U.S. flag   An official website of the United States government
Dot gov

Official websites use .gov
A .gov website belongs to an official government organization in the United States.


Secure .gov websites use HTTPS
A lock (Dot gov) or https:// means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.

White Paper (Draft)

[Project Description] Implementing a Zero Trust Architecture

Date Published: March 2020
Comments Due: May 14, 2020 (public comment period is CLOSED)
Email Questions to: zta-nccoe@nist.gov

Planning Note (4/13/2020): The public comment period has been extended to May 14, 2020 (originally April 14).


Alper Kerman (NIST), Oliver Borchert (NIST), Scott Rose (NIST), Eileen Division (MITRE), Allen Tan (MITRE)


The National Cybersecurity Center of Excellence (NCCoE) at NIST is seeking comments on a draft project description that will focus on implementing a zero trust architecture. 

The proliferation of cloud computing, mobile device use, and the Internet of Things has dissolved traditional network boundaries. Enterprises must evolve to provide secure user access to company resources from any location and device, protect interactions with business partners, and shield client-server as well as interserver communications.

A zero trust cybersecurity approach removes the assumption of trust from users and networks. It focuses on accessing resources in a secure manner regardless of network location, user, and device, enforcing rigorous access controls and continually inspecting, monitoring, and logging network traffic. This requires data-level protections, a robust identity architecture, and strategic micro-segmentation to create granular trust zones around an organization’s digital resources.

Zero trust evaluates access requests and network traffic behaviors in real time over the length of open connections while continually and consistently recalibrating access to the organization’s resources. Designing for zero trust enables enterprises to securely accommodate the complexity of a diverse set of business cases by informing virtually all access decisions and interactions between systems.

This NCCoE project will demonstrate a standards-based implementation of a zero trust architecture. Publication of this project description begins a process that will further identify project requirements and scope, as well as the hardware and software components for use in a laboratory environment. In the laboratory, the NCCoE will build a modular, end-to-end example zero trust architecture(s) that will address a set of cybersecurity challenges aligned to the NIST Cybersecurity Framework. This project will result in a freely available NIST Cybersecurity Practice Guide.



cybersecurity; enterprise; network security; zero trust; zero trust architecture
Control Families

None selected


Project Description

Supplemental Material:
Submit Comments (other)
Project homepage (other)

Document History:
03/17/20: White Paper (Draft)
10/21/20: White Paper (Final)