What Is NIST SP 800-207?

NIST (National Institute of Standards and Technology) Special Publication 800-207 is a series of cybersecurity measures and guidelines highlighting the core components of Zero Trust principles. Specifically, the initiative provides federal agencies with detailed recommendations on how to maintain and protect the agency and citizens’ private data.  

The publication follows an increased priority in Zero Trust systems, which safeguard individual resources rather than network segments. ZT initiatives provide added security in modern enterprise networks that include cloud-based assets and remote users. In short, Zero Trust shifts focus away from protecting the network perimeter and takes away access from anyone and everyone until it can be certain of who you are. After you are granted access ZT principles require security teams to continuously monitors how you’re using and distributing data.

Zero Trust strictly follow a set of seven tenets that regulate user access and data management across all enterprises. These include: 

Rigorously enforce authentication and authorization – All resources require mandatory authentication, often paired with technologies such as multi-factor authentication (MFA), before granting access. According to Zero Trust principles, no account has implicit access without explicit permission.  

Maintain data integrity – Enterprises measure and monitor the security and integrity of all owned and associated assets, assess their vulnerabilities, patch levels, and other potential cybersecurity threats.  

Gather data for improved security – Enterprises should collect current information from multiple sources, such as network infrastructure and communication, to regulate and improve security standards. 

Consider every data source and computing device as a resource – Enterprises should consider any device with access to an enterprise-level network as a resource.  

Keep all communication secured regardless of network location – Physical network locations alone should never imply trust. People connecting via enterprise and non-enterprise networks must undergo the same security requirements for resource access.  

Grant resource access on a per-session basis – Enterprises should enforce a least-privilege policy: a user should only be granted the minimum privileges required to complete a task. Every access request requires evaluation and, when granted, does not immediately provide access to other resources. Users will need to submit a separate request for subsequent data access.  

Moderate access with a dynamic policy – Enterprises need to protect resources with a transparent policy that continuously defines resources, accounts, and the type of privileges linked to each account. The process may involve attributes, such as device characteristics (i.e., software versions) and network locations.

NIST 800 (SP) 800-207 functions through three core logical components to establish and maintain a ZTA. These components include: 

Policy Engine (PE) 

The PE provides the final decision in granting access to a resource.  

Policy Administrator (PA) 

The PA establishes access to a resource.  

Policy Enforcement Point (PEP) 

PEPs serve as a system gateway for activating, monitoring, and terminating connections between authorized users and their accessed resources.  

Enterprises may implement varied deployments of NIST (SP) 800-207 based on the company’s network settings. Because ZT is a set of principles, it can be applied in various ways and adapted for various systems.   

Device Agent/Gateway-Based Deployment 

Under this variation, enterprises divide the PEP into two components residing either on or directly in front of a resource. Requests for data access pass through a local agent, are submitted to the proxy, and finally passed through a policy engine for verification. If validated, the policy administrator establishes an encrypted communication channel between the device owner and relevant resources gateway.  

The device agent/gateway-based deployment variation functions best in an enterprise that runs a robust device management program alongside discrete resources that communicate with the PEP.  

Enclave-Based Deployment 

Under enclave-based deployments, enterprise gateway components reside at the boundary of resource enclaves, which usually serve a single business function. The model works optimally for enterprises that utilize micro-services on the cloud, such as database lookups. Such enterprises may use legacy systems and similar network layouts that prevent the use of individual gateways.  

Resource Portal-Based Deployment 

The resource portal-based deployment model applies the PEP as a single component gateway for data requests. Resource portal-based deployment provides convenience for users, as device agents do not need to install software components. As such, the model works best for enterprises running BYOD policies and other remote network collaborations.  

Device Application Sandboxing 

Device application sandboxing refers to the practice of enabling vetted applications and processes to run compartmentalized (in a sandbox) on assets. Applications request access from the PEP while refusing access from other applications on the asset. One advantage of this model involves the segmentation of individual applications, which provides added security against malware that may compromise host assets.  

Forcepoint and Zero Trust  

Forcepoint is uniquely positioned to help Federal contractors meeting the NIST SP 800-207 requirements and align their strategies with Zero Trust principles. Forcepoint has decades of experience working with commercial and government customers to develop effective, risk-based programs to protect data, intellectual property, and information systems.  

Our full and integrated security portfolio helps agencies implement a practical approach to Zero Trust. Our unique combination of products requires explicit permission for every user trying to enter the network. However, our solution goes beyond access control; with Forcepoint you can stop threats from moving throughout your network, control the usage of data, and allow security teams to continuously access risk.  

As a key component of Zero Trust implementation, Forcepoint Private Access provides Zero Trust Network Access to private applications. Private Access allows remote workers to work safely while remaining protected against potentially compromised devices and prevents the loss of sensitive information and intellectual property.  

NIST (SP) 800-207 provides enterprises with systematic guidelines for updating their network cybersecurity in a world where remote work prevails, and traditional network defenses are inadequate.   

Zero Trust principles contribute to improved enterprise security postures, and NIST (SP) 800-207 can support enterprises with optimal configurations according to their business needs.