NIST SP 800-207 — Zero Trust Architecture · v1.0 (August 2020)

NIST SP 800-207 — Zero Trust Architecture — 94% covered.

40 requirements · 36 enforced · 2 designed · 2 advisory · 0 deferred.

Source: NIST Special Publication 800-207, Zero Trust Architecture (August 2020). §2.1 — seven tenets; §3.1 — four deployment variants; §3.2 — ZTA logical components (PE, PA, PEP + supporting); §3.3 — use cases; §4 — ZTA threats; §7 — migration to ZTA. Deep-mapping expanded 2026-05-29 (Wave-Ralph-B) from 11 requirements to the full §§2-7 surface. · License: NIST publications are US-Government works in the public domain.

By category

| Category | Reqs | Enforced | Designed | Advisory | Deferred | Coverage |
|---|---|---|---|---|---|---|
| ZTA Logical Components (§3.2) | 11 | 11 | 0 | 0 | 0 | 100% |
| Deployment models (§3.1) | 4 | 3 | 1 | 0 | 0 | 88% |
| Migration to ZTA (§7) | 7 | 6 | 0 | 1 | 0 | 89% |
| ZTA Use cases (§3.3) | 5 | 4 | 1 | 0 | 0 | 90% |
| ZTA Threats (§4) | 6 | 5 | 0 | 1 | 0 | 88% |
| Tenets (§2.1) | 7 | 7 | 0 | 0 | 0 | 100% |

Every requirement → the KYE artefact that enforces it

Each entry gives the requirement ID and its status (enforced, designed, advisory or deferred), then the requirement title, then the KYE artefacts that enforce it (audit_events, engines, workers, registries, rule_packs, constitution_refs). Entries are grouped by the categories of the table above.

ZTA Logical Components (§3.2)

nist-800-207.C.PE · enforced
  Policy Engine (PE) — the component ultimately responsible for the decision to grant access to a resource for a given subject; uses enterprise policy + input from external sources to grant, deny, or revoke access.
  audit_events: kye.purpose.permission.v1, kye.evidence.decision_map.v1, kye.purpose.admissibility.v1
  engines: internal, internal
  workers: kye-pdp
  constitution_refs: constitution/12-PURPOSE-PERMISSION.md

nist-800-207.C.PA · enforced
  Policy Administrator (PA) — the component responsible for establishing and/or shutting down the communication path between a subject and a resource via commands to the PEP; coordinates with the PE.
  audit_events: kye.authority.grant.v1, kye.signal.decision.admitted.v1, kye.signal.revocation.cascaded.v1
  engines: internal, internal, internal
  constitution_refs: constitution/12-PURPOSE-PERMISSION.md

nist-800-207.C.PEP · enforced
  Policy Enforcement Point (PEP) — the component responsible for enabling, monitoring and eventually terminating connections between a subject and an enterprise resource.
  audit_events: kye.signal.decision.admitted.v1, kye.signal.decision.denied.v1, kye.evidence.decision_map.v1
  engines: internal, internal, internal
  workers: kye-gateway, kye-edge-arbiter
  constitution_refs: constitution/25-EDGE-GOVERNANCE.md

nist-800-207.C.CDM · enforced
  Continuous Diagnostics and Mitigation (CDM) system — gathers information about the enterprise asset's current state and applies updates to configuration and software components, feeding the PE.
  audit_events: kye.signal.drift.detected.v1, kye.signal.stable_drift.detected.v1, kye.reconciliation.verdict.v1
  engines: internal, internal
  constitution_refs: constitution/34-RECONCILIATION-ENGINE.md, constitution/13-RESILIENCE-LOOP.md

nist-800-207.C.IndustryCompliance · enforced
  Industry compliance system — ensures the enterprise remains compliant with any regulatory regime it falls under, including any compliance-related policies the enterprise must follow.
  audit_events: kye.compliance.attestation.v1
  engines: internal
  constitution_refs: constitution/40-IMPLEMENTATION-CANONICAL.md

nist-800-207.C.ThreatIntel · enforced
  Threat intelligence feed(s) — provide information from internal or external sources about new vulnerabilities, attack methods, and other threats that help the PE make access decisions.
  audit_events: kye.risk.score.v1, kye.signal.drift.detected.v1
  engines: internal, internal
  constitution_refs: constitution/13-RESILIENCE-LOOP.md

nist-800-207.C.ActivityLogs · enforced
  Network and system activity logs — aggregate near real-time asset, traffic, access and other events that provide feedback on the enterprise's security posture.
  audit_events: kye.audit.event.v1, kye.signal.drift.detected.v1
  engines: internal, internal
  workers: kye-log-stream-bridge
  constitution_refs: constitution/35-STREAMING-LOGS.md, constitution/30-AUDIT-WORM-RETENTION.md

nist-800-207.C.DataAccessPolicy · enforced
  Data access policies — the attributes, rules and policies about access to enterprise resources that form the starting point for the PE's authorisation decisions.
  audit_events: kye.purpose_manifest.v1, kye.access_right.v1
  engines: internal, internal, internal
  constitution_refs: constitution/12-PURPOSE-PERMISSION.md, constitution/29-PROFILES-LITE.md

nist-800-207.C.PKI · enforced
  Enterprise public-key infrastructure (PKI) — system responsible for generating and logging certificates issued by the enterprise to resources, subjects, services and applications.
  audit_events: kye.authority.grant.v1, kye.audit.event.v1
  engines: internal, internal, internal
  constitution_refs: constitution/51-NO-SPOF.md

nist-800-207.C.IdMgmt · enforced
  ID management system — responsible for creating, storing and managing enterprise user accounts and identity records, including the necessary subject information and any role-based or attribute-based access control information.
  audit_events: kye.signal.entity.created.v1, kye.signal.entity.updated.v1, kye.relationship.member_of.v1
  engines: internal, internal
  constitution_refs: constitution/12-PURPOSE-PERMISSION.md

nist-800-207.C.SIEM · enforced
  Security Information and Event Management (SIEM) system — collects security-centric information for later analysis; used to refine policies and warn of possible active attacks against enterprise assets.
  audit_events: kye.audit.event.v1, kye.signal.incident.opened.v1
  engines: internal, internal, internal
  workers: kye-siem-export
  constitution_refs: constitution/35-STREAMING-LOGS.md

Deployment models (§3.1)

nist-800-207.D1 · enforced
  Device-agent / gateway-based deployment — a software agent installed on assets coordinates with a resource gateway that enforces the PEP.
  audit_events: kye.evidence.decision_map.v1
  engines: internal, internal
  workers: kye-gateway, kye-edge-arbiter
  constitution_refs: constitution/25-EDGE-GOVERNANCE.md

nist-800-207.D2 · enforced
  Enclave-based deployment — the gateway sits at the boundary of a resource enclave, with the PDP central and the PEP at the enclave edge.
  audit_events: kye.evidence.decision_map.v1
  engines: internal, internal
  workers: kye-pdp, kye-gateway
  constitution_refs: constitution/16-EDGE-RUNTIME.md

nist-800-207.D3 · enforced
  Resource portal-based deployment — the PEP is a portal that brokers all access to resources without device-side software.
  audit_events: kye.evidence.decision_map.v1, kye.signal.decision.admitted.v1
  engines: internal
  workers: kye-gateway
  constitution_refs: constitution/25-EDGE-GOVERNANCE.md

nist-800-207.D4 · designed
  Device application sandboxing — applications run in segmented compartments on the asset, with the agent inside the compartment.
  audit_events: kye.evidence.tool_call_pin.v1, kye.agent.mcp_allow_list.v1
  constitution_refs: constitution/52-DELEGATED-AGENT-BINDING.md

Migration to ZTA (§7)

nist-800-207.M.Inventory · enforced
  Identify actors on the enterprise — every subject (employee, contractor, NPE) that may request access must be enumerated and attribute-bound.
  audit_events: kye.signal.entity.created.v1, kye.risk.authority_register.v1
  engines: internal, internal
  constitution_refs: constitution/12-PURPOSE-PERMISSION.md

nist-800-207.M.AssetInventory · enforced
  Identify assets owned by the enterprise — all hardware, software, services, and data that the ZTA must protect.
  audit_events: kye.risk.authority_register.v1, kye.reconciliation.verdict.v1
  engines: internal, internal
  registries: internal
  constitution_refs: constitution/40-IMPLEMENTATION-CANONICAL.md

nist-800-207.M.ProcessInventory · enforced
  Identify key business processes — understand the data flows and dependencies of the enterprise's mission-critical activities so the ZTA does not block them.
  audit_events: kye.purpose_manifest.v1
  engines: internal
  constitution_refs: constitution/12-PURPOSE-PERMISSION.md, constitution/29-PROFILES-LITE.md

nist-800-207.M.FormulatePolicies · enforced
  Formulate policies for the ZTA candidate — translate business requirements into PE-consumable policy attributes and rules.
  audit_events: kye.purpose_manifest.v1, kye.access_right.v1
  engines: internal, internal
  rule_packs: kye:rule-pack:action-admissibility
  constitution_refs: constitution/29-PROFILES-LITE.md

nist-800-207.M.IdentifySolution · advisory
  Identify candidate solutions — evaluate ZTA tooling against enterprise requirements (PE, PA, PEP, supporting components) and acquire / build accordingly.
  audit_events: kye.compliance.attestation.v1
  constitution_refs: constitution/16-EDGE-RUNTIME.md, constitution/51-NO-SPOF.md

nist-800-207.M.InitialDeployment · enforced
  Initial deployment and monitoring — deploy the ZTA candidate in monitor mode first; observe enforcement decisions before going fully blocking.
  audit_events: kye.evidence.decision_map.v1, kye.signal.scenario_run.completed.v1
  engines: internal, internal
  constitution_refs: constitution/25-EDGE-GOVERNANCE.md

nist-800-207.M.ExpandZTA · enforced
  Expand the ZTA scope — incrementally widen ZTA enforcement across the enterprise as confidence grows.
  audit_events: kye.compliance.attestation.v1, kye.reconciliation.verdict.v1
  engines: internal
  constitution_refs: constitution/34-RECONCILIATION-ENGINE.md

ZTA Use cases (§3.3)

nist-800-207.S.EnterpriseHQ · enforced
  Use case: enterprise with satellite facilities — remote employees and devices outside the enterprise-owned network must still operate with ZTA assumptions; the PE/PA logic should be cloud-hosted to support remote subjects.
  audit_events: kye.evidence.decision_map.v1, kye.signal.decision.admitted.v1
  engines: internal, internal
  workers: kye-pdp, kye-gateway
  constitution_refs: constitution/16-EDGE-RUNTIME.md, constitution/25-EDGE-GOVERNANCE.md

nist-800-207.S.MultiCloud · enforced
  Use case: multi-cloud / cloud-to-cloud — the PE/PA must allow direct application-to-application access across cloud providers without traversing the enterprise network.
  audit_events: kye.federation.cross_org_delegation.v1, kye.evidence.decision_map.v1
  engines: internal, internal
  constitution_refs: constitution/25-EDGE-GOVERNANCE.md, constitution/51-NO-SPOF.md

nist-800-207.S.Contracted · enforced
  Use case: enterprise with contracted services and/or non-employee access — the ZTA must accommodate visitors, contractors and partners whose devices and identities are not enterprise-managed.
  audit_events: kye.federation.cross_org_delegation.v1, kye.subprocessor.v1, kye.purpose.permission.v1
  engines: internal, internal
  constitution_refs: constitution/49-UNIVERSAL-ENGAGEMENT-RAIL.md, constitution/52-DELEGATED-AGENT-BINDING.md

nist-800-207.S.Collaboration · designed
  Use case: collaboration across enterprise boundaries — projects that include subjects, services and resources from multiple enterprises require coordinated PE decisions without each side fully trusting the other.
  audit_events: kye.federation.cross_org_delegation.v1, kye.evidence.tool_call_pin.v1
  constitution_refs: constitution/21-DELEGATED-AUDITABILITY.md, constitution/52-DELEGATED-AGENT-BINDING.md

nist-800-207.S.PublicSafety · enforced
  Use case: public-facing services — the enterprise must allow public access (e.g. marketing site) while keeping internal resources tightly scoped under ZTA assumptions.
  audit_events: kye.purpose.permission.v1, kye.evidence.decision_map.v1
  engines: internal
  constitution_refs: constitution/06-WEBSITE.md, constitution/33-IP-OSS-LINE.md

ZTA Threats (§4)

nist-800-207.TH.SubvertedPE · enforced
  Threat: subversion of ZTA decision process — an attacker who manages to influence the PE or PA components (configuration tampering, supply-chain compromise, insider) can grant illegitimate access.
  audit_events: kye.signal.drift.detected.v1, kye.agency_drift.event.v1, kye.reconciliation.verdict.v1, kye.governedui.approval.v1
  engines: internal, internal
  constitution_refs: constitution/34-RECONCILIATION-ENGINE.md, constitution/36-GOVERNEDUI.md

nist-800-207.TH.DDoS · enforced
  Threat: denial-of-service or network disruption against the PE/PA — if the ZTA control plane is unreachable, enterprise access must degrade gracefully without becoming permissive.
  audit_events: kye.spof.path_to_full.v1, kye.compliance.attestation.v1
  engines: internal, internal
  registries: internal
  constitution_refs: constitution/25-EDGE-GOVERNANCE.md, constitution/51-NO-SPOF.md

nist-800-207.TH.StolenCreds · enforced
  Threat: stolen credentials / insider — credential compromise should not yield broad access because the PE re-evaluates context per request and detects anomalous behaviour.
  audit_events: kye.risk.score.v1, kye.signal.revocation.cascaded.v1, kye.purpose.permission.v1
  engines: internal, internal, internal
  constitution_refs: constitution/12-PURPOSE-PERMISSION.md, constitution/13-RESILIENCE-LOOP.md

nist-800-207.TH.NetworkVisibility · advisory
  Threat: visibility into the ZTA network — adversaries who can observe ZTA traffic patterns may infer policy structure; the architecture must minimise the information leaked through metadata.
  audit_events: kye.evidence.decision_map.v1
  engines: internal, internal
  constitution_refs: constitution/25-EDGE-GOVERNANCE.md

nist-800-207.TH.ProprietaryData · enforced
  Threat: storage of system and network information — the data used to inform PE decisions (logs, configs, scores) is itself a high-value target.
  audit_events: kye.audit_retention_policy.v1, kye.evidence.tool_call_pin.v1
  engines: internal, internal
  constitution_refs: constitution/30-AUDIT-WORM-RETENTION.md

nist-800-207.TH.NonPersonEntities · enforced
  Threat: reliance on proprietary data formats / vendor lock-in — heterogeneous identity / NPE (service / agent) management increases the risk of policy gaps and inconsistent enforcement.
  audit_events: kye.agent.governance.v1, kye.agent.completion.v1, kye.agent.mcp_allow_list.v1
  engines: internal
  constitution_refs: constitution/52-DELEGATED-AGENT-BINDING.md, constitution/32-AGENT-DEV-KIT.md

Tenets (§2.1)

nist-800-207.T1 · enforced
  All data sources and computing services are considered resources.
  audit_events: kye.risk.authority_register.v1
  engines: internal, internal
  constitution_refs: constitution/12-PURPOSE-PERMISSION.md

nist-800-207.T2 · enforced
  All communication is secured regardless of network location.
  audit_events: kye.evidence.decision_map.v1, kye.signal.decision.admitted.v1
  engines: internal, internal
  workers: kye-gateway, kye-edge-arbiter
  constitution_refs: constitution/25-EDGE-GOVERNANCE.md

nist-800-207.T3 · enforced
  Access to individual enterprise resources is granted on a per-session basis.
  audit_events: kye.purpose.permission.v1, kye.evidence.decision_map.v1
  engines: internal, internal
  workers: kye-pdp
  constitution_refs: constitution/12-PURPOSE-PERMISSION.md

nist-800-207.T4 · enforced
  Access to resources is determined by dynamic policy — including the observable state of client identity, application/service, the requesting asset — and may include other behavioural and environmental attributes.
  audit_events: kye.evidence.decision_map.v1, kye.purpose.permission.v1, kye.risk.score.v1, kye.model.influence_envelope.v1
  engines: internal, internal, internal
  workers: kye-pdp
  constitution_refs: constitution/12-PURPOSE-PERMISSION.md, constitution/13-RESILIENCE-LOOP.md

nist-800-207.T5 · enforced
  The enterprise monitors and measures the integrity and security posture of all owned and associated assets.
  audit_events: kye.signal.drift.detected.v1, kye.signal.stable_drift.detected.v1, kye.audit.event.appended.v1
  engines: internal, internal
  workers: kye-drift-detector
  constitution_refs: constitution/13-RESILIENCE-LOOP.md, constitution/34-RECONCILIATION-ENGINE.md

nist-800-207.T6 · enforced
  All resource authentication and authorisation are dynamic and strictly enforced before access is allowed.
  audit_events: kye.authority.grant.v1, kye.purpose.permission.v1, kye.evidence.decision_map.v1
  engines: internal, internal, internal
  workers: kye-pdp, kye-gateway
  constitution_refs: constitution/12-PURPOSE-PERMISSION.md

nist-800-207.T7 · enforced
  The enterprise collects as much information as possible about the current state of assets, network infrastructure and communications and uses it to improve its security posture.
  audit_events: kye.audit.event.appended.v1, kye.evidence.pack.v1, kye.evidence.decision_map.v1, kye.evidence.trace_replay_spec.v1
  engines: internal, internal
  constitution_refs: constitution/30-AUDIT-WORM-RETENTION.md, constitution/35-STREAMING-LOGS.md