NCCoE Issues New Guide for Deploying Zero Trust Architectures

Share this blog

The demand for zero trust architectures has long been well understood. However, while the “why” is clear, it’s the “how” that’s far less straightforward. As they pursue a move to zero trust, many teams struggle with devising the specific tools, tactics, and approaches that are optimally aligned with their organizations. Read on to learn more about vital new resources that offer much-needed guidance for teams looking to adopt zero trust in their organizations.

Introduction: The Pressing Demands for Zero Trust

The need for zero trust architectures continues to get more pressing as the notion of a defensible security perimeter becomes an increasingly distant memory. Particularly since the advent of the pandemic, the reality is that sensitive enterprise data can be anywhere.

Consequently, the legacy focus on trying to keep the bad actors “out” is now a non-starter. Zero trust architectures represent a key imperative, an approach that’s truly aligned with current realities.

Introducing the Zero Trust Architecture Project

Back in 2018, the National Cybersecurity Center of Excellence (NCCoE) at the National Institute of Standards and Technology (NIST) launched the Zero Trust Architecture project. Through this project, the NCCoE is focused on helping enterprises and government agencies establish end-to-end, zero-trust architectures that reduce the risk of cyber attacks. As part of this project, the NCCoE has been developing an array of resources, including extensive guides for practitioners.

The preliminary draft of the NCCoE’s practice guide was released on December 21, 2022. This draft includes the second version of NIST Special Publication (SP) 1800-35A-D and the first version of volume E, entitled “Implementing a Zero Trust Architecture.” This guide outlines how teams can employ commercially available technology to establish zero trust implementations that are interoperable and standards-based.

Back in February 2022, Zimperium was selected by the NCCoE to work on this project. We’re honored to be collaborating with the NCCoE and other technology providers to help advance the knowledge and guidance available in this critical area. Through this effort, we’re working to develop practical, interoperable cybersecurity approaches that show how the components of zero trust architectures can securely mitigate risks and address compliance requirements in various industry sectors.

As part of this effort, we’re helping build several samples of zero trust architecture solutions that demonstrate how teams can secure access to corporate resources. The proposed example solutions will integrate commercial and open-source products that leverage cybersecurity standards and recommended practices to showcase the robust security potential of zero trust.*

These solutions will enforce corporate security policies dynamically and in near real-time. With these solutions, teams will be able to ensure that only authenticated, authorized users and devices will be able to access sensitive assets. At the same time, these solutions will flexibly enable a complex, diverse set of business use cases, including support for remote workforces, cloud services, partners, and third-party contractors.

Conclusion

We encourage anyone who’s involved in managing security for their organization to review this draft. This guide will provide solid, proven guidelines for establishing effective zero trust implementations. Commercial mobile network operators, potential private zero trust network operators, and teams managing zero trust enabled technology will find this publication particularly valuable. In addition, the NCCoE is accepting public comments until February 6, 2023. We encourage you to share your feedback and insights. Finally, to receive updates about our progress, please visit the Zero Trust Architecture project page, where you can join the zero trust architecture community of interest.

About the National Cybersecurity Center of Excellence

The National Cybersecurity Center of Excellence (NCCoE), a part of the National Institute of Standards and Technology (NIST), is a collaborative hub where industry organizations, government agencies, and academic institutions work together to address businesses’ most pressing cybersecurity issues. This public-private partnership enables the creation of practical cybersecurity solutions for specific industries, as well as for broad, cross-sector technology challenges.

Through consortia under Cooperative Research and Development Agreements (CRADAs), including technology partners—from Fortune 50 market leaders to smaller companies specializing in IT security—the NCCoE applies standards and best practices to develop modular, adaptable example cybersecurity solutions using commercially available technology. The NCCoE documents these example solutions in the NIST Special Publication 1800 series, which maps capabilities to the NIST Cybersecurity Framework and details the steps needed for another entity to recreate the example solution. The NCCoE was established in 2012 by NIST in partnership with the State of Maryland and Montgomery County, Maryland. Information is available at: https://www.nccoe.nist.gov.

About Zimperium

Zimperium, Inc. is a global leader in mobile device and application security. Zimperium zIPS™ is an advanced mobile threat defense solution for enterprises, providing persistent, on-device protection on Android, Chrome OS, and iOS-powered mobile endpoints. Leveraging advanced machine learning, zIPS detects threats across the kill chain, including those targeting devices, networks, and applications. By design, zIPS protects end-user privacy, ensuring that Federal agencies comply with zero trust principles and privacy mandates. For more information or to schedule a demo, contact us today.

*While the example implementation uses certain products, NIST and the NCCoE do not endorse these
products. The guide presents the characteristics and capabilities of those products, which an
organization’s security experts can use to identify similar standards-based products that will fit with
their organization’s existing tools and infrastructure.

Jim Kovach
Author: Jim Kovach
Mobile Security Specialist, Public Sector. View the author's experience and accomplishments on LinkedIn.