
RSA 2022: NIST Releases Draft Zero-Trust Architecture Guide

NIST’s National Cybersecurity Center of Excellence has released the first of several preliminary drafts outlining ways that organizations can implement zero-trust architectures.

Agencies looking to adopt zero-trust security architecture can expect to see new guidance roll out throughout this summer.

The National Institute of Standards and Technology’s (NIST) National Cybersecurity Center of Excellence (NCCoE) works with government agencies, industry organizations and academic institutions to create example solutions for pressing cybersecurity concerns, and in recent years turned its focus to zero trust, said NCCoE Security Engineer and Project Manager Alper Kerman during an RSA Conference panel.

Under its Implementing a Zero Trust Architecture project, NCCoE has been working to identify the core components of a zero-trust approach, as well as demonstrate different ways for achieving it, using commercially available technologies. The effort aims to show how a zero-trust architecture could work for different scenarios such as an employee or guest user trying to access online resources, or a contractor trying to access an on-premise resource, Kerman said.

Now in early June, NCCoE has released a draft guide, with more to follow.

“We want to be able to figure out what would be the minimum viable solution that would give us some level of zero-trust orchestration,” Kerman said.

There are three key aspects of a zero-trust architecture: enhanced identity governance (EIG), micro-segmentation and software-defined perimeters, he said. Organizations may find it easier to focus more heavily on one or another, depending on their workflows, while still including elements of the other two, per NIST.

For the project, NCCoE is first demonstrating zero-trust example scenarios that focus on EIG techniques and is releasing preliminary drafts of its guidance on this method.

On June 3, NCCoE released a draft high-level overview document intended to help leadership consider their planning. NCCoE will be following up with two more detailed and technical guides, with those drafts slated for release in July and August.


Zero trust isn’t a specific standard but rather “a set of principles used in designing and implementing and operating an infrastructure,” said NIST Computer Scientist Scott Rose.

Following these principles is intended to help an organization prevent a hacker who penetrates one aspect of an organization from then moving freely through the network to compromise other systems and data. It can help prevent events like an infamous 2017 incident in which hackers got access to a casino’s network by compromising its Internet-connected fish tank.

“The whole goal of zero trust is to limit that lateral movement… so if one of your hosts has been compromised it doesn’t spread,” Rose said.

Zero trust is a departure from older approaches in which users authenticated themselves once to join a network, then were allowed to access most data and systems. In an organization that has embraced zero trust, however, users can only access data and systems necessary to their jobs and must re-authenticate themselves each time.


Organizations can use a variety of solutions and approaches to arrive at zero trust, but there are some core common elements.

If a user requests access to part of an organization’s environment, the organization should have mechanisms in place that collect information about the user, assess that information to decide whether the user can be trusted and the request granted, or whether it should be rejected as suspicious, and then carry out that decision, Kerman said. These steps could involve reviewing logs, user behavior information — such as whether they’ve visited “weird” sites recently — and other data to see if the request or user seems suspicious.

Different systems come together to make this happen.

“One thing we learned… is in reality, you’re not going to have a single piece of equipment called your ‘policy engine.’ That kind of master control process doesn’t exist. You’ll have a system of systems,” Rose said.

For example, an organization might rely on one system for endpoint detection and response, but another for identity, credential and access management (ICAM), with each one making determinations about whether to grant access requests for their particular arena.
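The decision flow described above, in which several independent systems each judge a request within their own arena and a default-deny policy engine composes their verdicts per request, can be sketched as a small policy engine. The following is an added illustration written for this article, not code from the NCCoE project or any NIST guidance; the check names, roles, resources, thresholds and sample requests are all constructed for the example.

```python
"""Per-request access decision composed from several signal sources.

Added example, not part of the NCCoE project or NIST guidance.
All names, signals, roles and thresholds below are constructed.
"""
from __future__ import annotations
from dataclasses import dataclass


@dataclass
class AccessRequest:
    user: str
    resource: str
    device_id: str
    mfa_verified: bool          # verdict from the identity system (ICAM) for THIS request
    device_healthy: bool        # verdict from the endpoint detection and response agent
    recent_flagged_sites: int   # count of flagged-site visits seen in web proxy logs


# Each check is one member of the "system of systems": it inspects the
# request within its own arena and returns (ok, reason). No single
# check is a master control process.

def icam_check(req: AccessRequest) -> tuple[bool, str]:
    # Zero trust: authentication is re-established per request, so a
    # session that was authenticated earlier earns nothing here.
    if not req.mfa_verified:
        return False, "identity: MFA not verified for this request"
    return True, "identity: ok"


def edr_check(req: AccessRequest) -> tuple[bool, str]:
    if not req.device_healthy:
        return False, f"endpoint: device {req.device_id} failed health check"
    return True, "endpoint: ok"


def behavior_check(req: AccessRequest, threshold: int = 3) -> tuple[bool, str]:
    # Constructed threshold: a burst of flagged-site visits is treated
    # as a risk signal for the request, not as proof of compromise.
    if req.recent_flagged_sites >= threshold:
        return False, f"behavior: {req.recent_flagged_sites} flagged-site visits recently"
    return True, "behavior: ok"


# Least-privilege mapping of roles to resources (constructed sample data).
ROLE_OF = {"alice": "finance", "bob": "contractor"}
ALLOWED = {"finance": {"ledger-db", "intranet"}, "contractor": {"intranet"}}


def authorization_check(req: AccessRequest) -> tuple[bool, str]:
    role = ROLE_OF.get(req.user)
    if role is None or req.resource not in ALLOWED.get(role, set()):
        return False, f"authz: {req.user} is not entitled to {req.resource}"
    return True, "authz: ok"


CHECKS = (icam_check, edr_check, behavior_check, authorization_check)


def decide(req: AccessRequest) -> tuple[str, list[str]]:
    """Run every check and deny if any one denies (default deny).

    All checks run even after a failure so the returned reasons give the
    enforcement point, and the audit log, the complete picture rather
    than only the first failing system's verdict.
    """
    reasons: list[str] = []
    allowed = True
    for check in CHECKS:
        ok, reason = check(req)
        reasons.append(reason)
        if not ok:
            allowed = False
    return ("allow" if allowed else "deny"), reasons


if __name__ == "__main__":
    # Constructed sample requests: one clean, one from an unhealthy device.
    for req in (
        AccessRequest("alice", "ledger-db", "lap-1", True, True, 0),
        AccessRequest("bob", "ledger-db", "lap-2", True, False, 4),
    ):
        decision, reasons = decide(req)
        print(f"{req.user} -> {req.resource}: {decision}")
        for r in reasons:
            print("   ", r)
```

The design point is that `decide` owns no trust of its own: every grant is the conjunction of verdicts from systems the organization may already run, which is what lets an agency mix existing products rather than buy one "policy engine" appliance. Keeping every reason, not just the first failure, is what makes the later log review Kerman mentions possible when there is no single centralized logging console.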

That creates some complexities, because there may not be one centralized place to view logging data and there could be challenges making different systems interoperable, for example. But it also means governments can mix and match systems, making use of some that they already have.

It also prevents agencies from being locked into a single vendor — an important concern for governments that don’t want to have to replace everything if they lose a technology partner, Rose said.


Organizations looking to adopt zero trust can get started by first analyzing their operations, including looking at the business processes, resources, and workflows they have to see where decisions are being — or should be — made about granting users access to systems.

Next, they should identify any areas where they may need to create or add new processes, policies or technologies for managing and understanding access.

The path to zero trust is a long, gradual one, Kerman reminded, and organizations should spend the next six to 12 months chipping away at any easy-to-address gaps in identity, compliance and monitoring.

“What you want to do is tackle what you can do,” he said. “Focus on low-hanging fruit.”

Jule Pattison-Gordon is a senior staff writer for Government Technology. She previously wrote for PYMNTS and The Bay State Banner, and holds a B.A. in creative writing from Carnegie Mellon. She’s based outside Boston.