What is NIST SP 800-207?
NIST Special Publication 800-207 is the official reference document of the US National Institute of Standards and Technology for implementing a Zero Trust Architecture (ZTA). The publication describes the concepts, principles and functional building blocks for organisations seeking to apply Zero Trust in their IT and OT environments.
NIST SP 800-207 is not a technical standard but an architectural guide for those who wish to implement Zero Trust strategically and in a structured way.
Key principles
- No implicit trust: trust is not based on network position or device location
- Access control based on identity and context: every access requires verification and a policy check
- Continuous evaluation: trust is determined dynamically based on behaviour, risk and status
- Visibility and analysis: logging, monitoring and anomaly detection are essential
- Securing all communications: between users, applications and systems
Fundamental components
| Component | Function in a Zero Trust Architecture |
|---|---|
| Policy Enforcement Point (PEP) | Enforces access decisions and performs authentication |
| Policy Decision Point (PDP) | Determines whether access is allowed based on rules |
| Trust Algorithm / Risk Engine | Assesses trust based on identity, behaviour, location |
| Continuous Diagnostics & Monitoring | Real-time visibility of users, devices and connections |
| Resource / Asset | The target of access: application, service or OT component |
This architecture is applicable to traditional IT environments as well as industrial networks (ICS/OT).
Relevance for OT environments
| ZTA principle | Application in industrial environments |
|---|---|
| Identity-based access | Access to SCADA, HMI or Engineering Stations is strictly governed |
| Segmentation per asset group | Microsegmentation between SCADA, Historian and field components |
| Continuous verification | Sessions of remote engineers are monitored and time-limited |
| Logging and analysis | Every connection and action is recorded for forensic analysis |
In OT, applying NIST SP 800-207 depends on stability requirements, network architecture and supplier capability.
Implementation steps according to NIST SP 800-207
- Inventory resources: know what systems, applications and users exist
- Identify access paths: who has access to what, and how?
- Implement authentication and authorisation: for all users and devices
- Restrict access via policies: use dynamic rules per risk or role
- Monitor behaviour and decisions: detect anomalies or policy violations
- Manage trust relationships continuously: not a "set-and-forget" model
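The component table above and these implementation steps can be tied together in a small model of a Policy Decision Point, a trust algorithm and a Policy Enforcement Point. The following is an added illustration, not code from NIST SP 800-207 or any product; the policy entries, resource names, point weights, thresholds and session lifetimes are all constructed assumptions chosen to show how identity, device posture, location and behaviour feed one decision, how unknown or unauthorised requests are refused, and how a remote engineer's session is given a short lifetime.

```python
from dataclasses import dataclass, replace
# Constructed sample policy and inventory (hypothetical names, not from NIST SP 800-207).
POLICY = {("ot-engineer", "scada", "read"), ("ot-engineer", "scada", "configure"),
          ("ot-operator", "hmi", "read"), ("ot-operator", "hmi", "operate"),
          ("analyst", "historian", "read")}  # permitted (role, resource class, action)
RESOURCE_CLASS = {"scada-01": "scada", "hmi-line3": "hmi", "historian-a": "historian"}
NETWORK_POINTS = {"plant-lan": 30, "corp-lan": 20, "remote": 10}  # hypothetical weights
AUDIT_LOG = []  # every decision is recorded (visibility and analysis principle)
@dataclass
class AccessRequest:
    subject: str
    role: str
    mfa_verified: bool        # identity signal
    device_compliant: bool    # device posture signal
    source_network: str       # location signal, never a source of implicit trust
    resource: str
    action: str
    anomaly_score: float = 0.0  # 0.0 normal .. 1.0 highly anomalous, fed by monitoring

def trust_score(req):
    """Trust algorithm: combines identity, device, location and behaviour into 0..100."""
    score = (40 if req.mfa_verified else 0) + (30 if req.device_compliant else 0)
    score += NETWORK_POINTS.get(req.source_network, 0)
    score -= round(50 * req.anomaly_score)   # behaviour lowers trust dynamically
    return max(0, min(100, score))

def decide(req):
    """Policy Decision Point: returns (allowed, reason, session_ttl_minutes)."""
    cls = RESOURCE_CLASS.get(req.resource)
    if cls is None:                       # not inventoried: no policy can cover it
        return False, "resource not in inventory", 0
    if (req.role, cls, req.action) not in POLICY:
        return False, "no policy grants this action", 0
    threshold = 80 if req.action in ("configure", "operate") else 50  # stricter for changes
    score = trust_score(req)
    if score < threshold:
        return False, f"trust {score} below {threshold}", 0
    ttl = 30 if req.source_network == "remote" else 480  # remote sessions are time-limited
    return True, f"trust {score} meets {threshold}", ttl

def enforce(req):
    """Policy Enforcement Point: applies the PDP decision and writes the audit record."""
    allowed, reason, ttl = decide(req)
    AUDIT_LOG.append({"subject": req.subject, "resource": req.resource, "action": req.action,
                      "allowed": allowed, "reason": reason, "ttl_minutes": ttl})
    return allowed

def sample(**overrides):  # constructed baseline: remote engineer reconfiguring SCADA with MFA
    base = AccessRequest("alice", "ot-engineer", True, True, "remote", "scada-01", "configure")
    return replace(base, **overrides)
```

A real PDP would take these signals from an identity provider, a device-management system and the monitoring pipeline rather than from request fields, and the PEP would re-check the session when the TTL expires or the anomaly score changes.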
Related documents
| Document | Relevance |
|---|---|
| IEC 62443-3-3 | Technical security requirements that align with ZTA principles |
| ISO 27001 | General information security management controls |
| NIS2 | European requirement for access management and segmentation |
| NIST SP 800-160 Vol. 2 | Engineering principles for cyber resilience of industrial systems |
In summary
NIST SP 800-207 provides a robust framework for thinking and working in line with Zero Trust principles. For OT environments, this model helps to design controlled, transparent and secure access to industrial systems, without relying on the internal network alone.
