NIST adds zero-trust ‘approaches’ to its security architecture guidance for agencies
The National Institute of Standards and Technology wants agencies to consider their approach to zero-trust security architecture when it re-releases a draft special publication for public comment — tentatively in early February.
NIST released the first draft in September, defining zero-trust as the narrowing of cyberdefenses from wide network perimeters to micro-perimeters around individual or small groups of resources.
The special publication is an attempt to provide agencies with a “conceptual framework” using vendor-neutral terms, Scott Rose, a computer scientist at NIST, said at Duo Security’s Zero Trust Security Summit presented by FedScoop. NIST added a section on approaches to its guidance after the first comment period resolved.
“It’s where the emphasis of zero-trust implementations lie — whether identity or the actual micro-segmentation or the underlying network itself,” Rose told FedScoop after his panel. “Every good solution has elements of all three, it’s just: What is the key turning point for the organization?”
NIST doesn’t want to dictate one approach without knowing whether agencies consider enhanced identity governance, micro-perimeters or software-defined networking most important, he added.
The original draft was a “good first step,” Sean Frazier, advisory chief information security officer of federal at Duo Security, told FedScoop.
“To me the first draft was kind of like the kitchen sink — they threw everything in there,” Frazier said. “They threw in all the buzzwords — the [Continuous Diagnostics and Mitigation program] and [Trusted Internet Connections 3.0] and all the things — and some of those things are related, and some a little less related.”
Frazier said he expects the guidance will be “streamlined” after vendors attempt to make their own additions to the document and then aligned with the National Cybersecurity Center of Excellence’s (NCCoE) reference architecture around the use cases, as well as TIC 3.0. TIC Program Manager Sean Connelly is one of the special publication’s authors for that reason.
Once the special publication is finalized, NIST plans follow-on documents diving deeper into the relationship between zero trust and technologies spanning microservices, identity management, and machine learning and artificial intelligence, Rose said.
A NIST test lab is already recreating some of the security architectures used by agencies and financial institutions to see if they make good zero-trust use cases. And a formal announcement is in the works for an NCCoE demonstration project in the spring, Rose said.
