Zero Trust Architecture

Current Status

The NCCoE is currently reviewing letters of interest that were submitted in response to a Federal Register notice to participate in the development of an example solution for implementing a zero trust architecture. Thank you to all those who expressed interest in partnering with us on the project.

You can learn more about the NCCoE project on zero trust by reading the Implementing a Zero Trust Architecture Project Description. A brief overview of the project is also available in this two-page fact sheet.

Questions? Comments? Reach us at


The proliferation of cloud computing, mobile device use, and the Internet of Things has dissolved traditional network boundaries. Hardened network perimeters alone are no longer effective for providing enterprise security in a world of increasingly sophisticated threats. Zero trust is a design approach to architecting an information technology environment that could reduce an organization’s risk exposure in a “perimeter-less” world.

A zero trust architecture treats all users as potential threats and prevents access to data and resources until the users can be properly authenticated and their access authorized. In essence, a zero trust architecture allows a user full access, but only to the bare minimum they need to perform their job. If a device is compromised, zero trust can ensure that the damage is contained.

The concept of zero trust has been around for more than a decade, but technology to support it is now moving into the mainstream. A zero trust architecture leans heavily on components and capabilities for identity management, asset management, application authentication, network segmentation, and threat intelligence. Architecting for zero trust should enhance cybersecurity without sacrificing the user experience. The NCCoE is researching ongoing industry developments in zero trust and its component technologies that support the goals and objectives of a practical, secure, and standards-based zero trust architecture.

Federal CIO Council Efforts

Since late 2018, National Institute of Standards and Technology (NIST) and NCCoE cybersecurity researchers have had the opportunity to work closely with the Federal Chief Information Officer (CIO) Council, federal agencies, and industry to address the challenges and opportunities for implementing zero trust architectures across U.S. government networks. This work resulted in publication of NIST Special Publication (SP) 800-207, Zero Trust Architecture.

In November 2019, the NCCoE and the Federal CIO Council cohosted a Zero Trust Architecture Technical Exchange Meeting that brought together zero trust vendors and practitioners from government and industry to share successes, best practices, and lessons learned in implementing zero trust in the federal government and the commercial sector.

The NCCoE project builds on this body of knowledge as we seek to build out and document an example zero trust architecture that aligns with the concepts and principles in NIST SP 800-207 and uses commercially available products.