The newly finalized NIST 1800-35 Special Publication shows how the National Cybersecurity Center of Excellence (NCCoE) labs progressively implemented full Zero Trust Architecture (ZTA) by integrating network-layer enforcement, asset discovery, and real-time context. This Special Publication (SP) reinforces what Forescout has been saying for years: ZTA is a risk-based security strategy that emphasizes continuous validation, least privilege access, and explicit trust decisions across all enterprise assets, including users, assets, networks, applications and data. No single vendor, product, or platform can deliver Zero Trust by itself.
The NCCoE Zero Trust Architecture Project presents Enterprise Builds as practical, lab-based implementations of architectures that reflect progressive implementation stages, technologies, and enforcement capabilities using multiple vendors. They include:
- Enhanced Identity Governance (EIG) Crawl builds
- EIG Run builds
- Software-defined Perimeter (SDP), microsegmentation, and Secure Access Service Edge (SASE) builds
The NIST 1800-35 SP offers one of the most comprehensive and grounded implementation roadmaps we’ve encountered, describing a pragmatic and adaptive approach to ZTA. It outlines a phased, real-world approach to implementing ZTA across enterprise environments, beginning with visibility, progressing to enforcement, and ultimately delivering real-time, continuous control and governance. What makes this SP instrumental in driving outcomes right now is its emphasis on progressive security layering and enforcement as a guiding principle of architectural maturity.
What Is on the Network?
The early phases of the NIST 1800-35 SP Enterprise Builds begin with a not-so-simple question: what exactly is on the network? Without a complete inventory of devices, services, and traffic flows, organizations are forced to make access decisions based on educated guesswork. The NIST SP emphasizes the importance of automated discovery tools that identify and classify assets, monitor communications, and establish an evidentiary baseline of the total attack surface. The early Enterprise Builds show that even without full policy enforcement, gaining visibility alone reveals risks and exposures, including those from unmanaged endpoints (like IoT, shadow IT and rogue devices) and overlooked legacy communications.
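The discovery phase described above, as an added example that is not code from NIST SP 1800-35 or from Forescout: it builds an inventory from constructed NetFlow-style records, compares it with a constructed managed-asset list, and reports the two exposures the paragraph says visibility alone surfaces (unmanaged endpoints and legacy cleartext protocols). The flow records, the managed list, the legacy-port table and the service-port heuristics are all assumptions made for illustration.

```python
"""Passive asset discovery from flow records (added example).

Builds one Asset per host observed on the wire, marks which are absent from
the asset database, and lists legacy cleartext protocol use. Flow records,
the managed list and the heuristics are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Optional

# Constructed flow records: (src_ip, dst_ip, dst_port, protocol, bytes).
FLOWS = [
    ("10.0.1.10", "10.0.2.5", 443, "tcp", 5400),
    ("10.0.1.10", "10.0.2.9", 445, "tcp", 12000),
    ("10.0.4.41", "10.0.2.20", 22, "tcp", 900),
    ("10.0.3.77", "10.0.2.5", 443, "tcp", 800),     # host nobody registered
    ("10.0.3.77", "10.0.2.20", 23, "tcp", 150),     # telnet to the switch
    ("10.0.5.12", "10.0.2.30", 1883, "tcp", 300),   # MQTT publisher
    ("10.0.5.13", "10.0.2.30", 1883, "tcp", 280),   # another MQTT publisher
    ("10.0.2.30", "10.0.2.9", 445, "tcp", 4000),    # MQTT broker reaching the file server
]

# Constructed managed-asset list: what the asset database believes exists.
MANAGED = {
    "10.0.1.10": "workstation", "10.0.2.5": "web-server", "10.0.2.9": "file-server",
    "10.0.2.20": "switch", "10.0.4.41": "admin-jumpbox",
}

# Ports whose presence on the wire indicates a cleartext legacy protocol (assumed table).
LEGACY_PORTS = {21: "ftp", 23: "telnet", 69: "tftp", 513: "rlogin"}

# Service-port heuristics used to guess what an unregistered host is (assumed table).
SERVICE_HINTS = {1883: "iot-mqtt", 502: "ot-modbus", 5900: "vnc-host"}


@dataclass
class Asset:
    ip: str
    managed_as: Optional[str] = None
    served_ports: set = field(default_factory=set)     # ports this host accepted connections on
    contacted_ports: set = field(default_factory=set)  # ports this host connected out to
    peers: set = field(default_factory=set)
    bytes_total: int = 0

    @property
    def classification(self) -> str:
        """Registered type if known, otherwise a heuristic guess from observed ports."""
        if self.managed_as:
            return self.managed_as
        for port, label in SERVICE_HINTS.items():
            if port in self.served_ports or port in self.contacted_ports:
                return f"unmanaged:{label}"
        return "unmanaged:unknown"


def build_inventory(flows, managed):
    """One Asset per IP seen as source or destination, enriched with the ports
    and peers it was observed with. This is the evidentiary baseline."""
    inventory = {}

    def get(ip):
        return inventory.setdefault(ip, Asset(ip, managed.get(ip)))

    for src, dst, port, _proto, nbytes in flows:
        s, d = get(src), get(dst)
        s.contacted_ports.add(port); s.peers.add(dst); s.bytes_total += nbytes
        d.served_ports.add(port); d.peers.add(src); d.bytes_total += nbytes
    return inventory


def unmanaged_assets(inventory):
    """IPs observed on the network that the asset database does not know about."""
    return sorted(ip for ip, a in inventory.items() if a.managed_as is None)


def legacy_protocol_flows(flows):
    """(src, dst, protocol-name) for every flow on a legacy cleartext port."""
    return [(s, d, LEGACY_PORTS[p]) for s, d, p, _, _ in flows if p in LEGACY_PORTS]


def unmanaged_reaching_managed(inventory):
    """Unregistered hosts talking to registered ones: exactly the relationships
    that access decisions based on guesswork would never see."""
    return sorted((a.ip, peer) for a in inventory.values() if a.managed_as is None
                  for peer in a.peers if inventory[peer].managed_as)


if __name__ == "__main__":
    inv = build_inventory(FLOWS, MANAGED)
    for ip in unmanaged_assets(inv):
        print(f"{ip:12} {inv[ip].classification}")
    print("legacy protocol flows:", legacy_protocol_flows(FLOWS))
    print("unmanaged -> managed:", unmanaged_reaching_managed(inv))
```

No enforcement happens here; the output is the baseline a later policy engine consumes, and even on eight flow records it already shows an unregistered MQTT broker talking to the file server and a telnet session to a switch.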
Correlate and Contextualize
Once organizations discover their assets, they must next understand the context in which those assets operate. NIST’s reference architectures begin layering in components like posture assessment, threat intelligence, and security analytics to evaluate each asset’s risk in real time. These phases are not about blocking risks and threats. They are about building the decision logic that enables precise and dynamic Zero Trust-level enforcement. Context includes:
- Device health and vulnerability exposure
- Role and privilege associated with the asset
- Behavioral anomalies and deviations from expected patterns
- Network location and traffic behavior
The result is a dynamic access and risk model that will eventually feed policy engines for enforcement, segmentation, and dynamic access control.
Enforce with Precision
The more mature Enterprise Builds in the NIST SP go beyond visibility and posture assessment. They highlight real-time enforcement mechanisms like segmentation, software-defined perimeters, and dynamic policy enforcement points (PEPs). These controls allow agencies to:
- Isolate suspicious devices automatically
- Restrict east-west traffic based on risk
- Adapt policies in real time as threat conditions evolve
Telemetry from endpoints, network traffic flows, posture data, and security analytics continuously updates asset context, ensuring that enforcement decisions aren’t made in isolation. At this stage in the progressive approach to ZTA implementation, organizations start unlocking the real operational benefits of ZTA.
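The context-to-enforcement step described in the two sections above, as an added example that is not code from NIST SP 1800-35 or from Forescout: it folds the four context signals the page lists (device health and vulnerability exposure, role and privilege, behavioral anomaly, network location) into a risk score, maps that score to the action a policy enforcement point would apply, and re-evaluates the same asset as telemetry updates arrive. The weights, thresholds, action names and the sample workstation are constructed assumptions, not values from the publication.

```python
"""Risk-based trust decision for a Zero Trust policy engine (added example).

Weights, thresholds and the sample asset are constructed assumptions chosen to
make the decision logic visible; a real policy engine would tune them from
its own telemetry.
"""
from dataclasses import dataclass, replace
from enum import Enum


class Action(Enum):
    ALLOW = "allow"        # grant the requested access
    RESTRICT = "restrict"  # permit only the east-west flows the role actually needs
    ISOLATE = "isolate"    # quarantine: deny resource access and lateral traffic


@dataclass(frozen=True)
class AssetContext:
    asset_id: str
    managed: bool           # present in inventory and under management
    posture_ok: bool        # endpoint agent healthy, disk encrypted, patches current
    critical_vulns: int     # open vulnerabilities with known exploitation
    role: str               # "workstation", "admin", "server", "iot"
    anomaly_score: float    # 0.0 .. 1.0 from behavioural analytics
    location: str           # "corp", "remote", "guest", "unknown"


def risk_score(ctx: AssetContext) -> int:
    """How much the engine distrusts this asset right now (constructed weights)."""
    score = 0
    if not ctx.managed:
        score += 25
    if not ctx.posture_ok:
        score += 30
    score += 15 * min(ctx.critical_vulns, 3)   # capped so one host cannot overflow the scale
    score += {"corp": 0, "remote": 10, "guest": 20}.get(ctx.location, 20)  # unknown == guest
    score += int(round(ctx.anomaly_score * 40))
    return score


def decide(ctx: AssetContext, resource_sensitivity: int) -> Action:
    """Map risk to an action. Sensitivity 1 (low) .. 3 (high) lowers the risk
    tolerated, and so does a privileged role: more impact, less tolerance."""
    # Hard rule from the page: a strongly anomalous device is isolated automatically.
    if ctx.anomaly_score >= 0.8:
        return Action.ISOLATE
    tolerance = 50 - 10 * (resource_sensitivity - 1)
    if ctx.role == "admin":
        tolerance -= 10
    score = risk_score(ctx)
    if score >= tolerance + 30:
        return Action.ISOLATE
    if score >= tolerance:
        return Action.RESTRICT
    return Action.ALLOW


def evaluate_timeline(ctx: AssetContext, updates, resource_sensitivity: int):
    """Re-run the decision after each telemetry update and return the sequence
    of actions, so the effect of continuously refreshed context is visible."""
    decisions = [decide(ctx, resource_sensitivity)]
    for change in updates:
        ctx = replace(ctx, **change)
        decisions.append(decide(ctx, resource_sensitivity))
    return decisions


# Constructed sample: a managed corporate workstation reaching a moderately
# sensitive internal service, followed by three telemetry updates over time.
WORKSTATION = AssetContext("ws-0042", managed=True, posture_ok=True,
                           critical_vulns=0, role="workstation",
                           anomaly_score=0.1, location="corp")
UPDATES = [
    {"critical_vulns": 2},     # vulnerability scanner reports two exploited CVEs
    {"anomaly_score": 0.5},    # analytics: traffic pattern deviates from baseline
    {"anomaly_score": 0.9},    # deviation now strongly resembles lateral movement
]

if __name__ == "__main__":
    for step, action in enumerate(evaluate_timeline(WORKSTATION, UPDATES, 2)):
        print(f"update {step}: {action.value}")
```

The same asset moves from allow to restrict to isolate without anyone rewriting policy: only its context changed. The separate `resource_sensitivity` and role adjustments are what make the decision explicit per request rather than a one-time verdict on the device.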
Go deeper: Explore how adopting an adaptive approach to Zero Trust can help you roadmap the process and meet security mandates on time in this on-demand webinar.
Sustain and Evolve
Zero Trust is not a static achievement. The most mature Enterprise Builds in the NIST SP focus on continuous improvement, advising organizations to assess and re-assess enforcement policies and governance as:
- The threat landscape evolves
- New device types enter the network
- Users and workloads move across on-prem and cloud environments
By treating Zero Trust implementation as an iterative process that is always transforming itself based on the current threat landscape, organizations can position themselves to stay ahead of attackers who are constantly, relentlessly probing for blind spots.
A Layered, Adaptive Approach
The NIST 1800-35 Special Publication shows that effective ZTA requires the ability to observe, assess, and act at every layer of the security stack. Security teams looking to adopt Zero Trust can treat this document as a maturity model: it starts with discovery, then adds context, then enforces based on risk, and finally evolves as existing threats change and new ones emerge.
A Note on NIST SP 1800-35
Forescout is recognized in the NIST Special Publication 1800-35 as a technology collaborator contributing to multiple advanced ZTA builds. Forescout’s role includes delivering real-time asset discovery, device classification, network segmentation, and enforcement across connected environments and tools. The publication lists Forescout as a contributing vendor alongside other major players like Microsoft, Cisco, Zscaler, and Palo Alto. This acknowledgment confirms that the NCCoE used Forescout technologies to implement and demonstrate Zero Trust capabilities in its lab environment.
Forescout’s inclusion in multiple builds, especially in advanced enforcement phases like E3B2-B4, shows that the Forescout 4D Platform™ is a key enabler of Zero Trust. Forescout delivers a multi-layered approach to Zero Trust security, and our ability to interoperate with a rich ecosystem of vendors and tools positions Forescout as a foundational partner in real-world ZTA implementations.
We would like to thank the NCCoE and NIST for their leadership and collaboration, and we look forward to continuing to work together to secure the connected world.
Go deeper: Learn how to reach Zero Trust mandates with an adaptive approach in our detailed white paper.