NIST SP 800-207
Zero Trust Architecture: tenets, components, and evidence

NIST SP 800-207 Zero Trust Architecture explained

NIST Special Publication 800-207, published in August 2020 and authored by Scott Rose, Oliver Borchert, Stu Mitchell, and Sean Connelly, is the authoritative reference standard for Zero Trust Architecture. The publication defines Zero Trust as a set of design principles, not a product. It names the architecture by what it does (treat every resource as untrusted by default, evaluate access per session against dynamic policy, monitor asset posture continuously) rather than by what it is built from, which is why the same reference reads against a programme deploying identity-aware proxies, a programme building software-defined perimeters, and a programme adopting micro-segmentation behind cloud-native gateways.

For internal security teams, AppSec teams, vulnerability management functions, GRC owners, security engineering teams, and CISOs, SP 800-207 is the vocabulary that lets a Zero Trust programme communicate consistently across architecture review boards, audit committees, federal customers, and security vendors. Programmes already operating against NIST CSF 2.0, NIST SP 800-53, or ISO 27001 do not need to migrate; SP 800-207 sits as the architectural overlay that the underlying control catalogues evidence.

The seven tenets of Zero Trust

SP 800-207 grounds Zero Trust in seven tenets that describe the operating posture rather than a product or a checklist. The tenets are the test a programme runs itself against: a design that violates a tenet is not Zero Trust under SP 800-207, regardless of what the vendor literature claims.

The three logical components: PE, PA, PEP

SP 800-207 splits the ZTA decision plane into three logical components. The Policy Engine and the Policy Administrator together form the Policy Decision Point (PDP), which the Policy Enforcement Point queries before each access decision. The decomposition is logical; an implementation can host the PE and PA inside one product, distribute them across multiple services, or replace either independently as the architecture evolves.

Trust algorithm inputs

The trust algorithm is the process the PE uses to grant, deny, or revoke access. SP 800-207 names the input categories the algorithm reads against. The algorithm can be criteria-based (binary checks against a fixed rule set, useful when the inputs are well-typed and the policy is regulator-grade) or score-based (weighted scoring against a confidence threshold, useful when behavioural and environmental signals carry meaningful but uncertain information). Mature programmes blend the two: a criteria check on the regulator-grade requirements, then a score-based read for the contextual nuance.

Three core deployment approaches

SP 800-207 names three approaches a programme can take to ZTA. The approaches are not mutually exclusive; most enterprise programmes blend two or three of them rather than adopting only one. The choice is driven by the legacy architecture in place, the identity and asset management maturity, and the rate at which the resource catalogue is changing.

ZTA deployment variations

Beyond the three approaches, SP 800-207 details four deployment variations that describe how the components physically sit relative to the subject and the resource. The variation choice depends on what the device fleet looks like, whether the resource can host a sidecar, and whether partner or contractor access is in scope. A real programme typically runs more than one variation across the resource catalogue.

Threats specific to Zero Trust Architecture

SP 800-207 documents the threats that arise from the ZTA model itself, not from the absence of it. The threats are not arguments against ZTA; they are the engineering requirements the architecture has to meet for the trust-shift from the network to the policy plane to net out positive. Programmes that adopt ZTA without designing against these threats inherit them in concentrated form.

CISA Zero Trust Maturity Model alignment

SP 800-207 is the reference architecture; the CISA Zero Trust Maturity Model (ZTMM) v2.0 is the maturity model the federal-civilian community and most non-federal programmes use to track progress. ZTMM organises Zero Trust across five pillars and three cross-cutting capabilities, with four maturity stages (Traditional, Initial, Advanced, Optimal). OMB Memorandum M-22-09 is the federal-side mandate that obliges United States federal civilian agencies to adopt the Zero Trust strategy. The DoD Zero Trust Reference Architecture is the defence-side companion. Non-federal programmes typically read ZTMM as the maturity inventory and SP 800-207 as the architectural reference.

Failure modes the reference architecture is designed to surface

SP 800-207 is forgiving on the choice of vendor, the choice of deployment approach, and the choice of identity provider. It is unforgiving about a small number of patterns that erode the integrity of the architecture and leave the programme with the appearance of Zero Trust rather than the operating posture. The patterns below are the recurring ones across early and mid-stage adoptions.

Evidence the architecture expects to see

A SP 800-207 programme is auditable when the evidence is produced as a side effect of the operating work rather than reconstructed at audit time. The minimum set below maps to the artefacts examiners, customer auditors, and federal customers most often ask against, and the same artefacts feed parallel reads under NIST CSF 2.0, NIST SP 800-53, ISO 27001, SOC 2, and the CISA ZTMM scorecard when the underlying record is structured.

How SP 800-207 relates to CSF 2.0, SP 800-53, ISO 27001, and adjacent regimes

SP 800-207 is an architectural reference, not a control catalogue. The control evidence the architecture needs lives in the underlying catalogues a programme already operates against. The relationships below are the ones programmes most often need to read together.

• The NIST CSF 2.0 framework page covers the outcome framework that ZTA reads against. The PR (Protect) function maps directly to the access-control and identity-management work ZTA carries; the DE (Detect) function reads against the continuous monitoring SP 800-207 mandates; the GV (Govern) function carries the policy hierarchy and the executive accountability the architecture needs at scale.
• The NIST SP 800-53 framework page covers the control catalogue underneath. ZTA reads against the AC (Access Control), IA (Identification and Authentication), SC (System and Communications Protection), AU (Audit and Accountability), and SI (System and Information Integrity) families directly. Federal and federally regulated programmes typically operate SP 800-53 as the control set and SP 800-207 as the architectural overlay.
• The ISO 27001 framework page covers the certifiable Information Security Management System standard. ISO 27001 Annex A controls (A.5 access control, A.6 identity, A.7 authentication, A.8 asset management, A.5.7 threat intelligence) carry the underlying evidence SP 800-207 reads against, so an ISO 27001 ISMS already produces most of the artefact set the ZTA programme needs.
• The CISA Secure by Design framework page covers the principles and pledge for software manufacturers. Secure by Design and Zero Trust share the operating premise that defaults must be safe; software produced under Secure by Design reduces the burden ZTA carries by removing the unsafe defaults the architecture would otherwise have to constrain.
• The CIS Controls framework page covers the prioritised defensive actions. CIS Controls v8.1 carries the prescriptive guidance for identity (Control 5, Control 6), asset inventory (Control 1, Control 2), and access control (Control 12) that ZTA depends on, so a CIS Controls IG2 or IG3 baseline gives ZTA a strong foundation to read against.
• The SOC 2 framework page covers the AICPA Trust Services Criteria. SOC 2 examinations read against the same underlying access-control, authentication, and monitoring evidence ZTA needs; programmes operating SOC 2 already hold most of the CC6 (Logical and Physical Access) and CC7 (System Operations) artefacts ZTA expects.
• The CISA Cybersecurity Performance Goals framework page covers the prioritised baseline CISA recommends for critical infrastructure and any organisation with a comparable risk profile. CPGs v2.0 reads against the same identity, access-control, and continuous monitoring outcomes SP 800-207 expects; programmes adopting CPGs as the prioritised first wave land most of the prerequisite work ZTA reads against.
• The Zero Trust Architecture implementation guide covers the practitioner-side rollout: building the inventory, choosing the deployment approach, sequencing the PEP rollout, and operating the policy rule set against the changing resource catalogue. The implementation guide pairs with this reference page as the operational companion.

Where SecPortal fits in a SP 800-207 programme

SecPortal is the operating layer for the Zero Trust programme record, not a Policy Engine, Policy Administrator, or Policy Enforcement Point. The platform handles the strategy document, the inventory of subjects and resources at audit time, the asset posture findings from the SAST, authenticated DAST, and external scanning work, the continuous monitoring evidence, the policy review cadence, and the ZTMM scorecard refresh so the architecture evidence sits on one operating record rather than spread across a dozen tools and spreadsheets.

The asset posture inputs that feed the trust algorithm are where most of the day-to-day vulnerability work touches ZTA. Findings from authenticated scans against the resources the PEPs guard, external scanning against the internet-facing surface, and code scanning against the repositories that build the resources all read against the asset posture record the PE consumes. The remediation tracking workflow keeps the line from the finding through to the asset posture evidence auditable. The asset criticality scoring workflow carries the resource classification ZTA uses to attach the right policy rule set per resource class. The security leadership reporting workflow rolls the ZTMM scorecard refresh and the architecture posture into the leadership cadence the GOVERN function expects.

For internal teams running the programme, the internal security teams workspace bundles the platform with the engagement structure SP 800-207 expects across the cycle. For the security engineering function that owns the PEP rollout, the policy rule set, and the asset posture integrations, the security engineering teams workspace covers the build-side mechanics. For the AppSec function that owns the application-side access-control evidence the architecture reads against, the AppSec teams workspace carries the development-adjacent angle. For the security architecture function that owns the threat model, the design review queue, the control-to-architecture mapping, and the review evidence the ZTA tenet checklist reads against, the security architects workspace carries the design-side angle on the same engagement record the rest of the workspace operates from. For the GRC function that holds the audit-side evidence pack across CSF 2.0, SP 800-53, ISO 27001, and the CISA ZTMM scorecard, the GRC and compliance teams workspace carries the cross-framework reconciliation. For security leaders carrying the architecture accountability and the ZTMM scorecard cadence, the CISOs and security leaders workspace covers the program-level reporting model.

For the continuous monitoring discipline SP 800-207 mandates, the continuous monitoring capability and the authenticated scanning capability produce the cadence and coverage record the architecture reads against. For analytical context on how the maturity model evolves across cycles, the continuous control monitoring cadence research covers the operating discipline that pairs with the ZTMM scorecard refresh, and the security control drift research covers the erosion patterns the architecture is designed to surface.