Cybersecurity incidents that utilize compromised credentials and identities or incomplete access management systems continue to lead to data breaches that impact critical infrastructure, the defense industrial base, and national security. In this report, the NSA advocates for the implementation of a Zero-Trust approach, in which every aspect of a system from the user to the device to the data and the network are continuously monitored and authenticated to ensure legitimacy, is implemented across National Security Systems. Further, this report details the precise prescribed steps at every level of the process to ensure that the zero trust system has minimal gaps when implemented. While it is recognized that not every system may be able to support the zero trust system precisely as it is prescribed, this report identifies a general framework which computer systems should pursue when practical to minimize breaches due to compromised credentials or access management failures.
