CISA’s Zero Trust Maturity Model Seeks to Optimize Federal Cybersecurity

The Cybersecurity and Infrastructure Security Agency (CISA) recently released a draft Zero Trust Maturity Model (ZTMM) for public comment, providing federal agencies with “a road map to migrate and deploy zero trust security concepts to an enterprise environment.”

In the introduction, CISA says the pre-decisional draft document is “designed to be a stopgap solution to support Federal Civilian Executive Branch (FCEB) agencies in designing their zero trust architecture (ZTA) implementation plans” in line with the White House’s May Executive Order (EO) on improving federal cybersecurity.

Three Stages of Zero Trust Maturity

CISA identifies three stages agencies will migrate through on their way to Zero Trust maturity, each with increasing levels of protection, detail, and complexity for adoption. The Traditional stage is characterized by manual, inflexible or proprietary security processes and policy enforcement. The Advanced stage includes some cross-pillar coordination and inputs/outputs with centralized visibility, control, and policy enforcement with some least-privilege access controls. The Optimal stage involves fully automated security attribute processes, dynamic policy enforcement, open standards for interoperability, and centralized visibility with historian functionality.

Zero Trust Maturity Across Five Technology Pillars

The CISA ZTMM presents a gradient of implementation across five distinct technology pillars – Identity, Device, Network, Application Workload, and Data – where incremental advancements can be made over time toward optimization. Each pillar also includes areas of opportunity for maturity around Visibility and Analytics, Automation and Orchestration, and Governance.

Pillar #1 Identity – An identity refers to an attribute or set of attributes that uniquely describe an agency user or entity. Identity functions pertaining to zero trust include:

• Authentication – Agency moves from authenticating identity using either passwords or multi-factor authentication (MFA) to optimize by continuously validating identity, not just when access is initially granted.
• Identity Stores – Agency matures from only using on-premises identity providers to federating some identity with cloud and on-premises systems and eventually optimizing with global identity awareness across cloud and on-premises environments.
• Risk Assessment – Agency moves from making limited determinations for identity risk and determining risk based on simple analytics and static rules to optimizing risk determination and protections by analyzing user behavior in real time with machine learning algorithms.

Cloud Implications – As agencies migrate services to the cloud, their users will have identities among a variety of providers, so agencies will need to integrate their on-premises identities with those in the cloud environments to effectively manage and secure these identities.

Pillar #2 Device – A device refers to any hardware asset that can connect to a network, including internet of things (IoT) devices, mobile phones, laptops, servers, and others. Device functions pertaining to zero trust include:

• Compliance Monitoring – Agency matures from having limited visibility into device compliance to employing compliance enforcement mechanisms for most devices, eventually optimizing by constantly monitoring and validating device security posture.
• Data Access – Agency moves from allowing access to data without visibility into the accessing device to evaluating device posture on first-access, optimizing to managing data access with real-time risk analytics about devices.
• Asset Management – Agency evolves from manual device inventory tracking to automated device management and patching, optimizing by integrating asset and vulnerability management across all environments, including cloud and remote.

Pillar #3 Network/Environment – CISA refers to a network as any open communications medium, including agency internal networks, wireless networks, and the Internet, used to transport messages. Network functions pertaining to zero trust include:

• Network Segmentation – Agency moves from defining their network architecture using large perimeter/macro-segmentation to defining more of their network architecture by ingress/egress micro-perimeters with some internal micro-segmentation, eventually optimizing on a network architecture consisting of fully distributed ingress/egress micro-perimeters and deeper internal micro-segmentation based around application workflows.
• Threat Protection – Agency evolves from threat protections based primarily on known threats and static traffic filtering and basic analytics to proactively discover threats to optimization through integrating machine learning-based threat protection and filtering with context-based signals.
• Encryption – Agency matures from encrypting minimal internal or external traffic to encrypting all traffic to internal applications, optimizing by encrypting all traffic to internal and external locations, where possible.

Pillar #4 Application Workload – Applications and workloads include agency systems, computer programs and services that execute both on-premise and in a cloud environment. Application Workload functions pertaining to zero trust include:

• Access Authorization – Agency access to applications evolves from local authorization and static attributes to centralized authentication, authorization, monitoring, and attributes, eventually optimizing to continuous authorization for applications access, considering real-time risk analytics.
• Threat Protections – Agency threat protections mature from minimal integration with application workflows with general purpose protections to incorporate basic integration of threat protections with application-specific protections, optimizing on strongly integrated threat protections with analytics to provide protections based on application behavior.
• Accessibility – Agency advances from some critical cloud applications being directly accessible to users over the internet, with all others available through a virtual private network (VPN) to eventually optimize by making all applications directly accessible to users over the internet and eliminating the need for VPNs.
• Application Security – Agency evolves from performing application security testing prior to deployment to integrating application security testing into the application development and deployment process, eventually optimizing by integrating regular automated testing of deployed applications.

Pillar #5 Data – Agency data should be protected on devices, in applications, and on networks, while at rest and in transit. Data functions pertaining to zero trust include:

• Inventory Management – Agency evolves from manual processes to categorize and inventory data to increasingly use automation for data categorization and tracking, eventually optimizing by continuously inventorying data with robust tagging and tracking and augmenting categorization with machine learning models.
• Access Determination – Agency matures from governing data access through static access controls to using least privilege controls that consider identity and risk, optimizing to dynamic, risk-based data access with just-in-time and just-enough principles.
• Encryption – Agency matures from primarily storing data unencrypted in on-premises data stores to storing data encrypted in cloud or remote environments, optimizing to encrypting all data at rest.

The CISA model was released in coordination with the White House release of its draft Zero Trust Strategy to improve cybersecurity government-wide.

CISA and others recognize that the path to zero trust will be an incremental journey that will take years to implement. One particular challenge is dealing with and modernizing legacy IT infrastructure and systems that may not readily support a zero trust implementation.

CISA is seeking industry comments on some key questions around their draft ZTMM through Friday, October 1, 2021.