Deliverable Title
Description/ Abstract
Category
Format
Priority
Status
Workstreams
Target Technical Audience
Lead Authors
Lead Contributors & Reviewers
Notes
Release Target
References
Document Link
Peer Review Date
Peer Review End Date
Peer Review Notes
Production Phase Notes
Final Review Notes
Publish Date
Distribution Plan
Publish Notes
PR Promotion Notes
Zero Trust Implementation Primer - The Five Step Process

The objective of this document is to provide background, an overview and general guidance for executing the 5 step Zero Trust implementation approach described in the NSTAC Report to the President on Zero Trust and Trusted Identity Management, formulated and socialized by John Kindervag. Separate CSA research documents are being developed for each of the five steps to elaborate the guidance in more detail and supporting SME panel discussions are or will be recorded and made available.

Guidance
Document
Recording
2
Execution (Development)
ZT9
ZT1
ZT2
ZT3
ZT4
ZT5
ZT6
ZT7
ZT8

ZT Practitioners & Project teams

Jonathan Flack

Alex Sharpe?

Related deliverables: Data Pillar - Defining the ZT Protect Surface; Network Pillar - Mapping ZT Transaction Flows. Start with a simple outline (executive summary) and evolve incrementally towards providing topical (matrix-style?) guidance for all the pillars and workstreams for all 5 steps and including a maturity model perspective. Could include a sample use case or an illustrative (fictionalized) case study - either embedded or as a companion document.
Spring 23

Source doc: https://docs.google.com/document/d/1yMH8vcT0ROwtXG4n8uYPibNLspjAul3Opiut0xnyuKg/edit?usp=share_link

Zero Trust Guidance for IoT

This paper recommends an approach for adapting zero-trust (ZT) principles to Internet of Things (IoT) devices. This includes a recommended device security profile and a recommended set of network services that can be used to enable ZT at the edge. Suggested requirements are identified within this document to support the tailoring of the recommended approach within organizations.

Guidance
Document
1
Execution (Development)
ZT4
Other CSA Workgroup
Srinivas Akella, JJ Minella, Josh Woodruff
Collaborative/joint deliverable between ZT Device & IoT WGs
2024
9/27/2024
10/31/2024
Zero Trust Guidance for Small and Medium Size Businesses (SMBs)

The objective of this document is to provide foundational guidance for Small and Medium-sized Businesses (SMBs) in their journey to evaluate approaches to manage identified risks through the implementation of a Zero Trust strategy to protect their organization.  This guidance is aligned with the five step Zero Trust implementation process described in the NSTAC Report to the President of the United States on Zero Trust and Trusted Identity Management (pg. 7), originally formulated and socialized

Guidance
Document
Blog
Recording
1
Peer Review
ZT2
ZT1
  • Primary Audience: SMB Owners, IT/Security Teams, vCISOs, Buyers and Providers of Outsourced/Managed IT and Security Services

Frank DePaola

Contributors: Sam Aiello, Sue Bergamo, Kevin Dillaway

Deliverable requested by WG members (esp. in the ZT1+2 WG) on several occasions. Create an SMB focus within the WG and some sort of discussion forum and draft doc (shell) to capture SMB considerations and recommendations during the course of research WG execution. As thinking matures, host and record an SMB ZT panel? Here are the challenges facing SMBs that need to be considered in the development of guidelines and principles: Limited resources - SMBs don't have the financial resources to inv
2024

CISA Releases New Handbook to Address Technology Risks

https://docs.google.com/document/d/1SBNkqZA0Ac3SJyMWE9JdTcu5ddT7yeSrHWH1BccoP5o/edit?tab=t.0#heading=h.30j0zll
11/15/2024
12/15/2024

Release in early 2025

Zero Trust Privacy Assessment and Guidance

With increasing digitisation, data, including personal data, is stored on networked devices in the form of web applications, shared drives, cloud systems and so on. Whilst digitisation reduces paper footprint, it increases the risk of data exposure when unauthorized entities access the networked devices. Unauthorized access is not limited to external entities. Internal entities may acquire access to such data either via mistakes in access controls or via malicious action. Irrespective of the mann

Guidance
Document
Recording
2
Peer Review
ZT7
ZT2
Other CSA Workgroup

Information Security Architects, Data Privacy and Protection Architects, Zero Trust project teams, CISOs and CPOs

Diego Diviani

Steve Foster, Kevin Dillaway

Reference: NIST Cybersecurity and Privacy Reference Tool (CPRT) GDPR?
2024

See Useful References section in the document

https://docs.google.com/document/d/1RlnM1yEg4KZyCSQYtKJR2upWf3BCxKoXoH7ptXKPPNM/edit?tab=t.0#heading=h.jila3fjjswb1
11/25/2024
12/27/2024
ZT Automation & Orchestration and Visibility & Analytics Overview

Subtitle: Defining and Implementing the Cross-Cutting Capabilities needed for Zero Trust 

Guidance
Document
1
Execution (Development)
ZT8

Lars Ruddigkeit, Richard, Chandra

Madhav Chablani

Spring 23
Leveraging ZT to Enterprise Information in LLM Environments

Guidance for safe enterprise enablement of AI/ML apps while protecting sensitive organizational information (IP, PII, etc.) using Zero Trust principles

Guidance
Blog
Document
1
Execution (Development)
ZT7
Other CSA Workgroup
Special ZT Focus Group

ZT and AI Practitioners, Organizational AI Policy Makers

VB Malik, Shruti

Proposed by Jim Least privilege, separation of duties ZT guiding principles: Monitor everything
2024

5 Step process, Protect Surface doc

Context-Based Access Control for Zero Trust

Traditional access decision-making is agnostic of both Zero Trust and context. Historically, access to assets and resources is based on trust. Digital identities are entrusted to a particular entity, entitlements are assigned to that identity or group containing identities, and every access request to a resource is checked only against those entitlements. Later, Role-Based Access Controls (RBAC) enhanced this model by assigning entitlements to roles. This helped because as entities changed profi

Guidance
Document
Slides
1
Publication (Editorial Review & Design)
ZT3
ZT8

Primary Audience: Identity and Access Management Architects, Zero Trust Architects, Security Operations Team

Shruti Kulkarni

Paul Simmonds, Hani Raouda

CBAC can leverage/employ RBAC and ABAC
2024

See Useful References section in the doc

https://docs.google.com/document/d/1oA25T25GjqmamGQ6DUNfvG8DATKQQIVmI3j1mbOCXDY/edit?tab=t.0
10/28/2024
11/27/2024
Analyzing Log Data with AI Models

System event logs are present everywhere. From a zero trust perspective, logs are part of the visibility and analytics cross-cutting capability. Seen from an architectural perspective, logs are just data: an aggregation of events from one or more log sources (for example, operating systems, APIs, Identity Provider, databases). Logs on their own do not hold information. Logs contain a rich set of raw data, which when analyzed and correlated can reveal potential threats, threats that have ma

Guidance
Document
Slides
2
Proposed
ZT7
ZT8
ZT9

Primary audience: Information Security Managers/Information Security Officers, ZT Implementers, Security Operations

Shruti Kulkarni

incident detection; event correlation; Eliminate false positives?; behavioral analytics; identify vulnerabilities? threats?; Asset discovery?; assess current state security maturity?; SIEM vs. AI?; + time synch
2024

CEF Standard

8/31/2024

Target peer review for RSA time frame?

6/30/2024

Add an accompanying webinar or two, including some solution provider perspectives on what folks can do/are actually doing.

Step 3: Build A Zero Trust Architecture

This document provides guidance for completing the third step defined in the 5-step Zero Trust implementation process, as described in the NSTAC Report to the (US) President on Zero Trust and Trusted Identity Management.

Guidance
Document
Recording
1
Execution (Development)
ZT9

Jason Garbis

Spring 23
Step 4: Create Zero Trust Policy

This document provides guidance for completing the fourth step defined in the 5-step Zero Trust implementation process, as described in the NSTAC Report to the (US) President on Zero Trust and Trusted Identity Management.

Guidance
Document
Recording
1
Execution (Development)
ZT9

Jerry Chapman

Spring 23
Step 5: Monitor and Maintain the Zero Trust Environment

This document provides guidance for completing the fifth step defined in the 5-step Zero Trust implementation process, as described in the NSTAC Report to the (US) President on Zero Trust and Trusted Identity Management.

Guidance
Document
Recording
1
Execution (Development)
ZT8
ZT9
ZT3

Chandra, Lars, Jerry, Shruti

Spring 23
SDP Guidance Updates

Update SDP Arch & Spec docs w/latest ZT

Guidance
Document
2
Proposed
ZT5
Spring 23
Zero Trust Guidance for a Resilient Enterprise Environment

Subtitle: Organizational and Architectural Guidance for Achieving Operational Resiliency

Guidance
Document
Blog
Slides
Recording
1
Execution (Development)
Special ZT Focus Group
ZT9
ZT2
ZT1
Other CSA Workgroup

Financial Services, Critical Infrastructure Owners, ZT Implementation Teams

Chris Steffen

Zero Trust Guidance for a Resilient Enterprise Environment
Spring 23

Many

Zero Trust Guidance for User Endpoint Devices

Guidance for securing user endpoint devices as well as generating and leveraging device security status and maturity signals in making ZT access control policy decisions.

Guidance
Document
1
Proposed
ZT4
Addresses a fundamental, vendor neutral guidance gap for this pillar
Q3 2025
CSA Zero Trust Program Management Guidance

Guidance for Initiating and Executing an Enterprise Zero Trust Strategy

Guidance
Document
Slides
Recording
2
Proposed
ZT1
ZT2

ZT Program Management Teams

DoD

2024
Zero Trust Guidance for Securing Cellular Networks

The rapid evolution of 5G and Open Radio Access Network (ORAN) architectures has redefined the cellular network landscape, enabling dynamic, cloud-native ecosystems that drive innovation and critical infrastructure. However, this shift has also introduced expanded attack surfaces, increased supply chain vulnerabilities, and heightened operational complexity. Traditional security models must evolve into a comprehensive Zero Trust paradigm to address these challenges.

Guidance
Document
Slides
Recording
2
Proposed
ZT5
ZT9
Special ZT Focus Group
  • Telecom Operators and Service Providers

Taha Sajid <sajidtaha386@gmail.com>

Milind Gunjan <milind.gunjan@gmail.com>

given the recent Chinese hacks I'm wondering if we could broaden the scope to include a more comprehensive view of mobile telecom infrastructure and not exclusively the newer 5G/ORAN technology and infrastructure? I'm thinking that would be very timely and an easier sell.
Q3 2025
ZT Maturity Assessment Guidance

over the 5 steps and security lifecycle

Guidance
Document
Slides
Recording
2
Proposed
ZT2
ZT9
Special ZT Focus Group
2024
17 records
