Your organization cannot meet the new NSA Zero Trust Implementation Guidelines. Here's how to do it.
The NSA's 2026 Zero Trust Implementation Guidelines assume devices can prove cryptographic identity, but most enterprises still rely on spoofable identifiers like MAC addresses, MDM enrollment, and SCEP-issued certificates. These portable credentials can be copied or replayed, making true device verification impossible. Hardware security modules (TPM, Secure Enclave, Android hardware-backed keystores) solve this by generating non-exportable private keys. ACME Device Attestation (ACME-DA), an emerging IETF standard co-developed by Smallstep and Google, extends the ACME protocol with hardware attestation challenges, replacing SCEP's shared-password model with cryptographic proof that a certificate key is bound to a specific physical device. This enables continuous, hardware-rooted device authentication across Wi-Fi, VPN, SaaS, SSH, and internal services.
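The contrast the summary draws, between a credential that can be copied and replayed and a key that never leaves the device, can be shown with a small simulation. The following is an added illustration, not code from this page, from Smallstep, or from the ACME-DA draft, and it does not reproduce the ACME-DA wire format: a textbook RSA signature (unpadded, short keys, suitable only for illustration) stands in for the device's hardware key, the `SecureElement`, `AttestingCA` and `SharedSecretCA` classes are constructed stand-ins for a TPM-style key store, an attestation-aware CA and a SCEP-style CA, and the "manufacturer" endorsement models the vendor-issued attestation key certificate. The enrolment password and key labels are made-up sample values.

```python
"""Schematic model of hardware-bound device attestation versus a copyable
enrolment secret. Toy RSA (unpadded, 512-bit modulus) stands in for the
device's non-exportable key; illustration only, not the ACME-DA protocol."""
import hashlib
import secrets

# ---- toy RSA: illustration only, never use unpadded RSA in production ----
def is_probable_prime(n, rounds=32):
    """Miller-Rabin probable-prime test."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def gen_prime(bits=256):
    while True:
        p = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(p):
            return p

def gen_keypair():
    """Return ((e, n), (d, n)); e is prime, so gcd(e, phi) == 1 iff e does not divide phi."""
    e = 65537
    while True:
        p, q = gen_prime(), gen_prime()
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return (e, p * q), (pow(e, -1, phi), p * q)

def digest(*parts):
    """SHA-256 over the string forms of the parts, as an integer smaller than n."""
    m = hashlib.sha256()
    for part in parts:
        m.update(part if isinstance(part, bytes) else str(part).encode())
    return int.from_bytes(m.digest(), "big")

def sign(priv, *msg):
    d, n = priv
    return pow(digest(*msg), d, n)

def verify(pub, sig, *msg):
    e, n = pub
    return pow(sig, e, n) == digest(*msg)

# ---- constructed stand-ins for the device, the attesting CA and a SCEP-style CA ----
class SecureElement:
    """Models a TPM / Secure Enclave: private keys are generated inside and
    there is deliberately no method that returns them."""
    def __init__(self, manufacturer_priv):
        self.ak_pub, self._ak_priv = gen_keypair()              # attestation key
        self.endorsement = sign(manufacturer_priv, "AK", self.ak_pub)  # vendor cert stand-in
        self._keys = {}

    def create_key(self, label):
        pub, priv = gen_keypair()
        self._keys[label] = (pub, priv)
        return pub

    def attest(self, label, nonce):
        """Prove key `label` lives here: sign nonce || pubkey with the attestation key."""
        pub, _ = self._keys[label]
        return {"key": pub, "ak": self.ak_pub, "endorsement": self.endorsement,
                "sig": sign(self._ak_priv, "attest", nonce, pub)}

class AttestingCA:
    """Issues a fresh nonce per enrolment and accepts a key only with a valid,
    vendor-endorsed attestation over that nonce (replay is rejected)."""
    def __init__(self, manufacturer_pub):
        self.manufacturer_pub = manufacturer_pub
        self.pending = set()
        self.certs = set()

    def new_challenge(self):
        nonce = secrets.token_hex(16)
        self.pending.add(nonce)
        return nonce

    def enroll(self, nonce, stmt):
        if nonce not in self.pending:
            return False                                # unknown or already-used nonce
        self.pending.discard(nonce)                     # single use
        if not verify(self.manufacturer_pub, stmt["endorsement"], "AK", stmt["ak"]):
            return False                                # attestation key not vendor-endorsed
        if not verify(stmt["ak"], stmt["sig"], "attest", nonce, stmt["key"]):
            return False                                # proof not bound to this challenge
        self.certs.add(stmt["key"])
        return True

class SharedSecretCA:
    """SCEP-style enrolment: whoever presents the challenge password is issued a cert."""
    def __init__(self, password):
        self.password = password
    def enroll(self, password, pub):
        return secrets.compare_digest(password, self.password)

def run_demo():
    mfr_pub, mfr_priv = gen_keypair()
    device = SecureElement(mfr_priv)
    ca = AttestingCA(mfr_pub)
    device.create_key("wifi")
    n1 = ca.new_challenge()
    stmt = device.attest("wifi", n1)
    legit = ca.enroll(n1, stmt)                          # genuine device: accepted
    n2 = ca.new_challenge()
    replay = ca.enroll(n2, stmt)                         # captured statement replayed: rejected
    fake_pub, fake_priv = gen_keypair()                  # attacker-controlled key, no endorsement
    n3 = ca.new_challenge()
    forged = {"key": fake_pub, "ak": fake_pub, "endorsement": 12345,
              "sig": sign(fake_priv, "attest", n3, fake_pub)}
    forged_ok = ca.enroll(n3, forged)                    # rejected
    scep = SharedSecretCA("enrolment-password")          # constructed sample secret
    copied = scep.enroll("enrolment-password", fake_pub)  # copied password: accepted
    return {"legit": legit, "replay": replay, "forged": forged_ok, "scep_copied": copied}

if __name__ == "__main__":
    print(run_demo())
```

The point the simulation makes is structural rather than cryptographic: the shared-secret CA has no way to distinguish the device from anyone holding a copy of the password, while the attesting CA checks two things the password model cannot express, a vendor endorsement of the signing key and a signature over a single-use nonce, so a captured enrolment cannot be replayed and an unendorsed key cannot be passed off as hardware-backed.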
Table of contents
Zero Trust Has a Device Identity Problem. The NSA's New Guidelines Make It Clear.
User Identity Is Solved. Device Identity Is Not.
Why Legacy Device Identity Falls Short
Hardware-Attested Device Identity
ACME Device Attestation: The Emerging Standard
What This Looks Like in Practice
Zero Trust Requires Identity Everywhere