December 9, 2024
Understanding How NIST Shapes the Zero Trust Security Framework
Zero trust has become one of modern security’s most prominent strategies. Zero trust architecture is based on the fundamental idea that every network, user, and system must be verified consistently, instead of granting trust based on past access.
Although zero trust is a commonly accepted practice today, it’s important to understand the pivotal role that the National Institute of Standards and Technology (NIST) plays in defining zero trust architecture and other cybersecurity frameworks. In this article, we’ll explore how NIST zero trust guidelines shape this critical security framework and help organizations enact clear, actionable strategies that enhance their cybersecurity postures.
NIST’s defining role in cybersecurity
NIST is a government agency under the jurisdiction of the United States Department of Commerce. As part of its mandate to promote U.S. innovation and industrial competitiveness, NIST seeks to advance measurement science, standards, and technology nationwide. It is also tasked with enhancing economic security and improving the quality of life for every American through management and oversight of the countless technologies that have become integral to everyday life and modern business.
In the security space, NIST is the definitive source of the guidelines that keep those technological advancements secure. Establishing NIST zero trust architecture as the modern standard was groundbreaking in that it revolutionized decades of established and accepted security practices.
How the NIST zero trust model changed the game
In the past, organizations commonly adopted a perimeter-based approach to security, assuming that any device, user, system, or application situated within the organization’s network was trustworthy. This model meant relying on perimeter-protecting measures such as firewalls and VPNs, because it prioritized cyber attacks that originated from outside the network. Organizations felt comfortable trusting that any entity that had gained access had done so legitimately, and therefore should be trusted to maintain that access.
The cybersecurity landscape has changed drastically in recent years. Perimeter-based security does little to protect against other security concerns such as insider attacks and advanced persistent threats.
In 2024, 68% of breaches involved non-malicious human elements, like human error or falling victim to social engineering. Perimeter-based security also does not account for the expansion of organizations’ attack surface; the rise of hybrid and remote work, alongside the popularity of bring-your-own-device policies, has caused most security perimeters to grow exponentially.
Failing to adequately address these security concerns can be expensive for organizations of all kinds. The average cost of a data breach reached a record-high $4.88 million in 2024, a 10% increase from 2023.
In response to changing network standards and the increasing sophistication and frequency of cyber attacks, NIST set out to develop new solutions that more accurately reflected the shape of modern technology infrastructure. As a result, the NIST zero trust model came to replace the perimeter security approach with guidelines built to support a single motto: “never trust, always verify.”
7 key tenets of the NIST zero trust model
The NIST zero trust model is detailed in a document titled Zero Trust Architecture, officially known as NIST Special Publication (SP) 800-207. It was first released in August 2020 to give organizations a comprehensive implementation framework and measurement standard to assess their cybersecurity progress.
The source document lays out seven key tenets of zero trust architecture:
- Resource recognition: All devices, data sources, and computing services are resources that need to be protected. This distinction establishes that both hardware — such as in-office desktop computers and on-premises servers — and software apps and SaaS platforms are considered resources. It also mentions that personal devices (like smartphones, tablets, and computers) can be included in zero trust policies if they have access to company-owned resources.
- Secure communications: All network communications must be secured, regardless of where they originate. This means that access requests coming from within the enterprise’s network must pass the same stringent verification protocols as external requests.
- Limited access: Every access request and requesting entity must be evaluated on their own merits. Trust is never granted based on position within the network or past access to other resources. This tenet also describes the principle of least privilege, which ensures that when access is granted, it is only granted to the extent and for the duration of time deemed absolutely necessary.
- Dynamic policies: Organizations are responsible for continuously defining their resources and members, in addition to monitoring the access each member requires to specific resources. Establishing dynamic access policies that incorporate both a company’s fundamental makeup and its acceptable level of risk keeps the organization accountable to changing business needs and enterprise structures without sacrificing security.
- Asset security: While zero trust demands constant verification of the entities requesting access to resources, organizations must also constantly verify the security of assets themselves. NIST recommends systems like continuous diagnostics and mitigation tools to continuously monitor the security of each device, app, and resource. Patches and fixes should be applied as needed, while vulnerabilities should be addressed on a case-by-case basis.
- Continuous monitoring: Every step of the NIST zero trust model, including assessing access requests, scanning for threats, and creating dynamic policies, must be continuously monitored and updated. Identity, credential, and access management systems and asset management systems are integral to zero trust architecture. This tenet stresses that even once access is granted through a zero trust system, entities must still be repeatedly authenticated and authorized.
- Data collection: It’s important for organizations to invest in collecting as much accurate and detailed information as possible about the state of their assets, communications, and infrastructure. Collecting and carefully processing that data is what will allow organizations to continuously improve their security posture, inform dynamic policies, and support long-term zero trust strategies.
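The tenets above describe policy decisions, not code, so the following is an added example (not from NIST or from this article) of a minimal policy decision point that applies several of them at once: every request is evaluated on its own merits, the source network is deliberately not consulted, grants are scoped to one action and time-bound (least privilege), device posture gates access (asset security), and a held grant is re-validated rather than assumed valid (continuous monitoring). The resources, roles, thresholds and the `POLICY` table are constructed for illustration.

```python
"""Toy zero trust policy decision point (PDP). Constructed example, not NIST's
or any vendor's code; resource names, roles and thresholds are made up."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass
class Subject:
    user: str
    roles: frozenset
    mfa_verified: bool


@dataclass
class Device:
    device_id: str
    managed: bool
    patch_age_days: int          # assumed to come from a CDM-style posture feed
    compromised: bool = False    # flipped by the feed mid-session in the demo


@dataclass
class AccessRequest:
    subject: Subject
    device: Device
    resource: str
    action: str
    source_network: str          # "corp" or "internet"; intentionally ignored


@dataclass
class Grant:
    resource: str
    action: str
    device_id: str
    expires_at: datetime


# Dynamic policy: per-resource requirements that can change without code changes.
POLICY = {
    "payroll-db": {"roles": {"finance"}, "actions": {"read"},
                   "mfa": True, "max_patch_age": 30, "ttl_minutes": 15},
    "wiki": {"roles": {"staff", "finance"}, "actions": {"read", "write"},
             "mfa": False, "max_patch_age": 90, "ttl_minutes": 480},
}


def evaluate(req, now):
    """Judge one request on its own merits. Returns (allowed, reason, grant)."""
    rule = POLICY.get(req.resource)
    if rule is None:
        return False, "unknown resource: deny by default", None
    if req.action not in rule["actions"]:
        return False, "action not permitted on resource", None
    if not (req.subject.roles & rule["roles"]):
        return False, "subject lacks required role", None
    if rule["mfa"] and not req.subject.mfa_verified:
        return False, "MFA required", None
    d = req.device
    if d.compromised or not d.managed or d.patch_age_days > rule["max_patch_age"]:
        return False, "device posture insufficient", None
    # Note: req.source_network was never consulted; location confers no trust.
    expires = now + timedelta(minutes=rule["ttl_minutes"])
    return True, "granted (scoped, time-bound)", Grant(req.resource, req.action, d.device_id, expires)


def revalidate(grant, req, now):
    """A held grant is re-checked against current posture, not assumed valid."""
    if now >= grant.expires_at:
        return False, "grant expired; re-authenticate"
    if req.device.device_id != grant.device_id:
        return False, "grant bound to different device"
    ok, reason, _ = evaluate(req, now)
    return (True, "still valid") if ok else (False, reason)


def demo():
    """Run constructed scenarios and return each decision for inspection."""
    now = datetime(2024, 12, 9, 9, 0, tzinfo=timezone.utc)
    laptop = Device("lt-001", managed=True, patch_age_days=5)
    alice_no_mfa = Subject("alice", frozenset({"finance"}), mfa_verified=False)
    alice = Subject("alice", frozenset({"finance"}), mfa_verified=True)
    bob = Subject("bob", frozenset({"staff"}), mfa_verified=True)
    results = {}
    # 1. On the corporate network but without MFA: network location buys nothing.
    results["inside_no_mfa"] = evaluate(AccessRequest(alice_no_mfa, laptop, "payroll-db", "read", "corp"), now)[:2]
    # 2. Same user, MFA done, coming from the internet: allowed, read-only, 15-minute grant.
    ok, reason, grant = evaluate(AccessRequest(alice, laptop, "payroll-db", "read", "internet"), now)
    results["remote_with_mfa"] = (ok, reason)
    results["grant_ttl_minutes"] = int((grant.expires_at - now).total_seconds() // 60)
    # 3. Least privilege: a read grant says nothing about writes.
    results["write_attempt"] = evaluate(AccessRequest(alice, laptop, "payroll-db", "write", "internet"), now)[:2]
    # 4. Role check is per resource, even with MFA satisfied.
    results["wrong_role"] = evaluate(AccessRequest(bob, laptop, "payroll-db", "read", "corp"), now)[:2]
    # 5. Continuous monitoring: the posture feed flags the laptop five minutes in.
    laptop.compromised = True
    later = AccessRequest(alice, laptop, "payroll-db", "read", "internet")
    results["revalidate_after_compromise"] = revalidate(grant, later, now + timedelta(minutes=5))
    # 6. A clean device still cannot reuse the grant once its TTL has passed.
    laptop.compromised = False
    results["revalidate_expired"] = revalidate(grant, later, now + timedelta(minutes=16))
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The point of the `revalidate` step is the one most often skipped in practice: the decision made at login is only a snapshot, so posture changes and grant expiry must be able to cut an already-open session short. In a real deployment the policy table would be fed by the identity, asset management and monitoring systems the tenets mention rather than hard-coded.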
Implementing the NIST zero trust guidelines
SP 800-207 identifies three common ways organizations can secure their IT infrastructure in accordance with NIST zero trust guidelines. NIST doesn’t suggest that these are the only possibilities; rather, organizations should adopt the methods that make the most sense for their specific infrastructure and demands. In many cases, the best implementation strategy will feature some combination of these methods and others.
Enhanced identity governance
This model keeps all resources accessible through an open network and verifies every request (and requester) individually before granting access. This might mean using multifactor authentication (MFA) to prove identity before logging into a web app, for example. Prioritizing authentication and authorization is helpful, but it does not stop attacks that progress through lateral movement from one app to another. Enhanced identity governance should be combined with other implementation strategies to complete a zero trust architecture.
Microsegmentation
This practice divides an organization’s network into smaller segments. It then protects each granular sub-segment with a gateway, such as an intelligent switch or next-generation firewall. Host-based microsegmentation presents an alternative to this principle by protecting endpoint assets instead of network subsegments. Because microsegmentation declares these protected zones trustworthy — however small they may be — it’s important to combine this method with an identity management practice to adhere to the tenets of zero trust.
Software-defined perimeters
This model creates protected boundaries around resources while still requiring identity checks before granting access. Organizations can employ overlay networks to build secure communications channels between resources and the entities accessing them. This granular identity-centric approach combines more of the tenets of zero trust than the previous two models do on their own. Still, software-defined perimeters can always be combined with microsegmentation, enhanced identity governance, or other zero trust architecture implementation strategies.
Align your organization with NIST zero trust standards
The NIST zero trust guidelines establish many detailed steps and requirements to help organizations better secure their IT infrastructure. However, the intricacy of NIST’s model and the many pathways to implementation can lead to a complex assortment of third-party systems, tools, and strategies.
Consolidating multiple tools into a unified platform makes it possible for organizations to achieve zero trust architecture and strengthen their cybersecurity postures from a holistic perspective. Learn more in our free e-book on how standalone tools create complexity and why you need to consolidate your IT security.