CIO's office inherited when it began drafting the DoD-specific reference architecture in 2021 and 2022.
John Kindervag, the Forrester analyst who introduced the term “zero trust” in a 2010 Forrester research note and who now serves as Chief Evangelist and Field CTO at Illumio, has been consistent on one point across the decade since: zero trust is a strategy that asserts no implicit trust based on network location, not a product anyone sells. “Zero trust is a strategy. It is not a technology, it is not a product, and you cannot buy it from a vendor” is the framing he has repeated in Forrester research, in public conference talks, and across Illumio publications. It is also the framing every cleared candidate should be able to articulate before walking into a DoD Architect interview, because senior hiring panels filter on it: a candidate who pitches a vendor product as the zero trust answer flags as a generalist on slide two of the technical brief.
The DoD’s specific contribution was decomposing the NIST policy plane into seven operational pillars, layering 152 numbered capabilities across them, and assigning a maturity scale that components could report against quarterly. That is what makes the DoD Reference Architecture distinct. The seven pillars are not the doctrine — NIST 800-207 is the doctrine. The seven pillars are the engineering schedule.
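As an added illustration, and not code from NIST, DISA, or any vendor named on this page, the Python sketch below models the PE / PA / PEP split described above together with three of the tenets: per-session access, dynamic policy, and continuous evaluation. The trust score, posture fields, sensitivity scale, and thresholds are assumptions chosen for the example; a production Policy Engine would draw those inputs from ICAM, the endpoint agent, and the data-tagging service rather than hard-coding them.

```python
# Added example (not NIST's or DISA's code): the SP 800-207 policy plane as
# three cooperating objects. Trust weights, posture fields, the sensitivity
# scale and thresholds are assumptions chosen for illustration.
from dataclasses import dataclass
import secrets

@dataclass
class Subject:
    user: str
    auth_strength: int  # assumed scale: 1 password, 2 MFA, 3 PIV/CAC

@dataclass
class DevicePosture:
    managed: bool
    edr_healthy: bool
    patched: bool
    last_attested: float  # epoch seconds of the latest posture report

@dataclass
class Resource:
    name: str
    sensitivity: int  # assumed scale: 1 low .. 3 high

@dataclass
class Grant:
    token: str
    resource: str
    issued: float
    ttl_s: int
    min_trust: int  # trust the PE demanded when this grant was issued

class PolicyEngine:
    """Tenets 4 and 6: access decided by dynamic policy, strictly enforced."""
    MAX_POSTURE_AGE_S = 300
    REQUIRED_TRUST = {1: 2, 2: 4, 3: 6}

    def trust_score(self, subj, posture, now):
        if now - posture.last_attested > self.MAX_POSTURE_AGE_S:
            return 0  # stale posture report: nothing is inherited from the past
        return (subj.auth_strength + int(posture.managed)
                + int(posture.edr_healthy) + int(posture.patched))

    def decide(self, subj, posture, res, now):
        return self.trust_score(subj, posture, now) >= self.REQUIRED_TRUST[res.sensitivity]

class PolicyAdministrator:
    """Tenet 3: turns a PE decision into a per-resource, per-session grant."""
    def __init__(self, pe):
        self.pe, self.grants = pe, {}

    def request_session(self, subj, posture, res, now, ttl_s=600):
        if not self.pe.decide(subj, posture, res, now):
            return None
        g = Grant(secrets.token_hex(16), res.name, now, ttl_s,
                  self.pe.REQUIRED_TRUST[res.sensitivity])
        self.grants[g.token] = g
        return g

    def reevaluate(self, token, subj, posture, now):
        """Continuous evaluation: a mid-session posture drop revokes the grant."""
        g = self.grants.get(token)
        if g is not None and self.pe.trust_score(subj, posture, now) < g.min_trust:
            del self.grants[token]
            g = None
        return g is not None

class PolicyEnforcementPoint:
    """Sits in the data path; honours only a live grant for this exact resource."""
    def __init__(self, pa):
        self.pa = pa

    def allow(self, token, res, now):
        g = self.pa.grants.get(token)
        if g is None or g.resource != res.name:
            return False  # unknown, revoked, or issued for a different resource
        if now > g.issued + g.ttl_s:
            del self.pa.grants[token]  # session ended; no lingering access
            return False
        return True

def walkthrough():
    """Runs the scenarios; every value in the returned dict should be True."""
    pa = PolicyAdministrator(PolicyEngine())
    pep = PolicyEnforcementPoint(pa)
    t0 = 1_700_000_000.0  # constructed clock value
    alice, bob = Subject("alice", 3), Subject("bob", 1)
    healthy = DevicePosture(True, True, True, last_attested=t0)
    byod = DevicePosture(False, False, True, last_attested=t0)
    stale = DevicePosture(True, True, True, last_attested=t0 - 3600)
    degraded = DevicePosture(True, False, True, last_attested=t0 + 60)  # EDR down
    secret_db, wiki = Resource("secret-db", 3), Resource("wiki", 1)
    out = {}
    g = pa.request_session(alice, healthy, secret_db, t0)
    out["strong_subject_gets_high_sens"] = g is not None
    out["pep_allows_granted_resource"] = pep.allow(g.token, secret_db, t0 + 10)
    out["pep_denies_other_resource"] = not pep.allow(g.token, wiki, t0 + 10)
    out["revoked_on_posture_drop"] = not pa.reevaluate(g.token, alice, degraded, t0 + 60)
    out["pep_denies_after_revoke"] = not pep.allow(g.token, secret_db, t0 + 61)
    out["weak_subject_gets_low_sens"] = pa.request_session(bob, byod, wiki, t0) is not None
    out["weak_subject_denied_high_sens"] = pa.request_session(bob, byod, secret_db, t0) is None
    out["stale_posture_denied"] = pa.request_session(alice, stale, wiki, t0) is None
    g2 = pa.request_session(alice, healthy, secret_db, t0, ttl_s=60)
    out["expired_grant_denied"] = not pep.allow(g2.token, secret_db, t0 + 61)
    return out
```

Call walkthrough() to run the scenarios. The instructive cases are the denials: a grant is bound to one resource, not to "the network"; an EDR failure mid-session revokes the grant before it expires; and a posture report older than five minutes collapses trust to zero regardless of credential strength. That last case is the practical meaning of continuous evaluation: the PE never reuses a conclusion it reached earlier.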
Zero Trust frameworks compared: DoD, NIST, NSA, CISA, OMB
Cleared candidates routinely walk into ZT Architect interviews expecting to discuss the DoD seven-pillar model and discover that the hiring panel wants them to cross-reference it against the NIST, NSA, CISA, and OMB documents that bracket it. The comparison below is the synthesis a senior architect is expected to have on demand. Year-tagged. Cross-referenced. The fifth column, "Mandatory for", is the one most generic content gets wrong.
| Framework (2026) | Issuing body | Published | Pillar / tenet count | Mandatory for |
|---|---|---|---|---|
| DoD Zero Trust Strategy + Reference Architecture v2.0 | DoD CIO / DISA | RA v2.0: July 2022. Strategy: Nov 2022. | 7 pillars; 45 capabilities / 152 activities (91 Target + 61 Advanced) | All DoD components by end FY27 |
| NIST SP 800-207 | NIST | August 2020 | 7 tenets; PE / PA / PEP logical components | Federal civilian + foundational reference for DoD RA |
| NSA: Embracing a Zero Trust Security Model | NSA Cybersecurity Directorate | February 2021 | 4-stage capability progression (define / architect / monitor / operate) | NSA / Intelligence Community; cited as doctrinal source by DoD RA |
| CISA Zero Trust Maturity Model v2.0 | CISA | April 2023 | 5 pillars + 3 cross-cutting capabilities; 4 maturity stages (Traditional → Optimal) | Federal civilian agencies (paired with M-22-09) |
| OMB Memorandum M-22-09 | OMB (signed S. Young) | January 26 2022 | Action items keyed to NIST + CISA pillars | All federal civilian agencies by end FY24 |
Two cross-references matter most in interviews. First, the DoD's seven pillars (User, Device, Application/Workload, Data, Network/Environment, Automation & Orchestration, Visibility & Analytics) map onto CISA's five pillars (Identity, Devices, Networks, Applications & Workloads, Data) plus three cross-cutting capabilities (Visibility & Analytics, Automation & Orchestration, Governance). The mapping is close but not identical: DoD's User pillar is CISA's Identity pillar, DoD elevates Automation & Orchestration and Visibility & Analytics to full pillars where CISA treats them as cross-cutting, and CISA's Governance capability has no pillar of its own in the DoD model. The analytic move is to know where the seam is, not to pretend the two frameworks are interchangeable. Second, the NIST PE/PA/PEP logical model is implemented across multiple DoD pillars: User-pillar enforcement at an identity provider such as Okta or Microsoft Entra ID, Device-pillar enforcement at an endpoint agent such as CrowdStrike or Intune, and Network-pillar enforcement at Zscaler or Illumio. A candidate who can name where the PEPs live in a Thunderdome reference design and how the policy engine arbitrates between them is the candidate who walks out with an offer.
The seven pillars of the DoD Zero Trust Reference Architecture
The Reference Architecture v2.0 organizes all 152 capabilities into seven pillars. Two of them, Automation & Orchestration and Visibility & Analytics, are cross-cutting: their capabilities service the other five pillars rather than standing alone. Engineers tend to specialize in one or two pillars early in their career, then take Architect roles after they can credibly cover all seven.
| Pillar | What it controls | Common tooling in cleared programs (2026) |
|---|---|---|
| User | Identity, credentialing, conditional access, ICAM federation | Okta, Microsoft Entra ID, SailPoint, DoD CAC/PIV |
| Device | Endpoint posture, comply-to-connect, mobile device management | CrowdStrike, Microsoft Intune, Ivanti, DISA C2C |
| Application/Workload | Secure software supply chain, container security, runtime defense | Palo Alto Prisma Cloud, Wiz, Sigstore, DoD Iron Bank |
| Data | Tagging, rights management, encryption, loss prevention | Microsoft Purview, Varonis, Forcepoint, Thales CipherTrust |
| Network/Environment | Microsegmentation, software-defined perimeter, SASE | Illumio, Zscaler, Palo Alto Prisma Access, Cisco |
| Automation & Orchestration | SOAR, policy-as-code, infrastructure pipelines | Splunk SOAR, Tines, Ansible, Terraform |
| Visibility & Analytics | Telemetry, UEBA, SIEM, anomaly detection | Splunk, Microsoft Sentinel, Elastic, Exabeam |
Inside DISA Thunderdome and the Joint Warfighting Cloud Capability
Two programs are doing the heaviest lifting on DoD zero trust at scale, and any serious candidate should be able to discuss both. The first is Thunderdome, the Defense Information Systems Agency’s enterprise zero trust prototype, which DISA moved from prototype to production in 2024 under prime contractor Booz Allen Hamilton. The Thunderdome stack combines secure access service edge components, software-defined wide-area networking, and application security gateways into a single managed offering that DISA sells to combatant commands and defense agencies. The underlying technology stack leans heavily on Zscaler Internet Access and Zscaler Private Access, with Palo Alto Prisma Access as the alternate SASE stack inside parallel Service-specific prototypes.
The second is the Joint Warfighting Cloud Capability (JWCC), the $9 billion multi-vendor cloud contract awarded December 7 2022 to Amazon Web Services, Microsoft, Google, and Oracle. JWCC is the substrate the Department of Defense uses to host zero-trust-aligned workloads across the classification stack — Impact Level 2 through 6 per the DISA Cloud Computing Security Requirements Guide. Every JWCC task order requires the receiving program to articulate how it will satisfy the relevant Reference Architecture capabilities inside the chosen cloud, which is why JWCC migrations are the single biggest driver of cleared zero trust engineering hires through 2026 and 2027.
Why the FY27 deadline is being treated as a procurement event, not a target
The FY27 deadline is doing structural work in the cleared cyber labor market that a paper deadline shouldn’t be able to do. The reason is that the deadline is paired with quarterly reporting through the DoD CIO, an external audit channel through the Government Accountability Office, and contract language that program offices are folding into solicitations on the way to award. The combination turns “comply by FY27” into a current-quarter procurement event, which is the form that actually mobilizes hiring.
Randy Resnick, who directs the DoD Zero Trust Portfolio Management Office, has framed the deadline as a floor rather than a finish line across multiple public AFCEA TechNet Cyber and Federal News Network appearances during his PMO Director tenure. Target Level on the 91 Target capabilities is the minimum compliance bar; the Advanced tier on the 61 Advanced capabilities is the directional goal; sustainment of all 152 capabilities is the workload that defines DoD zero trust engineering employment through the back half of the decade. For cleared candidates that translates into a structural, not cyclical, demand curve, the kind every interviewer expects a senior ZT Architect to be able to read off the Reference Architecture index by capability number.
External oversight reinforces the deadline. The Government Accountability Office’s national-defense portfolio tracks DoD progress against the Strategy, with the July 2024 DOD Cyber Strategy product and follow-on briefings flagging the Data and Application/Workload pillars as components where the largest unfilled engineering headcount sits through FY27. The civilian-side analog matters too: OMB Memorandum M-22-09 put the federal civilian end-FY24 deadline on the calendar, and the agencies that missed it are now visibly behind, which gives the DoD timeline a salutary example to point at when components ask whether the deadline is real.
What it all means for hiring: the Data and Application/Workload pillars have the largest unfilled engineering headcount through FY27. Candidates with credible Microsoft Purview, Varonis, or container security experience (Wiz, Prisma Cloud, Sigstore-signed software bill of materials work) are commanding the top of their respective bands. Pure Network pillar candidates are still in demand but face more competition.
The four zero trust roles cleared programs are actually hiring for
Job titles still vary across primes and agencies, but four functional roles have stabilized over the last 18 months of postings on cybersecjobs.com and competing cleared boards. Cleared salary ranges below reflect the National Capital Region market for candidates with active TS/SCI; pay outside the Washington commuting area runs roughly 8 to 12 percent lower at the same skill level, with Colorado Springs and Huntsville being the most common exceptions.
| Role (2026) | Cleared base pay, NCR (2026) | Pillars owned | Typical years |
|---|---|---|---|
| Zero Trust Architect | $165,000 – $225,000 | All seven (governance lead) | 10+ |
| Zero Trust Engineer | $135,000 – $180,000 | Network + Application/Workload | 5 – 9 |
| Identity/IAM Lead | $125,000 – $170,000 | User + Device | 6 – 10 |
| Microsegmentation Engineer | $130,000 – $175,000 | Network + Visibility & Analytics | 5 – 8 |
The architect band sits squarely on top of the DC TS/SCI market average of $149,398 captured by ZipRecruiter’s cleared-cyber filings and the cybersecjobs.com 2026 internal survey. The spread reflects the premium primes pay candidates who can sign off on Authority-to-Operate packages without needing a separate cyber lead. Against the BLS May 2024 OEWS release for Information Security Analysts (SOC 15-1212) national median of $124,910 and 90th-percentile of $182,370, the cleared TS/SCI premium for Zero Trust Architects runs $40,000 to $65,000 at the top of band. For the architect-tier baseline that crosses into network architecture work, the BLS OEWS for Computer Network Architects (SOC 15-1241) sets the commercial reference at the same order of magnitude.
Engineer-level pay overlaps with senior security engineer ranges in the broader cleared market ($110,000 to $200,000 per cybersecjobs.com’s 2026 dataset), and the clearance premium for active TS/SCI on top of a commercial baseline still runs $30,000 to $45,000 per the 2024 ClearanceJobs Compensation Report. On the federal civilian side, Zero Trust Architect roles map to GS-14 and GS-15 billets; per OPM’s 2026 DC locality table, a GS-14 Step 5 lands at $169,029 and a GS-15 Step 5 at $198,884 — the federal civilian band a senior Architect with direct-hire-authority eligibility can target without leaving government service.
Tooling stack: Zscaler, Illumio, Palo Alto Prisma Access, Okta, and what to learn first
Four vendors dominate the cleared zero trust market because their products are FedRAMP High authorized, ship with DoD Impact Level 5 (and increasingly Impact Level 6) accreditations, and appear inside Thunderdome reference designs. Zscaler Internet Access and Zscaler Private Access cover the Network pillar’s secure-access-service-edge capabilities. Illumio Core handles east-west microsegmentation, with Illumio CloudSecure extending the same model into JWCC workloads. Palo Alto Prisma Access is the alternate SASE stack inside Thunderdome and several Service-specific zero trust prototypes. Okta Identity Cloud, including its Federal-only Okta for US Military tenant, handles the User pillar federation work — and increasingly device posture through Okta Verify when paired with CrowdStrike Falcon.
Engineers breaking into the field generally pick one Network pillar tool and one User pillar tool to specialize in first. The fastest path to a $135,000-plus offer is a CompTIA Security+ baseline (the qualification most cyber billets require under DoDM 8140.03, published February 2023, which replaced the old DoD 8570 "IAT Level II" construct with work-role-based qualification), a vendor certification in either Zscaler Digital Transformation Engineer or Palo Alto PCNSE, and one cloud security credential (AWS Certified Security – Specialty or the Microsoft Azure Security Engineer Associate, AZ-500) that proves you can carry the architecture into JWCC.
Certifications that move the needle on a zero trust resume
Cleared programs care about two layers of certifications: the DoD 8140-aligned baselines (CISSP, CASP+ / SecurityX, Security+) that prove the candidate can be assigned to a cyber work role at all, and the architecture and cloud credentials that prove the candidate can deliver Reference Architecture capabilities in production. CISSP from ISC2 ($749 exam fee, roughly 150 prep hours, 5 years experience) remains the dominant architect-level baseline. CCSP, also from ISC2 ($599 exam fee, 120 prep hours), is the cleanest cloud companion. AWS Certified Security – Specialty ($300 exam fee, 80 prep hours) and the Microsoft Azure Security Engineer Associate ($165 exam fee, 80 prep hours) are the cloud-specific credentials cleared hiring managers ask about most often when JWCC migration work is on the table.
Chase Cunningham, the former Forrester principal analyst who built the Zero Trust eXtended (ZTX) framework Forrester used to evaluate vendor maturity, has been blunt across his post-Forrester podcast and conference circuit about what cleared programs actually want to see on a resume. The credential stack is necessary but not sufficient. A CISSP plus an AZ-500 plus a Zscaler Digital Transformation Engineer credential clears the document filter; the candidate who wins the offer is the one who can walk a hiring panel through a specific Reference Architecture capability they have personally delivered, with the capability number named, the pillar tagged, and the rollback plan documented. Cunningham's framing, that zero trust is a delivered capability outcome rather than a credential collection, is the bar every senior architect interview probes for.
That sequencing is why cleared engineers who pair their 8140 baseline with vendor and cloud credentials, and who can name a specific capability they delivered in their previous role, dominate the offer rate. Credentials open the door; capability delivery, ideally with a Reference Architecture capability number quoted in the resume bullet, walks the candidate through it.
Frequently asked questions
Do I need an active TS/SCI to apply for a DoD Zero Trust Engineer role?
Most prime contractor postings require an active Top Secret with SCI eligibility at submission. A current Secret clearance can sometimes get you in the door at sub-tier integrators working below Impact Level 5, but the National Capital Region salary bands referenced above assume active TS/SCI. The premium for an active TS/SCI over an uncleared commercial baseline still runs $30,000 to $45,000 per the 2024 ClearanceJobs Compensation Report.
Is Thunderdome only run by DISA, or are other agencies adopting it?
DISA operates Thunderdome as an enterprise managed service that other DoD components can subscribe to. Combatant commands and defense agencies are the primary current customers; several civilian agencies are observing the model but procuring through their own enterprise SASE contracts rather than subscribing directly. The Booz Allen Hamilton prime contract has expanded since the prototype phase to accommodate additional component subscriptions.
How is the 91 Target / 61 Advanced split scored on hiring panels?
Architect interviews routinely ask candidates to walk through the seven pillars and identify which capabilities they have personally delivered. Engineer interviews skew toward depth in one or two pillars rather than coverage; you are not expected to have shipped all 152. The DoD CIO’s public Zero Trust progress page is the canonical place to read the capability index by pillar before an interview.
Does prior experience with NIST SP 800-207 transfer to DoD zero trust work?
Yes. NIST SP 800-207 is cited as a foundational reference inside the DoD Zero Trust Reference Architecture, and most architects work fluently with both. Candidates with civilian zero trust experience generally need to add the seven-pillar vocabulary and the capability-numbering shorthand to translate cleanly. The fastest gap-closer is reading the Reference Architecture v2.0 PDF end to end with the NIST tenets as a mental crosswalk.
How does the DoD seven-pillar model compare to CISA’s five-pillar maturity model?
The CISA Zero Trust Maturity Model v2.0, published April 2023, uses five pillars (Identity, Devices, Networks, Applications & Workloads, Data) plus three cross-cutting capabilities (Visibility & Analytics, Automation & Orchestration, Governance). The DoD seven-pillar model names the Identity pillar User and promotes Automation & Orchestration and Visibility & Analytics from cross-cutting capabilities to pillars; CISA's Governance capability has no pillar of its own in the DoD model. The conceptual coverage is nearly identical; the schedule of execution differs. Federal civilian agencies report against CISA's model per OMB M-22-09; DoD components report against the DoD model per the Strategy and Reference Architecture.
Will demand drop after the FY27 deadline?
No, based on current Portfolio Management Office signaling. Target Level is a floor, not a finish line — the Resnick framing repeated across Federal News Network coverage and AFCEA TechNet Cyber appearances. Sustainment of the 152 capabilities, plus the next-generation overlays already in draft for the Advanced tier, will keep the cleared zero trust market structurally tight well past September 2027.
What this means through 2028
Two trends shape the cleared zero trust engineering hiring picture through 2028. The first is the FY27 deadline enforcement curve: program offices are folding Reference Architecture capability numbers directly into solicitations and contract language, and the credential-plus-capability filter is getting more rigid, not less. The second is the structural cleared-cyber workforce shortage, which has compounded across every year of the post-2020 hiring cycle and shows no sign of inverting before the back half of the decade. If FY27 enforcement tightens through 2026 and 2027, and the GAO continues to flag Data and Application/Workload pillar lag, the architect-band premium expands; if a future administration deprioritizes the Strategy or extends the deadline, the premium compresses. The falsifiable claim is the GAO oversight beat: if the next national-defense product on DoD ZT progress closes the data-pillar gap, the architect band sits where it is. If the gap widens, the architect band moves higher and the engineer-tier follows.
For a cleared engineer on the senior or architect track in 2026, that turns the next 18 months into one of the cleaner labor-market windows available in the cleared cyber career stack. The credentials are clear, the capabilities are numbered, the agencies and primes are named, and the deadline is in the contract. The work is mapping the pillar to the resume bullet and the resume bullet to the offer.
Where to look next
- DoD 8140 Framework Explained: Cyber Workforce Requirements
- TS/SCI Cyber Jobs in 2026: The Cleared Cybersecurity Career Guide
- Cleared Cybersecurity Career Path: SOC Analyst to CISO
- CISSP for Cleared Cyber Analysts: Cost, ROI, and Hiring Impact
- Threat Hunter Cleared Salary 2026: TS/SCI Premium Analysis
- Microsoft Sentinel for Cleared Cloud Security Skills Guide
- CrowdStrike for Cleared Endpoint Security Skills Guide
- Splunk for Cleared SOC Analysts Complete Skills Guide
