NIST SPECIAL PUBLICATION 1800- 35C Implementing a Zero Trust Architecture Volume C: How -To Guides Gema Howell Alper Kerman Murugiah Souppaya National Institute of Standards and Technology Gaithersburg, MD Jason Ajmo Yemi Fashina Parisa Grayeli Joseph Hunt Jason Hurlburt Nedu Irrechukwu Joshua Klosterman Oksana Slivina Susan Symington Allen Tan The MITRE Corporation McLean, VA Peter Gallagher Aaron Palermo Appgate Coral Gables, FL Adam Cerini Conrad Fernandes AWS (Amazon Web Services) Arlington, VA Kyle Black Sunjeet Randhawa Broadcom Software San Jose, CAAaron Rodriguez Micah Wilson Cisco Herndon, VA Corey Bonnell Dean Coclin DigiCert Lehi, UT Ryan Johnson Dung Lam F5 Seattle, WA Neal Lucier Tom May Forescout San Jose, CA Tim Knudsen Google Cloud Mill Valley, CA Harmeet Singh Krishna Yellepeddy IBM Armonk, NY Corey Lund Farhan Saifudin Ivanti South Jordan, UTHashim Khan Tim LeMaster Lookout Reston, VA James Elliott David Pricer Mandiant Reston, VA Clay Taylor Tarek Dawoud Microsoft Redmond, WA Vinu Panicker Okta San Francisco, CA Andrew Keffalas Norman Wong Palo Alto Networks Santa Clara, CA Rob Woodworth Shawn Higgins PC Matic Myrtle Beach, SC Bryan Rosensteel Ivan Anderson Ping Identity Denver, COWade Ellery John Petrutiu Radiant Logic Novato, CA Frank Briguglio Ryan Tighe SailPoint Austin, TX Chris Jensen Joshua Moll Tenable Columbia, MD Jason White Trellix, Public Sector Reston, VA Jacob Rapp Paul Mancuso VMware Palo Alto, CA Joe Brown Jim Kovach Zimperium Dallas, TX Bob Smith Syed Ali Zscaler San Jose, CA August 2022 PRELIMINARY DRAFT This publication is available free of charge from h ttps://www.nccoe.nist.gov/projects/implementing -zero -trust -architecture PRELIMINARY DRAFT NIST SP 1800- 35C: Implementing a Zero Trust Architecture ii DISCLAIMER 1 Certain commercial entities, equipment, products, or materials may be identified by name or company 2 logo or other insignia in order to acknowledge their participation in this collaboration or to describe an 3 experimental procedure or concept adequately. Suc h identification is not intended to imply special 4 status or relationship with NIST or recommendation or endorsement by NIST or NCCoE; neither is it 5 intended to imply that the entities, equipment, products, or materials are necessarily the best available 6 for the purpose. 7 While NIST and the NCCoE address goals of improving management of cybersecurity and privacy risk 8 through outreach and application of standards and best practices, it is the stakeholder’s responsibility to 9 fully perform a risk assessment to i nclude the current threat, vulnerabilities, likelihood of a compromise, 10 and the impact should the threat be realized before adopting cybersecurity measures such as this 11 recommendation. 12 National Institute of Standards and Technology Special Publication 180 0-35C, Natl. Inst. Stand. Technol. 13 Spec. Publ. 1800 -35C, 83 pages, ( August 2022), CODEN: NSPUE2 14 FEEDBACK 15 You can improve this guide by contributing feedback. As you review and adopt this solution for your 16 own organization, we ask you and your colleagues to share your experience and advice wi th us. 17 Comments on this publication may be submitted to: nccoe- zta-project@list.nist.gov . 18 Public comment period: August 9 , 2022 through September 9, 2022 19 All comments are subject to release under the Freedom of Information Act. 20 National Cybersecurity Center of Excellence 21 National Institute of Standards and Technology 22 100 Bureau Drive 23 Mailstop 2002 24 Gaithersburg, MD 20899 25 Email: nccoe@nist.gov 26 PRELIMINARY DRAFT NIST SP 1800- 35C: Implementing a Zero Trust Architecture iii NATIONAL CYBERSECURITY CENTER OF EXCELLE NCE 27