By Sara Mosley and Danny Toler
On April 11, 2023, the Cybersecurity and Infrastructure Security Agency (CISA) published its updated Zero Trust Maturity Model v2.0. The document is the first formal update since the ZTMM was issued in September 2021 in response to Executive Order (EO) 14028, “Improving the Nation’s Cybersecurity.”
Having participated in the evolution of the Zero Trust Maturity Model (ZTMM), we offer some observations and insights to help federal agencies put Version 2.0 into perspective. Notably, the model should not be read as a prescriptive set of strict requirements, but as a general guide that helps agencies develop and implement their Zero Trust Architecture (ZTA) and adopt a continuous-improvement mindset toward their cybersecurity posture. The model does not prescribe specific steps with a fixed date by which Zero Trust is achieved.
It is also important to note that the model encourages incremental, horizontal progress across all pillars rather than vertical progress within a few selected pillars, because the data, systems, and services that face the broadest range of threats are best protected when every pillar advances together.
Greater Clarity and an Additional Stage
There are several key changes to the ZTMM document, starting with the model itself. CISA added a new stage, “Initial,” to the maturity model and revised the criteria for each stage. According to CISA, these maturity stages are dynamic, so planned progress from stage to stage may shift in scope over time.
Within each of the ZTMM’s five pillars (Identity, Devices, Networks, Applications and Workloads, and Data), ZTMM v2.0 offers greater clarity through specific descriptions of the four maturity stages: traditional, initial, advanced, and optimal. These stages help federal agencies assess their current state and better understand what they must do to optimize their ZTA.
CISA has added new and updated functions for each maturity stage. One of the major points emphasized throughout the document is the need for automated and dynamic processes. In fact, at every stage of maturity, including initial, automated processes and systems are listed as criteria for meeting the maturity goals.
Another key theme is the need for cross-pillar integration, starting in the initial maturity stage. CISA states that federal agencies should expect that required levels of effort and realized benefits will significantly increase as Zero Trust maturity progresses across and within pillars. Acuity’s experience demonstrates that cross-pillar integration is integral to achieving Zero Trust.
Changes within the 5 Pillars
As stated above, CISA made several changes within the pillars. Here’s a quick breakdown:
Identity Pillar
CISA added Access Management, a new function that provides criteria for least privilege and continuous validation of access to resources. This distinction calls out Authorization as a function separate from Authentication, which is key to implementing least privilege access.
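To make the Access Management distinction concrete, here is an added example (not code from CISA, the ZTMM, or Acuity) of a small policy decision point that keeps authentication and authorization as separate steps, enforces a default-deny, least-privilege policy, and re-validates the session and device signals on every request rather than only at login. All names (the constructed secret, the roles, the resources, and the device signals) are assumptions made up for the illustration.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass
from typing import Optional

# Constructed demo secret; a real deployment would verify tokens issued and signed by the agency IdP.
SECRET = b"constructed-demo-secret"

# Least-privilege policy: explicit (role, resource, action) allows only; anything absent is denied.
POLICY = {
    ("analyst", "reports", "read"),
    ("admin", "reports", "read"),
    ("admin", "reports", "write"),
}
ROLES = {"alice": "analyst", "bob": "admin"}  # constructed sample identities


@dataclass
class DeviceSignal:
    """Device posture attached to the request (constructed signal names)."""
    managed: bool
    compliant: bool


def issue_token(subject: str, issued_at: float) -> str:
    """Issue a minimal HMAC-signed token carrying the subject and issue time."""
    payload = json.dumps({"sub": subject, "iat": issued_at}, sort_keys=True)
    sig = hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()
    return payload + "." + sig


def authenticate(token: str, now: float, max_age: float = 900) -> Optional[dict]:
    """Authentication: who is presenting this request? Verify signature and freshness."""
    try:
        payload, sig = token.rsplit(".", 1)
    except ValueError:
        return None
    expected = hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return None
    claims = json.loads(payload)
    if now - claims["iat"] > max_age:  # stale sessions must re-authenticate
        return None
    return claims


def authorize(subject: str, resource: str, action: str, device: DeviceSignal) -> bool:
    """Authorization: is this identity, on this device, allowed this action on this resource right now?"""
    role = ROLES.get(subject)
    if (role, resource, action) not in POLICY:
        return False  # default deny
    if not (device.managed and device.compliant):
        return False  # continuous validation: posture is checked per request, not per login
    return True


def decide(token: str, resource: str, action: str, device: DeviceSignal, now: float) -> str:
    """Policy decision point: authenticate first, then authorize as a separate step."""
    claims = authenticate(token, now)
    if claims is None:
        return "deny: authentication failed"
    if not authorize(claims["sub"], resource, action, device):
        return "deny: not authorized"
    return "allow"


if __name__ == "__main__":
    t0 = 1_700_000_000.0
    tok = issue_token("alice", t0)
    print(decide(tok, "reports", "read", DeviceSignal(True, True), t0 + 10))
    print(decide(tok, "reports", "write", DeviceSignal(True, True), t0 + 10))
    print(decide(tok, "reports", "read", DeviceSignal(True, False), t0 + 10))
```

The point of the split is that a valid token alone never grants access: the authorization step consults an explicit allow list and the current device posture on each call, so a session that was fine at login is denied the moment the device falls out of compliance or the token ages out.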
Devices Pillar
In this pillar, CISA takes a realistic view of the challenges agencies face in managing both on-premises and cloud assets, whether government-owned or personal devices. CISA advises that “devices” should encompass all virtual and network assets, including end-user and machine-to-machine devices.
There are three new functions and one updated function in this pillar. The new functions provide stricter controls and policies for device management to reduce supply chain risk and improve threat protection. The Data Access function was renamed “Resource Access” to better articulate that Zero Trust must be applied to any resource, including – but not limited to – data.
Networks Pillar
In this pillar, CISA adds two new functions: Network Traffic Management and Network Resilience. The former focuses on profiling and managing application traffic to optimize and prioritize resources. It evolves traditional network routing, which lacked any application awareness, into dynamic application profiling that allows critical application traffic to be prioritized.
Now that applications primarily run in the cloud, Network Resilience emphasizes the need for continuous availability to meet the demands of that environment.
The Encryption function within the Networks pillar was renamed Traffic Encryption and now incorporates requirements for full lifecycle key management.
Applications & Workloads Pillar
This pillar has one new function: Secure Application Development and Deployment Workflow. The pillar now identifies the criteria for agencies to move towards immutable workloads, as directed in OMB M-22-09.
Application Access (formerly Access Authorization), Application Threat Protections (formerly Threat Protections), Accessible Applications (formerly Accessibility), and Application Security Testing (formerly Application Security) are all updated with additional criteria required to meet the maturity stage.
Data Pillar
CISA added two new functions to the Data pillar: Data Categorization and Data Availability. Both functions provide foundational building blocks for the data protection focus of Zero Trust.
Four Ways to Accelerate your Zero Trust Journey NOW
By using our approach outlined in this related article, agencies will dramatically accelerate their journey. To that end, Acuity provides four offerings that can be scaled to fit your needs:
Zero Trust Readiness Assessment
We use the approach outlined in the Recommendations section above to baseline your agency’s current Zero Trust posture and existing technology. Our baseline highlights the gaps that must be closed to meet regulatory requirements and to position the agency for Zero Trust maturity. We coordinate the assessment quickly, collaborating with agency counterparts to gather the needed documentation, and our expert team then performs the assessment and delivers an Agency Roadmap with highlighted, prioritized gaps and recommended actions based on critical mission demands.
Tailored Tabletop Exercises
Using your Agency Roadmap, we provide a holistic view of the organizational, operational, procedural, talent, and other changes needed to make progress along the path to Zero Trust. These exercises are tailored to the specific needs of the agency and allow all stakeholders to have a fuller understanding of their roles and the impact that integrated Zero Trust capabilities will have on avoiding or mitigating potential security incidents.
Zero Trust Capability
Acuity offers a Zero Trust maturity solution, based on the ATARC Zero Trust working group use cases. The risk-based solution demonstrates the identity management, capabilities, and integration points needed for a cloud-based application operating in a Zero Trust framework and encompasses functions from all the pillars.
ZT Subject Matter Experts – On Call
Acuity offers subject matter expert consultation services for agencies who are interested in advisory, planning, and/or review sessions in support of Zero Trust.
For more information, or to request a meeting, please contact: BD@myacuity.com