NIST SP 800-207 (Zero Trust Architecture)
The NIST implementation guide that defines zero trust principles, logical architecture components, and deployment models for federal and enterprise environments.
NIST Special Publication 800-207 ("Zero Trust Architecture"), published in August 2020, provides the authoritative federal definition of zero trust and a reference architecture for implementation. The document establishes seven core zero trust tenets: treat all data sources and computing services as resources; secure all communication regardless of network location; grant access to individual enterprise resources on a per-session basis; determine access by dynamic policy including observable state of client identity, application/service, and requesting assets; ensure all owned and associated devices are in the most secure state possible; collect information and use it to improve security posture; and never implicitly trust any actor. The document defines the Policy Decision Point (PDP) / Policy Enforcement Point (PEP) model as the central architectural construct, separating the control plane from the data plane.
Implementing 800-207 in an enterprise engineering context requires replacing perimeter-based network segmentation with identity-centric access controls enforced at every resource boundary. The PDP/PEP model maps concretely to: an identity provider (IdP) plus a continuous authentication engine as the Policy Engine (PE); an orchestration platform (e.g., service mesh with mTLS, or a cloud-native IAM system) as the Policy Administrator (PA); and application-layer proxies or API gateways as PEPs. Every service-to-service call must present cryptographic proof of identity (SPIFFE/SVID or equivalent) and be authorized against a real-time policy. Network microsegmentation using software-defined perimeters eliminates implicit east-west trust, which is the primary attack vector exploited in the SolarWinds and Colonial Pipeline incidents.
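As an added illustration of the PDP/PEP split described above and of the per-session, dynamic-policy and device-posture tenets listed earlier (example code, not from the NIST publication or any vendor): a minimal Policy Engine that validates the caller's SPIFFE ID from its SVID, checks observable device state, and applies rules pushed by the Policy Administrator, with an Enforcement Point that asks for a fresh decision on every session. The trust domain, resource names and SPIFFE paths are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple
from urllib.parse import urlparse

TRUST_DOMAIN = "example.org"  # constructed trust domain for this example


def parse_spiffe_id(uri: str) -> Optional[str]:
    """Validate a SPIFFE ID (spiffe://<trust-domain>/<path>) as carried in an SVID URI SAN.
    Returns the workload path, or None if the ID is malformed or from a foreign trust domain."""
    u = urlparse(uri)
    if u.scheme != "spiffe" or u.netloc != TRUST_DOMAIN or not u.path.startswith("/"):
        return None
    return u.path


@dataclass
class Request:
    caller_svid: str        # SPIFFE ID presented in the mTLS client certificate
    resource: str           # target enterprise resource (tenet 1: everything is a resource)
    device_compliant: bool  # observable asset state reported by the device/posture service
    session_id: str         # decisions are per session, never per network location


@dataclass
class PolicyEngine:
    """PDP: rules are pushed by the Policy Administrator; resource -> allowed caller paths."""
    rules: Dict[str, Set[str]] = field(default_factory=dict)

    def decide(self, req: Request) -> Tuple[bool, str]:
        path = parse_spiffe_id(req.caller_svid)
        if path is None:
            return False, "invalid or foreign SPIFFE ID"
        if not req.device_compliant:          # dynamic policy: posture evaluated on each request
            return False, "device posture non-compliant"
        if path not in self.rules.get(req.resource, set()):
            return False, "no rule grants this caller access to the resource"
        return True, "allowed"


class EnforcementPoint:
    """PEP: holds no policy of its own and caches no decisions; every session goes to the PDP."""

    def __init__(self, pdp: PolicyEngine) -> None:
        self.pdp = pdp
        self.audit: List[Tuple[str, str, str, bool, str]] = []  # telemetry for later analytics

    def handle(self, req: Request) -> bool:
        allowed, reason = self.pdp.decide(req)
        self.audit.append((req.session_id, req.caller_svid, req.resource, allowed, reason))
        return allowed
```

Because the PEP re-queries the PDP per session, the same workload is admitted while its device is compliant and refused the moment posture changes, without any rule edit at the enforcement point.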
NIST 800-207 identifies three zero trust architecture approaches: enhanced identity governance (making identity the primary security perimeter), micro-segmented networks (using next-generation firewalls and SDN to create fine-grained network segments), and software-defined perimeters (requiring authentication before any network connection is established). Most enterprise deployments combine all three. The publication is the technical underpinning of CISA's Zero Trust Maturity Model (version 2.0, 2023) and OMB Memorandum M-22-09, which requires all federal agencies to achieve specific zero trust milestones by FY2024, including enforcing phishing-resistant MFA and encrypting all DNS traffic.
We design zero trust architectures anchored in the NIST 800-207 PDP/PEP model, beginning with an identity inventory and trust mapping exercise that documents every human and machine identity, every resource, and every access path in scope. We then implement SPIFFE-based workload identity, enforce mTLS across service meshes, deploy continuous authorization policies in the control plane, and instrument telemetry pipelines that feed behavioral analytics for dynamic policy adjustment.