NIST SP 800-207 ZERO TRUST ARCHITECTURE
33
This publication is available free of charge from: https://doi.org/10.6028/NIST.SP.800-207
6.3 ZTA and Federal Identity, Credential, and Access Management Architecture
Subject provisioning is a key component of ZTA. The policy engine (PE) cannot determine whether an attempted connection is authorized to reach a resource if the PE has insufficient information to identify the associated subjects and resources. Strong subject provisioning and authentication policies need to be in place before moving to a more zero trust–aligned deployment. Enterprises need a clear set of subject attributes and policies that a PE can use to evaluate access requests.
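As an added illustration (not part of SP 800-207), the following toy policy engine shows why provisioning comes first: the PE fails closed whenever the subject record, a required attribute, or the resource policy is missing. The subject store, resource policies and attribute names are all constructed for this example.

```python
"""Toy policy engine (PE): decisions require provisioned subject attributes.

Constructed example, not NIST code. A missing subject record, missing
attribute, or unregistered resource yields DENY rather than a guess.
"""
from typing import Dict, Tuple

# Constructed ICAM-style subject store: the attributes a PE would consume.
SUBJECTS: Dict[str, Dict] = {
    "alice": {"agency": "agencyA", "role": "analyst", "auth_level": 3},
    "bob":   {"agency": "agencyA", "role": "contractor", "auth_level": 1},
    "carol": {"agency": "agencyA"},  # incompletely provisioned on purpose
}

# Constructed resource policies: required attribute values per resource.
RESOURCES: Dict[str, Dict] = {
    "hr-db": {"agency": "agencyA", "roles": {"analyst", "hr"}, "min_auth_level": 2},
}

REQUIRED_ATTRS = ("agency", "role", "auth_level")


def evaluate(subject_id: str, resource_id: str) -> Tuple[str, str]:
    """Return (decision, reason). DENY whenever the PE lacks data to decide."""
    subject = SUBJECTS.get(subject_id)
    if subject is None:
        return "DENY", "subject not provisioned in ICAM store"
    policy = RESOURCES.get(resource_id)
    if policy is None:
        return "DENY", "resource has no registered policy"
    # Every attribute the policy needs must be present; absence is never "allow".
    for attr in REQUIRED_ATTRS:
        if attr not in subject:
            return "DENY", f"subject attribute '{attr}' missing"
    if subject["agency"] != policy["agency"]:
        return "DENY", "agency mismatch"
    if subject["role"] not in policy["roles"]:
        return "DENY", "role not permitted for resource"
    if subject["auth_level"] < policy["min_auth_level"]:
        return "DENY", "authentication assurance level too low"
    return "ALLOW", "all required subject attributes satisfy policy"


if __name__ == "__main__":
    for s in ("alice", "bob", "carol", "mallory"):
        print(s, "->", evaluate(s, "hr-db"))
```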
The Office of Management and Budget (OMB) issued M-19-17 on improving identity
management for the Federal Government. The goal of the policy is to develop “…a common
vision for identity as an enabler of mission delivery, trust, and safety of the Nation” [M-19-17].
The memo calls on all federal agencies to form an ICAM office to govern efforts related to
identity issuance and management. Many of these management policies should use the
recommendations in NIST SP 800-63-3, Digital Identity Guidelines [SP800-63]. As ZTA is
heavily dependent on precise identity management, any ZTA effort will need to integrate the
agency’s ICAM policy.
6.4 ZTA and Trusted Internet Connections 3.0
TIC is a federal cybersecurity initiative jointly managed by OMB, DHS, and the General
Services Administration (GSA), and is intended to establish a network security baseline across
the Federal Government. Historically, TIC was a perimeter-based cybersecurity strategy which
required agencies to consolidate and monitor their external network connections. Inherent in TIC
1.0 and TIC 2.0 is the assumption that the inside of the perimeter is “trusted,” whereas ZTA
assumes that network location does not infer “trust” (i.e., there is no “trust” on an agency’s
internal network). TIC 2.0 provides a list of network-based security capabilities (e.g. content
filtering, monitoring, authentication, and others) to be deployed at the TIC Access Point at the
agency’s perimeter; many of these capabilities are aligned with ZT principles.
TIC 3.0 has been updated to accommodate cloud services and mobile devices [M-19-26]. In TIC
3.0, it is recognized that the definition of “trust” may vary across specific computing contexts
and that agencies have different risk tolerances for defining trust zones. In addition, TIC 3.0 has
an updated TIC Security Capability Handbook, which defines two types of security capabilities:
(1) Universal Security Capabilities that apply at the enterprise level, and (2) PEP Security
Capabilities that are network-level capabilities to be applied to multiple policy enforcement
points (PEPs), as defined in TIC use cases. The PEP Security Capabilities may be applied at any
appropriate PEP located along a given data flow instead of at a single PEP at the agency
perimeter. Many of these TIC 3.0 security capabilities directly support ZTA (e.g., encrypted
traffic, strong authentication, microsegmentation, network and system inventory, and others).
TIC 3.0 defines specific use cases that describe the implementation of trust zones and security
capabilities across specific applications, services, and environments.
TIC 3.0 is focused on network-based security protections, whereas ZTA is a more inclusive
architecture addressing application, user, and data protections. As TIC 3.0 evolves its use
cases, it is likely that a ZTA TIC use case will be developed to define the network protections to
be deployed at ZTA enforcement points.