NIST defines zero trust architecture, releases use cases

Most agencies already have elements of zero trust and will operate within a hybrid architecture as legacy technology is modernized, according to NIST.

The National Institute of Standards and Technology wants feedback on its definition of zero trust security architecture and potential deployments — outlined in a draft special publication released Monday.

Zero trust refers to the narrowing of cyberdefenses from wide network perimeters to micro-perimeters around individual resources or small groups of resources, NIST says in the new guidance.

No implicit trust is granted to a user or system based on its network location, and both the user and the device must be authenticated before a connection to a resource is established. This matters more as employees increasingly work remotely and data migrates to the cloud, where the traditional network perimeter no longer separates trusted from untrusted traffic.
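The contrast between a perimeter model and a zero trust decision is easier to see in code. The following is an added illustration, not code from the NIST draft or from FedScoop: a toy policy engine that evaluates each request against a per-resource policy (a micro-perimeter) and requires an authenticated user and an enrolled, healthy device, while ignoring the source address. The resource names, user names, device registry and the 10.0.0.0/8 "internal" range are constructed sample data.

```python
"""Added example: perimeter-based versus zero trust access decisions.

Not part of the NIST draft or the article; resource, user, device and
address values below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple
import ipaddress

# Constructed "internal" network that a perimeter model implicitly trusts.
INTERNAL_NETWORK = ipaddress.ip_network("10.0.0.0/8")

# Constructed device registry: device id -> passed the latest health check.
# In a real deployment this would come from an endpoint management or
# attestation service, not a literal table.
ENROLLED_DEVICES: Dict[str, bool] = {
    "laptop-7": True,
    "laptop-9": False,   # enrolled but failing posture checks
}

# Constructed per-resource policy, i.e. one micro-perimeter per resource.
POLICY: Dict[str, Dict] = {
    "hr-db": {"allowed_users": {"alice"}, "require_healthy_device": True},
    "wiki": {"allowed_users": {"alice", "bob"}, "require_healthy_device": False},
}


@dataclass
class Request:
    """One connection attempt as seen by the policy engine."""
    src_ip: str
    resource: str
    user: Optional[str] = None       # authenticated subject, None if unauthenticated
    device_id: Optional[str] = None  # identifier presented by the device, if any


def perimeter_decision(req: Request) -> bool:
    """Classic perimeter model: anything from inside the network is trusted."""
    return ipaddress.ip_address(req.src_ip) in INTERNAL_NETWORK


def zero_trust_decision(req: Request) -> Tuple[bool, str]:
    """Zero trust decision: location is never consulted.

    Every check below must pass for every request, regardless of whether the
    source address is inside or outside the corporate network.
    """
    policy = POLICY.get(req.resource)
    if policy is None:
        return False, "unknown resource"
    if req.user is None:
        return False, "unauthenticated user"
    if req.device_id is None or req.device_id not in ENROLLED_DEVICES:
        return False, "unknown or unenrolled device"
    if policy["require_healthy_device"] and not ENROLLED_DEVICES[req.device_id]:
        return False, "device failed health check"
    if req.user not in policy["allowed_users"]:
        return False, "user not authorized for resource"
    return True, "allow"


def compare(req: Request) -> Dict[str, object]:
    """Return both decisions side by side for one request."""
    allowed, reason = zero_trust_decision(req)
    return {
        "perimeter_allows": perimeter_decision(req),
        "zero_trust_allows": allowed,
        "reason": reason,
    }


if __name__ == "__main__":
    # Constructed sample requests.
    samples = [
        Request("10.1.2.3", "hr-db"),                                   # inside, anonymous
        Request("203.0.113.5", "hr-db", user="alice", device_id="laptop-7"),  # outside, fully verified
        Request("10.1.2.3", "hr-db", user="bob", device_id="laptop-7"),       # inside, wrong user
        Request("10.1.2.3", "hr-db", user="alice", device_id="laptop-9"),     # inside, unhealthy device
    ]
    for s in samples:
        print(s.src_ip, s.resource, compare(s))
```

The first sample is the case the article's point turns on: an anonymous request from an internal address is allowed by the perimeter model and denied by the zero trust policy, while a fully authenticated user on a healthy enrolled device is allowed from an external address.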

While zero trust architecture (ZTA) isn't a foreign concept to agencies, more research and standardization are needed before it can materially improve their overall security posture, according to NIST.


“[M]any organizations already have elements of a ZTA in their enterprise infrastructure today,” reads the document. “Organizations should seek to incrementally implement zero trust principles, process changes, and technology solutions that protect its data assets and business functions.”

In addition to providing a ZTA roadmap, the document highlights a number of use cases including agencies with satellite facilities, multi-cloud environments and contracted services.

ZTAs still face threats specific to their design: compromise of the policy engine or policy administrator, the components that approve and set up connections between subjects and resources; denial-of-service attacks or network disruption targeting those components, which can block all access decisions; and insider threats, since an authorized user on an authorized device still passes the access checks.

The Federal Information Security Management Act, Trusted Internet Connection 3.0, and Continuous Diagnostics and Mitigation programs all play into zero trust because they restrict data and service access to authorized parties, with the end goal of eliminating all unauthorized access. Access control enforcement should be as granular as possible, according to NIST.

Most agencies will operate within a hybrid architecture as legacy information technology is modernized, NIST adds. While it's possible to build a pure ZTA using a ground-up, greenfield approach, large agencies will require multiple tech refresh cycles and will migrate one business process at a time.


“After enough confidence is gained in the workflow policy set, the enterprise enters the steady operational phase,” reads the report. “The network and systems are still monitored, and traffic is logged, but responses and policy modifications are done at a lower tempo as they should not be severe.”

Public comments on the document are due by Nov. 22.

Written by Dave Nyczepir
