TAC and the NSA Zero Trust Security Model
How TAC advances Zero Trust maturity across the access-centric pillars of the NSA’s Zero Trust Security Model — User, Device, Application & Workload, and Network & Environment — under the principle of “never trust, always verify.”
Note: The NSA Zero Trust Security Model is maturity guidance — a set of Cybersecurity Information Sheets describing how to advance capability across seven pillars over time — not a certification or pass/fail standard. This guide describes how TAC advances Zero Trust maturity in the pillars where identity verification, device posture, application access control, and network segmentation are the expected evidence. TAC contributes to a Zero Trust architecture; it does not, by itself, constitute one. The Data, Visibility & Analytics, and Automation & Orchestration pillars require capabilities beyond an access control platform, described honestly below.
Where TAC fits in the NSA’s seven pillars
The NSA structures its Zero Trust Security Model around seven pillars: User, Device, Application & Workload, Network & Environment, Data, Visibility & Analytics, and Automation & Orchestration. The NSA publishes detailed Cybersecurity Information Sheets for each, describing how to mature capability from a traditional perimeter posture toward a fully realized Zero Trust architecture under “never trust, always verify.”
No single product spans all seven pillars — and any vendor claiming otherwise should be treated with caution. TAC is an access control platform. Its strength is concentrated in the four pillars where Zero Trust is fundamentally an access problem: verifying the User, evaluating the Device, controlling access to each Application & Workload, and segmenting the Network & Environment to curtail lateral movement.
In the remaining three pillars — Data, Visibility & Analytics, and Automation & Orchestration — TAC plays a supporting role: it controls access to data-bearing applications, generates the access telemetry those pillars consume, and exposes a policy engine and API. It does not classify data at rest, perform analytics-driven threat detection, or act as an orchestration platform. The mapping below is honest about both.
Where TAC Delivers Primary Coverage
TAC directly advances maturity in the four pillars where Zero Trust is an access control problem. These map closely to NIST SP 800-207, the foundation of the NSA model.
User — Primary Coverage
| NSA Capability | How TAC Delivers |
|---|---|
| Identity verification & authentication | Every user is authenticated before reaching any resource. TAC federates with Active Directory, LDAP, SAML, OIDC, RADIUS, SQL, and custom identity sources — including multiple directories simultaneously — without requiring migration to a new identity provider. |
| Multi-factor authentication | All seven MFA methods are included in the base licence: FIDO2/WebAuthn, SafeLogin, TOTP, push, SMS, OTP, and hardware tokens, plus third-party integration with Duo, RSA, Swivel, and biometric factors. MFA is enforced on every session. |
| Least-privilege access | Access is granted per-user, per-application, scoped to exactly what each identity is authorized to reach. Users see only the resources their current authorization permits — nothing more. |
| Continuous authentication | Authorization is re-evaluated throughout the session, not just at login. If identity context changes, access can be revoked mid-session. Removing a user at the identity source cuts off all access in moments. |
| Non-human identities | Service accounts, devices, and AI agents are governed as first-class identities under the same policy engine as human users — a requirement as automation expands inside Zero Trust environments. |
Device — Primary Coverage
| NSA Capability | How TAC Delivers |
|---|---|
| Device posture evaluation | TAC evaluates device posture at access time — certificate presence, OS version, patch level, antivirus state, firewall status, disk encryption, domain join, and geolocation — and enforces policy based on the result. |
| Continuous device validation | Posture is validated continuously throughout the session. If a device falls out of compliance mid-session, access is revoked immediately rather than at next login. |
| No agent requirement | Device posture is assessed without mandating an endpoint agent on every device, reducing deployment friction for contractors, partners, and unmanaged endpoints that still must meet posture requirements. |
Application & Workload — Primary Coverage
| NSA Capability | How TAC Delivers |
|---|---|
| Granular application access control | TAC’s reverse proxy sits in front of every protected application and enforces identity-, posture-, and policy-based access on every request. No user reaches an application without passing TAC’s policy decision first. |
| Hiding applications from unauthorized users | Applications are never directly exposed. They sit behind TAC’s single encrypted port, invisible and unreachable to unauthenticated users — the core aim of the NSA Application & Workload pillar. |
| Coverage for legacy & thick-client apps | TAC protects modern web apps, legacy web apps, thick-client applications, RDP, SSH, and forms-based authentication apps — with no application modification. Legacy workloads that cannot adopt modern auth are brought under Zero Trust policy. |
| Location-independent enforcement | Policy is enforced identically whether a workload runs on-premises, in a private cloud, or in a public cloud. Migrating a workload does not change its access policy or the user experience. |
Network & Environment — Primary Coverage
| NSA Capability | How TAC Delivers |
|---|---|
| Curtailing lateral movement | Because access to each resource is brokered individually through TAC, a compromised credential or endpoint cannot move laterally to other systems. There is no flat network to traverse — every hop requires a fresh policy decision. |
| Macro- and micro-segmentation | TAC enforces logical segmentation by identity and policy rather than network topology. Each application is its own segment of one, reachable only by authorized identities meeting posture requirements. |
| Reduced attack surface | TAC’s reverse-proxy architecture requires only a single encrypted inbound port (TLS 1.2 or TLS 1.3 with FIPS 140-2 compliant cryptographic modules). Every other inbound port is closed, eliminating the unauthenticated remote-exploitation attack surface. |
| Encrypted access paths | All access is encrypted end-to-end through the single TAC port, protecting traffic against interception and tampering across the network environment. |
Where TAC Contributes — Honestly Scoped
TAC supports the remaining three pillars but does not fully deliver them. Each requires capabilities beyond an access control platform. Here is exactly what TAC does — and does not — contribute.
Data — Supporting Coverage
| NSA Capability | TAC’s Role |
|---|---|
| Access control to data-bearing systems | Supports. TAC controls who can reach the applications and systems that hold data, applying identity, posture, and policy to every access path. It governs the door to the data. |
| Data classification, tagging & labelling | Out of scope. TAC does not classify, tag, or label data. These are functions of data governance and DLP tooling. TAC can enforce access policy informed by classifications applied elsewhere. |
| Encryption of data at rest | Out of scope. TAC encrypts data in transit on the access path. Encryption of data at rest is a function of the storage and application layers, not the access control platform. |
Visibility & Analytics — Supporting Coverage
| NSA Capability | TAC’s Role |
|---|---|
| Access & authentication telemetry | Supports. Every authentication, authorization decision, session, and policy event is logged with full attribution — a rich, high-fidelity source of access telemetry for the visibility pillar. |
| SIEM integration | Supports. TAC logs export to SIEM for centralized correlation, retention, and reporting alongside telemetry from other sources. |
| Analytics & AI-driven threat detection | Out of scope. TAC does not perform native behavioral analytics or AI-driven anomaly detection. It enforces configurable policy rules and feeds its telemetry to the analytics platforms that perform detection. |
Automation & Orchestration — Supporting Coverage
| NSA Capability | TAC’s Role |
|---|---|
| Policy-driven automated enforcement | Supports. TAC’s policy engine automatically enforces access decisions and can automatically revoke access when identity or posture conditions change — automation at the access decision point. |
| API-driven integration | Supports. TAC exposes an API that orchestration and automation platforms can use to integrate access control into broader security workflows. |
| Security orchestration (SOAR) | Out of scope. TAC is not a SOAR platform. It does not orchestrate cross-tool incident response playbooks. It integrates with orchestration platforms as the access-control enforcement point within them. |
Built on the same foundation as NIST 800-207
The NSA Zero Trust Security Model and NIST SP 800-207 share the same core principles: never trust, always verify; assume breach; enforce least-privilege access; and make access decisions dynamically based on identity, device, and context. The NSA’s pillar-based Cybersecurity Information Sheets translate those principles into specific maturity guidance for National Security Systems, the Department of Defense, and the Defense Industrial Base — but the underlying architecture is the one NIST defines.
TAC implements the NIST 800-207 logical model directly: a policy decision point and policy enforcement point that sit between every user and every resource, evaluating identity, device posture, and policy on every request. That architecture is exactly what the NSA’s User, Device, Application & Workload, and Network & Environment pillars call for as organizations mature beyond a perimeter model.
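The policy decision point / policy enforcement point split described here, together with the posture attributes and mid-session revocation listed in the Device table above, as a constructed Python illustration (not TAC’s code): a hypothetical per-application policy table, a decision function that defaults to deny, and a session object that takes a fresh decision on every request rather than only at login. The application names, role names and posture thresholds are assumptions.

```python
from dataclasses import dataclass, field
@dataclass
class Principal:
    user: str
    mfa_verified: bool
    active: bool                 # False once the user is removed at the identity source
    app_roles: dict = field(default_factory=dict)   # app -> set of roles held
# Constructed sample posture record; keys mirror the attributes the page lists.
SAMPLE_DEVICE = {"has_cert": True, "os_version": (10, 0), "patched": True,
                 "av_running": True, "firewall_on": True, "disk_encrypted": True,
                 "domain_joined": True, "country": "US"}
# Hypothetical per-application policy: required role plus posture requirements.
POLICY = {
    "hr-portal": {"roles": {"hr"}, "min_os": (10, 0), "countries": {"US", "CA"},
                  "require": ("has_cert", "patched", "av_running", "disk_encrypted")},
    "legacy-rdp": {"roles": {"ops"}, "min_os": (6, 1), "countries": {"US"},
                   "require": ("has_cert", "domain_joined", "firewall_on")},
}
def decide(principal, device, app):
    """Policy decision point: returns (allow, reason); deny is the default."""
    rule = POLICY.get(app)
    if rule is None:
        return False, "unknown application"
    if not principal.active:
        return False, "identity disabled at source"
    if not principal.mfa_verified:
        return False, "MFA not satisfied"
    if not (rule["roles"] & principal.app_roles.get(app, set())):
        return False, "not authorized for application"
    for attr in rule["require"]:                # boolean posture checks
        if not device.get(attr, False):         # missing attribute counts as failed
            return False, f"posture: {attr} failed"
    if device.get("os_version", (0, 0)) < rule["min_os"]:
        return False, "posture: OS below minimum"
    if device.get("country") not in rule["countries"]:
        return False, "posture: geolocation not permitted"
    return True, "allow"

class Session:
    """Policy enforcement point: a fresh decision on every request, not only at login."""
    def __init__(self, principal, device, app):
        self.principal, self.device, self.app, self.ended = principal, device, app, None
    def request(self):
        if self.ended:                          # a revoked session needs a new login
            return False, self.ended
        allow, reason = decide(self.principal, self.device, self.app)
        if not allow:
            self.ended = reason                 # revoke now, not at the next login
        return allow, reason
```

Because the session keeps a reference to the live posture record, a change such as antivirus stopping is caught on the very next request and the session is ended rather than waiting for the next login.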
For organizations working toward both NSA Zero Trust maturity and NIST 800-207 alignment, the evidence is shared. The same access enforcement, the same authentication records, and the same audit telemetry serve both. See the companion TAC and NIST Alignment Guide for the detailed 800-207 mapping.
Advancing Zero Trust Maturity?
Our team can map your current Zero Trust posture against the NSA pillars and show exactly where TAC advances maturity across User, Device, Application & Workload, and Network & Environment.