NIST SPECIAL PUBLICATION 1800-35A

Implementing a Zero Trust Architecture
Volume A: Executive Summary

Alper Kerman
Murugiah Souppaya
National Institute of Standards and Technology
Rockville, Maryland

Dr. Parisa Grayeli
Susan Symington
The MITRE Corporation
McLean, Virginia

June 2022

PRELIMINARY DRAFT

This publication is available free of charge from zero-trust-architecture

PRELIMINARY DRAFT
NIST SP 1800-35A: Implementing a Zero Trust Architecture

Executive Summary

As an enterprise’s data and resources have become distributed across the on-premises environment and multiple clouds, protecting them has become increasingly challenging. Many users need access from anywhere, at any time, from any device to support the organization’s mission. Data is programmatically stored, transmitted, and processed across different organizations’ environments, which are distributed across on-premises and the cloud to meet ever-evolving business use cases. It is no longer feasible to simply protect data and resources at the perimeter of the enterprise environment and assume that all users, devices, applications, and services within it can be trusted.

A zero-trust architecture (ZTA) enables secure authorized access to each individual resource, whether located on-premises or in the cloud, for a hybrid workforce and partners based on an organization’s defined access policy. For each access request, ZTA explicitly verifies the context available at access time—this includes the requester’s identity and role, the requesting device’s health and credentials, and the sensitivity of the resource. If the defined policy is met, a secure session is created to protect all information transferred to and from the resource. A real-time and continuous policy-driven, risk-based assessment is performed to establish and maintain the access.
This guide summarizes how the National Cybersecurity Center of Excellence (NCCoE) and its collaborators are using commercially available technology to build interoperable, open standards-based ZTA implementations that align to the concepts and principles in NIST Special Publication (SP) 800-207, Zero Trust Architecture. As the project progresses, this preliminary draft will be updated, and additional volumes will also be released for comment.

CHALLENGE

Organizations would like to adopt a ZTA, but they have been facing some challenges which may include:

• Leveraging existing investments and balancing priorities while making progress toward a ZTA
• ZTA deployment requiring leveraging integration of many deployed existing technologies of varying maturities and identifying technology gaps to build a complete ZTA
• Concern that ZTA might negatively impact the operation of the environment or end-user experience
• Lack of common understanding of ZTA across the organization, gauging the organization’s ZTA maturity, determining which ZTA approach is most suitable for the business, and developing an implementation plan

This preliminary practice guide can help your organization:

• Identify milestones for gradually integrating ZTA into your environment, based on the demonstrated examples and using a risk-based approach, to:
  • Support teleworkers with access to resources regardless of user location or user device (managed or unmanaged)
  • Protect resources regardless of their location (on-premises or cloud-based)
  • Limit the insider threat (insiders are not automatically trusted)
  • Limit breaches (reduce attackers’ ability to move laterally in the environment)
  • Protect sensitive corporate information with data security solution

This document was uploaded and shared by 思安 on 2022-12-05 09:22:07.