SECOND PRELIMINARY DRAFT
NIST SP 1800-35C: Implementing a Zero Trust Architecture
The following EIG phase builds are supported within the physical architecture depicted in Figure 1-1 and
documented in the remainder of this guide:
▪ EIG E1B1 components consist of DigiCert CertCentral, IBM Cloud Pak for Security, IBM Security
QRadar XDR, Ivanti Access ZSO, Ivanti Neurons for UEM, Ivanti Sentry, Ivanti Tunnel, Mandiant
Security Validation (MSV), Okta Identity Cloud, Okta Verify App, Radiant Logic RadiantOne
Intelligent Identity Data Platform, SailPoint IdentityIQ, Tenable.ad, Tenable.io, and Zimperium
▪ EIG E2B1 components consist of Cisco Duo, DigiCert CertCentral, IBM Security QRadar XDR,
Mandiant MSV, Palo Alto Networks Next Generation Firewall (NGFW), PingFederate, which is a
service in the Ping Identity Software as a Service (SaaS) offering of PingOne, Radiant Logic
RadiantOne Intelligent Identity Data Platform, SailPoint IdentityIQ, Tenable.ad, Tenable.io, and
Tenable Nessus Network Monitor (NNM).
▪ EIG E3B1 components consist of DigiCert CertCentral, F5 BIG-IP, Forescout eyeSight, Lookout
MES, Mandiant MSV, Microsoft Azure AD, Microsoft Defender for Endpoint, Microsoft Endpoint
Manager, Microsoft Sentinel, Palo Alto Networks NGFW, PC Matic Pro, Tenable.ad, and
▪ EIG E1B2 components consist of AWS Infrastructure as a Service (IaaS), DigiCert CertCentral, IBM
Cloud Pak for Security, IBM Security QRadar XDR, Mandiant MSV, Okta Identity Cloud, Okta
Verify App, Radiant Logic RadiantOne Intelligent Identity Data Platform, SailPoint IdentityIQ,
Tenable.ad, Tenable.io, Tenable NNM, Zscaler Admin Portal, Zscaler Application Connector,
Zscaler Central Authority, Zscaler Client Connector, Zscaler Internet Access (ZIA) Public Service
Edges, and Zscaler Private Access (ZPA) Public Service Edges.
▪ EIG E3B2 components consist of DigiCert CertCentral, F5 BIG-IP, Forescout eyeControl,
Forescout eyeExtend, Forescout eyeSegment, Forescout eyeSight, Mandiant MSV, Microsoft AD,
Microsoft Azure AD, Microsoft Azure AD (Conditional Access), Microsoft Azure AD Identity
Protection, Microsoft Azure (IaaS), Microsoft Defender for Cloud, Microsoft Defender for Cloud
Apps, Microsoft Defender for Endpoint, Microsoft Intune, Microsoft Office 365 (SaaS), Microsoft
Sentinel, Palo Alto Networks NGFW, PC Matic Pro, Tenable.ad, Tenable.io, and Tenable NNM.
For a detailed description of the architecture of each build, see Volume B, Appendices D, E, F, H and J.
The remainder of this guide describes how to implement the EIG crawl and run phase builds E1B1, E2B1,
1.3 Typographic Conventions
The following table presents typographic conventions used in this volume.