Main NIST 1800-35 landing page: https://www.nccoe.nist.gov/projects/implementing-zero-trust-architecture
"Conventional network security has focused on perimeter defenses, but many organizations no longer have a clearly-defined perimeter. To protect a modern digital enterprise, organizations need a comprehensive strategy for secure “anytime, anywhere” access to their corporate resources (e.g., applications, legacy systems, data, and devices) regardless of where they are located."
The ZT9 workgroup is reviewing this document and is taking the lead in assembling an aggregate set of CSA comments to submit to NIST.
Link to ZT9 CSA comments aggregation spreadsheet
NIST is particularly interested in feedback on the following questions:
- How well do the practices in this guide relate to existing practices leveraged by your organization? Are there significant gaps between the sets of practices that this guide should address?
- How do you expect this guide to influence your future practices and processes?
- How do you envision using this guide? What changes would you like to see to increase/improve that use?
- What suggestions do you have on changing the format of the provided information?
------------------------------
Erik Johnson CCSK, CCSP, CISSP, PMP
Senior Research Analyst
Cloud Security Alliance
------------------------------
Original Message:
Sent: Aug 06, 2024 10:08:27 AM
From: Michael Roza
Subject: NIST SP 1800-35 Implementing a Zero Trust Architecture: High-level Overview 4th Preliminary Draft for comment
Hi All,
The NIST National Cybersecurity Center of Excellence (NCCoE) has released the fourth version of our preliminary draft practice guide, Implementing a Zero Trust Architecture (NIST SP 1800-35), for public comment. This publication outlines results and best practices from the NCCoE effort to work with 24 vendors to demonstrate end-to-end zero trust architectures.
As an enterprise's data and resources have become distributed across on-premises and multiple cloud environments, protecting them has become increasingly challenging. Many users need options to access information across the globe, at all hours, across devices. The NCCoE is addressing these unique challenges by collaborating with industry participants to demonstrate 17 sample zero trust architecture implementations (applied to a conventional, general-purpose enterprise IT infrastructure).
Detailed technical information for each sample implementation can serve as a valuable resource for technology implementers by providing models they can replicate. The lessons learned from the implementations and integrations can help organizations save time and resources.
Starting with this release, we are introducing our traditional NIST SP 1800-35 document in two formats: one "High-Level Document in PDF Format" and one "Full Document in Web Format."
The PDF document is meant to serve as introductory reading and provide insight into the project effort (since it provides a high-level summary of project goals, reference architecture, various ZTA implementations, and findings).
The web-format document provides in-depth details about the technologies leveraged, their integrations and configurations, and the use cases and scenarios demonstrated. It also contains information on the implemented security capabilities and their mappings to the NIST Cybersecurity Framework (CSF) versions 1.1 and 2.0, NIST SP 800-53r5, and security measures outlined in "EO-Critical Software" under Executive Order 14028.
We welcome your input and look forward to your comments by September 30, 2024.
PDF Version
https://www.nccoe.nist.gov/sites/default/files/2024-07/zta-nist-sp-1800-35-preliminary-draft-4.pdf
Web Version
https://pages.nist.gov/zero-trust-architecture/index.html
------------------------------
Michael Roza CPA, CISA, CIA, CC, CCSKv5, CCZTv1, MBA, Exec MBA,
------------------------------