NIST touts 19 ways to build "off-the-shelf" Zero Trust Architecture in new guidance


The National Institute of Standards and Technology (NIST) on Wednesday released newly finalized guidance on how to build a Zero Trust Architecture (ZTA) – all with readily available off-the-shelf commercial products.

Key takeaways:

The new “Implementing a Zero Trust Architecture” guidance (NIST Special Publication (SP) 1800-35) was designed to teach the user how to build their own ZTA by example.


The guide provides 19 examples of Zero Trust architectures using off-the-shelf commercial technologies, a documented solutions map to various cybersecurity frameworks, and ZTA best practices, all created with input from two dozen industry collaborators and several major tech companies, the Institute said.

Led by the National Cybersecurity Center of Excellence (NCCoE), the teams spent four years meticulously “installing, configuring, and troubleshooting the example implementations,” the Institute said.

Each example is based on “real-world scenarios” that large organizations typically encounter, such as an enterprise network spanning multiple cloud platforms, a branch office, and a coffee shop with public WiFi used by remote employees.

Zero Trust scenario diagram
Image by NIST.

The argument for zero trust

For many security professionals, the new guidance is a welcome upgrade from the traditional (and sorely outdated) "network perimeter model," where once a threat gets inside the firewall, it can freely access the network’s internal data, applications, and other resources, NIST said in its news release.

In contrast, a Zero Trust architecture grants no automatic access: the network is segmented and then microsegmented, every user and device is treated as a potential threat, and each is given only least-privileged access.

Segmentation, together with strict access controls that continuously evaluate conditions and verify every request, also keeps attackers from roaming freely around the network even after an intrusion, reducing the attack surface.


Brian Soby, co-founder and CTO at SaaS application security company AppOmni, said, “One of the challenges with real-world Zero Trust implementations has always been the existence of multiple policy decision and policy enforcement points (PDP/PEPs).”

Providing an example, Soby pointed out that "the SaaS applications used by an organization are configured with their own logic about who may access which resources and enforce that configuration natively in the applications."

"The omission of these independent PDP/PEPs from the Zero Trust architecture has led to numerous real-world data breaches where attackers simply bypass incomplete Zero Trust implementations and go directly to applications to exploit insecure configuration or identities," he said.
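To make the perimeter-versus-Zero-Trust contrast above concrete, and Soby's point about application-native PDP/PEPs that sit outside the central architecture, here is a constructed example (not code from NIST SP 1800-35 or from AppOmni; the users, resources, entitlements and enforcement-point inventory are all made up): a toy policy decision point that evaluates each request on its own context, beside the legacy "inside the firewall" check, plus a check that flags resources with no integrated enforcement point.

```python
"""Constructed illustration of the two access models the article contrasts.
Not code from NIST SP 1800-35 or from AppOmni; all names and data are made up."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Request:
    user: str
    resource: str
    network: str             # "corp-lan", "branch", "cloud-a", "public-wifi"
    identity_verified: bool  # e.g. MFA completed for this session
    device_compliant: bool   # endpoint posture check passed


# Constructed least-privilege entitlements: who may reach which resource.
ENTITLEMENTS = {"alice": {"hr-payroll"}, "bob": {"wiki", "crm-saas"}}

# Constructed inventory: which policy enforcement point fronts each resource.
# None marks a SaaS app whose native access logic is not integrated into the ZTA.
PEP_FOR_RESOURCE: dict[str, Optional[str]] = {
    "hr-payroll": "zta-gateway", "wiki": "zta-gateway", "crm-saas": None}


def perimeter_allow(req: Request) -> bool:
    """Legacy perimeter model: anything already inside the firewall is trusted."""
    return req.network in {"corp-lan", "branch"}


def zta_decide(req: Request) -> tuple[bool, str]:
    """Policy decision point: every request is evaluated on its own context,
    regardless of where it comes from, and only entitled access is granted."""
    if not req.identity_verified:
        return False, "identity not verified"
    if not req.device_compliant:
        return False, "device posture check failed"
    if req.resource not in ENTITLEMENTS.get(req.user, set()):
        return False, "no entitlement (least privilege)"
    return True, "allowed"


def unenforced_resources(pep_map: dict[str, Optional[str]]) -> list[str]:
    """Resources reachable without an integrated PEP: the gap that lets an
    attacker go straight to the application instead of through the ZTA."""
    return sorted(r for r, pep in pep_map.items() if pep is None)


if __name__ == "__main__":
    # A compromised host on the LAN asking for data its user is not entitled to.
    insider = Request("bob", "hr-payroll", "corp-lan", True, True)
    # A remote employee on coffee-shop WiFi with verified identity and device.
    remote = Request("alice", "hr-payroll", "public-wifi", True, True)
    for req in (insider, remote):
        print(req.user, req.network, perimeter_allow(req), zta_decide(req))
    print("resources without an integrated PEP:", unenforced_resources(PEP_FOR_RESOURCE))
```

The perimeter check passes the LAN host and rejects the coffee-shop employee, while the Zero Trust decision does the opposite, and the inventory check surfaces the SaaS app whose policy is enforced only natively.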

Perimeter network out, Zero Trust in

The need for ZTA is a natural evolution of the network itself. Perimeter network architecture was developed when many networks were limited to a single location, such as a building or campus, NIST explained.

“Nowadays, a single organization may operate several internal networks, use cloud services, and allow for remote work, meaning there is no single perimeter,” it said.

Still, changing over to a ZTA can be a complex undertaking, which is why the new NIST guidance is so necessary.


“Switching from traditional protection to zero trust requires a lot of changes. You have to understand who’s accessing what resources and why,” said Alper Kerman, a NIST computer scientist and co-author of the publication.


“Also, everyone’s network environments are different, so every ZTA is a custom build. It’s not always easy to find ZTA experts who can get you there,” Kerman said, noting that the guidance can be used as a “foundational starting point for any organization constructing its own ZTA.”

The Institute said that although NIST Special Publication (SP) 1800-35 names the commercial technologies used in the examples, the guide does not endorse any particular product, and that many enterprises will find they already have a number of the technologies they need.

Soby praised the new guidance for recognizing the reality of multiple policy-driven access points existing within the architecture and providing additional context to decision-making engines within the architecture.

“Security decisions can't be made in a bubble, and the essence of Zero Trust has always been an architecture that can adapt to changing context and user behaviors,” Soby told Cybernews.

“This new guidance brings the thinking about Zero Trust closer to what must be done in reality to make it effective,” he said.

The Zero Trust guide comprises two resources. The first is an introductory document in PDF format about the ZTA, covering project goals, implementations, references, and findings.

The second is a full web document, mapped to the NIST Cybersecurity Framework (CSF 2.0), containing in-depth details about the ZTA “technologies leveraged, their integrations and configurations, and the use cases and scenarios demonstrated.”
