Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS
A lock ( ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

Project Description (Initial Public Draft)

Implementing a Zero Trust Architecture

Date Published: March 2020
Comments Due: May 14, 2020 (public comment period is CLOSED)
Email Questions to:

Planning Note (04/13/2020): The public comment period has been extended to May 14, 2020 (originally April 14).


Alper Kerman (NIST), Oliver Borchert (NIST), Scott Rose (NIST), Eileen Division (MITRE), Allen Tan (MITRE)


The National Cybersecurity Center of Excellence (NCCoE) at NIST is seeking comments on a draft project description that will focus on implementing a zero trust architecture. 

The proliferation of cloud computing, mobile device use, and the Internet of Things has dissolved traditional network boundaries. Enterprises must evolve to provide secure user access to company resources from any location and device, protect interactions with business partners, and shield client-server as well as interserver communications.

A zero trust cybersecurity approach removes the assumption of trust from users and networks. It focuses on accessing resources in a secure manner regardless of network location, user, and device, enforcing rigorous access controls and continually inspecting, monitoring, and logging network traffic. This requires data-level protections, a robust identity architecture, and strategic micro-segmentation to create granular trust zones around an organization’s digital resources.

Zero trust evaluates access requests and network traffic behaviors in real time over the length of open connections while continually and consistently recalibrating access to the organization’s resources. Designing for zero trust enables enterprises to securely accommodate the complexity of a diverse set of business cases by informing virtually all access decisions and interactions between systems.

This NCCoE project will demonstrate a standards-based implementation of a zero trust architecture. Publication of this project description begins a process that will further identify project requirements and scope, as well as the hardware and software components for use in a laboratory environment. In the laboratory, the NCCoE will build a modular, end-to-end example zero trust architecture(s) that will address a set of cybersecurity challenges aligned to the NIST Cybersecurity Framework. This project will result in a freely available NIST Cybersecurity Practice Guide.



cybersecurity; enterprise; network security; zero trust; zero trust architecture
Control Families

None selected


Project Description (pdf)

Supplemental Material:
Submit Comments
Project homepage

Document History:
03/17/20: Project Description (Draft)
10/21/20: Project Description (Final)