NSA Issues Guidance on Zero-Trust Planning Requirements

NSA Issues Guidance on Zero-Trust Planning Requirements
TIC 3.0 Use Case Guide

The National Security Agency (NSA) has released a guidance on the zero-trust model for network security and said that systems leveraging the concept are better positioned to address threats but implementing the framework entails careful planning.

NSA said in its report that while the data-centric model for cybersecurity results in comprehensive monitoring, transitioning to such systems could provide risks of weakened security postures.

According to the guidance, adopting a mindset focused on zero trust requires an understanding of the modern threat landscape as well as a coordinated system for monitoring and management.

Other requirements include assuming malicious intent in networks, assuming risks for compromise in all devices, accepting the risky nature of access approvals and ensuring preparedness in conducting rapid damage analysis and recovery functions. 

NSA also cites persistent adherence to a zero-trust mindset as a key requirement for implementing the concept.

“Administrators and defenders may become fatigued with constantly applying default-deny security policies and always assuming a breach is occurring, but if the Zero Trust approach falters, then its cybersecurity benefits become significantly degraded or eliminated,” the report states.

You may also be interested in...

David McKeown

David McKeown: DOD Eyes Creation of Zero-Trust-Focused Portfolio Office

David McKeown, the Department of Defense's (DOD) equivalent of a chief information security officer, said DOD is looking to establish a portfolio management office that specializes in zero-trust cybersecurity. The office's creation would help DOD centralize and manage efforts to implement a zero-trust architecture, which strictly imposes requirements before one is able to access the defense network.