SP 1800-35, Implementing a Zero Trust Architecture | CSRC
<!DOCTYPE html> <html lang="en-us" xml:lang="en-us"> <head> <meta charset="utf-8"/> <title>SP 1800-35, Implementing a Zero Trust Architecture | CSRC</title> <meta http-equiv="content-type" content="text/html; charset=UTF-8"/> <meta http-equiv="content-style-type" content="text/css"/> <meta http-equiv="content-script-type" content="text/javascript"/> <meta name="viewport" content="width=device-width, initial-scale=1.0"/> <meta name="msapplication-config" content="/CSRC/Media/images/favicons/browserconfig.xml"/> <meta name="theme-color" content="#000000"/> <meta name="google-site-verification" content="xbrnrVYDgLD-Bd64xHLCt4XsPXzUhQ-4lGMj4TdUUTA"/> <meta description="A zero trust architecture (ZTA) focuses on protecting data and resources. It enables secure authorized access to enterprise resources that are distributed across on-premises and multiple cloud environments, while enabling a hybrid workforce and partners to access resources from anywhere, at any time, from any device in support of the organization’s mission. 
Each access request is evaluated by verifying the context available at access time, including criteria such as the requester’s identity and role, the requesting device’s health and credentials, the sensitivity of the resource, user location, and user behavior consistency. If the enterprise’s defined access policy is met, a secure session is created to protect all information transferred to and from the resource. A real-time and continuous policy-driven, risk-based assessment is performed to establish and maintain the access. In this project, the NCCoE and its collaborators use commercially available technology to build interoperable, open, standards-based ZTA implementations that align to the concepts and principles in NIST Special Publication (SP) 800-207, Zero Trust Architecture. This NIST Cybersecurity Practice Guide explains how commercially available technology can be integrated and used to build various ZTAs."/> <!-- dcterms meta information --> <meta name="dcterms.title" content="NIST Special Publication (SP) 1800-35 (Withdrawn), Implementing a Zero Trust Architecture"/> <meta name="dcterms.description" content="A zero trust architecture (ZTA) focuses on protecting data and resources. It enables secure authorized access to enterprise resources that are distributed across on-premises and multiple cloud environments, while enabling a hybrid workforce and partners to access resources from anywhere, at any time, from any device in support of the organization’s mission. Each access request is evaluated by verifying the context available at access time, including criteria such as the requester’s identity and role, the requesting device’s health and credentials, the sensitivity of the resource, user location, and user behavior consistency. If the enterprise’s defined access policy is met, a secure session is created to protect all information transferred to and from the resource. 
A real-time and continuous policy-driven, risk-based assessment is performed to establish and maintain the access. In this project, the NCCoE and its collaborators use commercially available technology to build interoperable, open, standards-based ZTA implementations that align to the concepts and principles in NIST Special Publication (SP) 800-207, Zero Trust Architecture. This NIST Cybersecurity Practice Guide explains how commercially available technology can be integrated and used to build various ZTAs."/> <!-- dcterms authors --><!-- dcterms editors --> <meta name="dcterms.date.created" schema="ISO8601" content="2023-07-19"/> <meta name="dcterms.identifier" content="https://csrc.nist.gov/pubs/sp/1800/35/2prd"/> <meta name="dcterms.language" scheme="DCTERMS.RFC1766" content="EN-US"/> <!--Google Scholar Info--> <meta name="citation_title" content="Implementing a Zero Trust Architecture"/> <meta name="citation_publication_date" content="2023/07/19"/> <meta name="citation_technical_report_number" content="NIST Special Publication (SP) 1800-35 (Withdrawn)"/> <meta name="citation_technical_report_institution" content="National Institute of Standards and Technology"/> <meta name="citation_keywords" content="enhanced identity governance (EIG),identity, credential, and access management (ICAM),zero trust,zero trust architecture (ZTA)"/> <meta name="citation_language" content="en"/> <meta name="citation_abstract_html_url" content="https://csrc.nist.gov/pubs/sp/1800/35/2prd"/> <!--Google Scholar Authors--> <!-- Facebook OpenGraph --> <meta name="og:site_name" content="CSRC | NIST"/> <meta name="og:type" content="article"/> <meta name="og:url" content="https://web.archive.org/web/20230924000436im_/https://csrc.nist.gov/pubs/sp/1800/35/2prd"/> <meta name="og:title" content="NIST Special Publication (SP) 1800-35 (Withdrawn), Implementing a Zero Trust Architecture"/> <meta name="og:description" content="A zero trust architecture (ZTA) focuses on protecting data and 
resources. It enables secure authorized access to enterprise resources that are distributed across on-premises and multiple cloud environments, while enabling a hybrid workforce and partners to access resources from anywhere, at any time, from any device in support of the organization’s mission. Each access request is evaluated by verifying the context available at access time, including criteria such as the requester’s identity and role, the requesting device’s health and credentials, the sensitivity of the resource, user location, and user behavior consistency. If the enterprise’s defined access policy is met, a secure session is created to protect all information transferred to and from the resource. A real-time and continuous policy-driven, risk-based assessment is performed to establish and maintain the access. In this project, the NCCoE and its collaborators use commercially available technology to build..."/> <meta name="article:tag" content="enhanced identity governance (EIG),identity, credential, and access management (ICAM),zero trust,zero trust architecture (ZTA)"/> <meta name="article:published_time" content="2023-07-19"/> <meta name="og:image" content="https://web.archive.org/web/20230924000436im_/https://csrc.nist.gov/CSRC/media/images/CSRC-logo-open-graph.png"/> <link rel="apple-touch-icon" sizes="180x180" href="/web/20230924000436im_/https://csrc.nist.gov/images/icons/apple-touch-icon.png"/> <link rel="icon" type="image/png" href="/web/20230924000436im_/https://csrc.nist.gov/images/icons/favicon-32x32.png" sizes="32x32"/> <link rel="icon" type="image/png" href="/web/20230924000436im_/https://csrc.nist.gov/images/icons/favicon-16x16.png" sizes="16x16"/> <link rel="manifest" href="/web/20230924000436/https://csrc.nist.gov/images/icons/manifest.json"/> <link rel="mask-icon" href="/web/20230924000436im_/https://csrc.nist.gov/images/icons/safari-pinned-tab.svg" color="#000000"/> <link 
href="/web/20230924000436im_/https://csrc.nist.gov/CSRC/Media/images/favicons/favicon.ico" type="image/x-icon" rel="shortcut icon"/> <link href="/web/20230924000436im_/https://csrc.nist.gov/CSRC/Media/images/favicons/favicon.ico" type="image/x-icon" rel="icon"/> <link href="/web/20230924000436cs_/https://csrc.nist.gov/dist/app.css" rel="stylesheet"/> </head> <body> <div 
id="body-section" class="container"> <div class="publications-detail"> <h3 id="pub-header-display-container"> <span id="pub-header-full-display"> NIST SP 1800-35 <small>(2nd Preliminary Draft)</small> </span> <i class="fa fa-exclamation-triangle text-danger" id="pub-header-withdrawn" title="This draft publication has been withdrawn. See details below."></i> </h3> <div class="alert alert-danger" role="alert" id="pub-to-be-withdrawn-message"> <i class="fa fa-exclamation-triangle text-danger" id="pub-withdrawn-triangle" title="This draft publication has been withdrawn."></i> Further development of this draft has ceased (<span id="pub-withdrawn-date">August 22, 2023</span>). </div> <h1 id="pub-title">Implementing a Zero Trust Architecture</h1> <div class="row"> <div class="col-md-8 col-sm-12 publication-panel"> <p> <strong>Date Published:</strong> <span id="pub-release-date" data-date-type="citation">July 19, 2023</span><br/> <strong>Comments Due:</strong> <span 
id="pub-comments-due">September 4, 2023 (public comment period is CLOSED)</span><br/> <strong>Email Questions to:</strong> <span id="pub-comments-email"> <a href="https://web.archive.org/web/20230924000436/mailto:nccoe-zta-project@list.nist.gov?Subject=Comment on 3rd Preliminary Drafts of SP 1800-35B/C">nccoe-zta-project@list.nist.gov</a> </span><br/> </p> <h4>Announcement</h4> <p id="pub-announcement"><p>The Zero Trust Architecture (ZTA) team at NIST's National Cybersecurity Center of Excellence (NCCoE) has published the third version of volumes B and C of a preliminary draft practice guide titled “Implementing a Zero Trust Architecture” and is seeking the public's comments on their contents.</p><p>This guide summarizes how the NCCoE and its collaborators are using commercially available technology to build interoperable, open, standards-based ZTA example implementations that align to the concepts and principles in NIST Special Publication (SP) 800-207, <a href="/web/20230924000436/https://csrc.nist.gov/publications/detail/sp/800-207/final"><i>Zero Trust Architecture</i></a>. </p><p style="margin-left:0px;"><strong>The updated versions of volumes B and C describe ten ZTA implementations, demonstrating how blends of commercially available technologies can be integrated and brought into play to build various types of ZTAs. </strong>We will continue to update the volumes of NIST SP 1800-35 as needed as we make significant progress on the project.</p><p style="margin-left:0px;">As an enterprise’s data and resources have become distributed across the on-premises environment and multiple clouds, protecting them has become increasingly challenging. Many users need access from anywhere, at any time, from any device. 
The NCCoE is addressing these challenges by collaborating with industry participants to demonstrate several approaches to a zero trust architecture applied to a conventional, general-purpose enterprise IT infrastructure on-premises and in the cloud.</p></p> <div class="bs-callout bs-callout-success pub-abstract-callout"> <h4 id="pubs-abstract-header">Abstract</h4> <div class="hidden-sm hidden-xs hidden-xxs" id="pub-detail-abstract-info"><p>A zero trust architecture (ZTA) focuses on protecting data and resources. It enables secure authorized access to enterprise resources that are distributed across on-premises and multiple cloud environments, while enabling a hybrid workforce and partners to access resources from anywhere, at any time, from any device in support of the organization’s mission. Each access request is evaluated by verifying the context available at access time, including criteria such as the requester’s identity and role, the requesting device’s health and credentials, the sensitivity of the resource, user location, and user behavior consistency. If the enterprise’s defined access policy is met, a secure session is created to protect all information transferred to and from the resource. A real-time and continuous policy-driven, risk-based assessment is performed to establish and maintain the access. In this project, the NCCoE and its collaborators use commercially available technology to build interoperable, open, standards-based ZTA implementations that align to the concepts and principles in NIST Special Publication (SP) 800-207, <em>Zero Trust Architecture</em>. This NIST Cybersecurity Practice Guide explains how commercially available technology can be integrated and used to build various ZTAs.</p></div>
<h4>Keywords</h4> <span id="pub-keywords-container" data-total="4"> <span id="pub-keyword-0">enhanced identity governance (EIG)</span>; <span id="pub-keyword-1">identity, credential, and access management (ICAM)</span>; <span id="pub-keyword-2">zero trust</span>; <span id="pub-keyword-3">zero trust architecture (ZTA)</span> </span> </div> <h5>Control Families</h5> <p> <span id="pub-control-fam-container" data-total="4"> <span id="pub-control-fam-0">Access Control</span>; <span id="pub-control-fam-1">Identification and Authentication</span>; <span id="pub-control-fam-2">Risk Assessment</span>; <span id="pub-control-fam-3">System and Communications Protection</span> </span> </p> </div> <div class="col-md-4 col-sm-12"> <div class="bs-callout bs-callout-success" id="pubs-documentation"> <h4>Documentation</h4> <p> <strong>Publication:</strong><br/> <a href="https://web.archive.org/web/20230924000436/https://www.nccoe.nist.gov/sites/default/files/2023-07/zta-nist-sp-1800-35b-preliminary-draft-3.pdf" id="pub-local-download-link"><i class="fa fa-download"></i> NIST SP 1800-35B 3prd (pdf)</a><br/> <a href="https://web.archive.org/web/20230924000436/https://www.nccoe.nist.gov/sites/default/files/2023-07/zta-nist-sp-1800-35c-preliminary-draft-3.pdf" id="pub-local-download-link"><i class="fa fa-download"></i> NIST SP 1800-35C 3prd (pdf)</a><br/> </p> <p> <strong>Supplemental Material:</strong><br/> <span id="pub-supp-container" data-total="5"> <a href="https://web.archive.org/web/20230924000436/https://www.nccoe.nist.gov/sites/default/files/2022-12/zta-nist-sp-1800-35a-preliminary-draft-2.pdf" id="pub-supp-link-0"><i class="fa fa-download"></i> NIST SP 1800-35A 2prd (pdf)</a><br/> <a 
href="https://web.archive.org/web/20230924000436/https://www.nccoe.nist.gov/sites/default/files/2022-12/zta-nist-sp-1800-35d-preliminary-draft-2.pdf" id="pub-supp-link-1"><i class="fa fa-download"></i> NIST SP 1800-35D 2prd (pdf)</a><br/> <a href="https://web.archive.org/web/20230924000436/https://www.nccoe.nist.gov/sites/default/files/2022-12/zta-nist-sp-1800-35e-preliminary-draft.pdf" id="pub-supp-link-2"><i class="fa fa-file"></i> NIST SP 1800-35E iprd </a><br/> <a href="https://web.archive.org/web/20230924000436/https://www.nccoe.nist.gov/projects/implementing-zero-trust-architecture" id="pub-supp-link-3"><i class="fa fa-file"></i> Project homepage </a><br/> <a href="https://web.archive.org/web/20230924000436/https://www.nccoe.nist.gov/sites/default/files/2022-12/zta-nist-sp1800-35-comment-form.xlsx" id="pub-supp-link-4"><i class="fa fa-file-excel-o"></i> Comment template (xlsx)</a><br/> </span> </p> <p> <strong>Document History:</strong><br/> <span id="pub-history-container" data-total="2"> 08/09/22: <a href="/web/20230924000436/https://csrc.nist.gov/pubs/sp/1800/35/iprd" id="pub-history-link-0" data-current-document="false">SP 1800-35 (Draft)</a><br/> 07/19/23: <span id="pub-history-link-1" data-current-document="true">SP 1800-35 (Draft)</span><br/> </span> </p> </div> <div class="bs-callout bs-callout-danger" id="topicsCallout-lg"> <h4>Topics</h4> <strong id="pub-cat-0">Security and Privacy</strong> <p> <a id="pub-cat-top-0-0" href="/web/20230924000436/https://csrc.nist.gov/topics/security-and-privacy/identity-and-access-management/access-authorization">access authorization</a>, <a id="pub-cat-top-0-1" href="/web/20230924000436/https://csrc.nist.gov/topics/security-and-privacy/identity-and-access-management/access-control">access control</a>, <a id="pub-cat-top-0-2" href="/web/20230924000436/https://csrc.nist.gov/topics/security-and-privacy/identity-and-access-management/authentication">authentication</a>, <a id="pub-cat-top-0-3" 
href="/web/20230924000436/https://csrc.nist.gov/topics/security-and-privacy/risk-management/controls/security-controls">security controls</a>, <a id="pub-cat-top-0-4" href="/web/20230924000436/https://csrc.nist.gov/topics/security-and-privacy/zero-trust">zero trust</a> </p> <strong id="pub-cat-1">Technologies</strong> <p> <a id="pub-cat-top-1-0" href="/web/20230924000436/https://csrc.nist.gov/topics/technologies/networks/firewalls">firewalls</a>, <a id="pub-cat-top-1-1" href="/web/20230924000436/https://csrc.nist.gov/topics/technologies/servers">servers</a> </p> <strong id="pub-cat-2">Applications</strong> <p> <a id="pub-cat-top-2-0" href="/web/20230924000436/https://csrc.nist.gov/topics/applications/communications-and-wireless">communications & wireless</a>, <a id="pub-cat-top-2-1" href="/web/20230924000436/https://csrc.nist.gov/topics/applications/telework">telework</a> </p> <strong id="pub-cat-3">Laws and Regulations</strong> <p> <a id="pub-cat-top-3-0" href="/web/20230924000436/https://csrc.nist.gov/topics/laws-and-regulations/executive-documents/executive-order-14028">Executive Order 14028</a> </p> </div> </div> </div> </div> <div id="footer-pusher"></div> </div> <script type="text/javascript" src="/web/20230924000436js_/https://csrc.nist.gov/dist/js/quick-collapse.js"></script> <script type="text/javascript" src="/web/20230924000436js_/https://csrc.nist.gov/dist/app.bundle.js"></script> </body> </html>