
5 Key Takeaways about ZTA from NIST SP 1800-35

June 24, 2025

Adopting Zero Trust principles significantly reduces cybersecurity risks by ensuring only the right people, under the right circumstances, gain access to your resources.

But navigating the journey to Zero Trust Architecture (ZTA) can feel overwhelming. With the release of NIST Special Publication 1800-35, there's finally a clear, practical guide to help organizations implement Zero Trust effectively.

We’ve distilled the essential insights and takeaways into this concise, easy-to-follow guide. Here's everything you need to know about NIST SP 1800-35.


What is NIST SP 1800-35 and Why It Matters

The National Institute of Standards and Technology (NIST) has long played a leading role in setting cybersecurity guidance for the public and private sectors. 

This guide is the culmination of a four-year collaborative effort between NIST’s National Cybersecurity Center of Excellence (NCCoE), federal agencies, and industry partners. Its goal? Provide real-world, lab-tested guidance for how to design and implement Zero Trust systems.

Unlike previous publications that focused on conceptual models, this document outlines practical steps using actual technologies in simulated environments. That means it’s no longer just a question of “what is Zero Trust?” but rather, “how do we do it?”

NIST SP 1800-35 is based on real technologies, interoperable open standards, and 19 separate implementation builds across four core ZTA approaches:

  • Enhanced Identity Governance (EIG)

  • Software-Defined Perimeter (SDP)

  • Microsegmentation

  • Secure Access Service Edge (SASE)

It’s not a theoretical whitepaper — it’s a how-to manual for organizations that are ready to make Zero Trust real.


5 Key Takeaways about ZTA from NIST SP 1800-35

1. ZTA Addresses Traditional Perimeter-Based Security Risks

NIST makes it clear that traditional perimeter defenses are outdated. Modern enterprise environments span on-premises systems and multiple clouds, with users accessing resources from anywhere, on any device. Zero Trust explicitly rejects the assumption that internal entities can be trusted by default—every access request must be verified based on identity and context.

“It is no longer feasible to simply protect data and resources at the perimeter of the enterprise environment or to assume that all users, devices, applications, and services within it can be trusted.”
Section 2.1, Motivation for the Project

“By protecting each resource individually and employing extensive identity, authentication, and authorization measures to verify a subject’s requirement to access each resource, zero trust can ensure that authorized users, applications, and systems have access to only those resources that they absolutely have a need to access in order to perform their duties, not to a broad set of resources that all happen to be within the network perimeter.”
Section 7.1, Risks Addressed by the ZTA Reference Architecture

2. ZTA Means Real-Time, Context-Aware Access Enforcement

ZTA policies consider a wide range of context in real-time—identity, device posture, location, and even behavioral anomalies. Every request is judged dynamically to determine if access should be granted. 

It is no longer enough to just check who someone is. Static policies won’t cut it. Continuous verification ensures access remains appropriate throughout the session, adjusting to shifting risk factors in real time.

This is a major shift from traditional session-based or login-time checks and reduces the window of opportunity for attackers by stopping lateral movement early.

“ZTA explicitly verifies the context available at access time—this includes both static user profile information or non-person entity information, such as the requester’s identity and role; and dynamic information, such as geolocation, the requesting device’s health and credentials, the sensitivity of the resource, access pattern anomalies…”
Section 2.1, Motivation for the Project
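To make the "context at access time" idea concrete, here is an added example (not code from the original post, from Pomerium, or from NIST SP 1800-35) of a per-resource policy decision that weighs identity, device posture, geolocation, MFA freshness and a behavioral anomaly score, and that is re-run on every fresh context snapshot during a session so a grant can be revoked mid-session. The field names, thresholds and the sample session are constructed assumptions for illustration.

```python
from dataclasses import dataclass
from typing import Iterable, List, Set, Tuple

# Constructed example: context-aware, per-resource access decisions with
# continuous re-evaluation. Field names and thresholds are assumptions for
# illustration, not Pomerium configuration or anything specified by NIST.

@dataclass(frozen=True)
class RequestContext:
    subject: str
    roles: Set[str]
    device_cert_valid: bool      # device presented a valid client certificate
    device_compliant: bool       # endpoint-management posture check passed
    country: str                 # coarse geolocation of the request
    mfa_age_seconds: int         # seconds since the subject last completed MFA
    anomaly_score: float         # 0.0 (normal) .. 1.0 (highly anomalous), from analytics

@dataclass(frozen=True)
class Resource:
    name: str
    sensitivity: str             # "low" or "high"
    allowed_roles: Set[str]
    allowed_countries: Set[str]

# Policy thresholds (assumed values for the example).
MFA_MAX_AGE_HIGH = 900           # high-sensitivity resources: MFA within 15 minutes
ANOMALY_DENY_HIGH = 0.5
ANOMALY_DENY_LOW = 0.8

def decide(ctx: RequestContext, res: Resource) -> Tuple[bool, str]:
    """Evaluate one access request against one resource.
    Returns (allowed, reason). Every check is per-resource; network
    location is deliberately not an input, only the request's own context."""
    if not (ctx.roles & res.allowed_roles):
        return False, "role-not-permitted"
    if not ctx.device_cert_valid:
        return False, "device-unidentified"
    if not ctx.device_compliant:
        return False, "device-noncompliant"
    if ctx.country not in res.allowed_countries:
        return False, "geolocation"
    if res.sensitivity == "high":
        if ctx.mfa_age_seconds > MFA_MAX_AGE_HIGH:
            return False, "mfa-stale"
        if ctx.anomaly_score >= ANOMALY_DENY_HIGH:
            return False, "behavioral-anomaly"
    elif ctx.anomaly_score >= ANOMALY_DENY_LOW:
        return False, "behavioral-anomaly"
    return True, "allowed"

def verify_continuously(contexts: Iterable[RequestContext], res: Resource) -> List[Tuple[bool, str]]:
    """Re-run the decision each time fresh context arrives during a session.
    A session that started as 'allowed' is revoked as soon as any check fails."""
    return [decide(c, res) for c in contexts]

def demo() -> List[Tuple[bool, str]]:
    payroll = Resource("payroll-db", "high", {"finance"}, {"US"})
    base = dict(subject="alice", roles={"finance"}, device_cert_valid=True,
                device_compliant=True, country="US", mfa_age_seconds=60, anomaly_score=0.1)
    # Constructed stream of context snapshots for one session:
    session = [
        RequestContext(**base),                                   # login-time check passes
        RequestContext(**{**base, "mfa_age_seconds": 600}),       # still fresh enough
        RequestContext(**{**base, "mfa_age_seconds": 1200}),      # MFA too old for "high"
        RequestContext(**{**base, "mfa_age_seconds": 30,
                          "device_compliant": False}),            # device posture drifted
        RequestContext(**{**base, "anomaly_score": 0.9}),         # analytics flag unusual behaviour
    ]
    return verify_continuously(session, payroll)

if __name__ == "__main__":
    for allowed, reason in demo():
        print("ALLOW" if allowed else "DENY ", reason)
```

The point of `verify_continuously` is that the same `decide` function runs at login time and again whenever posture, MFA age or analytics signals change; nothing about the first "allowed" result is cached. In a real deployment the context would be assembled from an identity provider, an endpoint-management agent and a telemetry pipeline rather than constructed inline.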

3. A Modular, Phased Implementation Is to Be Expected for ZTA

NIST SP 1800-35 acknowledges the reality: most organizations can’t shift to full Zero Trust overnight. The NCCoE deliberately built 19 example ZTA implementations and demonstrated a number of common use cases so that organizations can emulate these implementation models. By outlining crawl, walk, and run phases, NIST SP 1800-35 provides a flexible path toward implementation.

“This project began with a clean laboratory environment that we populated with various applications and services that would be expected in a typical enterprise to create several baseline enterprise architectures… We used a phased approach to develop example ZTA solutions. This approach was designed to represent how we believe most enterprises will evolve their enterprise architecture toward ZTA, i.e., by starting with their already-existing enterprise environment and gradually adding or adapting capabilities.”
Section 3, Architecture and Builds

4. ZTA is Not a One and Done Deal

Just as an organization’s goals change, technology is upgraded or becomes obsolete, and the threat landscape keeps shifting, a ZTA must also continue to change and adapt to this ever-changing environment.

ZTA is complex in that there’s no one-size-fits-all solution, and it is definitely not a one-time project. Organizations must continue to monitor, validate, and update policies and technologies so that they remain effective.

“Creating a ZTA is not a one-time project but an ongoing process. The organization’s CISO or other security team members should perform ongoing validation of their ZTA access policies to ensure that they continue to be defined in a manner that supports the organization’s mission and business use cases while conforming with the principles of least privilege and separation of duties.”
Section 8.7 Continuously Improve and Evolve Due to Changes in Threat Landscape, Mission, Technology, and Requirements
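The "ongoing validation" NIST describes can be partly automated. The following is an added example (not code from the original post, from Pomerium, or from NIST SP 1800-35) of a small policy linter that a security team could run on a schedule against its authorization policies: it flags wildcard grants that violate least privilege, roles that hold conflicting actions under separation of duties, and policies that still reference roles or resources no longer in inventory. The policy shape, the conflict pairs and the inventories are constructed assumptions for illustration.

```python
from typing import Dict, List, Set

# Constructed example of a scheduled policy-validation check. The policy
# shape, the separation-of-duties pairs and the inventories are assumptions
# for the example, not a format or rule set from NIST SP 1800-35 or Pomerium.

# A policy grants a role a set of actions on one resource.
Policy = Dict[str, object]   # {"role": str, "resource": str, "actions": Set[str]}

# Action pairs that one role must never hold together (assumed, illustrative).
SOD_CONFLICTS = [
    ("payments:submit", "payments:approve"),
    ("user:create", "user:grant-admin"),
]

def check_least_privilege(policies: List[Policy]) -> List[str]:
    """Flag grants broader than a specific resource or a specific action."""
    findings = []
    for p in policies:
        if p["resource"] == "*":
            findings.append(f"role {p['role']} has a wildcard resource grant")
        if "*" in p["actions"]:
            findings.append(f"role {p['role']} has all actions on {p['resource']}")
    return findings

def check_separation_of_duties(policies: List[Policy]) -> List[str]:
    """Flag any single role that accumulates both halves of a conflicting pair.
    A wildcard action grant is treated as holding every action."""
    actions_by_role: Dict[str, Set[str]] = {}
    for p in policies:
        actions_by_role.setdefault(p["role"], set()).update(p["actions"])
    findings = []
    for role, actions in sorted(actions_by_role.items()):
        holds = lambda a: a in actions or "*" in actions
        for a, b in SOD_CONFLICTS:
            if holds(a) and holds(b):
                findings.append(f"role {role} holds conflicting actions {a} and {b}")
    return findings

def check_stale_references(policies: List[Policy], known_roles: Set[str],
                           known_resources: Set[str]) -> List[str]:
    """Policies that reference roles or resources missing from inventory show
    the policy set has not kept pace with organizational or technology change."""
    findings = []
    for p in policies:
        if p["role"] not in known_roles:
            findings.append(f"policy references unknown role {p['role']}")
        if p["resource"] != "*" and p["resource"] not in known_resources:
            findings.append(f"policy references retired resource {p['resource']}")
    return findings

def validate(policies: List[Policy], known_roles: Set[str],
             known_resources: Set[str]) -> List[str]:
    """Run every check and return the combined list of findings."""
    return (check_least_privilege(policies)
            + check_separation_of_duties(policies)
            + check_stale_references(policies, known_roles, known_resources))

def demo() -> List[str]:
    # Constructed policy set and inventories for the example.
    policies = [
        {"role": "finance", "resource": "payments", "actions": {"payments:submit"}},
        {"role": "finance", "resource": "payments", "actions": {"payments:approve"}},
        {"role": "it-admin", "resource": "*", "actions": {"*"}},
        {"role": "eng", "resource": "legacy-vpn", "actions": {"connect"}},
    ]
    known_roles = {"finance", "it-admin", "eng"}
    known_resources = {"payments", "wiki"}   # legacy-vpn has been retired
    return validate(policies, known_roles, known_resources)

if __name__ == "__main__":
    for finding in demo():
        print("FINDING:", finding)
```

Run as part of a periodic review, each finding becomes a ticket: the wildcard grant gets narrowed, the finance role is split so submission and approval sit with different people, and the policy for the retired VPN is deleted rather than left as a dormant path.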

5. ZTA Reduces Risk—But It’s Not a Silver Bullet

NIST SP 1800-35 reminds the reader that Zero Trust is not a cure-all. 

While it significantly reduces lateral movement, limits insider threats, and tightens access based on role and context, organizations should still be aware that ZTA introduces its own complexities and requires continuous management. ZTA is a powerful tool, but not a “set-it-and-forget-it” solution.

“While implementing ZTA addresses many risks, it also has limitations. It cannot remove all risks, and the ZTA implementation itself may introduce additional risks that need to be addressed.”
Section 7.1, Risks Addressed by the ZTA Reference Architecture


Zero Trust May Not Be Perfect…

… but Zero Trust isn’t about perfection. It’s about reducing the attack surface, enforcing least privilege, and continuously reevaluating risk. Like any security strategy, its success depends on how well it’s maintained and monitored over time.

Read about the 5 Actionable Zero Trust Patterns from NIST SP 1800-35 (and How to Implement Them)


Where Pomerium Fits In

Pomerium is a solution aligned with Zero Trust principles that lets you apply NIST's guidance in practice without unnecessary complexity.

Pomerium simplifies the implementation of identity-aware, continuous, context-based authorization by seamlessly integrating with your existing systems and helping you rapidly achieve NIST’s recommended ZTA standards without extensive infrastructure overhaul.

Interested in taking your Zero Trust journey to the next level? 

Explore how Pomerium can enhance your organization's security today.

-> Secure your first route with Pomerium

-> Read how companies apply policy in real-time

-> Request a demo
