NIST SP 800-207 is a guidance publication from the National Institute of Standards and Technology (NIST). It belongs to the NIST SP 800 series which provides recommendations and best practices for information security and cybersecurity. Federal agencies, private sector organizations and other entities use this series to ensure the security of information systems.
NIST SP 800-207 introduces the concept of zero trust architecture (ZTA). Zero trust is a cybersecurity model that operates on the principle of “never trust, always verify”: no entity, whether inside or outside the network, is trusted automatically because of where it sits. NIST SP 800-207 describes the strategies and components for implementing zero trust in an organization’s IT infrastructure, with the goal of protecting resources through continuous verification and strict access control aligned to the principle of least privilege.
What is NIST SP 800-207 compliance?
NIST SP 800-207 compliance refers to an organization’s adherence to the ZTA components set out in the guidance: the policy engine (PE), which makes the access decision; the policy administrator (PA), which establishes or tears down the communication path based on that decision; and the policy enforcement point (PEP), which gates the actual connection to the resource. Together these components limit access to strongly verified identities, protect the integrity of enterprise resources and provide a complete audit trail of access decisions.
Because these three core components are inextricably connected, NIST describes a trust algorithm as the process the policy engine uses to reach its decision. Its inputs are observable information about the requesting entity and the enterprise systems in the ZTA: the access request itself, subject and asset databases, the resource’s access policies, and the organization’s threat intelligence feed(s).
NIST recommends that the controls that grant access to systems be responsive not only to static policy but also to an overall trust score that feeds policy evaluation. NIST distinguishes two independent design choices here: whether the algorithm is criteria-based (every required attribute must be met) or score-based (attributes are weighted and the total is compared with a threshold), and whether it is singular (each request is evaluated on its own) or contextual (the score changes over time based on the entity’s observed behavior, such as its request history and usual location).
What are common use cases of NIST SP 800-207?
NIST SP 800-207 is particularly relevant for organizations operating in highly regulated industries, such as finance, healthcare and government, where protecting critical infrastructure and sensitive information is paramount. The guidance is also useful for organizations undergoing digital transformation, because it supports secure adoption of new technologies and services: securing remote work environments, protecting cloud-based applications and services, and safeguarding sensitive data across distributed networks.
What are the benefits and challenges of compliance?
Compliance with NIST SP 800-207 offers several critical benefits, including enhanced security through a zero trust model that reduces the risk of breaches by continuously verifying users and devices. It also provides better protection for sensitive data and systems, regardless of their location, and ensures that organizations can effectively respond to emerging threats. Additionally, compliance helps organizations meet regulatory requirements and build a more resilient cybersecurity posture.
The main challenge is that transitioning from a traditional perimeter-based security model to ZTA requires significant changes to existing infrastructure, extensive monitoring capabilities and the integration of technologies such as identity management systems, multi-factor authentication (MFA) and endpoint security solutions. A second challenge is the need for continuous monitoring and real-time data analysis to detect and respond to threats effectively, which can be resource-intensive.
NIST tenets of zero trust
NIST’s seven tenets of zero trust, listed below with the identity-security practices each implies, provide critical input on how organizations can make appropriate access decisions:
NIST SP 800-207 Zero Trust Tenet 1: “All data sources and computing services are considered resources.”
- Extend ZT practices to all resources, including small-footprint devices, SaaS and personally owned devices loosely connected to the enterprise.
NIST SP 800-207 Zero Trust Tenet 2: “All communication is secured regardless of network location.”
- Apply consistent controls across enterprise-owned and remote networks.
NIST SP 800-207 Zero Trust Tenet 3: “Access to individual enterprise resources is granted on a per-session basis.”
- Evaluate trust in the requester before granting access.
- Grant access with the least privileges needed to complete the task.
- Ensure authentication and authorization to one resource do not automatically grant access to a different resource.
NIST SP 800-207 Zero Trust Tenet 4: “Access to resources is determined by dynamic policy.”
- Define policies with least privilege access for all resources and identities.
- Account equally for service / machine identities and human users.
- Approve access based on behavioral and environmental attributes.
NIST SP 800-207 Zero Trust Tenet 5: “The enterprise monitors and measures the integrity and security posture of all owned and associated assets.”
- Patch/fix systems as needed for security and performance, including for personal devices loosely connected to the enterprise.
NIST SP 800-207 Zero Trust Tenet 6: “All resource authentication and authorization are dynamic and strictly enforced before access is allowed.”
- Implement identity, credential and access management (ICAM) policies.
- Use MFA for access to some or all resources.
- Monitor continually, with policy-based reauthentication and reauthorization.
NIST SP 800-207 Zero Trust Tenet 7: “The enterprise collects as much information as possible about assets, network infrastructure and communications and uses it to improve its security posture.”
- Collect data about asset security posture, network traffic and access requests.
- Fine-tune access policies according to data collected.
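The trust algorithm described earlier (score-based, single evaluation versus contextual) and tenets 3, 4 and 6 (per-session access, dynamic policy, continual reauthorization) can be illustrated together in a small policy engine. The following is an added example, not code from NIST SP 800-207 or from any product: the resources, roles, score weights, posture fields and addresses are all constructed, and in a real deployment the posture and behavior signals would come from a CDM/EDR feed, the identity provider and the collected access logs rather than from fields set by hand.

```python
"""Added example (not from NIST SP 800-207 or any product): a score-based,
contextual trust algorithm behind a policy engine, with a per-session policy
enforcement point. Every subject, device, resource and weight is constructed."""
from dataclasses import dataclass, replace
from typing import Dict, List, Set, Tuple

@dataclass(frozen=True)
class AccessRequest:
    user: str
    roles: Set[str]
    mfa_verified: bool
    device_patched: bool     # in practice from a CDM/EDR posture feed
    device_posture_ok: bool
    resource: str
    source_ip: str
    hour: int                # local hour of day, 0-23

@dataclass(frozen=True)
class Policy:
    allowed_roles: Set[str]
    require_mfa: bool
    min_score: float         # trust-score threshold for this resource

# Tenet 4: a least-privilege policy per resource (constructed values).
POLICIES: Dict[str, Policy] = {
    "payroll-db": Policy({"hr"}, require_mfa=True, min_score=0.8),
    "wiki": Policy({"hr", "eng"}, require_mfa=False, min_score=0.5),
}

class TrustAlgorithm:
    """contextual=False scores each request in isolation (single evaluation);
    contextual=True also penalises deviation from the subject's past requests."""

    def __init__(self, contextual: bool = True) -> None:
        self.contextual = contextual
        self.history: Dict[str, List[AccessRequest]] = {}

    def score(self, req: AccessRequest) -> float:
        s = 1.0
        if not req.mfa_verified:
            s -= 0.3
        if not req.device_patched:
            s -= 0.2
        if not req.device_posture_ok:
            s -= 0.5
        past = self.history.get(req.user, []) if self.contextual else []
        if past and req.source_ip not in {p.source_ip for p in past}:
            s -= 0.2             # first request from this address
        if past and all(abs(p.hour - req.hour) > 2 for p in past):
            s -= 0.1             # outside the subject's usual hours
        return round(max(s, 0.0), 2)

def decide(algo: TrustAlgorithm, req: AccessRequest) -> Tuple[bool, float, str]:
    """Policy engine (tenets 4 and 6): static policy plus trust score, default deny."""
    policy = POLICIES.get(req.resource)
    if policy is None:
        return False, 0.0, "unknown resource"
    if not policy.allowed_roles & req.roles:
        return False, 0.0, "role not permitted"
    if policy.require_mfa and not req.mfa_verified:
        return False, 0.0, "MFA required"
    score = algo.score(req)
    if score < policy.min_score:
        return False, score, f"trust score {score} below {policy.min_score}"
    algo.history.setdefault(req.user, []).append(req)  # allowed requests form the baseline
    return True, score, "allow"

class PolicyEnforcementPoint:
    """Tenet 3: one session per (subject, resource), never transitive; tenet 6:
    an open session is re-evaluated against fresh posture and revoked on failure."""

    def __init__(self, algo: TrustAlgorithm) -> None:
        self.algo = algo
        self.sessions: Dict[Tuple[str, str], AccessRequest] = {}

    def open_session(self, req: AccessRequest) -> Tuple[bool, str]:
        allowed, _, reason = decide(self.algo, req)
        if allowed:
            self.sessions[(req.user, req.resource)] = req
        return allowed, reason

    def reauthorize(self, user: str, resource: str, posture_ok: bool) -> bool:
        req = self.sessions.get((user, resource))
        if req is None:
            return False
        allowed, _, _ = decide(self.algo, replace(req, device_posture_ok=posture_ok))
        if not allowed:
            del self.sessions[(user, resource)]
        return allowed

def demo() -> Dict[str, object]:
    pep = PolicyEnforcementPoint(TrustAlgorithm(contextual=True))
    office = AccessRequest("alice", {"hr"}, True, True, True, "payroll-db", "10.1.2.3", 10)
    out: Dict[str, object] = {}
    out["payroll_office"] = pep.open_session(office)
    out["wiki_implied"] = ("alice", "wiki") in pep.sessions     # no transitive access
    out["payroll_night"] = pep.open_session(                    # same creds, new IP, 03:00
        replace(office, source_ip="203.0.113.9", hour=3))
    out["reauth_posture_drop"] = pep.reauthorize("alice", "payroll-db", posture_ok=False)
    out["still_has_payroll"] = ("alice", "payroll-db") in pep.sessions
    return out
```

Running demo() walks through the tenets in order: the office request is allowed and becomes the subject's behavioral baseline; holding a payroll session grants nothing on the wiki (tenet 3); the same valid credentials from an unfamiliar address at 03:00 fall to 0.7, below the payroll threshold, without any static rule naming either signal (contextual scoring, tenet 4); and when the endpoint's posture degrades, reauthorization revokes the open session instead of waiting for it to expire (tenets 5 and 6). With contextual=False the night-time request would score 1.0 and be allowed, which is the difference between a single evaluation and a contextual one. The weights here are arbitrary; in practice they are tuned from the access and posture data the enterprise collects (tenet 7).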
NIST 800-207 Zero Trust Reference Architecture
What core competencies help organizations meet the zero trust tenets?
NIST SP 800-207 compliance starts with strong privileged access management controls, which underpin NIST’s three core architectural components. Strong identity management practices, such as MFA and role-based access control (RBAC), ensure that only authorized users can reach resources. Organizations should also focus on network segmentation and on continuous monitoring and logging of all access requests, so that anomalies and potential threats can be detected in real time. Security automation and orchestration tools help manage and respond to security incidents more efficiently.
Below are core competencies that can help organizations meet the central NIST tenets of zero trust. When in doubt, always seek guidance tailored to your unique environment.
- Built-in MFA and remote access; just-in-time access for external third parties and remote users.
- Unified authentication and authorization, or integration with leading identity provider (IdP) and identity governance and administration (IGA) platforms.
- Per-session least privilege and separation of duties across endpoints, data centers and multi-cloud.
- Centralized vaulting and policy control for access used by IT, developers, workforce, endpoints and services.
- Multi-contextual analytics and identity threat detection and response (ITDR).
- One-click patching of components and secure management of the accounts used for patching.
- Broad integration support for continuous diagnostics and mitigation (CDM) systems.
- Centralized audit to the domain controller (DC).
- Step-up and continuous authentication, with automatic authorization changes when risky behavior is detected.
- Session analytics and broad SIEM / CDM integrations.
- Automatic access policy adjustments with low-code and no-code automation workflows.