NIST releases finalized zero-trust architecture guidance

The document adds a section on the tenets of the security philosophy and adopts longstanding federal language around approaches.
zero trust
(Getty Images)

The National Institute of Standards and Technology provided agencies with a foundation for security as they modernize IT in its finalized zero-trust architecture guidance released Tuesday.

NIST reorganized parts of the finalized guidance, adding a section on the tenets of zero trust, such as securing communication regardless of network location, as well as considering data sources and computing services as resources for the technology.

The document also adopted longstanding federal language around zero-trust architecture approaches like data enclaves versus micro-segmentation, Sean Frazier, advisory chief information security officer of federal at Duo Security, told FedScoop.

“It points to the fact of why are we doing micro-segmentation, which is all about the data and the data access,” Frazier said. “So when you’re thinking about building out your micro-segments, you’re looking at am I slicing and dicing my access to particular data, which is really served up through particular applications.”


Enclaves are essentially bubbles around data access that, like micro-segments, are focused on data rather than network rights, he added.

NIST’s finalized guidance further ties zero-trust architecture in with other federal constructs like its Cybersecurity Framework and the Continuous Diagnostics and Mitigation program. The release also comes on the heels of finalized Trusted Internet Connections 3.0 security architecture concepts, which it aligns with, Frazier said.

The guidance will also align with the National Cybersecurity Center of Excellence reference architecture. Originally expected in June, that effort is possibly six months behind due to the “extreme telework situation” the coronavirus pandemic has caused, Frazier said.

Meanwhile, the federal Chief Information Officers Council commissioned the American Council for Technology and Industry Advisory Council in 2018 to evaluate the potential for zero trust, and Phase 2 of the effort will involve outlining how agencies can implement the philosophy.

“The next step is to start putting together reference architectures in labs, start bringing in agencies to bring in their use cases, and even some enterprises,” Frazier said.

Latest Podcasts