NCCoE publishes SP 1800-35D on implementing a zero trust architecture, calls for feedback by Oct. 9


The National Cybersecurity Center of Excellence (NCCoE) published the third preliminary draft of NIST Cybersecurity Practice Guide SP 1800-35 Vol. D, ‘Implementing a Zero Trust Architecture,’ and the draft will be available for public comment until Oct. 9th, 2023. The SP 1800-35D guide summarizes how the NCCoE and its collaborators are using commercially available technology to build interoperable, open standards-based zero trust architecture (ZTA) example implementations that align to the concepts and principles in NIST Special Publication (SP) 800-207, Zero Trust Architecture. 

The guide contains five volumes: 

▪ NIST SP 1800-35A: Executive Summary on why the guide was written, the challenges it addresses, why it could be important to the organization, and the approach to solving this challenge.

▪ NIST SP 1800-35B: Approach, Architecture, and Security Characteristics on what was built and why.

▪ NIST SP 1800-35C: How-To Guides with instructions for building the example implementations, including the security-relevant details that would allow replication of all or parts of the project.

▪ NIST SP 1800-35D: Functional Demonstrations with use cases that have been defined to showcase ZTA security capabilities and the results of demonstrating them in a controlled laboratory setting with each of the example implementations.

▪ NIST SP 1800-35E: Risk and Compliance Management covering risk analysis and mapping of ZTA security characteristics to cybersecurity standards and recommended practices.

The agency added that Vol. A is unchanged from the previous version and is not open for review, while Vols. B and C are open for public comment until Sept. 4th, 2023. The preliminary draft guide can also be downloaded volume by volume. Vol. D is important because it provides a functional demonstration plan, and the updated version includes demonstration results for ten builds.

The project identifies several challenges to implementing a ZTA: leveraging existing investments and balancing priorities while making progress toward a ZTA via modernization initiatives; integrating commercially available technologies of varying types and maturities; and assessing capabilities and identifying technology gaps in order to build a complete ZTA. It also flags concern that a ZTA might negatively impact the operation of the environment or the end-user experience, along with the lack of a common understanding of ZTA across the organization, the difficulty of gauging the organization’s ZTA maturity, determining which ZTA approach is most suitable for the business, and developing an implementation plan.

The NIST Cybersecurity Practice Guide will help users develop a plan for migrating to ZTA. “It demonstrates a standards-based reference design for implementing a ZTA and provides users with the information they need to replicate two different implementations of this reference design. Each of these implementations, which are known as builds, is standards-based and aligns to the concepts and principles in NIST Special Publication (SP) 800-207, Zero Trust Architecture,” it added.

The reference design described in the practice guide is modular and can be deployed in whole or in part, enabling organizations to incorporate ZTA into their legacy environments gradually, in a process of continuous improvement that brings them closer and closer to achieving the ZTA goals that they have prioritized based on risk, cost, and resources. 

“NIST is adopting an agile process to publish this content. Each volume is being made available as soon as possible rather than delaying release until all volumes are completed,” according to the SP 1800-35D document. “Work continues on implementing the example solutions and developing other parts of the content. As a third preliminary draft, we will publish at least one additional draft for public comment before it is finalized.”

NIST SP 1800-35D also provides the use cases that have been defined to showcase ZTA security capabilities and the results of demonstrating them with each of the example implementations.

The document also includes a section intended to assist the lab operator through the set of ZTA scenarios and use cases that have been defined for demonstration in this project. To reduce the number of iterations, some potential demonstrations have been omitted because they are not sufficiently different from another demonstration that has been included. 

For example, if the requester’s access to a resource is blocked because the on-premises resource is non-compliant, then it is sufficient to demonstrate this once with an on-premises-to-on-premises request; the demonstration does not need to be repeated with the request made from a branch office or remote access location, because the location of the requester is irrelevant to the outcome in this case.

The lab demonstration playbook is not exhaustive for all enterprise operations, and it does not capture all possible demonstration cases. Several demonstration scenarios listed here are presented as a maximal approach to zero trust. This includes assumptions about user intent that may not always be determinable in an actual operational setting.

For example, subjects may be classified as compromised in some way, so that all of their access requests are treated as part of an intentional attack rather than as mistaken queries from valid (uncompromised) subjects. As such, some demonstrations may seem extreme for most enterprise operations. This is only to demonstrate the most extreme cases; a less severe response, such as logging and/or sending an alert to a human administrator, is also possible. This collection of demonstration scenarios is still under development.
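The two points above (a non-compliant resource blocks access regardless of where the requester sits, and a "compromised subject" classification can be answered either with a hard deny or with a softer log-and-alert response) can be seen in a small policy decision point model. The following is an added illustration, not code from the NCCoE builds or from NIST SP 1800-35; the `Subject`, `Resource`, `decide` and `same_decision_across_locations` names, the location labels and the `strict` switch are assumptions made for this example.

```python
"""Toy zero trust policy decision point (PDP) illustrating two ideas from the
demonstration playbook: resource compliance is checked independently of the
requester's location, and a compromised-subject finding can be handled with a
maximal (deny) or a less severe (allow-but-alert) response.

Constructed example; names and location labels are assumptions, not the
NCCoE builds' actual policy model."""
from dataclasses import dataclass
from enum import Enum
from typing import Tuple

# Requester locations modelled in the playbook: on-prem, branch office, remote.
LOCATIONS = ("on-prem", "branch", "remote")


class Decision(Enum):
    ALLOW = "allow"
    DENY = "deny"
    ALERT = "allow-with-alert"   # less severe response: permit, log, notify an admin


@dataclass(frozen=True)
class Subject:
    user_id: str
    location: str                # one of LOCATIONS
    compromised: bool = False    # classification supplied by monitoring (assumed input)


@dataclass(frozen=True)
class Resource:
    name: str
    location: str                # where the resource is hosted (assumed "on-prem")
    compliant: bool              # result of a compliance/posture check (assumed input)


def decide(subject: Subject, resource: Resource, strict: bool = True) -> Tuple[Decision, str]:
    """Return (decision, reason) for one access request.

    Resource compliance is evaluated first and does not consult
    subject.location, so the outcome for a non-compliant resource is the same
    from any requester location. `strict=True` models the playbook's maximal
    approach (treat every request from a compromised subject as hostile);
    `strict=False` models the logging/alerting alternative."""
    if subject.location not in LOCATIONS:
        return Decision.DENY, f"unknown requester location {subject.location!r}"
    if not resource.compliant:
        return Decision.DENY, f"resource {resource.name} failed compliance check"
    if subject.compromised:
        if strict:
            return Decision.DENY, f"subject {subject.user_id} classified as compromised"
        return Decision.ALERT, f"subject {subject.user_id} flagged; access logged and admin alerted"
    return Decision.ALLOW, "subject and resource satisfy policy"


def same_decision_across_locations(subject: Subject, resource: Resource, strict: bool = True) -> bool:
    """True when the decision is identical whether the subject requests from
    on-prem, a branch office or a remote location. This is the property the
    playbook relies on when it demonstrates a non-compliant-resource block only
    once rather than once per requester location."""
    decisions = {
        decide(Subject(subject.user_id, loc, subject.compromised), resource, strict)[0]
        for loc in LOCATIONS
    }
    return len(decisions) == 1


if __name__ == "__main__":
    db = Resource("hr-database", "on-prem", compliant=False)   # constructed: failed posture check
    for loc in LOCATIONS:
        print(loc, decide(Subject("alice", loc), db))
    print("location irrelevant:", same_decision_across_locations(Subject("alice", "on-prem"), db))

    app = Resource("ticketing", "on-prem", compliant=True)
    mallory = Subject("mallory", "remote", compromised=True)   # constructed classification
    print("maximal:", decide(mallory, app, strict=True))
    print("less severe:", decide(mallory, app, strict=False))
```

Running the block prints a DENY for the non-compliant database from all three locations, confirms that the decision set collapses to a single outcome, and then shows the same compromised-subject request answered with DENY under the maximal policy and with an allow-plus-alert under the softer one.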

Additional scenarios and use cases will be included in the next version as the implementations evolve and add capabilities. For this current draft of the document and as discussed in Volume B of this guide, the scenarios are limited to on-premises resources or public internet resources with only enhanced identity governance (EIG) considered. Subject endpoints are located on-premises or at branch or remote locations. Only EIG approach solutions are currently present in the builds.

NIST SP 1800-35D includes a functional demonstration result summaries section that summarizes the demonstration results for each of the builds implemented as part of this project. The summary results are organized according to the build phases defined in NIST SP 1800-35B: Approach, Architecture, and Security Characteristics. Detailed results for each of the builds are provided in Appendices C, D, and E. For each build, summary results for use cases A-G are also provided.

Earlier this month, NIST released a public draft of its Cybersecurity Framework (CSF or Framework) 2.0, which revises the framework to benefit all sectors, not only the critical infrastructure sector. The document provides guidance on reducing cybersecurity risks, offering a taxonomy of high-level cybersecurity outcomes that any organization, regardless of its size, sector, or maturity, can use to understand, assess, prioritize, and communicate its cybersecurity efforts. Feedback on the CSF 2.0 public draft, and on the related implementation examples draft, may be submitted to NIST by Nov. 4.
