The National Institute of Standards and Technology (NIST), in collaboration with the Federal CIO Council’s architecture subgroup, released a draft report on zero-trust architectures and the use cases and deployment models where zero-trust can improve cybersecurity.
The report, released September 23, is not meant to serve as official guidance or an implementation guide, but as a “technology-neutral set of terms, definitions, and logical components of network infrastructure using a [zero-trust] strategy,” it says.
Among the use cases the report highlights are networks with remote employees and cloud services. With cloud use increasing and Federal agencies having offices across the country, a zero-trust architecture has strong appeal for government organizations.
The report also illustrates how zero-trust fits into existing Federal regulations. The authors highlight synergies with the NIST Risk Management Framework, the Federal Identity, Credential, and Access Management (ICAM) Architecture, the Continuous Diagnostics and Mitigation (CDM) program, and the Trusted Internet Connections (TIC) 3.0 policy, among others.
“When complemented with existing cybersecurity policies and guidance; identity, credential, and access management (ICAM); continuous monitoring; and general cyber hygiene, ZTA may reinforce an organization’s security posture and protect against common threats,” the authors said.
The report also describes the different architectures that agencies can implement and how they can migrate to a zero-trust architecture. It notes that agencies can run hybrid architectures as they migrate across multiple technology refreshes, and offers advice on how to handle the challenges.