Open for Public Comment: NIST NCCoE Zero Trust Architecture Preliminary Draft Practice Guide (Vol D)

NIST's National Cybersecurity Center of Excellence (NCCoE) has released the third version of volume D of a preliminary draft practice guide titled "Implementing a Zero Trust Architecture" (ZTA) and is seeking the public's comments on its contents.

This guide summarizes how the NCCoE and its collaborators are using commercially available technology to build interoperable, open standards-based ZTA example implementations that align to the concepts and principles in NIST Special Publication (SP) 800-207, Zero Trust Architecture. Volume D provides a functional demonstration plan, and the updated version includes demonstration results for ten builds.

As an enterprise's data and resources have become distributed across the on-premises environment and multiple clouds, protecting them has become increasingly challenging. Many users need access from anywhere, at any time, from any device. The NCCoE is addressing these challenges by collaborating with industry participants to demonstrate several approaches to a zero-trust architecture applied to a conventional, general-purpose enterprise IT infrastructure on-premises and in the cloud.

The NCCoE is making volume D available (https://www.nccoe.nist.gov/projects/implementing-zero-trust-architecture) as a preliminary draft for public comment while work continues on the project. Review the preliminary draft and submit comments by October 9th, 2023. Comments and questions for the team can be sent to [email protected].
Michael Roza CPA, CISA, CIA, CC, MBA, Exec MBA, CSA Research Fellow
Email 1: [email protected]
Phone: 32 4 76 31 05 40
Here's the link to the NIST landing page for info and context on the full set of NCCOE ZT docs: https://www.nccoe.nist.gov/projects/implementing-zero-trust-architecture
Is there any interest in compiling an aggregate and harmonized set of CSA comments on this?
Erik, I would think yes. I am currently collecting my own comments.
An overall comment is that section 2 reads like a compliance statement. There are a significant number of UCs that are repetitive in that they enumerate a large number of permutations, yet the expected outcome is the same for each line.
I think it also has questions for O&A and V&A in terms of granularity and sources of signals and API to enforce controls.
Great. Here's a shared comment file that we can all use. Default access is Commenter. Let me know if you have comments you'd like to add in Edit mode.
Thanks for coordinating, Erik.
Can you make this accessible please, Erik. For the benefit of the group, I believe there is a basic weakness in Use Case A: Discovery and Identification of IDs, Assets, and Data Flows. Here is my comment, as clarity here is essential for subsequent sections. I would be interested in other ZTA practitioner views.
Scenario A-1: Discovery and authentication of endpoint assets – this section refers to a precondition that "The enterprise infrastructure is a macrosegmented local network with an "enterprise" segment with resources that can only be accessed by authorized Enterprise-IDs and a "guest" segment with access to the public internet only." This is now an out of date description for network segmentation. Enterprise segments and guest segments are no longer segregated by private network and public network. Network segmentation can apply to SaaS for both enterprise users and guest users. Third parties are often provided access by segment to functionality NOT over the public internet. For a start, the focus on network segment as being inferred from Enterprise ID and Guest ID is too vague. Presumably these are identity management precepts, not network segmentation access identifiers. As it currently reads, there is a confusion between network identification and access service identity management. This is important, because subsequently re-authentication is referred to. If authentication, authorization and access management are not adequately defined from the outset, the following sections are based on vague assumptions. This weakens the rest of the document.
It's set for commenting access for all ZT workgroup members and read access for anyone with the link.
The link is not working for me. I will therefore be sending my own comments. Collaboration is a valuable tool, however the link provided by Eric Johnson is not working.
You're certainly free to send your own comments in directly, but if you provide more info about what you're doing (e.g. how you're logged in) and what's not working, we'll help get it working for you.
Erik, the spreadsheet is read only. I've never had that experience previously with CSA spreadsheets. Did anyone else test it?
The spreadsheet link is working for me now, thanks @Erik Johnson
I encourage everyone with ZTA experience to comment, both privately and as part of CSA. So important that practical experience and lessons learned off the horse's back are passed on.
Erik, having commented as the Software Defined Perimeter Working Group on NIST publications for years, I can assure you that as a group, we self-organised and managed to provide in-depth commentary on many 800 Special Publications, and our collaboration produced a more powerful and succinct set of observations. Since the new CSA structure, it is difficult to get a cohesive set of experts together - maybe because you are now so popular. I have absolutely no problem commenting as a security company with a leading-edge Zero Trust Identity Management cybersecurity product; I make the point that fostering collaboration in a real sense, in terms of getting the depth of expertise, is a better playbook and produces more effective results. I won't labour the point: there is either something wrong with your Google Docs security posture or there isn't; if you want to do a collaborative diagnosis, by all means, I am open to it.