By Sara Mosley and Danny Toler
Based on our federal agency experience, we recommend the following essential activities to accelerate progress toward achieving Zero Trust, in line with the updated CISA Zero Trust Maturity Model (ZTMM) v2.
1. Assess Your Current State Before Diving into Further Investments
Agencies should assess their current enterprise systems, resources, infrastructure, personnel, and processes before investing in new Zero Trust capabilities (including those that address the pillars and functions outlined in this model). This assessment assists agencies in understanding their capabilities that support Zero Trust maturity and identifying gaps.
a. Focus on Critical Systems and Data Stores
As part of the assessment, we recommend that agencies prioritize their assessment with regard to the state of their most critical systems and/or data stores, i.e., their High Value Assets (HVAs) and systems. Focusing first on these systems provides the highest return on investment and accelerates the protection of the agency’s most important assets.
b. Integrate all Federal Guidelines
Our approach to performing an effective assessment is to map capabilities relative to all available federal guidelines, including NIST 800-53; NIST Security Measures for “EO-Critical Software” Use; CISA Maturity Model v2; and OMB 22-09.
2. Start by Automating Processes and Workflows
Following the assessment in steps 1-4, implementation begins with the automation of processes and workflows. As agencies progress towards optimal Zero Trust implementation, their maturity increasingly relies on automated processes and systems that more fully integrate across pillars and more dynamically enforce policy decisions.
3. Invest in Tabletop Exercises
Scenario-driven tabletop exercises are an excellent way to assess your governance, capabilities, standing procedures, and organizational workflows. During tabletop exercises, agency leaders uncover gaps in these areas. Leaders can then address and close the gaps to prepare for (and hopefully prevent!) a possible future occurrence of the scenario.
4. Avoid the “Shiny Object”
Zero Trust cannot be achieved by buying a single tool. Zero Trust is a journey. Tools that replicate or perpetuate the traditional perimeter-centric approach to cybersecurity are, for the most part, inconsistent with Zero Trust. Most agencies have the foundational tools needed to start on their Zero Trust journey; however, they will need to change the way these tools are used and integrated. For example, agencies generally have one or more device management solutions for enterprise assets but have not integrated these solutions with their identity platforms to enable granular-level authentication. There’s a temptation to add new solutions, such as a Secure Access Service Edge (SASE) cloud-based security solution. This helps with the management of devices for remote workforces but does not address all the objectives for Device pillar maturity.
5. Emphasize Horizontal Integration vs. Vertical Excellence
The model encourages incremental progress achieved horizontally across the pillars, rather than vertically within select pillars. This approach favors integration across pillars to provide optimal protection to data and services against the broadest range of threats. Without an integrated approach, an organization can achieve optimal maturity in one pillar and remain in the traditional or initial stage in other pillars. This uneven maturity results in gaps in achieving the main objective of Zero Trust, which is to protect critical data.
Zero Trust is a Strategic Undertaking for Federal Agencies
We are grateful to CISA for the investment and collaboration resulting in a refined Zero Trust Maturity Model, especially contributable to the diligence of John Simms and Sean Connelly. The model is not a strict set of proscriptive requirements, nor is it a step-by-step recipe for full Zero Trust maturity. It is, however, a definitive way for agencies to determine where they stand in their Zero Trust journey and allows them to track their progress. By identifying the criteria for achieving progressive levels of Zero Trust maturity, CISA has recognized Zero Trust as a strategic undertaking. Agencies must assess their current state to determine their specific starting point and set a path that recognizes budgetary, technical, and organizational boundaries. Most importantly, they need to track progress each step of the way.
Four Ways to Accelerate the Zero Trust Journey NOW
By using our approach outlined above, agencies will dramatically accelerate their journey. To that end, Acuity provides four offerings that can be scaled to fit your needs:
Zero Trust Readiness Assessment
We use the approach outlined in the Recommendations section above to baseline your agency’s current Zero Trust posture and existing technology. Our baseline highlights gaps that need to be closed to meet regulatory requirements and position for Zero Trust maturity. We can quickly coordinate our assessment, collaborating with agency counterparts to gather needed documentation, perform our assessment with our expert team, and provide you with an Agency Roadmap that includes highlighted, prioritized gaps and recommended actions based on critical mission demands.
Tailored Tabletop Exercises
Using your Agency Roadmap, we provide a holistic view of the organizational, operational, procedural, talent, and other changes needed to make progress along the path to Zero Trust. These exercises are tailored to the specific needs of the agency and allow all stakeholders to have a fuller understanding of their roles and the impact that integrated Zero Trust capabilities will have on avoiding or mitigating potential security incidents.
Zero Trust Implementation Services
Acuity’s Innovation Lab is developing a suite of capabilities to support known Zero Trust use cases that meet federal requirements. Our risk-based approach is built on the CISA Zero Trust Maturity Model v2.0.
ZT Subject Matter Experts – On Call
Acuity offers subject matter expert consultation services for agencies who are interested in advisory, planning, and/or review sessions in support of Zero Trust.
For more information, or to request a meeting, please contact: BD@myacuity.com
For a quick overview of the changes in CISA’s ZTTM v2.0, read this article.