NSA Zero Trust guidelines assume devices can prove cryptographic identity, but most enterprises still rely on spoofable identifiers and portable credentials. Hardware-attested device identity (TPM/Secure Enclave) and ACME Device Attestation (ACME-DA) close the gap for continuous verification.

Smallstep's resource offers insights, tutorials, and resources for developers and security professionals interested in authentication and authorization technologies, such as OAuth, OpenID Connect, and Zero Trust security. Readers can learn about secure authentication practices, identity management, and secure communication protocols. With articles, tutorials, and documentation, Smallstep provides  guidance and expertise for implementing robust and secure authentication solutions.

Smallstep

The NSA's 2026 Zero Trust Implementation Guidelines assume devices can prove cryptographic identity, but most enterprises still rely on spoofable identifiers like MAC addresses, MDM enrollment, and SCEP-issued certificates. These portable credentials can be copied or replayed, making true device verification impossible. Hardware security modules (TPM, Secure Enclave, Android hardware-backed keystores) solve this by generating non-exportable private keys. ACME Device Attestation (ACME-DA), an emerging IETF standard co-developed by Smallstep and Google, extends the ACME protocol with hardware attestation challenges, replacing SCEP's shared-password model with cryptographic proof that a certificate key is bound to a specific physical device. This enables continuous, hardware-rooted device authentication across Wi-Fi, VPN, SaaS, SSH, and internal services.

Your organization cannot meet the new NSA Zero Trust Implementation Guidelines. Here's how to do it.

Zero Trust Has a Device Identity Problem. The NSA's New Guidelines Make It Clear.

User Identity Is Solved. Device Identity Is Not.

ACME Device Attestation: The Emerging Standard