Zero-Trust Security Model website screenshot

Zero-Trust Security Model

The Zero Trust security model is a strategic cybersecurity approach that eliminates implicit trust and requires continuous verification of every user, device, workload, and request attempting to access resources, regardless of network location. It is rooted in NIST SP 800-207, formalized for federal agencies by the CISA Zero Trust Maturity Model and the DoD Zero Trust Reference Architecture, and operationalized by NSA, NCSC, and industry guidance. This topic indexes the canonical specifications, guidance documents, advocacy organizations, and reference data schemas that describe the Zero Trust security model and its pillars (Identity, Devices, Networks, Applications & Workloads, Data, Visibility & Analytics, Automation & Orchestration).

5 APIs 8 Features
Access ControlCybersecurityFederalIdentity ManagementNetwork SecurityNISTSecuritySecurity FrameworkZero Trust

APIs

NIST SP 800-207 Zero Trust Architecture

The foundational specification of the Zero Trust security model. Defines the seven tenets, the PDP/PEP/PA logical components, and the deployment variants (enhanced identity gove...

CISA Zero Trust Maturity Model

CISA's Zero Trust Maturity Model defines four maturity levels (Traditional, Initial, Advanced, Optimal) across five pillars (Identity, Devices, Networks, Applications & Workload...

DoD Zero Trust Reference Architecture

The Department of Defense Zero Trust Reference Architecture defines the seven DoD Zero Trust pillars (User, Device, Application & Workload, Data, Network & Environment, Automati...

NSA Zero Trust Guidance

A series of NSA Cybersecurity Information Sheets providing pillar-by- pillar guidance for implementing Zero Trust, including the Network and Environment, User, Device, Applicati...

UK NCSC Zero Trust Architecture Design Principles

The UK National Cyber Security Centre's eight Zero Trust design principles, providing the British government's view of Zero Trust architecture for both public-sector and private...

Pricing Plans

Rate Limits

FinOps

Features

Never Trust Always Verify

No user, device, or network is trusted by default; every access is verified.

Explicit Verification

Authentication and authorization happen for every request using all available signals.

Least Privilege Access

Users and workloads receive only the minimum permissions required for the task.

Assume Breach

The model is designed assuming attackers are already present in the environment.

Continuous Monitoring

All sessions and signals are continuously analyzed and policies re-evaluated.

Microsegmentation

Networks and workloads are segmented to limit blast radius after compromise.

Data-Centric Protection

Security controls follow the data, not the perimeter.

Identity as the Perimeter

User and workload identity replaces network location as the primary trust boundary.

Use Cases

Federal Civilian Compliance

Meeting OMB M-22-09 and CISA Zero Trust Maturity Model requirements.

DoD Mission Systems

Implementing the seven DoD Zero Trust pillars and 152 capabilities.

Critical Infrastructure

Applying Zero Trust to OT and ICS environments in energy, water, and transportation.

Healthcare Data Protection

Protecting PHI under HIPAA using Zero Trust controls and continuous verification.

Financial Services Compliance

Aligning Zero Trust with SOX, GLBA, and PCI-DSS requirements.

Higher Education Research

Securing distributed research networks and BYOD environments.

Semantic Vocabularies

Zero Trust Security Model Context

19 classes · 0 properties

JSON-LD

JSON Structure

Zero Trust Security Model Pillar Structure

5 properties

JSON STRUCTURE

Example Payloads

Resources

🔗
NIST Zero Trust Architecture
Documentation
🔗
NIST SP 800-207 PDF
Documentation
🔗
NIST SP 800-207A PDF
Documentation
🔗
CISA Zero Trust Maturity Model
Compliance
🔗
OMB M-22-09 Federal Zero Trust Strategy
Compliance
🔗
DoD Zero Trust Reference Architecture
Compliance
🔗
NSA Zero Trust Guidance
Documentation
🔗
UK NCSC Zero Trust
Documentation
🌐
Cloudflare Learning - What Is Zero Trust
Portal
🌐
Microsoft Zero Trust Guidance Center
Portal
🌐
Google BeyondCorp
Portal
👥
SPIFFE
GitHubOrganization
👥
Open Policy Agent
GitHubOrganization
🔗
Zero Trust Pillar Schema
JSONSchema
🔗
Zero Trust Maturity Assessment Schema
JSONSchema
🔗
Zero Trust Pillar Structure
JSONStructure
🔗
Zero Trust Security Model JSON-LD Context
JSONLD
💻
Zero Trust Maturity Assessment Example
CodeExamples
🔗
Zero Trust Security Model Vocabulary
Resources

Sources

apis.yml Raw ↑
aid: zero-trust-security-model
name: Zero-Trust Security Model
description: The Zero Trust security model is a strategic cybersecurity approach that eliminates implicit trust and requires
  continuous verification of every user, device, workload, and request attempting to access resources, regardless of network
  location. It is rooted in NIST SP 800-207, formalized for federal agencies by the CISA Zero Trust Maturity Model and the
  DoD Zero Trust Reference Architecture, and operationalized by NSA, NCSC, and industry guidance. This topic indexes the canonical
  specifications, guidance documents, advocacy organizations, and reference data schemas that describe the Zero Trust security
  model and its pillars (Identity, Devices, Networks, Applications & Workloads, Data, Visibility & Analytics, Automation &
  Orchestration).
type: Index
url: https://www.nist.gov/publications/zero-trust-architecture
tags:
- Access Control
- Cybersecurity
- Federal
- Identity Management
- Network Security
- NIST
- Security
- Security Framework
- Zero Trust
created: '2025'
modified: '2026-05-03'
specificationVersion: '0.19'
apis:
- aid: zero-trust-security-model:nist-sp-800-207
  name: NIST SP 800-207 Zero Trust Architecture
  description: The foundational specification of the Zero Trust security model. Defines the seven tenets, the PDP/PEP/PA logical
    components, and the deployment variants (enhanced identity governance, microsegmentation, and network infrastructure /
    SDP).
  humanURL: https://csrc.nist.gov/pubs/sp/800/207/final
  tags:
  - NIST
  - Specification
  - Zero Trust
  properties:
  - type: Documentation
    url: https://csrc.nist.gov/pubs/sp/800/207/final
  - type: APIReference
    url: https://nvlpubs.nist.gov/nistpubs/specialpublications/NIST.SP.800-207.pdf
- aid: zero-trust-security-model:cisa-zero-trust-maturity-model
  name: CISA Zero Trust Maturity Model
  description: CISA's Zero Trust Maturity Model defines four maturity levels (Traditional, Initial, Advanced, Optimal) across
    five pillars (Identity, Devices, Networks, Applications & Workloads, Data) and three cross-cutting capabilities (Visibility
    & Analytics, Automation & Orchestration, Governance). It is the federal-civilian roadmap for Zero Trust adoption.
  humanURL: https://www.cisa.gov/zero-trust-maturity-model
  tags:
  - CISA
  - Federal
  - Maturity Model
  properties:
  - type: Documentation
    url: https://www.cisa.gov/zero-trust-maturity-model
  - type: APIReference
    url: https://www.cisa.gov/sites/default/files/2023-04/zero_trust_maturity_model_v2_508.pdf
- aid: zero-trust-security-model:dod-zero-trust-reference-architecture
  name: DoD Zero Trust Reference Architecture
  description: The Department of Defense Zero Trust Reference Architecture defines the seven DoD Zero Trust pillars (User,
    Device, Application & Workload, Data, Network & Environment, Automation & Orchestration, Visibility & Analytics) and 152
    capabilities across target and advanced activities.
  humanURL: https://dodcio.defense.gov/library/
  tags:
  - DoD
  - Federal
  - Reference Architecture
  properties:
  - type: Documentation
    url: https://dodcio.defense.gov/Portals/0/Documents/Library/ZT-Reference-Architecture.pdf
- aid: zero-trust-security-model:nsa-zero-trust-guidance
  name: NSA Zero Trust Guidance
  description: A series of NSA Cybersecurity Information Sheets providing pillar-by- pillar guidance for implementing Zero
    Trust, including the Network and Environment, User, Device, Application & Workload, and Data pillars.
  humanURL: https://www.nsa.gov/Cybersecurity/
  tags:
  - Federal
  - Guidance
  - NSA
  properties:
  - type: Documentation
    url: https://www.nsa.gov/Press-Room/News-Highlights/Article/Article/2899282/nsa-releases-guidance-on-zero-trust-security-model/
- aid: zero-trust-security-model:ncsc-zero-trust-principles
  name: UK NCSC Zero Trust Architecture Design Principles
  description: The UK National Cyber Security Centre's eight Zero Trust design principles, providing the British government's
    view of Zero Trust architecture for both public-sector and private organizations.
  humanURL: https://www.ncsc.gov.uk/collection/zero-trust-architecture
  tags:
  - Guidance
  - NCSC
  - UK
  properties:
  - type: Documentation
    url: https://www.ncsc.gov.uk/collection/zero-trust-architecture
common:
- type: Documentation
  title: NIST Zero Trust Architecture
  url: https://www.nist.gov/publications/zero-trust-architecture
  description: NIST landing page for Zero Trust Architecture publications.
- type: Documentation
  title: NIST SP 800-207 PDF
  url: https://nvlpubs.nist.gov/nistpubs/specialpublications/NIST.SP.800-207.pdf
- type: Documentation
  title: NIST SP 800-207A PDF
  url: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-207A.pdf
- type: Compliance
  title: CISA Zero Trust Maturity Model
  url: https://www.cisa.gov/zero-trust-maturity-model
- type: Compliance
  title: OMB M-22-09 Federal Zero Trust Strategy
  url: https://www.whitehouse.gov/wp-content/uploads/2022/01/M-22-09.pdf
  description: White House OMB memorandum mandating Zero Trust adoption across federal civilian agencies.
- type: Compliance
  title: DoD Zero Trust Reference Architecture
  url: https://dodcio.defense.gov/Portals/0/Documents/Library/ZT-Reference-Architecture.pdf
- type: Documentation
  title: NSA Zero Trust Guidance
  url: https://www.nsa.gov/Press-Room/News-Highlights/Article/Article/2899282/nsa-releases-guidance-on-zero-trust-security-model/
- type: Documentation
  title: UK NCSC Zero Trust
  url: https://www.ncsc.gov.uk/collection/zero-trust-architecture
- type: Portal
  title: Cloudflare Learning - What Is Zero Trust
  url: https://www.cloudflare.com/learning/security/glossary/what-is-zero-trust/
- type: Portal
  title: Microsoft Zero Trust Guidance Center
  url: https://learn.microsoft.com/en-us/security/zero-trust/
- type: Portal
  title: Google BeyondCorp
  url: https://cloud.google.com/beyondcorp
- type: GitHubOrganization
  title: SPIFFE
  url: https://github.com/spiffe
- type: GitHubOrganization
  title: Open Policy Agent
  url: https://github.com/open-policy-agent
- type: JSONSchema
  title: Zero Trust Pillar Schema
  url: json-schema/zero-trust-security-model-pillar-schema.json
- type: JSONSchema
  title: Zero Trust Maturity Assessment Schema
  url: json-schema/zero-trust-security-model-maturity-schema.json
- type: JSONStructure
  title: Zero Trust Pillar Structure
  url: json-structure/zero-trust-security-model-pillar-structure.json
- type: JSONLD
  title: Zero Trust Security Model JSON-LD Context
  url: json-ld/zero-trust-security-model-context.jsonld
- type: CodeExamples
  title: Zero Trust Maturity Assessment Example
  url: examples/zero-trust-security-model-maturity-example.json
- type: Resources
  title: Zero Trust Security Model Vocabulary
  url: vocabulary/zero-trust-security-model-vocabulary.yaml
- type: Features
  data:
  - name: Never Trust Always Verify
    description: No user, device, or network is trusted by default; every access is verified.
  - name: Explicit Verification
    description: Authentication and authorization happen for every request using all available signals.
  - name: Least Privilege Access
    description: Users and workloads receive only the minimum permissions required for the task.
  - name: Assume Breach
    description: The model is designed assuming attackers are already present in the environment.
  - name: Continuous Monitoring
    description: All sessions and signals are continuously analyzed and policies re-evaluated.
  - name: Microsegmentation
    description: Networks and workloads are segmented to limit blast radius after compromise.
  - name: Data-Centric Protection
    description: Security controls follow the data, not the perimeter.
  - name: Identity as the Perimeter
    description: User and workload identity replaces network location as the primary trust boundary.
- type: UseCases
  data:
  - name: Federal Civilian Compliance
    description: Meeting OMB M-22-09 and CISA Zero Trust Maturity Model requirements.
  - name: DoD Mission Systems
    description: Implementing the seven DoD Zero Trust pillars and 152 capabilities.
  - name: Critical Infrastructure
    description: Applying Zero Trust to OT and ICS environments in energy, water, and transportation.
  - name: Healthcare Data Protection
    description: Protecting PHI under HIPAA using Zero Trust controls and continuous verification.
  - name: Financial Services Compliance
    description: Aligning Zero Trust with SOX, GLBA, and PCI-DSS requirements.
  - name: Higher Education Research
    description: Securing distributed research networks and BYOD environments.
maintainers:
- FN: Kin Lane
  email: kin@apievangelist.com