TL;DR
NSA’s newly-released guidance on Zero Trust implementation reflects a growing urgency: attackers are getting smarter and attack volumes are escalating.
NSA’s guidance affirms the basic principles of Zero Trust: “never trust, always verify,” “assume breach,” and “verify explicitly.” They also outline many specific activities to implement the seven pillars of Zero Trust.
This blog presents practical takeaways and first steps for using NSA’s 1000+ pages of guidance.
Zero trust network architecture has been around as a concept since 2009, but it’s remained more of an ideal than a reality for many. Our 2025 State of Cloud Network Security report found that only 8% of surveyed organizations had implemented Zero Trust practices.
The rise of GenAI and Agentic AI, the crippling costs of data breaches, and the escalation of ransomware and advanced persistent threat (APT) groups show that the paradigm shift of Zero Trust is a priority. In response, the NSA has released extensive guidance for Zero Trust implementation.
NSA’s guidance is very thorough: they’ve issued a Primer and a Discovery Phase document, and more recently Part One and Part Two. These documents add up to more than a thousand pages.
Intimidated by the sheer amount of words and jargon in these documents? Use this blog as a template to take your first steps.
Getting Started
While NSA’s Zero Trust model differs structurally from CISA’s Zero Trust Maturity Model (ZTMM) 2.0, both frameworks align on core principles—NSA expands on CISA’s work by providing deeper, operational guidance for implementation in high-security and complex environments.
Here’s a brief background on Zero Trust. The framework has three assumptions:
Never trust, always verify – A Zero Trust Network Architecture treats every user, device, data flow, and workload as untrusted. Its foundation is default-deny, least-privilege access, and continuous authentication and authorization.
Assume Breach – Zero Trust assumes that a breach has already occurred and establishes proactive measures to shut it down and limit blast radius. It constantly monitors, logs, and audits activity and network traffic for suspicious activity.
Verify explicitly – Zero Trust demands dynamic and static verification for access to resources.
Here’s an overview of the guidelines the NSA released:
NSA’s Primer and Discovery documents provide the rationale, framework, and background for Zero Trust and why it matters.
Phase One and Phase Two give organizations specific activities and outcomes for implementing Zero Trust with granular policies, from logging to multi-factor authentication.
Phase One establishes critical security capabilities necessary for Zero Trust.
Phase Two shows how organizations can move to ongoing Zero Trust operations.
Phases Three and Four will further help organizations on their journey to Zero Trust maturity.
In general, the implementation guidance distills down to awareness, inventory, planning, and execution.

User: Who’s Who in Your Network
The User pillar of Zero Trust examines the “who” of your network: who has access to what, and for how long? This area includes human users, AI agents, access control lists, identity providers, and single sign-on (SSO). The new User guidance in NSA’s Part One and Part Two focuses on continuous authentication and authorization on a per-session basis.
As you approach this pillar, ask:
Who has access to my network, and how do I establish that access?
How can I make sure users have enough permission to do their jobs without over-permissioning?
How can I terminate access after a session?
How can I detect suspicious user activity?
Critical issue: The User pillar comes down to identity, but many identity controls in current networking practice are ephemeral, such as IP addresses. Plan to establish dynamic identity controls that rely on workload, not IPs, to enforce security policies.
Device: What’s Connected to Your Network?
The Device pillar of Zero Trust focuses on what connects to your network: endpoints and devices. NSA’s guidance focuses on inventorying your devices, setting up deny-by-default policies, and implementing endpoint detection and response (EDR) and extended detection and response (XDR).
Questions to ask yourself and your team here:
Have we listed all physical and virtual devices in our environment?
Can we check device health in real-time before giving network access?
Are we handling BYOD (bring your own device) and IoT (internet of things) devices with the right security controls?
Do we have unified endpoint management covering all device types?
Are endpoint detection and response tools linked with our compliance framework?
Other issues to consider:
NSA focuses on endpoint detection and response (EDR) systems as the solution, but those can be fooled – and give security teams a false sense of security.
This will come up later with the Visibility & Analytics pillar, but how can you track endpoints across a dynamic and distributed environment?
Application & Workload: What are the Micro-Perimeters of Your Network?
The Application & Workload pillar of Zero Trust concerns your new cloud workloads: virtual machines, Kubernetes workloads, and serverless functions. Every one of those workloads has a micro-perimeter that requires protection. NSA’s guidance discusses securing software development and integration, DevSecOps, and vulnerability management.
Questions to ask:
Have we inventoried all applications and set up classification systems?
Is security built into our CI/CD pipelines from the start?
Do we keep software bills of materials for all applications?
Are vulnerability management processes automated and monitored without gaps?
Can we enforce authorization for every application and service resource?
Elephants in the room:
Kubernetes and serverless workloads are ephemeral; they spin up and down very quickly. How can you make sure your security policies cover those?
This will come up with the Network & Environment pillar, but can you inspect the east-west traffic between your workloads, where threat actors like to move laterally?
Data: How is Data Protected In and Through Your Network?
The Data pillar of Zero Trust focuses on the data flows through your network: north-south traffic that enters and leaves your network, and east-west traffic within your network. NSA’s guidance concentrates on data governance, data tagging, data encryption and rights, data loss prevention (DLP), and enforcement points. Questions to ask:
Do we have a full inventory of data holdings and their locations?
Have we set up enterprise-wide data tagging and classification standards?
Are data protection tools enforced at all enforcement points?
Can we monitor file activity and spot unauthorized data access or theft?
Is sensitive data encrypted?
Critical question: NSA’s guidelines recommend “encryption standards that meet Enterprise compliance,” but they don’t address a common issue: many standards like MACsec leave huge gaps that threat actors know about. Encryption can also inhibit network performance. As you address the Data pillar, look into encryption strategies that provide pervasive protection without creating a bad user experience.
Network & Environment: How is Your Network Structured?
The Network & Environment pillar of Zero Trust is all about the structure and traffic flows across your network: what communicates with what? NSA’s guidance suggests an overhaul of data flows, granular access control rules, macro- and microsegmentation, and software-defined networking (SDN).
Questions to ask:
Have we separated the control, management, and data planes in our network setup?
Are we using macro-segmentation at data center and building levels?
Can we roll out micro-segmentation for applications and devices?
Do our policies deny access by default across all network segments?
Is all data in transit shielded with the right encryption?
Implementation issue: NSA suggests macro- and microsegmentation standards, but those are difficult to implement in different clouds with disparate hierarchies and structures. How can you unify and centralize network management in hybrid and multicloud deployments? Even if you operate in a single cloud, how can you enforce segmentation policies?
Automation & Orchestration: What are you Automating?
The Automation & Orchestration pillar of Zero Trust focuses on the implementation of policies in your network. NSA’s guidance discusses policy decision points (PDPs), policy orchestration, critical process automation, machine learning, API (application programming interface) standardization, and more.
This pillar is where AI comes in, as AI agents are beginning to participate in network operations and defense.
Questions to ask:
Which manual security tasks can we automate to boost response times?
Have we built organizational access profiles and security profiles?
Are our tools linked through standard APIs?
Can we automatically grant and remove access based on policy changes?
Do we have orchestrated workflows for incident response and remediation?
Critical questions: As you examine Automation & Orchestration, remember that automations and agentic AI need context to make individual decisions. How can you provide that context while still holding to security policies and access guidelines?
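The User pillar’s point about workload identity instead of IP addresses, the Network & Environment questions on default-deny segmentation, and this pillar’s policy-as-code theme can be tied together in one small example. The block below is an added illustration, not code from the NSA documents or from any Aviatrix product: a minimal policy decision point whose rules select workloads by identity tags, deny any flow with no matching rule, and keep applying after a workload comes back with a new IP. All workload names, IPs, tags and ports are constructed sample values.

```python
"""Tag-based policy decision point (PDP) for east-west workload traffic.
Added illustration, not code from the NSA documents or any Aviatrix product.
Rules match identity tags, never IPs; a flow with no matching rule is denied."""
from dataclasses import dataclass

def tags(**kv):
    """Immutable identity tag set, e.g. tags(app="shop", tier="web")."""
    return frozenset(kv.items())

@dataclass(frozen=True)
class Workload:
    name: str
    ip: str          # ephemeral: changes whenever the pod or VM is recreated
    tags: frozenset  # stable identity the policy is written against

@dataclass(frozen=True)
class Rule:
    src: frozenset   # tags the source must carry
    dst: frozenset   # tags the destination must carry
    port: int

# Constructed sample policy: only these two flows are ever allowed.
POLICY = [
    Rule(tags(app="shop", tier="web"), tags(app="shop", tier="api"), 8443),
    Rule(tags(app="shop", tier="api"), tags(app="shop", tier="db"), 5432),
]

def decide(src, dst, port, policy=POLICY):
    """Return ("ALLOW", rule_index) or ("DENY", None); no match means deny."""
    for i, rule in enumerate(policy):
        if rule.port == port and rule.src <= src.tags and rule.dst <= dst.tags:
            return ("ALLOW", i)
    return ("DENY", None)

# Constructed sample workloads (names, IPs and tags are made up).
WEB = Workload("shop-web-7f9c", "10.0.1.15", tags(app="shop", tier="web"))
API = Workload("shop-api-2a1d", "10.0.2.40", tags(app="shop", tier="api"))
DB = Workload("shop-db-0", "10.0.3.7", tags(app="shop", tier="db"))
BLOG = Workload("blog-web-91ab", "10.0.5.2", tags(app="blog", tier="web"))

def demo():
    """Pod restart keeps identity (new IP, same tags); lateral moves stay denied."""
    web_restarted = Workload(WEB.name, "10.0.1.99", WEB.tags)
    return {
        "web->api": decide(web_restarted, API, 8443),  # ("ALLOW", 0)
        "api->db": decide(API, DB, 5432),              # ("ALLOW", 1)
        "web->db": decide(web_restarted, DB, 5432),    # ("DENY", None): skips a tier
        "blog->api": decide(BLOG, API, 8443),          # ("DENY", None): other app
    }
```

Because the rules never mention an address, the restarted web pod is still allowed to reach the API on its new IP, while the web-to-database hop that a lateral-movement attempt would need has no rule and is denied by default.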
Visibility & Analytics: How Do You Monitor Your Network?
The Visibility & Analytics pillar of Zero Trust establishes guidelines for development, networking, and security teams’ awareness of what is going on in the network, across clouds and environments. Questions to ask here:
Can we collect and analyze logs at scale from all systems and devices?
Have we set up baseline behaviors for users and devices?
Are our analytics tools able to link alerts with asset identities?
Do we blend cyber threat intelligence feeds into our detection capabilities?
Can we spot unusual patterns that point to possible security incidents?
Critical question: This has come up in almost every other pillar, but complex hybrid and multicloud deployments contain visibility gaps because cloud service providers only show what is going on within their own clouds. How can you maintain visibility in these environments?
Another issue: Visibility is crucial, but without a way to prioritize alerts and activity, security teams can become overwhelmed. How can you monitor and analyze network activity without burnout?
How Aviatrix Zero Trust for Workloads Implements NSA Mandates
Without real implementation at the network layer, Zero Trust remains a well-intentioned framework rather than an operational reality—especially in hybrid and multicloud environments where policies must be enforced consistently, not interpreted differently by each platform.
NSA’s guidance is remarkably specific and gives network, security, and development teams an excellent starting point. However, 1000+ pages of documentation provide only recommendations and leave the real work to you. The missing layer is enforcement.
Aviatrix Cloud Native Security Fabric (CNSF) provides that missing enforcement layer by implementing Zero Trust at the network layer. CNSF includes Aviatrix Zero Trust for Workloads (ZTW) and Zero Trust for Networking, which take you from Zero Trust guidance to runtime enforcement.
Here’s how CNSF fills the gap for each pillar:
| Zero Trust Pillar | Aviatrix CNSF Enforcement |
|---|---|
| User | Each workload has a dynamic identity instead of an ephemeral one like an IP address or CIDR block. Human users, AI agents, virtual machines, Kubernetes containers, and serverless functions are all tagged and governed by consistent, cross-cloud security policies. |
| Device | CNSF integrates with your existing security stack, including EDR and NGFWs, to provide network-wide visibility and runtime control for all devices. |
| Application & Workload | As mentioned above, CNSF uses stable markers of identity to track ephemeral workloads like Kubernetes containers and serverless functions. It also protects workloads by monitoring east-west (inter-workload) traffic to prevent lateral movement. |
| Data | CNSF covers the Data pillar by providing high-performance encryption (HPE) for your network data as well as centralized visibility and control over data flows. It also prevents data exfiltration through egress filtering. |
| Network & Environment | CNSF embeds security into the fabric of your network using Zero Trust principles like macro- and microsegmentation. |
| Automation & Orchestration | CNSF completes this pillar by providing centralized control and distributed enforcement for your security policies, standardizing your automations across clouds and environments. Infrastructure as Code through Terraform and Policy as Code keep your automations repeatable, scalable, and consistent. |
| Visibility & Analytics | Aviatrix CoPilot provides runtime visibility and analytics over traffic flows, anomalies, and gateways across clouds and environments, storing audit-ready logs for analysis. Our partnership with Wiz also makes this visibility user-friendly by prioritizing alerts rather than bombarding security teams with too much information to react to. |
Learn more about how Aviatrix Zero Trust for Workloads can turn Zero Trust into a reality for your network. Schedule a demo today.
Take our free Workload Attack Path Assessment to see the hidden blind spots in your network.