National Cybersecurity Center of Excellence (NCCoE) Zero Trust Cybersecurity: Implementing a Zero Trust Architecture, 66936-66939 [2020-23292]

Download as PDF 66936 Federal Register / Vol. 85, No. 204 / Wednesday, October 21, 2020 / Notices Description of Certified Content NFE’s Certificate was amended as follows: 1. Added the following company as a new Member of the Certificate within the meaning of section 325.2(l) of the Regulations (15 CFR 325.2(l)) for the following Export Product: Fresh sweet cherries: • Griggs Farms Packing, LLC, Orondo, WA 2. Deleted the following companies as Members of the Certificate: • Peshastin Hi-Up Growers, Peshastin, WA • Strand Apples, Inc., Cowiche, WA 3. Changed the Export Product coverage for one Member: • Stemilt Growers, LLC changed Export Product coverage from fresh sweet cherries, fresh apples, and fresh pears to fresh sweet cherries and fresh apples (dropping fresh pears). 4. Modified the Certificate language under Paragraph 2 of the Export Trade Activities and Methods of Operation to read as follows: ‘‘With respect to fresh sweet cherries only, NFE may on behalf of and with the advice of its Members negotiate export prices and quantities and allocate export quotas among growing regions and its Members, in connection with actual or potential bona fide export opportunities. In allocating export quotas among growing regions and its Members, NFE, through employees or agents of NFE who are not also employees of a Member, may receive, and each Member may supply to such employees or agents of NFE, information as to such Member’s actual total export shipments of fresh sweet cherries in any previous growing season or seasons, provided that such information is not disclosed by NFE to any other Member. All communications made on behalf of NFE to its Members relating to the allocation of quotas shall be made by an NFE employee or agent who is not also an employee of a Member, and neither the NFE employee/agent or any employee of a Member shall disclose to any other Member the quota allocation of that Member or any other Member.’’ khammond on DSKJM1Z7X2PROD with NOTICES NFE’s Amended Certificate Membership Is as Follows 1. Allan Bros., Naches, WA 2. AltaFresh L.L.C. dba Chelan Fresh Marketing, Chelan, WA 3. Apple House Warehouse & Storage, Inc., Brewster, WA 4. Apple King, L.L.C., Yakima, WA 5. Auvil Fruit Co., Inc., Orondo, WA 6. Baker Produce, Inc., Kennewick, WA 7. Blue Bird, Inc., Peshastin, WA 8. Blue Star Growers, Inc., Cashmere, WA VerDate Sep<11>2014 16:58 Oct 20, 2020 Jkt 253001 9. Borton & Sons, Inc., Yakima, WA 10. Brewster Heights Packing & Orchards, LP, Brewster, WA 11. Chelan Fruit Cooperative, Chelan, WA 12. Chiawana, Inc. dba Columbia Reach Pack, Yakima, WA 13. CMI Orchards LLC, Wenatchee, WA 14. Columbia Fruit Packers, Inc., Wenatchee, WA 15. Columbia Valley Fruit, L.L.C., Yakima, WA 16. Congdon Packing Co. L.L.C., Yakima, WA 17. Conrad & Adams Fruit L.L.C., Grandview, WA 18. Cowiche Growers, Inc., Cowiche, WA 19. CPC International Apple Company, Tieton, WA 20. Crane & Crane, Inc., Brewster, WA 21. Custom Apple Packers, Inc., Quincy, and Wenatchee, WA 22. Diamond Fruit Growers, Inc., Odell, OR 23. Domex Superfresh Growers LLC, Yakima, WA 24. Douglas Fruit Company, Inc., Pasco, WA 25. Dovex Export Company, Wenatchee, WA 26. Duckwall Fruit, Odell, OR 27. E. Brown & Sons, Inc., Milton-Freewater, OR 28. Evans Fruit Co., Inc., Yakima, WA 29. E.W. Brandt & Sons, Inc., Parker, WA 30. FirstFruits Farms, LLC, Prescott, WA 31. Frosty Packing Co., LLC, Yakima, WA 32. G&G Orchards, Inc., Yakima, WA 33. Gilbert Orchards, Inc., Yakima, WA 34. Griggs Farms Packing, LLC, Orondo, WA 35. Hansen Fruit & Cold Storage Co., Inc., Yakima, WA 36. Henggeler Packing Co., Inc., Fruitland, ID 37. Highland Fruit Growers, Inc., Yakima, WA 38. HoneyBear Growers LLC, Brewster, WA 39. Honey Bear Tree Fruit Co LLC, Wenatchee, WA 40. Hood River Cherry Company, Hood River, OR 41. JackAss Mt. Ranch, Pasco, WA 42. Jenks Bros Cold Storage & Packing, Royal City, WA 43. Kershaw Fruit & Cold Storage, Co., Yakima, WA 44. L & M Companies, Union Gap, WA 45. Legacy Fruit Packers LLC, Wapato, WA 46. Manson Growers Cooperative, Manson, WA 47. Matson Fruit Company, Selah, WA 48. McDougall & Sons, Inc., Wenatchee, WA 49. Monson Fruit Co., Selah, WA 50. Morgan’s of Washington dba Double Diamond Fruit, Quincy, WA 51. Naumes, Inc., Medford, OR 52. Northern Fruit Company, Inc., Wenatchee, WA 53. Olympic Fruit Co., Moxee, WA 54. Oneonta Trading Corp., Wenatchee, WA 55. Orchard View Farms, Inc., The Dalles, OR 56. Pacific Coast Cherry Packers, LLC, Yakima, WA 57. Piepel Premium Fruit Packing LLC, East Wenatchee, WA 58. Pine Canyon Growers LLC, Orondo, WA 59. Polehn Farms, Inc., The Dalles, OR 60. Price Cold Storage & Packing Co., Inc., Yakima, WA 61. Pride Packing Company LLC, Wapato, WA 62. Quincy Fresh Fruit Co., Quincy, WA PO 00000 Frm 00011 Fmt 4703 Sfmt 4703 63. Rainier Fruit Company, Selah, WA 64. Roche Fruit, Ltd., Yakima, WA 65. Sage Fruit Company, L.L.C., Yakima, WA 66. Smith & Nelson, Inc., Tonasket, WA 67. Stadelman Fruit, L.L.C., MiltonFreewater, OR, and Zillah, WA 68. Stemilt Growers, LLC, Wenatchee, WA 69. Symms Fruit Ranch, Inc., Caldwell, ID 70. The Dalles Fruit Company, LLC, Dallesport, WA 71. Underwood Fruit & Warehouse Co., Bingen, WA 72. Valicoff Fruit Company Inc., Wapato, WA 73. Washington Cherry Growers, Peshastin, WA 74. Washington Fruit & Produce Co., Yakima, WA 75. Western Sweet Cherry Group, LLC, Yakima, WA 76. Whitby Farms, Inc. dba: Farm Boy Fruit Snacks LLC, Mesa, WA 77. WP Packing LLC, Wapato, WA 78. Yakima Fresh, Yakima, WA 79. Yakima Fruit & Cold Storage Co., Yakima, WA 80. Zirkle Fruit Company, Selah, WA The effective date of the amendment is July 8, 2020, the date on which NFE’s application to amend was deemed submitted. Dated: October 16, 2020. Joseph Flynn, Director, Office of Trade and Economic Analysis, International Trade Administration, U.S. Department of Commerce. [FR Doc. 2020–23293 Filed 10–20–20; 8:45 am] BILLING CODE 3510–DR–P DEPARTMENT OF COMMERCE National Institute of Standards and Technology [Docket No.: 200921–0251] National Cybersecurity Center of Excellence (NCCoE) Zero Trust Cybersecurity: Implementing a Zero Trust Architecture National Institute of Standards and Technology, Department of Commerce. ACTION: Notice. AGENCY: The National Institute of Standards and Technology (NIST) invites organizations to provide products and technical expertise to support and demonstrate security platforms for the Zero Trust Cybersecurity: Implementing a Zero Trust Architecture project. This notice is the initial step for the National Cybersecurity Center of Excellence (NCCoE) in collaborating with technology companies to address cybersecurity challenges identified under the Zero Trust Cybersecurity: Implementing a Zero Trust Architecture project. Participation in the building SUMMARY: E:\FR\FM\21OCN1.SGM 21OCN1 khammond on DSKJM1Z7X2PROD with NOTICES Federal Register / Vol. 85, No. 204 / Wednesday, October 21, 2020 / Notices block is open to all interested organizations. DATES: Collaborative activities will commence as soon as enough completed and signed letters of interest have been returned to address all the necessary components and capabilities, but no earlier than November 20, 2020. ADDRESSES: The NCCoE is located at 9700 Great Seneca Highway, Rockville, MD 20850. Letters of interest must be submitted to nccoe-zta-project@ list.nist.gov or via hardcopy to National Institute of Standards and Technology, NCCoE; 9700 Great Seneca Highway, Rockville, MD 20850. Organizations whose letters of interest are accepted in accordance with the process set forth in the SUPPLEMENTARY INFORMATION section of this notice will be asked to sign a consortium Cooperative Research and Development Agreement (CRADA) with NIST. An NCCoE consortium CRADA template can be found at: https:// nccoe.nist.gov/library/nccoeconsortium-crada-example. FOR FURTHER INFORMATION CONTACT: Alper Kerman via email to nccoe-ztaproject@list.nist.gov; or by telephone at 301–975–0200. Additional details about the Zero Trust Cybersecurity: Implementing a Zero Trust Architecture project are available at https:// www.nccoe.nist.gov/zerotrust. SUPPLEMENTARY INFORMATION: Interested parties can access the letter of interest template by visiting the project website at https://www.nccoe.nist.gov/zerotrust and completing the letter of interest webform. Completed letters of interest should be submitted to NIST and will be accepted on a first come, first served basis. When the building block has been completed, NIST will post a notice on the NCCoE Zero Trust Cybersecurity: Implementing a Zero Trust Architecture project website at https:// www.nccoe.nist.gov/zerotrust announcing the completion of the building block and informing the public that it will no longer accept letters of interest for this building block. Background: The NCCoE, part of NIST, is a public-private collaboration for accelerating the widespread adoption of integrated cybersecurity tools and technologies. The NCCoE brings together experts from industry, government, and academia under one roof to develop practical, interoperable cybersecurity approaches that address the real-world needs of complex Information Technology (IT) systems. By accelerating dissemination and use of these integrated tools and technologies for protecting IT assets, the NCCoE will enhance trust in U.S. IT communications, data, and storage VerDate Sep<11>2014 16:58 Oct 20, 2020 Jkt 253001 systems; reduce risk for companies and individuals using IT systems; and encourage development of innovative, job-creating cybersecurity products and services. Process: NIST is soliciting responses from all sources of relevant security capabilities (see below) to enter into a Cooperative Research and Development Agreement (CRADA) to provide products and technical expertise to support and demonstrate security platforms for the Zero Trust Cybersecurity: Implementing a Zero Trust Architecture project. The full building block can be viewed at: https:// www.nccoe.nist.gov/zerotrust. Interested parties can access the letter of interest template by visiting the project website at https:// www.nccoe.nist.gov/zerotrust and completing the letter of interest webform. On completion of the webform, interested parties will receive access to the letter of interest template, which the party must complete, certify that it is accurate, and submit to NIST. NIST will contact interested parties if there are questions regarding the responsiveness of the letters of interest to the building block objective or requirements identified below. NIST will select participants who have submitted complete letters of interest on a first come, first served basis within each category of product components or capabilities listed below up to the number of participants in each category necessary to carry out this building block. However, there may be continuing opportunity to participate even after initial activity commences. Selected participants will be required to enter into a consortium CRADA with NIST (for reference, see ADDRESSES section above). NIST published a notice in the Federal Register on October 19, 2012 (77 FR 64314) inviting U.S. companies to enter into National Cybersecurity Excellence Partnerships (NCEPs) in furtherance of the NCCoE. For this demonstration project, NCEP partners will not be given priority for participation. Building Block Objective: The objective of this building block project is to produce an example implementation(s) of a zero trust architecture that is designed and deployed according to the concepts and tenets documented in the NIST Special Publication (SP) 800–207, Zero Trust Architecture. The proposed proof-ofconcept solution(s) will integrate commercial and open source products that leverage cybersecurity standards and recommended practices to demonstrate the use case scenarios detailed in the Implementing a Zero PO 00000 Frm 00012 Fmt 4703 Sfmt 4703 66937 Trust Architecture project description at https://www.nccoe.nist.gov/zerotrust. This project will result in a publicly available NIST Cybersecurity Practice Guide as a Special Publication 1800 series, a detailed implementation guide describing the practical steps needed to implement a cybersecurity reference implementation. Requirements: Each responding organization’s letter of interest should identify which security platform component(s) or capability(ies) it is offering. Letters of interest should not include company proprietary information, and all components and capabilities must be commercially available. Components are listed in section 3 of the Zero Trust Cybersecurity: Implementing a Zero Trust Architecture project description (for reference, please see the link in the Process section above) and include, but are not limited to: Core Components of Zero Trust Architecture • Policy Engine: The policy engine handles the ultimate decision to grant, deny, or revoke access to a resource for a given subject. The policy engine calculates the trust scores/confidence levels and ultimate access decisions. • Policy Administrator: The policy administrator is responsible for establishing and/or terminating the transaction between a subject and a resource. It generates any sessionspecific authentication and authentication token or credential used by a client to access an enterprise resource. It is closely tied to the Policy Engine and relies on its decision to ultimately allow or deny a session. • Policy Enforcement Point: The policy enforcement point handles enabling, monitoring, and eventually terminating connections between a subject and an enterprise resource. Functional Components of Zero Trust Architecture • The data security component includes all the data access policies and rules that an enterprise develops to secure its information, and the means to protect data at rest and in transit. • The endpoint security component encompasses the strategy, technology, and governance to protect endpoints (e.g., servers, desktops, mobile phones, IoT devices) from threats and attacks, as well as protect the enterprise from threats from managed and unmanaged devices. • The identity and access management component includes the strategy, technology, and governance for creating, storing, and managing E:\FR\FM\21OCN1.SGM 21OCN1 66938 Federal Register / Vol. 85, No. 204 / Wednesday, October 21, 2020 / Notices enterprise user (i.e., subject) accounts and identity records and their access to enterprise resources. • The security analytics component encompasses all the threat intelligence feeds and traffic/activity monitoring for an IT enterprise. It gathers security and behavior analytics about the current state of enterprise assets and continuously monitors those assets to actively respond to threats or malicious activity. This information could feed the policy engine to help make dynamic access decisions. khammond on DSKJM1Z7X2PROD with NOTICES Devices and Network Infrastructure Components of a Zero Trust Architecture • Assets include the devices/ endpoints, such as laptops, tablets, and other mobile or IoT devices, that connect to the enterprise. • Enterprise resources include data and computer resources as well as applications/services that are hosted and managed on-premise, in the cloud, at the edge, or some combination of these. Each responding organization’s letter of interest should identify how their products help address one or more of the following desired security characteristics and properties in section 3 of the Zero Trust Cybersecurity: Implementing a Zero Trust Architecture project description (for reference, please see the link in the PROCESS section above): • All interactions throughout the proposed architecture are achieved in the most secure manner available, with emphasis on protecting confidentiality and integrity through a consistent identification, authentication, and authorization scheme. • All interactions throughout the proposed architecture are continually reassessed with possible reauthentication and reauthorization as necessary to mitigate unauthorized access to enterprise resources. • Access to an enterprise resource is assessed on a per-session basis and authorized specifically for that enterprise resource. • Access requests are evaluated dynamically based on organizational policies and rules for accessing enterprise resources, including the observable state of: a. Subject identity (e.g., user account or service identity with associated attributes) b. requesting asset (e.g., laptop, mobile device, server) device characteristics (e.g., software version installed, security posture, network location, time/date of request, VerDate Sep<11>2014 16:58 Oct 20, 2020 Jkt 253001 previously observed behavior, and installed credentials) c. requested resource (e.g., server, application, service) characteristics • Enterprise assets and resources are continuously monitored and reassessed in order to maintain them in the most secure states possible. • Log and event data generated about the current state of enterprise assets, resources, and interactions throughout the proposed architecture are collected and leveraged for better policy alignment and enforcement to increase the enterprise’s overall security posture. • Secure access to corporate resources, hosted either on-premise or within a cloud environment, as well as to non-corporate resources on the internet are provided without the use of conventional network and network perimeter access and security solutions. • Integration with various directory protocols and identity management services (e.g., Lightweight Directory Access Protocol [LDAP], OAuth 2.0, Active Directory, OpenLDAP, Security Assertion Markup Language) is demonstrated. • Integration with security information and event management tools through common application programming interfaces is demonstrated. • Desired enterprise device security characteristics are demonstrated, including: a. Maintaining data protection at rest and in transit b. remediating device vulnerabilities that could result in unauthorized access to data stored on or accessed by the device, and misuse of the device c. mitigating malware execution on the device that could result in unauthorized access to data stored on or accessed by the device, and misuse of the device d. mitigating the risk of data loss through accidental, deliberate, or malicious deletion or obfuscation of data stored on the device e. maintaining awareness of and responding to suspicious or malicious activities within and against the device to prevent or detect a compromise of the device Responding organizations need to understand and, in their letters of interest, commit to provide: 1. Access for all participants’ project teams to component interfaces and the organization’s experts necessary to make functional connections among security platform components. 2. Support for development and demonstration of the Zero Trust Cybersecurity: Implementing a Zero Trust Architecture building block will PO 00000 Frm 00013 Fmt 4703 Sfmt 4703 be conducted in a manner consistent with the following standards and guidance: FIPS 200, SP 800–37, SP 800– 53, SP 800–63, and SP 800–207. Additional details about the Zero Trust Cybersecurity: Implementing a Zero Trust Architecture project are available at https://www.nccoe.nist.gov/zerotrust. NIST cannot guarantee that all of the products proposed by respondents will be used in the demonstration. Each prospective participant will be expected to work collaboratively with NIST staff and other project participants under the terms of the consortium CRADA in the development of the Zero Trust Cybersecurity: Implementing a Zero Trust Architecture project. Prospective participants’ contribution to the collaborative effort will include assistance in establishing the necessary interface functionality, connection and set-up capabilities and procedures, demonstration harnesses, environmental and safety conditions for use, integrated platform user instructions, and demonstration plans and scripts necessary to demonstrate the desired capabilities. Each participant will train NIST personnel, as necessary, to operate its product in capability demonstrations. Following successful demonstrations, NIST will publish a description of the security platform and its performance characteristics sufficient to permit other organizations to develop and deploy security platforms that meet the security objectives of the Zero Trust Cybersecurity: Implementing a Zero Trust Architecture project. These descriptions will be public information. Under the terms of the consortium CRADA, NIST will support development of interfaces among participants’ products by providing IT infrastructure, laboratory facilities, office facilities, collaboration facilities, and staff support to component composition, security platform documentation, and demonstration activities. The dates of the demonstration of the Zero Trust Cybersecurity: Implementing a Zero Trust Architecture project capability will be announced on the NCCoE website at least two weeks in advance at https://nccoe.nist.gov/. The expected outcome will demonstrate how the components of the Zero Trust Architecture can provide security capabilities to mitigate identified risks and meet industry sectors’ compliance requirements. Participating organizations will gain from the knowledge that their products are interoperable with other participants’ offerings. For additional information on the NCCoE governance, business processes, E:\FR\FM\21OCN1.SGM 21OCN1 Federal Register / Vol. 85, No. 204 / Wednesday, October 21, 2020 / Notices and NCCoE operational structure, visit the NCCoE website https:// nccoe.nist.gov/. Kevin A. Kimball, Chief of Staff. [FR Doc. 2020–23292 Filed 10–20–20; 8:45 am] BILLING CODE 3510–13–P DEPARTMENT OF COMMERCE National Oceanic and Atmospheric Administration [RTID 0648–XA554] Takes of Marine Mammals Incidental to Specified Activities; Taking Marine Mammals Incidental to the U.S. Coast Guard’s Base Los Angeles/Long Beach Wharf Expansion Project, Los Angeles, California National Marine Fisheries Service (NMFS), National Oceanic and Atmospheric Administration (NOAA), Commerce. ACTION: Notice; proposed incidental harassment authorization; request for comments on proposed authorization and possible renewal. AGENCY: NMFS has received a request from the U.S. Coast Guard (Coast Guard) for authorization to take marine mammals incidental to the Base Los Angeles/Long Beach Wharf Expansion Project in Los Angeles, California. Pursuant to the Marine Mammal Protection Act (MMPA), NMFS is requesting comments on its proposal to issue an incidental harassment authorization (IHA) to incidentally take marine mammals during the specified activities. NMFS is also requesting comments on a possible one-year renewal that could be issued under certain circumstances and if all requirements are met, as described in Request for Public Comments at the end of this notice. NMFS will consider public comments prior to making any final decision on the issuance of the requested MMPA authorizations and agency responses will be summarized in the final notice of our decision. DATES: Comments and information must be received no later than November 20, 2020. ADDRESSES: Comments should be addressed to Jolie Harrison, Chief, Permits and Conservation Division, Office of Protected Resources, National Marine Fisheries Service. Comments should be sent to ITP.Meadows@ noaa.gov. Instructions: NMFS is not responsible for comments sent by any other method, to any other address or individual, or khammond on DSKJM1Z7X2PROD with NOTICES SUMMARY: VerDate Sep<11>2014 16:58 Oct 20, 2020 Jkt 253001 received after the end of the comment period. Comments received electronically, including all attachments, must not exceed a 25megabyte file size. Attachments to electronic comments will be accepted in Microsoft Word or Excel or Adobe PDF file formats only. All comments received are a part of the public record and will generally be posted online at https://www.fisheries.noaa.gov/permit/ incidental-take-authorizations-undermarine-mammal-protection-act without change. All personal identifying information (e.g., name, address) voluntarily submitted by the commenter may be publicly accessible. Do not submit confidential business information or otherwise sensitive or protected information. FOR FURTHER INFORMATION CONTACT: Dwayne Meadows, Ph.D., Office of Protected Resources, NMFS, (301) 427– 8401. Electronic copies of the application and supporting documents, as well as a list of the references cited in this document, may be obtained online at: https:// www.fisheries.noaa.gov/permit/ incidental-take-authorizations-undermarine-mammal-protection-act. In case of problems accessing these documents, please call the contact listed above. SUPPLEMENTARY INFORMATION: Background The MMPA prohibits the ‘‘take’’ of marine mammals, with certain exceptions. Sections 101(a)(5)(A) and (D) of the MMPA (16 U.S.C. 1361 et seq.) direct the Secretary of Commerce (as delegated to NMFS) to allow, upon request, the incidental, but not intentional, taking of small numbers of marine mammals by U.S. citizens who engage in a specified activity (other than commercial fishing) within a specified geographical region if certain findings are made and either regulations are issued or, if the taking is limited to harassment, a notice of a proposed incidental take authorization may be provided to the public for review. Authorization for incidental takings shall be granted if NMFS finds that the taking will have a negligible impact on the species or stock(s) and will not have an unmitigable adverse impact on the availability of the species or stock(s) for taking for subsistence uses (where relevant). Further, NMFS must prescribe the permissible methods of taking and other ‘‘means of effecting the least practicable adverse impact’’ on the affected species or stocks and their habitat, paying particular attention to rookeries, mating grounds, and areas of similar significance, and on the PO 00000 Frm 00014 Fmt 4703 Sfmt 4703 66939 availability of the species or stocks for taking for certain subsistence uses (referred to in shorthand as ‘‘mitigation’’); and requirements pertaining to the mitigation, monitoring and reporting of the takings are set forth. The definitions of all applicable MMPA statutory terms cited above are included in the relevant sections below. National Environmental Policy Act To comply with the National Environmental Policy Act of 1969 (NEPA; 42 U.S.C. 4321 et seq.) and NOAA Administrative Order (NAO) 216–6A, NMFS must review our proposed action (i.e., the issuance of an IHA) with respect to potential impacts on the human environment. This action is consistent with categories of activities identified in Categorical Exclusion B4 (IHAs with no anticipated serious injury or mortality) of the Companion Manual for NOAA Administrative Order 216–6A, which do not individually or cumulatively have the potential for significant impacts on the quality of the human environment and for which we have not identified any extraordinary circumstances that would preclude this categorical exclusion. Accordingly, NMFS has preliminarily determined that the issuance of the proposed IHA qualifies to be categorically excluded from further NEPA review. We will review all comments submitted in response to this notice prior to concluding our NEPA process or making a final decision on the IHA request. Summary of Request On July 2, 2020, NMFS received an application from the Coast Guard requesting an IHA to take small numbers of five species of marine mammals incidental to pile driving associated with the Base Los Angeles Long Beach Wharf Expansion Project in Los Angeles, California. The application was deemed adequate and complete on October 5, 2020. The Coast Guard’s request is for take of a small number of five species of marine mammals by Level A and/or Level B harassment. Neither the Coast Guard nor NMFS expects serious injury or mortality to result from this activity and, therefore, an IHA is appropriate. Description of Proposed Activity Overview The purpose of the project is to expand the existing wharf and other base infrastructure for hosting two additional offshore patrol cutters. The existing 1255-foot (383 meters (m)) long E:\FR\FM\21OCN1.SGM 21OCN1

Agencies

[Federal Register Volume 85, Number 204 (Wednesday, October 21, 2020)]
[Notices]
[Pages 66936-66939]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2020-23292]


-----------------------------------------------------------------------

DEPARTMENT OF COMMERCE

National Institute of Standards and Technology

[Docket No.: 200921-0251]


National Cybersecurity Center of Excellence (NCCoE) Zero Trust 
Cybersecurity: Implementing a Zero Trust Architecture

AGENCY: National Institute of Standards and Technology, Department of 
Commerce.

ACTION: Notice.

-----------------------------------------------------------------------

SUMMARY: The National Institute of Standards and Technology (NIST) 
invites organizations to provide products and technical expertise to 
support and demonstrate security platforms for the Zero Trust 
Cybersecurity: Implementing a Zero Trust Architecture project. This 
notice is the initial step for the National Cybersecurity Center of 
Excellence (NCCoE) in collaborating with technology companies to 
address cybersecurity challenges identified under the Zero Trust 
Cybersecurity: Implementing a Zero Trust Architecture project. 
Participation in the building

[[Page 66937]]

block is open to all interested organizations.

DATES: Collaborative activities will commence as soon as enough 
completed and signed letters of interest have been returned to address 
all the necessary components and capabilities, but no earlier than 
November 20, 2020.

ADDRESSES: The NCCoE is located at 9700 Great Seneca Highway, 
Rockville, MD 20850. Letters of interest must be submitted to [email protected] or via hardcopy to National Institute of 
Standards and Technology, NCCoE; 9700 Great Seneca Highway, Rockville, 
MD 20850. Organizations whose letters of interest are accepted in 
accordance with the process set forth in the SUPPLEMENTARY INFORMATION 
section of this notice will be asked to sign a consortium Cooperative 
Research and Development Agreement (CRADA) with NIST. An NCCoE 
consortium CRADA template can be found at: https://nccoe.nist.gov/library/nccoe-consortium-crada-example.

FOR FURTHER INFORMATION CONTACT: Alper Kerman via email to [email protected]; or by telephone at 301-975-0200. Additional 
details about the Zero Trust Cybersecurity: Implementing a Zero Trust 
Architecture project are available at https://www.nccoe.nist.gov/zerotrust.

SUPPLEMENTARY INFORMATION: Interested parties can access the letter of 
interest template by visiting the project website at https://www.nccoe.nist.gov/zerotrust and completing the letter of interest 
webform. Completed letters of interest should be submitted to NIST and 
will be accepted on a first come, first served basis. When the building 
block has been completed, NIST will post a notice on the NCCoE Zero 
Trust Cybersecurity: Implementing a Zero Trust Architecture project 
website at https://www.nccoe.nist.gov/zerotrust announcing the 
completion of the building block and informing the public that it will 
no longer accept letters of interest for this building block.
    Background: The NCCoE, part of NIST, is a public-private 
collaboration for accelerating the widespread adoption of integrated 
cybersecurity tools and technologies. The NCCoE brings together experts 
from industry, government, and academia under one roof to develop 
practical, interoperable cybersecurity approaches that address the 
real-world needs of complex Information Technology (IT) systems. By 
accelerating dissemination and use of these integrated tools and 
technologies for protecting IT assets, the NCCoE will enhance trust in 
U.S. IT communications, data, and storage systems; reduce risk for 
companies and individuals using IT systems; and encourage development 
of innovative, job-creating cybersecurity products and services.
    Process: NIST is soliciting responses from all sources of relevant 
security capabilities (see below) to enter into a Cooperative Research 
and Development Agreement (CRADA) to provide products and technical 
expertise to support and demonstrate security platforms for the Zero 
Trust Cybersecurity: Implementing a Zero Trust Architecture project. 
The full building block can be viewed at: https://www.nccoe.nist.gov/zerotrust.
    Interested parties can access the letter of interest template by 
visiting the project website at https://www.nccoe.nist.gov/zerotrust 
and completing the letter of interest webform. On completion of the 
webform, interested parties will receive access to the letter of 
interest template, which the party must complete, certify that it is 
accurate, and submit to NIST. NIST will contact interested parties if 
there are questions regarding the responsiveness of the letters of 
interest to the building block objective or requirements identified 
below. NIST will select participants who have submitted complete 
letters of interest on a first come, first served basis within each 
category of product components or capabilities listed below up to the 
number of participants in each category necessary to carry out this 
building block. However, there may be continuing opportunity to 
participate even after initial activity commences. Selected 
participants will be required to enter into a consortium CRADA with 
NIST (for reference, see ADDRESSES section above). NIST published a 
notice in the Federal Register on October 19, 2012 (77 FR 64314) 
inviting U.S. companies to enter into National Cybersecurity Excellence 
Partnerships (NCEPs) in furtherance of the NCCoE. For this 
demonstration project, NCEP partners will not be given priority for 
participation.
    Building Block Objective: The objective of this building block 
project is to produce an example implementation(s) of a zero trust 
architecture that is designed and deployed according to the concepts 
and tenets documented in the NIST Special Publication (SP) 800-207, 
Zero Trust Architecture. The proposed proof-of-concept solution(s) will 
integrate commercial and open source products that leverage 
cybersecurity standards and recommended practices to demonstrate the 
use case scenarios detailed in the Implementing a Zero Trust 
Architecture project description at https://www.nccoe.nist.gov/zerotrust. This project will result in a publicly available NIST 
Cybersecurity Practice Guide as a Special Publication 1800 series, a 
detailed implementation guide describing the practical steps needed to 
implement a cybersecurity reference implementation.
    Requirements: Each responding organization's letter of interest 
should identify which security platform component(s) or capability(ies) 
it is offering. Letters of interest should not include company 
proprietary information, and all components and capabilities must be 
commercially available. Components are listed in section 3 of the Zero 
Trust Cybersecurity: Implementing a Zero Trust Architecture project 
description (for reference, please see the link in the Process section 
above) and include, but are not limited to:

Core Components of Zero Trust Architecture

     Policy Engine: The policy engine handles the ultimate 
decision to grant, deny, or revoke access to a resource for a given 
subject. The policy engine calculates the trust scores/confidence 
levels and ultimate access decisions.
     Policy Administrator: The policy administrator is 
responsible for establishing and/or terminating the transaction between 
a subject and a resource. It generates any session-specific 
authentication and authentication token or credential used by a client 
to access an enterprise resource. It is closely tied to the Policy 
Engine and relies on its decision to ultimately allow or deny a 
session.
     Policy Enforcement Point: The policy enforcement point 
handles enabling, monitoring, and eventually terminating connections 
between a subject and an enterprise resource.

Functional Components of Zero Trust Architecture

     The data security component includes all the data access 
policies and rules that an enterprise develops to secure its 
information, and the means to protect data at rest and in transit.
     The endpoint security component encompasses the strategy, 
technology, and governance to protect endpoints (e.g., servers, 
desktops, mobile phones, IoT devices) from threats and attacks, as well 
as protect the enterprise from threats from managed and unmanaged 
devices.
     The identity and access management component includes the 
strategy, technology, and governance for creating, storing, and 
managing

[[Page 66938]]

enterprise user (i.e., subject) accounts and identity records and their 
access to enterprise resources.
     The security analytics component encompasses all the 
threat intelligence feeds and traffic/activity monitoring for an IT 
enterprise. It gathers security and behavior analytics about the 
current state of enterprise assets and continuously monitors those 
assets to actively respond to threats or malicious activity. This 
information could feed the policy engine to help make dynamic access 
decisions.

Devices and Network Infrastructure Components of a Zero Trust 
Architecture

     Assets include the devices/endpoints, such as laptops, 
tablets, and other mobile or IoT devices, that connect to the 
enterprise.
     Enterprise resources include data and computer resources 
as well as applications/services that are hosted and managed on-
premise, in the cloud, at the edge, or some combination of these.
    Each responding organization's letter of interest should identify 
how their products help address one or more of the following desired 
security characteristics and properties in section 3 of the Zero Trust 
Cybersecurity: Implementing a Zero Trust Architecture project 
description (for reference, please see the link in the PROCESS section 
above):
     All interactions throughout the proposed architecture are 
achieved in the most secure manner available, with emphasis on 
protecting confidentiality and integrity through a consistent 
identification, authentication, and authorization scheme.
     All interactions throughout the proposed architecture are 
continually reassessed with possible reauthentication and 
reauthorization as necessary to mitigate unauthorized access to 
enterprise resources.
     Access to an enterprise resource is assessed on a per-
session basis and authorized specifically for that enterprise resource.
     Access requests are evaluated dynamically based on 
organizational policies and rules for accessing enterprise resources, 
including the observable state of:
    a. Subject identity (e.g., user account or service identity with 
associated attributes)
    b. requesting asset (e.g., laptop, mobile device, server) device 
characteristics (e.g., software version installed, security posture, 
network location, time/date of request, previously observed behavior, 
and installed credentials)
    c. requested resource (e.g., server, application, service) 
characteristics
     Enterprise assets and resources are continuously monitored 
and reassessed in order to maintain them in the most secure states 
possible.
     Log and event data generated about the current state of 
enterprise assets, resources, and interactions throughout the proposed 
architecture are collected and leveraged for better policy alignment 
and enforcement to increase the enterprise's overall security posture.
     Secure access to corporate resources, hosted either on-
premise or within a cloud environment, as well as to non-corporate 
resources on the internet are provided without the use of conventional 
network and network perimeter access and security solutions.
     Integration with various directory protocols and identity 
management services (e.g., Lightweight Directory Access Protocol 
[LDAP], OAuth 2.0, Active Directory, OpenLDAP, Security Assertion 
Markup Language) is demonstrated.
     Integration with security information and event management 
tools through common application programming interfaces is 
demonstrated.
     Desired enterprise device security characteristics are 
demonstrated, including:
    a. Maintaining data protection at rest and in transit
    b. remediating device vulnerabilities that could result in 
unauthorized access to data stored on or accessed by the device, and 
misuse of the device
    c. mitigating malware execution on the device that could result in 
unauthorized access to data stored on or accessed by the device, and 
misuse of the device
    d. mitigating the risk of data loss through accidental, deliberate, 
or malicious deletion or obfuscation of data stored on the device
    e. maintaining awareness of and responding to suspicious or 
malicious activities within and against the device to prevent or detect 
a compromise of the device
    Responding organizations need to understand and, in their letters 
of interest, commit to provide:
    1. Access for all participants' project teams to component 
interfaces and the organization's experts necessary to make functional 
connections among security platform components.
    2. Support for development and demonstration of the Zero Trust 
Cybersecurity: Implementing a Zero Trust Architecture building block 
will be conducted in a manner consistent with the following standards 
and guidance: FIPS 200, SP 800-37, SP 800-53, SP 800-63, and SP 800-
207. Additional details about the Zero Trust Cybersecurity: 
Implementing a Zero Trust Architecture project are available at https://www.nccoe.nist.gov/zerotrust.
    NIST cannot guarantee that all of the products proposed by 
respondents will be used in the demonstration. Each prospective 
participant will be expected to work collaboratively with NIST staff 
and other project participants under the terms of the consortium CRADA 
in the development of the Zero Trust Cybersecurity: Implementing a Zero 
Trust Architecture project. Prospective participants' contribution to 
the collaborative effort will include assistance in establishing the 
necessary interface functionality, connection and set-up capabilities 
and procedures, demonstration harnesses, environmental and safety 
conditions for use, integrated platform user instructions, and 
demonstration plans and scripts necessary to demonstrate the desired 
capabilities. Each participant will train NIST personnel, as necessary, 
to operate its product in capability demonstrations. Following 
successful demonstrations, NIST will publish a description of the 
security platform and its performance characteristics sufficient to 
permit other organizations to develop and deploy security platforms 
that meet the security objectives of the Zero Trust Cybersecurity: 
Implementing a Zero Trust Architecture project. These descriptions will 
be public information.
    Under the terms of the consortium CRADA, NIST will support 
development of interfaces among participants' products by providing IT 
infrastructure, laboratory facilities, office facilities, collaboration 
facilities, and staff support to component composition, security 
platform documentation, and demonstration activities.
    The dates of the demonstration of the Zero Trust Cybersecurity: 
Implementing a Zero Trust Architecture project capability will be 
announced on the NCCoE website at least two weeks in advance at https://nccoe.nist.gov/. The expected outcome will demonstrate how the 
components of the Zero Trust Architecture can provide security 
capabilities to mitigate identified risks and meet industry sectors' 
compliance requirements. Participating organizations will gain from the 
knowledge that their products are interoperable with other 
participants' offerings.
    For additional information on the NCCoE governance, business 
processes,

[[Page 66939]]

and NCCoE operational structure, visit the NCCoE website https://nccoe.nist.gov/.

Kevin A. Kimball,
Chief of Staff.
[FR Doc. 2020-23292 Filed 10-20-20; 8:45 am]
BILLING CODE 3510-13-P