VMware’s CRADA with NIST’s NCCoE for Zero Trust Architecture Implementations

June 24, 2022

Helping Industry & Government Reduce the Risk of Cyber Attacks

Diagram, shape</p>
<p>Description automatically generated

 

VMware and the NCCoE’s Zero Trust Architecture Project

VMware entered into a Cooperative Research & Development Agreement (CRADA) with the National Institute of Standards & Technology (NIST)’s National Cybersecurity Center of Excellence (NCCoE) group this past year, as they aim to remove the shroud of complexity around designing for zero trust with “how-to” guides and example approaches to implementing a Zero Trust Architecture (ZTA) for several common business cases that culminated into the June 2022 release of a Draft, Special Publication (SP) 1800-35.

Project Background

Since late 2018, NIST and NCCoE cybersecurity research teams have had the opportunity to work closely with the Federal Chief Information Officer (CIO) Council, federal agencies, and industry to address the challenges and opportunities for implementing zero trust architectures across U.S. government networks. This work resulted in the publication of NIST Special Publication (SP) 800-207, Zero Trust Architecture.

As a follow up a year later, the NCCoE and the Federal CIO Council co-hosted a ZTA Technical Exchange Meeting that brought together zero trust vendors and practitioners from government and industry to share successes, best practices, and lessons learned in implementing zero trust in the federal government and the commercial sector.

Project Overview

In the NCCoE’s own project abstract, they detail the proliferation of cloud computing, mobile device use, and the Internet of Things (IoT) dissolving conventional network boundaries. Since today’s workforce is more distributed, with remote / Work from Home (WFH) staff who need access to resources anytime, anywhere, and on any device proliferate the landscape; thus, a solution architecture must evolve to provide secure access to those resources from any location and asset, protect interactions with business partners, and shield client-server as well as inter-server communications.

The NCCoE initiated this project in collaboration with industry participants, like VMware, in order to demonstrate several approaches to a ZTA as applied to a conventional, general-purpose enterprise information technology (IT) infrastructure, both on-premises and within cloud-hosted environments, which will be designed and deployed according to the concepts and tenets documented in NIST Special Publication (SP) 800-207, Zero Trust Architecture.

The example implementations integrate commercial and open-source products that leverage cybersecurity standards and recommended practices to the robust security features of zero trust architectures. See the Figure below for VMware’s example overlay with SP 800-207:

image 119

Figure: Architectural Overlay of VMware solutions within the NIST SP 800-207 ZTA framework

Project Objectives

  • Demonstrate an example implementation of ZTA using commercially available technology components designed according to concepts in NIST’s special publication (SP) 800-207;
  • Demonstrate various examples of user access to enterprise or agency resources across boundaries, confined by policy-based security constraints orchestrated by zero trust principles through ‘lessons learned’ from previous engagements

Project Delivery

The scope of the project will result in a NIST 'Cybersecurity Practice Guide' including this first Special Publication draft and to be made publicly available as an example of a description for practical steps needed to implement the cybersecurity reference designs for zero trust for agencies or other organizations. Also, by taking the previous engagements and lessons learned into account, this NCCoE project will build upon those previous bodies of knowledge and continue to share lessons learned with the Federal CIO Council providing feedback to inform NCCoE cybersecurity guidance and identify future challenges in this space.

Collaborating Vendors

Organizations like VMware have been participating in this project and submitted their capabilities earlier in response to an open call in the Federal Register for all sources of relevant security capabilities from academia and industry (e.g. vendors and integrators). Respondents with those relevant capabilities or product components (A.K.A. “Technology Partners/Collaborators”) signed a CRADA to collaborate with NIST in a consortium to build this example solution.

Why VMware?

As VMware provides the NCCoE those references to our capabilities in the realm of Zero Trust Security solutions and technology from an industry perspective, we will also ensure that those relevant capabilities include a modern, multi-cloud collaboration and ZT integration aspect as a part of our entire portfolio.

Figure: VMware Anywhere Workspace Overlay of ZT solutions to enable NIST framework for FedGov WFH/HO

Each of the components of VMware Anywhere Workspace builds trust to empower today’s anywhere workforce with secure and frictionless experiences by:

  • Delivering unique integrations enabling tailored experiences and higher productivity for frontline, hybrid, and remote users, across heterogeneous environments including physical and virtual devices and multiple OS’s.
  • Enabling Zero Trust Network Access (ZTNA) with remote support for any device (BYO, third-party managed, or VMware-managed) for the hybrid workforce.
  • Facilitating flexible deployment options to obtain immediate value for prioritized use cases, so you can scale at your own pace to harness the full potential of an integrated platform.
  • Optimizing security and experience through an integrated approach that combines market-leading technologies essential for hybrid work. This integrated approach provides connected visibility and context, ensuring broader security coverage.

 Additional Resources

VMware Tech Zone Zero Trust Portal

VMware Tech Zone Public Sector Portal

NIST NCCoE Implementing ZTA Guide

Associated Content

From the action bar MORE button.

Filter Tags

Blog Announcement Intermediate Zero Trust Public Sector