NIST SP 800-207 provides the Federal government's zero trust reference architecture; DoD, the IC, and others have used it as a starting point for their own reference architectures that define zero trust. The first few years of effort since the publication of EO 14028 and NSM-8 have been devoted mostly to educating people about what zero trust is and what it means, and to laying the groundwork for zero trust. Current architectures serve those purposes well. As we shift our attention away from definition and toward implementation, however, current architectures leave something to be desired: they're not designed to answer critical questions, such as what is working and what is not, what is most important, and where to invest scarce resources first or next. DHS is developing an approach to zero trust architecture that seeks to answer these questions, and we could use the help of zero trust practitioners across the Federal government to refine and expand this approach, which we think will serve these purposes for any organization that is busy implementing zero trust. The next phase of zero trust implementation categorically requires hard work; we can do that work better if we do it together.