NIST Releases Finalized Zero-Trust Architecture Guidance

NIST reorganized parts of the finalized guidance and added a section on the tenets of zero trust, such as securing communication regardless of network location and considering data sources and computing services as resources.

The document also adopted longstanding federal language around zero-trust architecture approaches like data enclaves versus micro-segmentation, Sean Frazier, advisory chief information security officer of federal at Duo Security, told FedScoop.

“It points to the fact of why are we doing micro-segmentation, which is all about the data and the data access,” Frazier said. “So when you’re thinking about building out your micro-segments, you’re looking at am I slicing and dicing my access to particular data, which is really served up through particular applications.”

Enclaves are essentially bubbles around data access that, like micro-segments, are focused on data rather than network rights, he added.

NIST’s finalized guidance further ties zero-trust architecture in with other federal constructs like its Cybersecurity Framework and the Continuous Diagnostics and Mitigation program. The release also comes on the heels of finalized Trusted Internet Connections 3.0 security architecture concepts, which it aligns with, Frazier said.

The guidance will also align with the National Cybersecurity Center of Excellence reference architecture. Originally expected in June, that effort is possibly six months behind due to the “extreme telework situation” the coronavirus pandemic has caused, Frazier said.

Read more at: FedScoop