feat: add NIST SP 800-207 Zero Trust Architecture skill #42
Open
sjackson0109 wants to merge 1 commit into Sushegaad:main from
PLUGIN: nist-sp-800-207
VERSION: 1.0.0
SOURCE: NIST Special Publication 800-207, August 2020
TITLE: Zero Trust Architecture
CSRC: https://csrc.nist.gov/publications/detail/sp/800-207/final

PLUGIN STRUCTURE:
plugins/nist-sp-800-207/.claude-plugin/plugin.json
plugins/nist-sp-800-207/skills/nist-sp-800-207/SKILL.md
plugins/nist-sp-800-207/skills/nist-sp-800-207/references/zta-components.md
plugins/nist-sp-800-207/skills/nist-sp-800-207/references/deployment-approaches.md
plugins/nist-sp-800-207/skills/nist-sp-800-207/references/migration-guide.md

FRAMEWORK COVERAGE:
1. Zero trust definition: no implicit trust based on network location, physical location, or asset ownership; all access independently validated
2. Seven ZTA tenets: all resources treated as resources; all communications secured regardless of location; per-session access grants; dynamic policy; device posture monitoring; dynamic continuous auth/authz; telemetry collection
3. ZTA logical components: Policy Engine (PE), Policy Administrator (PA), Policy Enforcement Point (PEP) with full data flow description
4. PE design: availability requirements, isolation requirements, trust algorithm inputs (7 input sources), decision outputs (grant/conditional/deny/quarantine)
5. PA functions: session establishment, session maintenance, session termination with credential lifecycle
6. PEP types: inline, split-component, resource-native (service mesh sidecar); PEP coverage requirement
7. Trust algorithm: criteria-based (Boolean policy), score/confidence-based, historical behaviour-based (ML) approaches with trade-offs
8. Supporting components: IdP, CDM, threat intel, SIEM, PKI, behavioural analytics integration requirements
9. Three ZTA deployment approaches: Enhanced Identity Governance (EIG), Microsegmentation, SDN/ZTNA
10. EIG implementation: IdP centralisation, phishing-resistant MFA, identity-aware proxy deployment, device posture integration, session revocation
11. Microsegmentation implementation: workload communication flow mapping, policy design, enforcement mechanism options (host-based, hypervisor, cloud-native, service mesh), staged enforcement
12. SDN/ZTNA implementation: SDP architecture, ZTNA product comparison to VPN, SDN dynamic segmentation, agent-based vs. agentless ZTNA
13. ZTA deployment scenarios: employee access, remote/BYOD, service account/workload-to-workload, third-party/contractor
14. ZTA threats: credential compromise, DoS on PE/PA, control plane compromise, visibility gaps, insider threat, supply chain attack
15. Migration roadmap: four-phase migration (Foundation, First ZTA Controls, Broad Coverage, Optimise) with milestones and success criteria
16. CISA ZTMM alignment: five pillars (Identity, Devices, Networks, Applications/Workloads, Data) with four maturity stages per pillar and SP 800-207 alignment
17. SP 800-53 Rev 5 control mapping: ZTA contributions to AC-2, AC-3, AC-4, AC-17, AC-20, AU-2/3, IA-2, IA-3, IA-5, SC-3, SC-7, SC-8, SC-39, SI-4
18. ZTA threat mitigation summary: phishing, lateral movement, privilege escalation, stolen device, insider threat, ransomware

REFERENCE FILES:

zta-components.md:
- Full ZTA logical architecture with data flow steps
- PE design requirements: availability, isolation, scalability
- Trust algorithm input sources mapped to trust score weighting
- PA functions: session establishment, maintenance, termination
- PEP types with technology examples
- Control plane vs. data plane separation and security implications
- IdP and device identity implementation requirements
- Behavioural analytics design requirements
- ZTA component inventory template
- ZTA coverage gap assessment template

deployment-approaches.md:
- Approach 1 EIG: 6-step implementation with technology options
- Approach 2 Microsegmentation: 6-step implementation with enforcement mechanism comparison table
- Approach 3 SDN/ZTNA: SDP architecture explanation, ZTNA vs. VPN comparison table, 7-step ZTNA deployment
- Hybrid approach guidance mapping each environment layer to recommended approach
- Recommended sequence for federal agency ZTA adoption

migration-guide.md:
- ZTA migration assessment checklist (5 domains: Identity/Devices/Network/Applications/Data/Monitoring)
- 4-phase migration roadmap with activities, owners, and success criteria
- CISA ZTMM v2.0 alignment across all five pillars at all four maturity stages
- SP 800-53 Rev 5 control mapping (14 controls)
- ZTA threat mitigation summary (8 threats)
- Key ZTA terms and definitions glossary (15 terms)

INTEGRATION POINTS:
- SP 800-63B: authentication assurance levels (AAL1/2/3) define the identity signal quality for the ZTA trust algorithm
- SP 800-53 Rev 5: ZTA implements or contributes to AC, IA, SC, SI, AU control families
- SP 800-37 Rev 2: ZTA architecture decision is part of the RMF system design phase
- SP 800-137: continuous monitoring telemetry from ZTA components feeds ISCM
- CISA ZTMM v2.0: five-pillar framework for measuring ZTA implementation maturity
- EO 14028: federal ZTA requirements derive from this executive order; NIST SP 800-207 is the primary technical reference

TESTS:
test_plugin_json_exists[nist-sp-800-207] PASSED
test_plugin_json_is_valid[nist-sp-800-207] PASSED
test_plugin_json_required_fields[nist-sp-800-207] PASSED
test_plugin_version_semver[nist-sp-800-207] PASSED
test_skills_directory_exists[nist-sp-800-207] PASSED
test_skills_directory_has_one_skill_folder[nist-sp-800-207] PASSED
test_skill_md_exists[nist-sp-800-207] PASSED
test_skill_md_not_empty[nist-sp-800-207] PASSED
test_no_files_outside_skill_folder[nist-sp-800-207] PASSED
test_references_are_markdown[nist-sp-800-207] PASSED
10 passed, 95 deselected
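The PE trust-algorithm styles and decision outputs named in coverage items 4 and 7 (criteria-based Boolean policy versus score/confidence-based, yielding grant / conditional / deny / quarantine), as an added illustration that is not code from this plugin or from NIST; the input fields, weights and thresholds are assumptions constructed for the example.

```python
"""Toy Policy Engine trust algorithm (added example, not the plugin's code).

Two evaluation styles over the same request: a criteria-based (Boolean) pass,
where every rule must hold, and a score/confidence-based pass, where weighted
inputs are compared against a per-resource threshold. Input fields, weights
and thresholds are constructed for illustration only.
"""
from dataclasses import dataclass


@dataclass
class AccessRequest:
    # Constructed subset of PE inputs: subject auth strength, asset posture,
    # resource policy, threat intelligence, behavioural analytics.
    mfa_level: int             # SP 800-63B AAL of the session (1-3)
    device_managed: bool       # asset is enrolled and reporting posture
    device_compliant: bool     # CDM/EDR reports patched, no known malware
    resource_sensitivity: int  # 1 (low) to 3 (high), from resource policy
    threat_hits: int           # threat-intel matches against subject or asset
    anomaly_score: float       # 0.0-1.0 deviation from behavioural baseline


def criteria_based(req: AccessRequest) -> str:
    """Boolean policy: all rules must pass; no partial credit, no 'conditional'."""
    if req.threat_hits > 0:
        return "quarantine"  # known-bad indicator: isolate the asset
    required_aal = req.resource_sensitivity  # sensitivity 3 requires AAL3
    if req.mfa_level < required_aal:
        return "deny"
    if not (req.device_managed and req.device_compliant):
        return "deny"
    return "grant"


def score_based(req: AccessRequest) -> str:
    """Weighted confidence score; a near-miss yields a conditional grant."""
    if req.threat_hits > 0:
        return "quarantine"
    score = 0.3 * (req.mfa_level / 3)             # stronger auth, more confidence
    score += 0.25 if req.device_managed else 0.0
    score += 0.25 if req.device_compliant else 0.0
    score += 0.2 * (1.0 - req.anomaly_score)      # penalise unusual behaviour
    threshold = {1: 0.4, 2: 0.6, 3: 0.8}[req.resource_sensitivity]
    if score >= threshold:
        return "grant"
    if score >= threshold - 0.2:
        return "conditional"  # e.g. step-up MFA or read-only session
    return "deny"
```

The same request can be denied outright by the Boolean policy yet receive a conditional grant from the score-based pass, which is the trade-off between the two approaches.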