NIST Special Publication 1800-35 (SP 1800-35) is a comprehensive guide developed by the National Institute of Standards and Technology (NIST) to help organizations implement a Zero Trust Architecture (ZTA) in modern enterprise environments. This publication is the result of collaborative work between NIST’s National Cybersecurity Center of Excellence (NCCoE) and 24 industry vendors, aimed at demonstrating end-to-end zero trust solutions using commercially available technologies.
Purpose and Scope
SP 1800-35 provides practical guidance and reference implementations for deploying zero trust principles to secure distributed enterprise resources—across on-premises, cloud, and hybrid environments. The guide is available as both a high-level PDF overview and a detailed web-format document. The PDF offers summaries of project goals, reference architectures, and findings, while the web version contains in-depth technical details, implementation steps, and mappings to security frameworks.
Key Features
The publication demonstrates 19 sample zero trust implementations, each showing how different technologies and approaches can be integrated to achieve ZTA goals. Solutions were developed in partnership with major vendors such as AWS, Cisco, Microsoft, Palo Alto Networks, IBM, Okta, Zscaler, and others. However, NIST does not endorse any specific product or service. The guide covers a wide range of scenarios, including hybrid workforce, remote access, multi-cloud integration, and secure partner collaboration. Each implementation is mapped to established frameworks like the NIST Cybersecurity Framework (CSF) versions 1.1 and 2.0, NIST SP 800-53r5, and requirements from Executive Order 14028 (EO-Critical Software).
Core Zero Trust Concepts Addressed
• Identity, Credential, and Access Management (ICAM): Enhanced identity governance and continuous authentication are foundational to the demonstrated architectures.
• Microsegmentation and Least Privilege: The architectures leverage network segmentation and strict access controls to limit lateral movement and reduce the attack surface.
• Continuous Monitoring: Ongoing diagnostics and monitoring of device posture, user behavior, and environmental context are needed to maintain security in dynamic environments, so access decisions are re-evaluated as those signals change rather than made once at login.
• Secure Access Service Edge (SASE) and Software-Defined Perimeter (SDP): Integrates modern network security paradigms to support secure, distributed access.
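To make the concepts above concrete, here is an added example (not code from SP 1800-35 or from any vendor build it describes) of a small policy engine that combines identity, device posture, and context into a default-deny access decision and re-evaluates it on every check. The class names, signal fields, and thresholds are hypothetical choices for illustration.

```python
from dataclasses import dataclass

POSTURE_TTL_S = 300  # a device posture report older than this is treated as unknown (assumed value)

@dataclass(frozen=True)
class Subject:
    user: str
    roles: frozenset
    mfa_age_s: int      # seconds since the last MFA challenge

@dataclass(frozen=True)
class Device:
    managed: bool
    posture_ok: bool    # e.g. disk encryption on, endpoint agent healthy
    reported_at: int    # epoch seconds of the last posture report

@dataclass(frozen=True)
class Resource:
    name: str
    required_role: str
    sensitivity: str    # "low" or "high"
    max_mfa_age_s: int  # re-authentication window for this resource

def decide(subject, device, resource, now, geo_risk="low"):
    """Policy engine: evaluate every request against all signals; default is deny."""
    denials = []
    if resource.required_role not in subject.roles:
        denials.append("missing_role")                 # least privilege: role must match
    if subject.mfa_age_s > resource.max_mfa_age_s:
        denials.append("stale_mfa")                    # continuous authentication
    if not device.posture_ok or now - device.reported_at > POSTURE_TTL_S:
        denials.append("device_posture")               # stale or failing posture is unknown, not trusted
    if resource.sensitivity == "high" and (not device.managed or geo_risk == "high"):
        denials.append("high_sensitivity_context")     # environmental context gates sensitive data
    return ("allow" if not denials else "deny", denials)

def reevaluate(subject, device, resource, checks):
    """Continuous monitoring: re-run the policy at each (now, geo_risk) checkpoint of a session."""
    return [decide(subject, device, resource, now, risk) for now, risk in checks]

# Constructed sample input: a finance user on a managed laptop reaching a sensitive API.
ALICE = Subject("alice", frozenset({"finance"}), mfa_age_s=600)
LAPTOP = Device(managed=True, posture_ok=True, reported_at=1000)
LEDGER = Resource("ledger-api", "finance", "high", max_mfa_age_s=900)
```

The session trace shows the point of continuous evaluation: the same subject is allowed at first, denied while the context risk is high, and denied again once the posture report has aged out, without any change to the user's credentials.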
The 19 Example Implementations
| # | Implementation Name / Category | Key Focus / Use Case Example |
|---|---|---|
| 1 | Enhanced Identity Governance (EIG) Crawl – Build 1 | Identity, Credential, and Access Management (ICAM) |
| 2 | Enhanced Identity Governance (EIG) Crawl – Build 2 | Federated Identity, Centralized Access |
| 3 | Enhanced Identity Governance (EIG) Crawl – Build 3 | Mobile Device Security, Endpoint Management |
| 4 | Enhanced Identity Governance (EIG) Run – Build 1 | ICAM with Cloud Integration |
| 5 | Enhanced Identity Governance (EIG) Run – Build 2 | Hybrid Workforce, Multi-Cloud Access |
| 6 | Enhanced Identity Governance (EIG) Run – Build 3 | Secure Partner/Guest Collaboration |
| 7 | Software-Defined Perimeter (SDP) – Build 1 | Microsegmentation, Dynamic Policy Enforcement |
| 8 | Software-Defined Perimeter (SDP) – Build 2 | Network Segmentation, Access Control |
| 9 | Software-Defined Perimeter (SDP) – Build 3 | Application-Level Security |
| 10 | Secure Access Service Edge (SASE) – Build 1 | Cloud-Delivered Security for Remote Workforces |
| 11 | Secure Access Service Edge (SASE) – Build 2 | Branch Office Security, SD-WAN |
| 12 | Secure Access Service Edge (SASE) – Build 3 | Public Wi-Fi Access, Unmanaged Devices |
| 13 | Hybrid/Multi-Cloud – Build 1 | Access Control Across AWS, Azure, On-Premises |
| 14 | Hybrid/Multi-Cloud – Build 2 | Data Flow Management Between Clouds |
| 15 | Hybrid/Multi-Cloud – Build 3 | Secure SaaS Integration |
| 16 | Remote/Mobile Access – Build 1 | BYOD, Mobile Workforce |
| 17 | Remote/Mobile Access – Build 2 | Secure Public Wi-Fi, Endpoint Protection |
| 18 | Federated/Guest Access – Build 1 | Partner and Guest Collaboration |
| 19 | Service-to-Service Security – Build 1 | API Security, Machine Identity Management |