NIST Needs Tech Providers Help Developing Zero-Trust Practice Guide


But the agency is vetting potential participants on a first-come, first-served basis.

The National Institute of Standards and Technology has laid out components of a comprehensive zero-trust system and is asking product developers to come together and build it.

The end result will be the foundation of a practice guide in NIST's series of special publications. Prospective participants will be evaluated on a first-come, first-served basis, according to a notice posted in the Federal Register Wednesday, with kickoff expected within the month.

“Collaborative activities will commence as soon as enough completed and signed letters of interest have been returned to address all the necessary components and capabilities, but no earlier than [30 days after the posting date],” the notice reads.

Entities with commercial offerings essential to zero trust—the buzzy premise that an organization’s internal network is not an inherently safe space—have an opportunity to demonstrate their wares in collaboration with NIST and other vendors, the notice said.    

The popularity of a zero trust approach to security has grown along with the adoption of cloud services and the increase in network-connected devices. The network perimeter is no longer clearly demarcated, and the persistence of insider threats has sharpened the focus on carefully managing user identity and limiting access to sensitive data and operations.

But the term zero trust has also become a marketing opportunity, with companies eager to lay claim to its features.

In the notice, and in a description of its overarching project, NIST specifically lists the elements of a zero trust system. A few examples include a policy engine, which handles “the ultimate decision to grant, deny, or revoke access to a resource for a given subject;” functional components such as the strategy, technology and governance needed to protect endpoints; and analytics that involve monitoring traffic and threat intelligence feeds.
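To make the policy engine's role concrete, here is an added illustration written for this article; it is not NIST's, the NCCoE's, or any collaborator's code. It sketches a minimal policy decision point in Python that grants or denies each request based on the subject's identity, device posture, the resource's sensitivity and an analytics risk score, and that revokes an already-granted session when a later re-evaluation fails. The attribute names, thresholds and the sample subject, devices and resource are all assumptions constructed for the example.

```python
"""Minimal zero-trust policy engine (policy decision point), added example.
Not NIST's or any vendor's implementation; attribute names, thresholds and
sample data below are assumptions made for illustration only."""
from dataclasses import dataclass
from enum import Enum
from typing import FrozenSet, Tuple


class Decision(Enum):
    GRANT = "grant"
    DENY = "deny"
    REVOKE = "revoke"


@dataclass(frozen=True)
class Subject:
    user_id: str
    roles: FrozenSet[str]
    mfa_verified: bool


@dataclass(frozen=True)
class DevicePosture:
    device_id: str
    managed: bool
    disk_encrypted: bool
    patch_age_days: int


@dataclass(frozen=True)
class Resource:
    name: str
    required_role: str
    high_sensitivity: bool


@dataclass(frozen=True)
class Policy:
    max_patch_age_days: int = 30  # assumed threshold
    max_risk_score: int = 50      # assumed threshold on a 0-100 analytics score


def evaluate(subject: Subject, device: DevicePosture, resource: Resource,
             risk_score: int, policy: Policy) -> Tuple[Decision, str]:
    """Decide one request. Network location is deliberately not an input:
    every request is judged on identity, device posture and analytics."""
    if not subject.mfa_verified:
        return Decision.DENY, "mfa-required"
    if resource.required_role not in subject.roles:
        return Decision.DENY, "missing-role:" + resource.required_role
    if not device.managed or not device.disk_encrypted:
        return Decision.DENY, "unmanaged-or-unencrypted-device"
    if device.patch_age_days > policy.max_patch_age_days:
        return Decision.DENY, f"stale-patches:{device.patch_age_days}d"
    if resource.high_sensitivity and risk_score > policy.max_risk_score:
        return Decision.DENY, f"risk-too-high:{risk_score}"
    return Decision.GRANT, "all-checks-passed"


@dataclass
class Session:
    subject: Subject
    resource: Resource
    device: DevicePosture
    risk_score: int
    active: bool = False


def open_session(subject, device, resource, risk_score, policy):
    decision, reason = evaluate(subject, device, resource, risk_score, policy)
    session = Session(subject, resource, device, risk_score,
                      active=(decision is Decision.GRANT))
    return session, decision, reason


def reevaluate(session: Session, device: DevicePosture, risk_score: int,
               policy: Policy) -> Tuple[Decision, str]:
    """Continuous evaluation: a session granted earlier is REVOKED (not merely
    denied) when fresh posture or analytics data no longer satisfy the policy."""
    decision, reason = evaluate(session.subject, device, session.resource,
                                risk_score, policy)
    session.device, session.risk_score = device, risk_score
    if decision is Decision.GRANT:
        session.active = True
        return Decision.GRANT, reason
    was_active, session.active = session.active, False
    return (Decision.REVOKE if was_active else Decision.DENY), reason


# Constructed sample input (not real users, devices or systems).
POLICY = Policy()
ALICE = Subject("alice", frozenset({"finance"}), mfa_verified=True)
LAPTOP_OK = DevicePosture("lap-1", managed=True, disk_encrypted=True, patch_age_days=5)
LAPTOP_STALE = DevicePosture("lap-1", managed=True, disk_encrypted=True, patch_age_days=45)
LEDGER = Resource("ledger-db", required_role="finance", high_sensitivity=True)


def demo():
    """Walk one session through grant, revoke, re-grant and a second revoke."""
    session, d1, r1 = open_session(ALICE, LAPTOP_OK, LEDGER, 10, POLICY)
    d2, r2 = reevaluate(session, LAPTOP_OK, 80, POLICY)     # analytics flags anomaly
    d3, r3 = reevaluate(session, LAPTOP_OK, 10, POLICY)     # risk returns to normal
    d4, r4 = reevaluate(session, LAPTOP_STALE, 10, POLICY)  # posture feed: patches stale
    return [(d1, r1), (d2, r2), (d3, r3), (d4, r4)]


if __name__ == "__main__":
    for decision, reason in demo():
        print(decision.value, reason)
```

The point of the example is the third decision outcome the notice names: revoke. A perimeter model checks once at the door; a policy engine re-runs the same evaluation whenever the posture or analytics inputs change, and an open session is torn down rather than just refused on its next request.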

Bob Stevens, vice president of the Americas for mobile security firm Lookout, offered some insight into the importance of interoperability across the elements. 

“Proactive security is critical as threats quickly evolve,” he told Nextgov. “Approaches like threat hunting assist in this, but the data must support the device from which the event comes.” 

Interested organizations would have to abide by the terms of a Cooperative Research and Development Agreement, which limits how their involvement in the project can be used in advertising. 

“Collaborator shall not use the names of NIST, the [National Cybersecurity Center of Excellence] or the Department of Commerce on any advertisement, product or service, which is directly or indirectly related to this Agreement without prior written approval by NIST,” reads a template agreement. “Nothing in this section prohibits Collaborator from referencing or referring to any publicly available NIST or NCCoE reports and materials provided Collaborator does not imply an endorsement of any product or service.”