Governance & Risk Management , NIST Standards , Standards, Regulations & Compliance
18 Companies to Participate in NIST 'Zero Trust' ProjectFirms Will Demonstrate Their Architectures to Help Agency Develop Guidance
The National Institute of Standards and Technology has selected 18 technology companies to demonstrate "zero trust" security architectures as it prepares to draft guidance for use of the model by federal agencies, which the private sector can also follow.
See Also: Live Webinar | Protect and Govern Sensitive Data
The initiative is being led by NIST's National Cybersecurity Center of Excellence. The Cybersecurity Practice Guide, now in development, will adhere to NIST's SP 800-207 concepts for zero trust, the agency says.
In a cybersecurity executive order issued in May, President Joe Biden called on agencies to adopt the zero trust model, which states devices should not be trusted by default - even if they are on a corporate network or were previously verified. The model recommends checking the identity and integrity of devices and providing access to applications based on confidence of identity, device health and user authentication (see: Biden's Cybersecurity Executive Order: 4 Key Takeaways).
The executive order directed federal agencies to develop a plan for zero trust implementation under an aggressive 60-day timeline.
Companies that will demonstrate for NIST their approaches to implementing zero trust are: Amazon Web Services, Appgate, Cisco Systems, F5 Networks, FireEye, Forescout Technologies, IBM, McAfee, Microsoft, MobileIron - an Ivanti company, Okta, Palo Alto Networks, PC Matic, Radiant Logic, SailPoint Technologies, Symantec, Tenable and Zscaler.
The participating companies responded to a notice in the Federal Register to submit capabilities that aligned with zero trust. Respondents were selected based on relevant capabilities and pertinent product offerings, NIST says.
"We received an overwhelming response from the vendor community on this important project," says Natalia Martin, acting director of the NCCoE. "Implementing a zero trust architecture has become a federal cybersecurity mandate and a business imperative."
'Radical Transformation Needed'
"With sophisticated cyberattacks becoming increasingly commonplace, it’s clear that a radical transformation is needed in the way public and private industries approach security," says Bill Harrod, federal CTO of Ivanti, whose company, MobileIron, is participating in the NIST project. "That transformation needs to be grounded in zero trust principles and should be focused on cybersecurity modernization.
"The problem today is that zero trust approaches to security have been fragmented, inconsistent and difficult to implement, resulting in slow adoption that only exacerbates an already precarious situation."
John Kindervag, who created the zero trust model while working as an industry analyst for Forrester, says that although he's pleased by the focus on implementing the model at federal agencies, NIST's view of the model is too narrow, focusing too much on identity and access management. The zero trust model, he says, calls for an overarching strategy on IT security modernization.
Kindervag, who now serves as senior vice president of cybersecurity strategy at the security firm ON2IT, says he hopes NIST's eventual guidance is "not too prescriptive and tactical." Such an approach, he says, may inhibit innovation.
What Participants Will Do
NIST's National Cybersecurity Center of Excellence says the 18 companies participating in the zero trust project will provide examples of integrating commercial and open-source products that leverage cybersecurity standards and recommended practices.
"The proliferation of cloud computing, mobile device use and the internet of things has dissolved traditional network boundaries," NCCoE says. "Hardened network perimeters alone are no longer effective for providing enterprise security in a world of increasingly sophisticated threats. Zero trust is a design approach to architecting an IT environment that could reduce an organization's risk exposure in a 'perimeter-less' world."
Erich Kron, a former security manager for the U.S. Army’s 2nd Regional Cyber Center, notes: "With zero trust becoming a mandate in the federal space, it is very important to have this guidance from NIST, if for no other reason, to align best practices across federal entities."
Kron, currently a security awareness advocate for KnowBe4, adds: "This will likely trickle down further and influence behavior at the state and local government levels as well as in the private space. Guidance from NIST can make things a lot easier for the technical leadership and architects when designing these systems."
Software Security Measures
Earlier, as a result of the president's executive order, NIST listed security measures for "critical software" and standards for software testing (see: NIST Publishes 'Critical Software' Security Guidance). It also published its definition of critical software.
The moves are all part of an effort to enhance supply chain security in the aftermath of the SolarWinds attack and other incidents.