The NextLabs Approach to CISA’s Zero Trust Maturity Model
The Cybersecurity and Infrastructure Security Agency (CISA) is a federal agency within the United States Department of Homeland Security (DHS) that plays a vital role in protecting the nation's critical infrastructure and ensuring the security of cyberspace. CISA's primary mission is to enhance the resilience of the country's infrastructure against a wide range of cybersecurity threats and physical hazards. CISA’s activities include providing cybersecurity and infrastructure resilience guidance and support to government and private sector partners, conducting threat assessments, disseminating timely and actionable information on cyber threats, and coordinating incident response efforts. While CISA maintains capabilities to defend against and mitigate known or suspected cyber threats, an evolving threat landscape and the adoption of emerging technologies pose new challenges.
CISA’s Zero Trust Maturity Model (ZTMM), first released in August of 2021, provides an approach to achieve continued modernization efforts related to zero trust. CISA’s ZTMM is just one way an organization can implement their transition plan to zero trust architectures in accordance with Executive Order (EO) 14028, “Improving the Nation’s Cybersecurity,” which requires that federal agencies develop a plan to implement a Zero Trust Architecture (ZTA). As defined by NIST, a zero-trust architecture (ZTA) employs a data-centric methodology that focuses on protecting resources over the network perimeter. Zero-trust encompasses a set of principles that safeguards subjects, enterprise assets, and resources. These principles include “never trust, always verify”, “assume breach” and “least privileged access”.
EO 14028 directs federal agencies to take various measures to strengthen their cybersecurity defenses, modernize their systems, and improve information sharing and incident response capabilities. The executive order aims to protect against evolving cyber threats, such as ransomware attacks and nation-state-sponsored intrusions, by promoting best practices, standards, and collaboration between the government and the private sector. It also sets the stage for improved data protection and privacy while promoting a resilient and secure digital environment for the United States.
Another government-issued document, OMB Memorandum M-22-09, “Moving the U.S. Government Toward Zero Trust Cybersecurity Principles,” detailed specific actions for federal agencies to adopt in alignment with the pillars outlined in the ZTMM. This memorandum introduces a Federal ZTA strategy, requiring agencies to meet cybersecurity objectives by the end of Fiscal Year 2024 to reinforce Federal Civilian Executive Branches (FCEB) defense. In March 2022, CISA revised the ZTMM to further align with M-22-09’s direction for agencies. All FCEB agencies should review this memo while working on developing and implementing their zero trust strategies.
A typical plan to implement a ZTA will assess an agency’s current cybersecurity state and plan for a fully implemented ZTA. As the lead agency on federal cybersecurity and risk reduction, CISA’s ZTMM assists agencies in development of their zero trust strategies and continued evolution of their implementation plans and presents ways in which various CISA services can support zero trust solutions across agencies.
ZTMM Pillars
The ZTMM represents a gradient of implementation across five distinct pillars, in which minor advancements can be made over time toward optimization. The pillars include Identity, Devices, Networks, Applications and Workloads, and Data. Each pillar includes general details regarding the following cross-cutting capabilities: Visibility and Analytics, Automation and Orchestration, and Governance.
ZTMM Implementation Stages
As government agencies move toward achieving the best zero trust implementations, they are relying more on automated systems and processes that seamlessly integrate across ZTMM pillars and dynamically enforce policy decisions. Each pillar can advance independently and might even progress faster than others until there is a need for cross-pillar coordination. However, this coordination can only be successful if the capabilities and dependencies are compatible with one another and with the broader enterprise environment. This process allows for a gradual evolution to zero trust, distributing costs over time rather than entirely upfront.
The three stages of the ZTMM journey that advance from a Traditional starting point to Initial, Advanced, and Optimal will facilitate federal ZTA implementation. Each subsequent stage requires greater levels of protection, detail, and complexity for adoption. Agencies should expect that required levels of effort and realized benefits will significantly increase as zero trust maturity progresses across and within pillars. These stages are dynamic and grow exponentially; planned progress from one maturity stage to another may shift in scope and impact over time.
How can organizations utilize the ZTMM?
Organizations can use CISA's Zero Trust Maturity Model (ZTMM) to guide their implementation of Zero Trust. With cyber threats becoming more sophisticated and pervasive, traditional security models, which often rely on perimeter defenses, are no longer sufficient to protect against modern threats. The ZTMM provides a proactive and adaptive approach to implementing Zero Trust that emphasizes continuous verification of all entities attempting to access an organization's resources.
In addition to the evolving threat landscape, insider threats, whether intentional or unintentional, are a significant concern for organizations. The ZTMM outlines an approach to implementing the Zero Trust principles of continuous monitoring and strict access control. By minimizing the inherent trust associated with users and devices, Zero Trust can significantly reduce the risk associated with insider threats and limit the potential damage they can cause. The rise of remote work and the adoption of cloud computing have also expanded the traditional network perimeter, making it imperative for organizations to adopt a more granular and identity-based approach to security. The ZTMM provides a structured framework for organizations to adapt to these changing work environments by guiding them in establishing comprehensive access controls and identity management practices.
Other reasons for organizations to implement Zero Trust are regulatory requirements and compliance standards that are increasingly stringent across various industries. The ZTMM can serve as a roadmap for organizations to meet these standards by providing clear guidelines and best practices for implementing a robust Zero Trust security model. By adhering to these principles, organizations can demonstrate their commitment to strong cybersecurity practices and ensure they are compliant with relevant regulations.
Data protection is also a critical concern for organizations. Zero Trust prioritizes protecting data wherever it resides, whether it is within on-premises data centers, cloud environments, or on user endpoints. The comprehensive approach to implementing Zero Trust provided by the ZTMM can help organizations maintain the confidentiality and integrity of sensitive information, safeguarding an organization's most valuable assets.
Key Takeaways
Organizations can use CISA's ZTMM to help them guide their Zero Trust implementation journey. Implementing Zero Trust is crucial for organizations to adapt to the evolving threat landscape, mitigate insider threats, address the challenges of remote work and cloud adoption, meet compliance requirements, reduce overall cybersecurity risk, and protect critical data assets. By following the principles and guidance laid out in the ZTMM, organizations can establish a more resilient and comprehensive cybersecurity framework that aligns with the dynamic nature of the digital business landscape and the evolving threats it faces.
The road to implementing the ZTMM can be difficult, but NextLabs offers a Zero Trust Security Suite of products to help agencies implement the capabilities to progress on their cybersecurity journey. To learn more about our solutions, please read our whitepaper.