July 8, 2025
NIST Publishes Final Version of SP 1800-35: Implementing a Zero Trust Architecture
NIST published the final version of SP 1800-35: Implementing a Zero Trust Architecture. This publication is a practical guide designed to help organizations navigate the complexities of ZTA implementation.
The preliminary drafts of SP 1800-35 were released as separate volumes (A, B, C, D, E) over time, with updates published in 2022 and 2023 (most recently in July and December 2023). The final version consolidates this extensive body of work, providing both a “High-Level Document” for a quick overview and a “Full Document in Web Format” for in-depth technical details on the technologies used, their integrations, and their configurations.
The journey to this final publication involved an extensive, four-year collaborative effort by the NIST National Cybersecurity Center of Excellence (NCCoE) with 24 industry partners. This collaboration culminated in 19 distinct sample ZTA implementations, all built using commercial, off-the-shelf (COTS) technologies. These 19 examples serve as valuable, replicable models, offering detailed technical information, sample configurations, integration steps, and test results for a wide range of real-world scenarios, including multi-cloud platforms, branch offices, and remote access via public Wi-Fi.
Essential Components of a Zero Trust Architecture
The NIST SP 1800-35 guide organizes its example implementations into a “crawl, walk, run” model, with each stage applying zero trust principles and components more fully than the last. There is no “one size fits all” approach to implementing a zero trust architecture; each environment is unique, and implementing zero trust is a continual and incremental journey.
To aid in understanding the breadth of core and supporting components necessary for a robust ZTA, the following table lists zero trust components and outlines their functions.
Policy Engine (PE): Makes the ultimate decision to grant, deny, or revoke access to a resource for a given subject, calculating trust scores based on enterprise policy and information from supporting components.
Policy Administrator (PA): Carries out the PE’s policy decision by sending commands to the PEP to establish and terminate communication paths between the subject and the resource, and generates session-specific tokens.
Policy Enforcement Point (PEP): Acts as a guard for the trust zone, enabling, monitoring, and terminating connections between subjects and resources based on commands from the PA.
Policy Information Points (PIPs): Provide necessary telemetry and information for the Policy Decision Point (PDP) to make informed decisions.
Identity Management: Creates and manages enterprise user and device accounts, identity records, role information, and access attributes, enforcing least privilege.
Access and Credential Management: Uses authentication methods (SSO, MFA) to verify subject identity and authorization, including continuous access evaluation and risk-based conditional access.
Federated Identity: Aggregates and correlates all attributes related to an identity or object, allowing secure access across different domains.
Identity Governance: Uses policy-based, centralized, automated processes to manage user identity and access control functions, including segregation of duties, role management, and auditing.
Multi-factor Authentication (MFA): Grants user access only after successfully presenting two or more pieces of evidence to an authentication mechanism.
EDR/EPP (Endpoint Detection and Response/Endpoint Protection Platform): Provides strategies, technology, and governance for endpoint protection, including XDR solutions for automated monitoring, analysis, detection, and remediation.
Host firewall: Prevents individual endpoints from receiving explicitly unpermitted traffic, protecting against malware and malicious traffic.
Malware protection: Scans endpoint software for known malware signatures or uses non-signature-based methods to detect malicious code.
Vulnerability/threat mitigation: Monitors endpoint software and configurations for known vulnerabilities, providing alerts and remediation recommendations.
Host intrusion protection: Monitors an endpoint for suspicious activity indicating an attempted intrusion, stopping malicious activity and logging events.
UEM/MDM (Unified Endpoint Management/Mobile Device Management): Secures and manages a wide range of employee devices and operating systems from a single console.
Endpoint compliance: Ensures an endpoint has the required hardware, firmware, software, and configurations, and no unauthorized elements, as per enterprise policy.
Application protection (Endpoint): Manages and protects data within an application by enforcing specific protection policies.
Data protection enforcement (Endpoint): Ensures data stored on the device is protected according to enterprise policies.
CDM (Continuous Diagnostics and Mitigation): Gathers information about enterprise assets and their current state, applies configuration and software updates, and provides asset information to the PE.
Data discovery: Scans and classifies digital assets, including unstructured data.
Data classification and labeling: Describes an organization’s data security levels to the system and applies those labels to the data.
Data encryption: Protects data from unauthorized disclosure while at rest and in transit.
Data integrity: Protects data from unauthorized modification while at rest and in transit.
Data availability: Protects the ability of authorized users to access data in a timely manner and guards against unauthorized deletion.
Data access protection: Restricts access to/actions on data based on permanent or transient attributes of the accessing entity, with the ability to revoke access.
Auditing and compliance (Data): Proves that data security policies are in effect and delivering desired protections.
SIEM (Security Information and Event Management): Collects and consolidates security information and event data, correlates and analyzes data to detect anomalies, and logs data for compliance.
SOAR (Security Orchestration, Automation, and Response): Collects and monitors alerts from security systems, and executes predefined incident response workflows to automate responses.
Vulnerability scanning and assessment: Scans and assesses enterprise infrastructure and resources for security risks, identifies vulnerabilities, and provides remediation guidance.
Network discovery: Discovers, classifies, and assesses the risk posed by devices and users on the network.
Security controls validation: Validates implemented ZTA cybersecurity controls through visibility into network traffic and transaction flows.
Identity monitoring: Monitors subject identities to detect and alert on indicators of compromised user accounts/credentials or sign-in risks.
Security monitoring (Analytics): Monitors and detects malicious or suspicious user actions based on directory signals.
Application protection and response (Analytics): Protects specific applications from phishing, spam, malware, and other attacks.
Cloud access permission manager: Provides visibility and control of permissions used by identities in various cloud services.
Security analytics and access monitoring: Monitors cloud resource access sessions for conformance to policy.
Network monitoring (Analytics): Aggregates and analyzes network telemetry from network devices to provide network visibility for detecting and responding to threats.
Traffic inspection: Intercepts, examines, and records relevant traffic transmitted on the network.
Endpoint monitoring (Analytics): Discovers all IP-connected endpoints and continuously collects, examines, and analyzes software versions, configurations, and other information about hosts.
Threat intelligence: Uses information about known or emerging vulnerabilities, attacks, and other menaces to inform defense decisions.
User behavior analytics: Monitors and analyzes user behavior to detect unusual patterns or anomalies that might indicate an attack.
Firmware assurance: Continuously monitors IT device firmware.
Application connector: A component deployed as the front-end for an internal resource to act as a proxy, controlling access without making the resource visible on the network.
Cloud workload protection: Secures cloud workloads from known security risks, monitors traffic to/from cloud and web applications, and provides real-time alerts.
Cloud security posture management: Continuously assesses the security posture of cloud resources.
Resource Management: Ensures the resource is authenticated and its endpoint conforms to enterprise policy upon being brought online.
Session Establishment: Establishes a secure session if access is approved by the Policy Engine.
Continuous Session Evaluation: Performs ongoing evaluation of access requests, continuous session evaluation, periodic reauthentication, and periodic endpoint hygiene verification.

Implementing a Zero Trust Architecture requires a robust portfolio of integrated solutions, as well as significant policy, governance, and processes. We at FRC have curated products and services designed to help organizations achieve their ZTA goals, leveraging the insights from NIST SP 1800-35 and our customers.
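The control-plane components listed above (Policy Engine, Policy Administrator, Policy Enforcement Point, Policy Information Points) and the Session Establishment and Continuous Session Evaluation functions fit together in a small, fixed pattern. The following is an added illustration written for this post, not code from NIST SP 1800-35 or from any FRC or partner product: a toy Python model in which PIP telemetry (constructed values) feeds a trust score in the PE, the PA issues an HMAC-bound session token when the score clears the resource's threshold, the PEP checks that token on every access, and a later, worse PIP report causes the PA to revoke the session so the PEP cuts it off. The scoring weights, thresholds, resource catalog and token format are assumptions chosen for the example.

```python
"""Toy ZTA control plane: PIP -> PE -> PA -> PEP with continuous evaluation.
Constructed example; scoring, thresholds and token layout are illustrative only."""
from dataclasses import dataclass
from typing import Dict, Optional
import hashlib
import hmac
import secrets


@dataclass(frozen=True)
class AccessRequest:
    subject: str
    device_id: str
    resource: str


@dataclass(frozen=True)
class Telemetry:
    """What the Policy Information Points report about this subject/device."""
    mfa_verified: bool
    device_compliant: bool
    sign_in_risk: str  # "low" | "medium" | "high" (assumed identity-monitoring signal)


class PolicyEngine:
    """Turns PIP telemetry into a trust score and compares it with the
    sensitivity threshold of the requested resource (assumed values)."""
    THRESHOLDS = {"internal": 2, "restricted": 3}
    RISK_WEIGHT = {"low": 1, "medium": 0, "high": -2}

    def __init__(self, catalog: Dict[str, str]):
        self.catalog = catalog  # resource name -> sensitivity class

    def score(self, t: Telemetry) -> int:
        return int(t.mfa_verified) + int(t.device_compliant) + self.RISK_WEIGHT[t.sign_in_risk]

    def decide(self, req: AccessRequest, t: Telemetry) -> bool:
        return self.score(t) >= self.THRESHOLDS[self.catalog[req.resource]]


class PolicyAdministrator:
    """Issues session tokens for PE-approved requests and revokes them when
    re-evaluation against fresh telemetry fails."""
    def __init__(self, pe: PolicyEngine, key: bytes):
        self.pe, self.key = pe, key
        self.sessions: Dict[str, AccessRequest] = {}  # active token -> request

    def _tag(self, body: str) -> str:
        return hmac.new(self.key, body.encode(), hashlib.sha256).hexdigest()

    def establish(self, req: AccessRequest, t: Telemetry) -> Optional[str]:
        if not self.pe.decide(req, t):
            return None
        body = f"{req.subject}|{req.device_id}|{req.resource}|{secrets.token_hex(8)}"
        token = f"{body}|{self._tag(body)}"
        self.sessions[token] = req
        return token

    def reevaluate(self, token: str, t: Telemetry) -> bool:
        """Continuous session evaluation: drop the session if the PE now says no."""
        req = self.sessions.get(token)
        if req is None:
            return False
        if not self.pe.decide(req, t):
            del self.sessions[token]  # revoke; the PEP will refuse from now on
            return False
        return True


class PolicyEnforcementPoint:
    """Guards the resource: only a live, untampered token bound to this resource passes."""
    def __init__(self, pa: PolicyAdministrator):
        self.pa = pa

    def allow(self, token: Optional[str], resource: str) -> bool:
        req = self.pa.sessions.get(token) if token else None
        if req is None or req.resource != resource:
            return False
        body, _, tag = token.rpartition("|")
        return hmac.compare_digest(tag, self.pa._tag(body))


def run_scenario() -> Dict[str, bool]:
    """Walk one subject through grant, enforcement, drift and revocation."""
    pe = PolicyEngine({"wiki": "internal", "hr-db": "restricted"})
    pa = PolicyAdministrator(pe, key=secrets.token_bytes(32))
    pep = PolicyEnforcementPoint(pa)
    healthy = Telemetry(mfa_verified=True, device_compliant=True, sign_in_risk="low")
    drifted = Telemetry(mfa_verified=True, device_compliant=False, sign_in_risk="low")
    risky = Telemetry(mfa_verified=True, device_compliant=True, sign_in_risk="high")

    token = pa.establish(AccessRequest("alice", "laptop-42", "hr-db"), healthy)
    out = {"granted": token is not None, "first_access": pep.allow(token, "hr-db")}
    out["wrong_resource"] = pep.allow(token, "wiki")          # token is resource-bound
    out["still_valid"] = pa.reevaluate(token, drifted)         # endpoint fell out of compliance
    out["after_revoke"] = pep.allow(token, "hr-db")            # PEP now terminates access
    out["internal_with_drift"] = pa.establish(AccessRequest("alice", "laptop-42", "wiki"), drifted) is not None
    out["high_risk_internal"] = pa.establish(AccessRequest("alice", "laptop-42", "wiki"), risky) is not None
    return out


if __name__ == "__main__":
    for name, value in run_scenario().items():
        print(f"{name}: {value}")
```

The point of the model is the separation of duties: the PE never touches the connection, the PEP never reasons about policy, and the only thing that changes the PEP's answer is the PA's session registry, which is exactly where continuous evaluation acts. In a real deployment the "telemetry" arrives from the identity provider, endpoint compliance and identity-monitoring components in the table, and the token would carry an expiry so periodic reauthentication happens even without a new signal.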
Our OEM partners, including Okta, Zscaler, Trellix, Cribl, Tines, IGEL, Elastic, AttackIQ, Chainguard, Owl Cyber Defense, Armis, ServiceNow, and RSA, provide the cutting-edge technologies essential for building and maintaining a strong Zero Trust posture. We invite you to connect with us to discuss how our solutions can be tailored to your specific ZTA journey.
Explore our full Zero Trust approach and resources here: FRC Zero Trust Architecture