CISA’s Zero Trust Maturity Model version 2.0 offers continued modernization efforts within evolving environment

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) published Tuesday an update to the Zero Trust Maturity Model (ZTMM), providing agencies a roadmap to reference as they transition towards zero-trust architecture, superseding the initial version released in September 2021. The ZTMM also provides a gradient of implementation across five distinct pillars to facilitate federal implementation, allowing agencies to make minor advancements toward optimization over time.

The objective of the update is to facilitate the distribution of the ZTMM Version 2 and educate federal civilian agencies on the updated ZTMM and its application to their zero-trust implementations. CISA also encourages state, local, tribal, and territorial governments, and the private sector to use ZTMM as a baseline for implementing zero trust architecture. 

Although the maturity model is not intended to be exclusionary, it does not address challenges specific to operational technologies, certain classes of Internet of Things (IoT) devices, or the broader incorporation of emerging technologies such as deception platforms, authenticated web application firewalls, and behavior analytics.

Moreover, version 2.0 of the ZTMM aligns with a memorandum (OMB M-22-09) published last January by the U.S. administration that detailed specific actions for federal agencies to adopt in alignment with the pillars outlined in the ZTMM. “This memorandum sets forth a Federal ZTA strategy, requiring agencies to meet cybersecurity objectives by the end of Fiscal Year (FY) 2024 to reinforce FCEB defense. CISA revised the ZTMM to further align with M-22-09’s direction for agencies. FCEB agencies should review this memo in parallel with developing and implementing their zero trust strategies,” CISA wrote in its document.

The ZTMM is one of many roadmaps that agencies can reference as they transition toward a zero-trust architecture. The model aims to assist agencies in the development of zero-trust strategies and implementation plans and to present ways in which various CISA services can support zero-trust solutions across agencies. 

It also provides one of many paths that an organization can take in designing and implementing their transition plan to zero trust architectures in line with U.S. President Joe Biden’s May 2021 Executive Order 14028 that mandates agencies to develop a plan to implement a zero trust architecture (ZTA). While the ZTMM is tailored for federal agencies as required by EO 14028, all organizations should review and consider the adoption of the approaches outlined in the document.  

When planning ZTA implementation, agencies should make decisions based on factors that include risk, mission, federal requirements, and operating constraints, CISA said. While the model is generally aligned to a federal enterprise’s single administrative domain or accreditation boundary, agencies should also assess how their interactions with and reliance upon external partners, stakeholders, and service providers factor into their ZTA. The maturity model should not be viewed as a strict set of requirements but as a general guide to help agencies implement their ZTA and adopt an overall improved cybersecurity posture.

The federal government, as with most large enterprises, faces several challenges in implementing ZTA. Legacy systems often rely on ‘implicit trust,’ in which access and authorization are infrequently assessed based on fixed attributes; this conflicts with the core principle of adaptive evaluation of trust within a ZTA. Existing infrastructures built on implicit trust will require investment to change systems to better align with zero-trust principles. Furthermore, as the technology landscape continues to evolve, new solutions and continued discussions on how to best achieve zero trust objectives are paramount. 

CISA recognizes in the updated ZTMM document that zero trust adoption requires engagement and cooperation from senior leadership, IT staff, data and system owners, and users across the federal government to achieve design objectives and improve cybersecurity posture. “Modernization of the Federal Government’s cybersecurity will require agencies to transition stove-piped and siloed IT services and staff to coordinated and collaborative components of a zero trust strategy, with agency-wide buy-in for a common architecture and governance policies. This includes current and future plans to adopt cloud technologies,” it added. 

Additionally, federal agencies are beginning their journeys to zero trust from different starting points. “Some agencies may be further along or better positioned to make these advancements than others; however, regardless of starting point, successful zero trust adoption can produce numerous benefits such as improved productivity, enhanced end-user experiences, reduced IT costs, flexible access, and bolstered security,” it added. 

In alignment with NIST’s steps for transitioning to zero trust, agencies should assess their current enterprise systems, resources, infrastructure, personnel, and processes before investing in zero trust capabilities, including for the pillars and functions outlined. “This assessment can assist agencies in identifying existing capabilities to support further zero trust maturity and gaps for prioritization. Agencies can also plan for opportunities to coordinate capabilities across the pillars to enable granular, least privilege access controls and mitigate additional risks,” the document added. 

The three maturity stages of the zero trust journey, which advance from a ‘Traditional’ starting point through ‘Initial’ and ‘Advanced’ to ‘Optimal,’ are intended to facilitate federal ZTA implementation. Each subsequent stage requires greater levels of protection, detail, and complexity for adoption.

CISA explains that agencies should expect both the required level of effort and the realized benefits to increase as zero trust maturity progresses across and within pillars. As agencies chart their ZTA journey, they should explore opportunities to advance pillar maturity to align with specific mission needs and support further growth across other pillars. Progression is intended to take an agency from a traditional enterprise to a future state featuring more dynamic updates, automated processes, integrated capabilities, and other characteristics of the Optimal stage. These stages are dynamic and grow exponentially; planned progress from one maturity stage to another may shift in scope and impact over time.

The security agency provided guiding criteria for each stage to identify maturity for each zero trust technology pillar and to provide consistency across the maturity model. The Traditional stage consists of manually configured lifecycles (i.e., from establishment to decommissioning) and assignments of attributes; static security policies and solutions that address one pillar at a time with discrete dependencies on external systems; least privilege established only at provisioning; siloed pillars of policy enforcement; manual response and mitigation deployment; and limited correlation of dependencies, logs, and telemetry.

The Initial stage marks the start of automation of attribute assignment and lifecycle configuration, of policy decisions and enforcement, and of initial cross-pillar solutions with integration of external systems; some responsive changes to least privilege after provisioning; and aggregated visibility for internal systems.

The Advanced stage, wherever applicable, provides automated controls for lifecycle and for the assignment of configurations and policies with cross-pillar coordination; centralized visibility and identity control; policy enforcement integrated across pillars; response to pre-defined mitigations; changes to least privilege based on risk and posture assessments; and progress toward enterprise-wide awareness, including externally hosted resources.

The Optimal stage features fully automated, just-in-time lifecycles and assignments of attributes to assets and resources that self-report, with dynamic policies based on automated or observed triggers; dynamic least privilege access for assets and their respective dependencies enterprise-wide; cross-pillar interoperability with continuous monitoring; and centralized visibility with comprehensive situational awareness.

The maturity stages and the details associated with each pillar allow agencies to assess, plan, and maintain the investments needed to progress toward a ZTA. The document additionally provides high-level information to support agencies in transitioning to zero trust across the five pillars: Identity, Devices, Networks, Applications and Workloads, and Data. Each pillar also includes general details regarding the Visibility and Analytics, Automation and Orchestration, and Governance capabilities that support integration with that pillar and across the model.

Visibility refers to the observable artifacts that result from the characteristics of and events within enterprise-wide environments. The focus on cyber-related data analysis can help inform policy decisions, facilitate response activities, and build a risk profile to develop proactive security measures before an incident occurs. 

Under Automation and Orchestration, zero trust makes full use of automated tools and workflows that support security response functions across products and services, while maintaining oversight, security, and interaction with the development process for such functions, products, and services.

Governance refers to the definition and associated enforcement of agency cybersecurity policies, procedures, and processes, within and across pillars, to manage an agency’s enterprise and mitigate security risks in support of zero trust principles and fulfillment of federal requirements.

“While the ZTMM covers many aspects of cybersecurity critical to federal enterprises, it does not address other aspects of cybersecurity such as activities related to incident response, specifics for logging, monitoring, alerting, forensic analysis, risk acceptance, recovery,” the CISA document said. “Other aspects of and best practices for enterprise cybersecurity posture management are not explicitly included within the maturity model functions.”

Methodologies such as recommendations to best incorporate machine learning and artificial intelligence capabilities within zero-trust solutions are not included in this model. Mature agencies should take steps to monitor and assess the performance and integrity of their security capabilities, underlying infrastructure, and policies to detect unauthorized access and changes as they mature each pillar. Agencies should be careful not to create new opportunities for exploitation or weaken security protocols. Research and development are required to effectively assure software and hardware systems integrity at scale across federal enterprises.

FCEB agencies have also been called upon to increase focus on asset discovery and vulnerability enumeration, pushing them to make measurable progress across their networks. Agencies must review existing asset detection and vulnerability enumeration processes, identify any gaps, and determine what capabilities need to be developed or improved. These requirements also play a key role in conducting continuous and comprehensive asset visibility and vulnerability enumeration for all IP-addressable networked assets across IPv4 and IPv6 protocols.
