U.S. flag

An official website of the United States government

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS
A lock ( ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

Implementing a Zero Trust Architecture

Conventional network security has focused on perimeter defenses, but many organizations no longer have a clearly-defined perimeter. To protect a modern digital enterprise, organizations need a comprehensive strategy for secure “anytime, anywhere” access to their corporate resources (e.g., applications, legacy systems, data, and devices) regardless of where they are located.

End-to-end zero trust architecture implementations to help industry and government reduce the risk of cyber attack

The National Cybersecurity Center of Excellence (NCCoE) aims to remove the shroud of complexity around designing for zero trust with “how to” guides and example approaches to implementing a zero trust architecture for several common business cases.
Status: Soliciting Comments

The National Cybersecurity Center of Excellence has released the second preliminary draft of SP 1800-35 Vol. E, Implementing a Zero Trust Architecture, for public comment until October 31st, 2023.  Please note that Vol. A, B, and C are the previous versions and do not require reviews; also, Volume D is open for public comment until October 9th, 2023. 

This guide summarizes how the NCCoE and its collaborators are using commercially available technology to build interoperable, open standards-based ZTA example implementations that align to the concepts and principles in NIST Special Publication (SP) 800-207, Zero Trust Architecture.  

Volume E provides a risk analysis and mapping of ZTA reference design security characteristics to cybersecurity standards and recommended practices. The updated version also includes mappings from the vendor products that have been implemented so far to the cybersecurity standards and recommended practices. 

The preliminary draft guide is available for download by specific volumes. Please submit your comments by completing the spreadsheet and then emailing it to nccoe-zta-project@list.nist.gov.

NIST SP 1800-35A: Executive Summary (2nd Preliminary Draft)Document Version NIST SP 1800-35A: Executive Summary (2nd Preliminary Draft)
NIST SP 1800-35B: Approach, Architecture, and Security Characteristics (3rd Preliminary Draft)Document Version NIST SP 1800-35B: Approach, Architecture, and Security Characteristics (3rd Preliminary Draft)
NIST SP 1800-35C: How-To Guides (3rd Preliminary Draft)Document Version NIST SP 1800-35C: How-To Guides (3rd Preliminary Draft)
NIST SP 1800-35D: Functional Demonstrations (3rd Preliminary Draft)Document Version NIST SP 1800-35D: Functional Demonstrations (3rd Preliminary Draft)
NIST SP 1800-35E: Risk and Compliance Management (2nd Preliminary Draft)Document Version NIST SP 1800-35E: Risk and Compliance Management (2nd Preliminary Draft)
Download Comment Template View the 2-page fact sheet

Project Abstract

The proliferation of cloud computing, mobile device use, and the Internet of Things has dissolved conventional network boundaries. The workforce is more distributed, with remote workers who need access to resources anytime, anywhere, and on any device, to support the mission. Organizations must evolve to provide secure access to company resources from any location and asset, protect interactions with business partners, and shield client-server as well as inter-server communications.  

The NCCoE initiated this project in collaboration with industry participants to demonstrate several approaches to a zero trust architecture applied to a conventional, general purpose enterprise information technology (IT) infrastructure on premises and in the cloud, which will be designed and deployed according to the concepts and tenets documented in NIST Special Publication (SP) 800-207, Zero Trust Architecture. The example implementations integrate commercial and open-source products that leverage cybersecurity standards and recommended practices to showcase the robust security features of zero trust architectures.  

This project will result in a NIST Cybersecurity Practice Guide, a publicly available description of the practical steps needed to implement the cybersecurity reference designs for zero trust. 

Read the Project Description

The proliferation of cloud computing, mobile device use, and the Internet of Things has dissolved conventional network boundaries.

Collaborating Vendors

Organizations participating in this project submitted their capabilities in response to an open call in the Federal Register for all sources of relevant security capabilities from academia and industry (vendors and integrators). The following respondents with relevant capabilities or product components (identified as “Technology Partners/Collaborators” herein) signed a Cooperative Research and Development Agreement to collaborate with NIST in a consortium to build this example solution.

 

Federal CIO Council Efforts 

Since late 2018, National Institute of Standards and Technology (NIST) and NCCoE cybersecurity researchers have had the opportunity to work closely with the Federal Chief Information Officer (CIO) Council, federal agencies, and industry to address the challenges and opportunities for implementing zero trust architectures across U.S. government networks. This work resulted in publication of NIST Special Publication (SP) 800-207, Zero Trust Architecture.  

In November 2019, the NCCoE and the Federal CIO Council cohosted a Zero Trust Architecture Technical Exchange Meeting that brought together zero trust vendors and practitioners from government and industry to share successes, best practices, and lessons learned in implementing zero trust in the federal government and the commercial sector. 

The NCCoE project builds on this body of knowledge. We continue to share lessons learned with the Federal CIO Council and look forward to their continued feedback to inform NCCoE cybersecurity guidance and identify future challenges in this space. 

Join the Community of Interest

Employee speaking on video call with colleagues on online briefing with laptop at home

A Community of Interest (COI) is a group of professionals and advisors who share business insights, technical expertise, challenges, and perspectives to guide NCCoE projects. COIs often include experts, innovators, and everyday users of cybersecurity and privacy technologies. Share your expertise and consider becoming a member of this project's COI. 

Tell us about yourself





Open for Public Comment: NIST NCCoE Zero Trust Architecture Preliminary Draft Practice Guide (Vol D)

NIST | NCCoE
Concept art illustrating a network based on zero trust.