
Apr 09 2026
Security

Zero-Trust Implementation: Understanding NSA’s Phase One and Phase Two Guidance

Modular guidelines provide Department of Defense agencies pathways for building foundational zero-trust capabilities.

The National Security Agency recently released new guidance for implementing the zero-trust cybersecurity framework within Department of Defense agencies. The agency’s guidelines build on the 2024 DoD Zero Trust Overlays, which specifies 152 activities in the zero-trust journey, 91 for achieving target-level maturity and 61 for achieving advanced-level maturity.

The agency’s Zero Trust Implementation Guidelines (ZIGs) further refine the activities for achieving target-level security into three phases: Discovery, Phase One and Phase Two. Additionally, a primer, released earlier, helps organizations understand the flexible but specific basics of moving to zero trust. Two additional phases covering advanced-level maturity activities will be released in the future.


What Are Phases One and Two of NSA's Zero-Trust Guidelines?

“The NSA’s Zero Trust Implementation Guidelines clearly define the specific activities required to achieve each target capability,” says an NSA official. “These prescribed actions translate zero-trust principles into tangible, operational measures — covering technical controls, architectural choices, process changes, and the validation steps needed to demonstrate progress and compliance. In effect, the guidelines move zero trust from conceptual theory to a set of practical, practitioner-ready implementation steps.”

“It’s really smart how they pulled out the Discovery activities as a starting point, because you’ve got to know your security environment first before beginning your zero-trust journey,” says Russ Smith, field CTO for Zscaler. “That really sets the stage for what we want to do in Phase One and Phase Two. In Phase One, you’re building your zero-trust foundation. These are the tasks we must complete. Phase Two then becomes where you can increase capabilities as budget and schedule allow.”

How Do Phases One and Two of NSA’s Guidance Build a Zero-Trust Foundation?

The NSA’s guidance is designed to help agencies adopt and integrate 36 activities and 30 capabilities in Phase One and an additional 41 activities and 34 capabilities in Phase Two, all of which work together to establish a firm zero-trust foundation to operate from. The NSA emphasizes modularity in its guidance, reflecting the flexible nature of the zero-trust approach.

“With zero trust, every organization is going to be in different levels of maturity, competency, skills and capabilities across their whole IT landscape,” says Jason Garbis, co-chair of the Zero Trust Working Group for the Cloud Security Alliance. “Some areas are well managed because they have the highest risk, and those are areas where you can very quickly leverage and benefit from a zero-trust architecture. Other areas are less mature, so you acknowledge that and begin to prioritize them in a way that supports your mission.”

Flexible implementation is important for other reasons. Some agencies have higher risk profiles than others, requiring more detailed security processes. Another important differentiator is available budget.

“It allows agencies with different budgets to make their own decisions about how they want to spend their money,” Smith says. “You don’t want to hold back these agencies that have made investments in security already. And for those agencies that are less mature, this modular approach allows them to improve their security where they need to and catch up.”

The flexible nature of the ZIGs also emphasizes that zero trust is a framework to be applied to a variety of situations. Effective use of it requires asking questions to build a unique roadmap for each agency.

“While the NSA’s ZIGs outline the specific activities required to reach each target capability, agencies still need a clear framework for how to think about and execute those activities,” an NSA official says. “A practical way to do this is by consistently applying the questions of who, when, where and how to each task. Using this lens transforms the ZIGs from a long list of activities into a structured, mission-aligned roadmap for operationalizing zero trust.”


Why Can’t DoD Agencies Rely on Legacy Tools for Zero Trust?

As they dig further into the NSA guidelines and build on their zero-trust framework, agencies should plan to make meaningful changes to their environment rather than maintaining the status quo.

“Many agencies will try to leverage what resources they currently have to align with zero trust,” says Travis Rosiek, public sector CTO for Rubrik. “But that approach does not uplift the security posture in any way. In many cases, adversaries already have a foothold in their systems. Agencies need to disrupt their environment and really change things in order to have an impact with zero trust.”

Adopting a zero-trust framework also better positions agencies to meet the evolving threat landscape and artificial intelligence’s growing role in it.

“AI is the biggest near-term challenge,” Rosiek says. “The use of AI by adversaries will outpace government organizations’ ability to implement it for security use. That being said, zero trust will help with addressing the volume and velocity of AI-assisted attacks. Agencies will want to leverage zero trust to be more dynamic and respond quicker, which will mitigate some of the AI advantages of adversaries.”

How Does Federal Identity Management Support Zero Trust?

Zero trust has an impact on every aspect of security policy, including identity, devices, applications and data. In particular, it requires that a great deal of discovery and planning go into understanding the end user’s role and defining access policies.

“An access policy is something that spans all the pillars,” Garbis says. “It defines which identities on which devices across which networks are allowed to access your applications and workloads and data under what circumstances and under what conditions. This forces you to think differently, to think holistically.”

Once zero trust gains a foothold within agencies, identity and access management becomes the primary security perimeter. Building up this process will be a primary focus area for many agencies in Phase One and Phase Two.

“With identity, you really have to have a good understanding of the user attributes and the device attributes that go into the decision-making process to grant or deny access,” Smith says. “First of all, how do I take those attributes and apply a policy against them? And then, also looking at the attributes or posture of the device: What is the device’s patch level? What software is on there? Identity and device attributes are really key.”

Once established, zero trust greatly simplifies important parts of the security practice.

“For the SOC team, zero trust shifts them to a default-deny model, so it significantly improves the signal to noise ratio,” says Jerry Chapman, co-chair of the Zero Trust Working Group for the Cloud Security Alliance. “Everything that’s happening is either allowed by policy, so it can be analyzed more deeply, or it’s going to be disallowed, and it can be ignored or reviewed for attempted access. With less background noise to tune out, it’s operationally easier both for automated and human analysts to act on observed activity or observed attempted activity.”
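To make concrete the kind of access policy Garbis, Smith and Chapman describe (identity attributes plus device posture plus network, evaluated per resource, with everything unmatched denied by default), here is an added example of a minimal default-deny policy evaluator; it is not code from NSA or any vendor quoted here, and the attribute names, rule values and sample requests are constructed for illustration.

```python
# Added example (not from the article or NSA): a default-deny access-policy
# evaluator that checks identity, device posture and network for each request.
# Attribute names, rule values and sample requests are constructed for illustration.

POLICY = [
    # A request is allowed only if some rule for the resource is fully satisfied.
    {"resource": "hr-records", "roles": {"hr-analyst"}, "mfa": True,
     "managed": True, "max_patch_age_days": 30, "networks": {"agency-lan", "vpn"}},
    {"resource": "public-portal", "roles": None, "mfa": False,
     "managed": False, "max_patch_age_days": None, "networks": None},
]

def check_rule(rule, identity, device, network):
    """Return the list of conditions in `rule` that this request fails."""
    failed = []
    if rule["roles"] is not None and not (rule["roles"] & identity["roles"]):
        failed.append("identity: role not permitted")
    if rule["mfa"] and not identity["mfa"]:
        failed.append("identity: MFA required")
    if rule["managed"] and not device["managed"]:
        failed.append("device: unmanaged device")
    max_age = rule["max_patch_age_days"]
    if max_age is not None and device["patch_age_days"] > max_age:
        failed.append("device: patch level older than %d days" % max_age)
    if rule["networks"] is not None and network not in rule["networks"]:
        failed.append("network: %s not approved" % network)
    return failed

def evaluate(identity, device, network, resource):
    """Return ('allow' | 'deny', reasons). No matching rule means deny."""
    reasons = []
    for rule in POLICY:
        if rule["resource"] != resource:
            continue
        failed = check_rule(rule, identity, device, network)
        if not failed:
            return "allow", ["matched policy for " + resource]
        reasons.extend(failed)  # keep the failures so a SOC can review the attempt
    return "deny", reasons or ["no policy for %s (default-deny)" % resource]

# Constructed sample: an HR analyst on a managed laptop versus the same person
# on an unmanaged home PC reaching in from the internet.
ANALYST = {"user": "j.doe", "roles": {"hr-analyst"}, "mfa": True}
LAPTOP = {"device_id": "lt-0042", "managed": True, "patch_age_days": 12}
HOME_PC = {"device_id": "unknown", "managed": False, "patch_age_days": 200}

if __name__ == "__main__":
    print(evaluate(ANALYST, LAPTOP, "vpn", "hr-records"))
    print(evaluate(ANALYST, HOME_PC, "internet", "hr-records"))
    print(evaluate(ANALYST, LAPTOP, "vpn", "payroll"))
```

The deny reasons are what Chapman's "reviewed for attempted access" path consumes: each failed pillar is named, while allowed requests are the ones worth deeper analysis.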


How Can Federal Agencies Measure Zero-Trust Maturity?

Adopting and implementing the activities and capabilities outlined in Phase One and Phase Two will improve an agency’s security posture. But what metrics does an agency use to define success?

“The NSA’s zero-trust guidance provides capability-based milestones, implementation expectations, and defined architectural outcomes that agencies can use to assess their zero-trust maturity,” says an NSA official. “These elements function as practical metrics, helping agencies evaluate progress toward each required capability and determine whether their implementations meet the intended zero-trust outcomes.”

Without specific metrics to measure against, it can be challenging to determine if your zero-trust policies and efforts are working. One capability benchmark to consider in defining zero-trust success is achieving greater visibility into traffic.

“You need to be confident that you can see everything happening, from the user to the application, or from that Internet of Things device to that other IoT device,” Smith says. “You need to have that visibility. If you’re able to see that, you can start to feel very confident that the adversary is not interfering with that connection. Or, better yet, if the adversary can’t even see those resources, that is transformational for your organization.”

But even if agencies make strong progress in developing their zero-trust capabilities and activities, security teams need to have a few nonstandard tactics at their disposal.

“Remember that adversaries will have access to the Zero Trust Implementation Guidelines as well,” Rosiek says. “They have the playbook and the timeline for how long it will take you to get there. It will benefit you to have some trick plays ready and to do things a little differently than expected. Don’t do the bare minimum. Achieve the deadlines, but do it faster or do more than necessary, something to throw off the adversary. Try to change the battle rhythm and be unpredictable.”
