NSA’s Zero-Trust Guidelines: An Explainer

The NSA believes that organizations should adopt a crawl, walk, run approach where zero-trust migration is gradual. It should be a careful transition that does not undermine its security posture.

Sam Bocetta

May 4, 2022

8 Min Read
NSA’s Zero-Trust Guidelines: An Explainer
(Source: Pixabay)

As software and technology rapidly advance, keeping track of what security protocols to implement can be daunting. As such, the zero-trust security model has gained much traction in recent years. It endeavors to provide security measures that are immune to past, current, and future trends in cybersecurity.

In February 2021, the NSA released guidance on embracing a zero-trust security model. Its purpose is to help organizations adopt, implement, and understand zero trust security’s key principles.

The following guide will review this guidance and simplify some of its more abstruse concepts. Additionally, it will provide additional tips and explanations to help you implement a zero-trust security protocol.

Zero-Trust Security: An Overview

Zero trust security is a philosophy and security approach that requires IT leaders and employees to rethink their perspectives and relationships with cybersecurity. It forces you to assume that a threat has already occurred, and thus, the bad actor has breached the network. This premise alone forces you to reevaluate the architecture of your network.

Many organizations have network infrastructures that have yet to embrace a breach mentality. Essentially, their focus is to prevent breaches instead of handling them when they occur. This can leave them exposed, particularly to lateral movements by bad actors.

The zero-trust security model is data-centric. There is less attention placed on the physical infrastructure of IT and more on “transport.” Essentially, what matters most to cybercriminals is your digital assets, which are largely represented in data. Thus, it’s important to secure where your data originates, how it travels, and where it is ultimately stored.

Zero trust enforces tight access controls and privileges. Users are given strict access to your organization’s digital assets - they can only see and access components of the infrastructure that allows them to perform their assigned tasks. This approach is often referred to as granular risk-based access control.

While the adoption of zero-trust security has increased over the last few years, many organizations still have yet to leverage it to secure their digital infrastructure.

Why Does the NSA Care About Business Network Security Infrastructure?

The NSA’s key mission is to eliminate threats to national security systems and the Defense Industrial Base. But what does this have to do with local businesses? One way the NSA hopes to increase its ability to prevent threats to national security is by establishing open relationships between government and industry.

This allows for bi-directional security intelligence sharing. These partnerships take advantage of all available talent and expertise to improve security across the nation.

In the last few years, we’ve seen an exponential increase in cybercrime incidents, from malware attacks increasing to 358% in 2020 to ransomware damage costs rising to nearly $20 billion in 2021. Data has become an important commodity.

From the negative financial implications to the damage to a company’s online reputation, cybercrime’s effects on business have been well-documented. However, cybercrime doesn’t just affect the private sector.

As more people rely on technology and we see more developments in trends such as cryptocurrency, IoT, and the Metaverse, cybercrime has become a national security concern.

This concern spurned the Department of Defence’s zero-trust security journey in 2019. Since then, it’s been highly focused and increasingly persistent in ensuring that it can learn all it can on zero trust and all related technology. 

The last few years saw many cybersecurity vendors begin to offer tools to implement zero-trust security protocols, which is why it has seen such a rise in popularity.

Implementing Zero Trust According to the NSA

Firstly, the NSA recommends that companies, customers, and users educate themselves on what zero trust means. This process involves demystifying some of zero trust’s key concepts and addressing all of its misconceptions.

Tackling Misconceptions Regarding Zero Trust Security

Firstly, zero trust is not a singular purchasable software solution that can solve all your cybersecurity concerns through a single click. It is a collection of capabilities, principles, and protocols that must be integrated accordingly.

Zero trust security is not instantaneous. Some experts describe it as a journey. Adopting a successful zero-trust security framework can take years, depending on the organization’s size and resources.

The NSA believes that organizations should adopt a crawl, walk, run approach where zero-trust migration is gradual. It should be a careful transition that does not undermine its security posture.

It is recommended that organizations begin their zero-trust security journey by first applying the most basic principles. Once the organization discerns its mission outcomes, it can lay down a reliable foundation and then move on to applying more sophisticated concepts and policies.

Accordingly, zero-trust security requires patience and continuous careful planning. Its purpose is to provide companies with a framework that can provide long-term security for their digital assets. You need to understand your users, devices, and how your data flows. Furthermore, it will require you to establish the right access control policies and procedures within your network infrastructure and combine them.

The First Steps to Implementing Zero-Trust Security: The Crawl Phase

According to the NSA, the first thing companies should do during the preliminary phase (or the crawl phase) of integrating zero-trust security is to analyze their data flow. Several studies show that only 50-60% of companies know where all their data is contained. It’s important to ascertain how your data travels through your organization and where it is stored.

Does your data live exclusively in the cloud or on-premises servers? Is the data encrypted? You must be able to answer these questions as they will help you understand how secure your data already is.

Once you can discern the nature of your data, you need to understand your network – the tunnels your data travels through. You need to figure out who is on your network and then discern who is supposed to be on our network and what access privileges they should be limited to. 

For instance, if you use an active directory, have you ensured that it’s up to date and users who no longer work in your company have been removed from it? Outdated or unmaintained active directories are immense risks to cyber-security.

These are the first areas that organizations should address as they slowly implement a zero-trust approach.

Additionally, as organizations adopt remote and hybrid work environments, they must aggressively authenticate and monitor all internal and external devices that connect to the network. This includes the access points they latch onto. 

Furthermore, not every application on allowed devices should be able to access the network, especially if these applications are outdated or deprecated.

The crawl phase of the zero-trust security implementation requires you to investigate the dynamics between your data, network, users, devices, and applications. These are the most tangible aspects of your company’s security. It will give you an initial understanding of your organization’s potential cyber-attack surfaces.

The User Perspective

One of the biggest concerns for organizations and users is that it will interfere with speed and productivity. However, according to the NSA, zero-trust security should not impede the user experience. In fact, the change should be almost imperceptible, or the user should be able to notice an improvement in network and application speed.

That said, implementing zero-trust security does require a change in the user's relationship with network security. For instance, how the user signs in to the network will most likely change.

Originally, all users needed to sign into a network was their name and password. Zero trust enforces multi-factor authentication (MFA), meaning there will be more than one mode of authentication to access network resources. For example, you may be required to enter your password and a one-time pin sent to your smartphone or email address.

Multi-factor authentication is highly recommended as part of the zero-trust reference architecture by the Department of Defense (DoD), National Security Strategy (NSS), and the Defense Industrial Base.       

Adopting this MFA and zero-trust security environment will require a change in user habits. Some may see it as inconvenient; however, many may find the additional security comforting.


Because zero trust limits which devices can communicate or connect, it reduces the noise floor for network administrators. This makes it easier to track, analyze and manage traffic. According to Randy Resnick, The NSA’s Zero Trust Strategic Lead, zero trust should not be feared but embraced. Zero trust’s overall benefits are so massive that we may see fewer incidents of major cybercrime reported in the news as more organizations adopt it in the next five years.

Related articles:

About the Author(s)

Sam Bocetta

Sam Bocetta is a freelance journalist specializing in U.S. diplomacy and national security, with emphases on technology trends in cyberwarfare, cyberdefense, and cryptography.

Stay informed! Sign up to get expert advice and insight delivered direct to your inbox

You May Also Like

More Insights