Zero Trust Architecture

Current Status

This project is moving into the design and build phase. We have selected technology collaborators who have signed a Cooperative Research and Development Agreement with NIST.

You can learn more about the NCCoE project on zero trust by reading the Implementing a Zero Trust Architecture Project Description. A brief overview of the project is also available in this two-page fact sheet.

Questions? Comments? Reach us at nist-nccoe-zta@list.nist.gov.

Summary

The proliferation of cloud computing, mobile device use, and the Internet of Things has dissolved traditional network boundaries. Hardened network perimeters alone are no longer effective for providing enterprise security in a world of increasingly sophisticated threats. Zero trust is a design approach to architecting an information technology (IT) environment that could reduce an organization’s risk exposure in a “perimeter-less” world.

The NCCoE initiated this project in collaboration with industry participants to demonstrate several approaches to a zero trust architecture—applied to a conventional, general purpose enterprise IT infrastructure—which will be designed and deployed according to the concepts and tenets documented in NIST Special Publication (SP) 800-207, Zero Trust Architecture. The example implementations will integrate commercial and open-source products that leverage cybersecurity standards and recommended practices to showcase the robust security features of zero trust architectures. For further reference, see the Federal Register Notice or the project description.

This project will result in a NIST Cybersecurity Practice Guide, a publicly available description of the practical steps needed to implement the cybersecurity reference designs for zero trust.

Federal CIO Council Efforts

Since late 2018, NIST and NCCoE cybersecurity researchers have had the opportunity to work closely with the Federal Chief Information Officer (CIO) Council, federal agencies, and industry to address the challenges and opportunities for implementing zero trust architectures across U.S. government networks. This work resulted in the publication of NIST SP 800-207, Zero Trust Architecture.

In November 2019, the NCCoE and the Federal CIO Council cohosted a Zero Trust Architecture Technical Exchange Meeting that brought together zero trust vendors and practitioners from government and industry to share successes, best practices, and lessons learned in implementing zero trust in the federal government and the commercial sector.

The NCCoE zero trust project builds on this body of knowledge. We continue to share lessons learned with the Federal CIO Council and look forward to their continued feedback to inform NCCoE cybersecurity guidance and identify future challenges in this space.

Collaborating Vendors

Organizations participating in this project submitted their capabilities in response to an open call in the Federal Register for all sources of relevant security capabilities from academia and industry (vendors and integrators). The following respondents with relevant capabilities or product components (identified as “Technology Partners/Collaborators” herein) signed a Cooperative Research and Development Agreement to collaborate with NIST in a consortium to build this example solution.

Amazon Web Services
Cisco
f5
ForeScout
IBM
Microsoft