The National Institute of Standards and Technology (NIST) released a zero trust planning guide May 6 for Federal administrators that provides an overview of how the NIST Risk Management Framework (RMF) can be used to develop and implement a zero trust architecture (ZTA).
The cybersecurity white paper – authored by Scott Rose from NIST’s Wireless Networks Division in its Communications Technology Lab – gives Federal enterprise admins, system operators, and IT security officers a brief intro to zero trust and how the RMF can be used for zero trust implementation.
“Enterprise administrators and system operators need to be involved in the planning and deployment for a ZTA to be successful,” Rose wrote. “ZTA planning requires input and analysis from system and workflow owners as well as professional security architects. Zero trust cannot be simply added onto an existing workflow but needs to be integrated into all aspects of the enterprise.”
“The RMF lays out an approach that includes a set of steps and tasks that is integrated into enterprise risk analysis, planning, development, and operations,” he added. “Administrators who normally do not perform the steps and tasks detailed in the RMF may find that they will need to become familiar with them as they migrate to a ZTA.”
The planning guide provides a process for using the RMF for ZTA implementation and walks Federal administrators through how the seven steps of the RMF relate to the zero trust implementation process.
The guide also emphasizes that zero trust is a cybersecurity strategy and practice, not a single technology solution, and that an organization will need the cooperation of cybersecurity planners, management, administrators, and operations to be successful.