The proliferation of cloud computing, mobile device use, and the Internet of Things has dissolved traditional network boundaries. Hardened network perimeters alone are no longer effective for providing enterprise security in a world of increasingly sophisticated threats. Zero trust is a design approach to architecting an information technology (IT) environment that could reduce an organization’s risk exposure in a “perimeter-less” world.
The NCCoE initiated this project in collaboration with industry participants to demonstrate several approaches to a zero trust architecture—applied to a conventional, general-purpose enterprise IT infrastructure—which will be designed and deployed according to the concepts and tenets documented in NIST Special Publication (SP) 800-207, Zero Trust Architecture. The example implementations will integrate commercial and open-source products that leverage cybersecurity standards and recommended practices to showcase the robust security features of zero trust architectures. For further reference, see the Federal Register Notice or the project description.
This project will result in a NIST Cybersecurity Practice Guide, a publicly available description of the practical steps needed to implement the cybersecurity reference designs for zero trust.
Federal CIO Council Efforts
Since late 2018, NIST and NCCoE cybersecurity researchers have had the opportunity to work closely with the Federal Chief Information Officer (CIO) Council, federal agencies, and industry to address the challenges and opportunities for implementing zero trust architectures across U.S. government networks. This work resulted in publication of NIST SP 800-207, Zero Trust Architecture.
In November 2019, the NCCoE and the Federal CIO Council cohosted a Zero Trust Architecture Technical Exchange Meeting that brought together zero trust vendors and practitioners from government and industry to share successes, best practices, and lessons learned in implementing zero trust in the federal government and the commercial sector.
The NCCoE zero trust project builds on this body of knowledge. We continue to share lessons learned with the Federal CIO Council and look forward to their continued feedback to inform NCCoE cybersecurity guidance and identify future challenges in this space.