NIST Adds Zero-Trust ‘Approaches’ to Its Security Architecture Guidance for Agencies

The National Institute of Standards and Technology wants agencies to consider their approach to zero-trust security architecture when it re-releases a draft special publication for public comment — tentatively in early February.

NIST released the first draft in September, defining zero-trust as the narrowing of cyberdefenses from wide network perimeters to micro-perimeters around individual or small groups of resources.

The special publication is an attempt to provide agencies with a “conceptual framework” using vendor-neutral terms, Scott Rose, a computer scientist at NIST, said at Duo Security’s Zero Trust Security Summit presented by FedScoop. NIST added a section on approaches to its guidance after the first comment period resolved.

“It’s where the emphasis of zero-trust implementations lie — whether identity or the actual micro-segmentation or the underlying network itself,” Rose told FedScoop after his panel. “Every good solution has elements of all three, it’s just: What is the key turning point for the organization?”

NIST doesn’t want to dictate one approach without knowing whether agencies consider enhanced identity governance, micro-perimeters or software-defined networking most important, he added.

Read more at: FedScoop