The objective of this document is to provide background, an overview and general guidance for executing the 5-step Zero Trust implementation approach described in the NSTAC Report to the President on Zero Trust and Trusted Identity Management, formulated and socialized by John Kindervag. Separate CSA research documents are being developed for each of the five steps to elaborate the guidance in more detail, and supporting SME panel discussions are or will be recorded and made available.
ZT Practitioners & Project teams
Jonathan Flack
Alex Sharpe?
Source doc: https://docs.google.com/document/d/1yMH8vcT0ROwtXG4n8uYPibNLspjAul3Opiut0xnyuKg/edit?usp=share_link
This paper recommends an approach for adapting zero-trust (ZT) principles to Internet of Things (IoT) devices. This includes a recommended device security profile and a recommended set of network services that can be used to enable ZT at the edge. Suggested requirements are identified within this document to support the tailoring of the recommended approach within organizations.
The objective of this document is to provide foundational guidance for Small and Medium-sized Businesses (SMBs) in their journey to evaluate approaches to manage identified risks through the implementation of a Zero Trust strategy to protect their organization. This guidance is aligned with the five-step Zero Trust implementation process described in the NSTAC Report to the President of the United States on Zero Trust and Trusted Identity Management (pg. 7), originally formulated and socialized
Frank DePaola
Contributors: Sam Aiello, Sue Bergamo, Kevin Dillaway
CISA Releases New Handbook to Address Technology Risks
Release in early 2025
With increasing digitisation, data, including personal data, is stored on networked devices in the form of web applications, shared drives, cloud systems and so on. Whilst digitisation reduces the paper footprint, it increases the risk of data exposure when unauthorized entities access the networked devices. Unauthorized access is not limited to external entities. Internal entities may acquire access to such data either via mistakes in access controls or via malicious action. Irrespective of the mann
Information Security Architects, Data Privacy and Protection Architects, Zero Trust project teams, CISOs and CPOs
Diego Diviani
Steve Foster, Kevin Dillaway
See Useful References section in the document
Subtitle: Defining and Implementing the Cross-Cutting Capabilities needed for Zero Trust
Lars Ruddigkeit, Richard, Chandra
Madhav Chablani
Guidance for safe enterprise enablement of AI/ML apps while protecting sensitive organizational information (IP, PII, etc.) using Zero Trust principles
ZT and AI Practitioners, Organizational AI Policy Makers
VB Malik, Shruti
5 Step process, Protect Surface doc
Traditional access decision-making is agnostic of both Zero Trust and context. Historically, access to assets and resources has been based on trust. Digital identities are entrusted to a particular entity, entitlements are assigned to that identity or to a group containing identities, and every access request to a resource is checked only against those entitlements. Later, Role-Based Access Control (RBAC) enhanced this model by assigning entitlements to roles. This helped because as entities changed profi
Primary Audience: Identity and Access Management Architects, Zero Trust Architects, Security Operations Team
Shruti Kulkarni
Paul Simmonds, Hani Raouda
See Useful References section in the doc
System event logs are present everywhere. From a zero trust perspective, logs are part of the visibility and analytics cross-cutting capability. Seen from an architectural perspective, logs are just data: an aggregation of events from one or more log sources (for example operating systems, APIs, Identity Providers, databases). Logs on their own do not hold information. Logs contain a rich set of raw data which, when analyzed and correlated, can reveal potential threats, threats that have ma
Primary audience: Information Security Managers/Information Security Officers, ZT Implementers, Security Operations
Shruti Kulkarni
CEF Standard
Target peer review for RSA time frame?
Add an accompanying webinar or two, including some solution provider perspectives on what folks can do/are actually doing.
This document provides guidance for completing the third step defined in the 5-step Zero Trust implementation process, as described in the NSTAC Report to the (US) President on Zero Trust and Trusted Identity Management.
Jason Garbis
This document provides guidance for completing the fourth step defined in the 5-step Zero Trust implementation process, as described in the NSTAC Report to the (US) President on Zero Trust and Trusted Identity Management.
Jerry Chapman
This document provides guidance for completing the fifth step defined in the 5-step Zero Trust implementation process, as described in the NSTAC Report to the (US) President on Zero Trust and Trusted Identity Management.
Chandra, Lars, Jerry, Shruti
Update the SDP Architecture & Specification docs with the latest ZT guidance
Subtitle: Organizational and Architectural Guidance for Achieving Operational Resiliency
Financial Services, Critical Infrastructure Owners, ZT Implementation Teams
Chris Steffen
Many
Guidance for securing user endpoint devices as well as generating and leveraging device security status and maturity signals in making ZT access control policy decisions.
Guidance for Initiating and Executing an Enterprise Zero Trust Strategy
ZT Program Management Teams
DoD
The rapid evolution of 5G and Open Radio Access Network (ORAN) architectures has redefined the cellular network landscape, enabling dynamic, cloud-native ecosystems that drive innovation and critical infrastructure. However, this shift has also introduced expanded attack surfaces, increased supply chain vulnerabilities, and heightened operational complexity. Traditional security models must evolve into a comprehensive Zero Trust paradigm to address these challenges.
Taha Sajid <sajidtaha386@gmail.com>
Milind Gunjan <milind.gunjan@gmail.com>
over the 5 steps and security lifecycle