NIST Releases Draft Zero-Trust Architecture Guide

Agencies looking to adopt zero-trust security architecture can expect to see new guidance roll out throughout this summer.

The National Institute of Standards and Technology’s (NIST) National Cybersecurity Center of Excellence (NCCoE) works with government agencies, industry organizations and academic institutions to create example solutions for pressing cybersecurity concerns, and in recent years turned its focus to zero trust, said NCCoE Security Engineer and Project Manager Alper Kerman during an RSA Conference panel.

Under its Implementing a Zero Trust Architecture project, NCCoE has been working to identify the core components of a zero-trust approach, as well as to demonstrate different ways of achieving it using commercially available technologies. The effort aims to show how a zero-trust architecture could work for different scenarios, such as an employee or guest user trying to access online resources, or a contractor trying to access an on-premises resource, Kerman said.

Now in early June, NCCoE has released a draft guide, with more to follow.

“We want to be able to figure out what would be the minimum viable solution that would give us some level of zero-trust orchestration,” Kerman said.

There are three key aspects of a zero-trust architecture: enhanced identity governance (EIG), micro-segmentation and software-defined perimeters, he said. Organizations may find it easier to focus more heavily on one or another, depending on their workflows, while still including elements of the other two, per NIST.

For the project, NCCoE is first demonstrating zero-trust example scenarios that focus on EIG techniques and is releasing preliminary drafts of its guidance on this method.

On June 3, NCCoE released a draft high-level overview document intended to help leadership consider their planning. NCCoE will be following up with two more detailed and technical guides, with those drafts slated for release in July and August.

Zero trust isn’t a specific standard but rather “a set of principles used in designing and implementing and operating an infrastructure,” said NIST Computer Scientist…