What is NIST SP 800-207?

NIST SP 800-207 is the federal government's authoritative publication on Zero Trust Architecture. Published by the National Institute of Standards and Technology in August 2020, it defines Zero Trust concepts, describes the logical architecture (Policy Engine, Policy Administrator, Policy Enforcement Point), outlines deployment models, and identifies use cases and threats. It is the foundation for Executive Order 14028's federal Zero Trust mandate and serves as the vendor-neutral reference for public and private sector organizations implementing Zero Trust.

Is Zero Trust required for my organization?

Federal agencies are required to implement Zero Trust under EO 14028 and OMB M-22-09. Federal contractors, particularly those handling Controlled Unclassified Information (CUI), face increasing pressure to adopt Zero Trust through CMMC and DFARS requirements that align with Zero Trust principles. For private-sector organizations, Zero Trust is not yet a universal mandate, but regulatory trends across healthcare (HIPAA), finance (PCI DSS, GLBA), and state privacy laws increasingly favor the continuous verification and least-privilege access that Zero Trust provides.

How much does Zero Trust implementation cost for an SMB?

Costs vary significantly based on current security maturity, organizational size, and the scope of implementation. A 50-person organization with existing MFA and endpoint protection might invest $75,000 to $150,000 over 12 to 18 months to achieve Advanced maturity on the CISA model. Organizations starting from scratch may need $150,000 to $350,000 over 18 to 24 months. PTG's AI-powered tools and phased approach reduce these costs by automating control mapping, policy generation, and continuous monitoring, making Zero Trust accessible to organizations with limited security budgets.

Can we implement Zero Trust incrementally?

Yes, and NIST SP 800-207 explicitly recommends incremental implementation. Section 7 of the publication discusses migration strategies that allow organizations to overlay Zero Trust components onto existing infrastructure without a disruptive rip-and-replace. PTG's phased roadmap starts with identity (MFA, SSO) and device health (EDR), then progresses to network segmentation, dynamic policy, and AI-driven analytics. Each phase delivers measurable security improvements and compliance benefits.

How does Zero Trust relate to NIST SP 800-53?

Zero Trust Architecture implements and reinforces controls from multiple NIST SP 800-53 families, particularly AC (Access Control), IA (Identification and Authentication), SC (System and Communications Protection), SI (System and Information Integrity), and AU (Audit and Accountability). SP 800-207 does not replace 800-53; it provides an architectural approach that makes many 800-53 controls more effective through continuous enforcement rather than periodic assessment. Organizations with existing 800-53 implementations are well-positioned to adopt Zero Trust because the foundational controls are already in place.

What is the difference between Zero Trust and micro-segmentation?

Micro-segmentation is one of three deployment models described in SP 800-207, not a synonym for Zero Trust. Zero Trust is the overarching architectural paradigm that requires continuous verification for all access. Micro-segmentation is a network-centric technique that isolates resources on individual network segments, preventing lateral movement. A complete Zero Trust implementation combines micro-segmentation with identity governance and software-defined perimeters, along with the Policy Engine, Policy Administrator, and Policy Enforcement Point components that drive access decisions.

Does Zero Trust eliminate the need for firewalls and VPNs?

Not immediately, and possibly not entirely. SP 800-207 acknowledges that traditional security components may persist during Zero Trust migration and may continue to serve roles within a Zero Trust Architecture. Firewalls can function as Policy Enforcement Points. VPN tunnels can provide encrypted transport between PEPs. What Zero Trust eliminates is the implicit trust these devices historically conferred: being inside the VPN no longer grants broad network access, and passing through the firewall no longer means a request is trusted.

How does PTG help organizations implement Zero Trust?

PTG provides end-to-end Zero Trust advisory and implementation services. The engagement begins with a readiness assessment using the CISA Zero Trust Maturity Model and a gap analysis against NIST 800-53 controls. PTG then develops a phased implementation roadmap tailored to the organization's risk profile, budget, and compliance requirements. PTG's AI-powered compliance tools automate control mapping, policy generation, and continuous monitoring. PTG's patented technology stack and on-premise AI infrastructure provide the analytical capabilities that Zero Trust's continuous verification model demands, without requiring clients to send sensitive data to third-party cloud services. Craig Petronella (23+ years in cybersecurity) and the PTG team manage the implementation through each phase, from MFA deployment through AI-driven behavioral analytics.

What is the CISA Zero Trust Maturity Model?

The CISA Zero Trust Maturity Model is a framework published by the Cybersecurity and Infrastructure Security Agency that helps organizations benchmark their Zero Trust implementation progress. Version 2.0 (April 2023) defines maturity across five pillars (identity, devices, networks, applications and workloads, data) with four levels: Traditional, Initial, Advanced, and Optimal. Federal agencies use it to track compliance with OMB M-22-09 requirements. Private-sector organizations use it as a practical roadmap for measuring and communicating Zero Trust progress to leadership and auditors.

Can Zero Trust help with compliance across multiple frameworks?

Yes, and this is one of Zero Trust's most significant practical benefits. Because Zero Trust implements and reinforces controls from NIST 800-53, which serves as the master control catalog for most U.S. compliance frameworks, a well-implemented Zero Trust Architecture simultaneously advances compliance with CMMC, FedRAMP, HIPAA, PCI DSS, SOC 2, and NIST CSF 2.0. PTG's automated crosswalk tools quantify this overlap for each client, ensuring that every dollar invested in Zero Trust counts toward the broadest possible set of compliance objectives. Explore PTG's compliance packages to learn more about multi-framework compliance strategies.

NIST SP 800-207

Zero Trust Architecture

NIST SP 800-207 defines Zero Trust as a cybersecurity paradigm that eliminates implicit trust and requires continuous verification of every user, device, and network flow. PTG translates these principles into practical, deployable security architectures for SMBs.

CMMC Registered Practitioner Org | BBB A+ Since 2003 | 23+ Years Experience

Start Your Zero Trust Journey Call 919-601-1601

Core Architecture

Seven Tenets and Three Core Components

Zero Trust is not a product. It is an architectural transformation built on seven foundational tenets with Policy Engine, Policy Administrator, and Policy Enforcement Point at its core.

The Seven Tenets

All data sources and computing services are resources
All communication secured regardless of network location
Per-session access with dynamic, risk-adaptive policy
Continuous asset monitoring and security posture assessment

Deployment Models

Enhanced Identity Governance for mature IAM environments
Micro-segmentation for high-value asset protection
Software Defined Perimeters for cloud-native environments
CISA Maturity Model aligned phased implementation

Multi-Framework ROI

Zero Trust Counts Toward Multiple Frameworks

NIST 800-53 Control Families

Zero Trust maps to AC, IA, SC, SI, and AU control families, reinforcing existing compliance investments.

Learn more

CMMC Level 2

Defense contractors implementing Zero Trust satisfy multiple CMMC access control and identification practices.

Learn more

HIPAA Security Rule

Continuous verification and least-privilege access align directly with HIPAA access control requirements.

Learn more

SP 800-63 Digital Identity

Identity-centric Zero Trust builds on 800-63 assurance levels for authentication and federation.

Learn more

Process

How PTG Implements Zero Trust

Assess Current Maturity

Map Existing Controls

Design Target Architecture

Deploy PE/PA/PEP Components

Enable Continuous Verification

Advance Maturity Levels

Who This Is For

Built For

Federal Agencies (EO 14028) Defense Contractors Healthcare Organizations Financial Services Cloud Service Providers

FAQ

Frequently Asked Questions

Is Zero Trust a product I can buy?

No. Zero Trust is an architectural approach, not a single product. It requires integrating identity, device, network, and application controls into a unified policy framework. PTG designs and implements the full architecture.

Does EO 14028 require Zero Trust for contractors?

EO 14028 directly mandates Zero Trust for federal agencies. Contractors in the federal supply chain face increasing pressure through CMMC, FedRAMP, and contract requirements that align with Zero Trust principles.

How long does Zero Trust implementation take?

Zero Trust is a phased journey, not a single project. PTG uses the CISA Maturity Model to advance clients through Traditional, Initial, Advanced, and Optimal levels with clear milestones at each stage.

What is a Policy Enforcement Point (PEP)?

The PEP is the gatekeeper that enables, monitors, and terminates connections between users/devices and resources. Every access request passes through a PEP, which enforces the Policy Engine's decisions.

How does Zero Trust work with existing compliance?

Zero Trust investments count toward NIST 800-53, CMMC, FedRAMP, HIPAA, PCI DSS, and NIST CSF 2.0 simultaneously, maximizing compliance ROI.

Related Resources

Ready to Eliminate Implicit Trust?

PTG builds Zero Trust architectures that protect your organization while satisfying multiple compliance frameworks.

Schedule a Consultation Call 919-601-1601

Zero Trust Architecture

Seven Tenets and Three Core Components

The Seven Tenets

Deployment Models

Zero Trust Counts Toward Multiple Frameworks

NIST 800-53 Control Families

CMMC Level 2

HIPAA Security Rule

SP 800-63 Digital Identity

How PTG Implements Zero Trust

Assess Current Maturity

Map Existing Controls

Design Target Architecture

Deploy PE/PA/PEP Components

Enable Continuous Verification

Advance Maturity Levels

Built For

Frequently Asked Questions

Explore More

SP 800-137 Continuous Monitoring

SP 800-37 RMF

Managed IT Services

Compliance Packages

Ready to Eliminate Implicit Trust?