CISA Updates Zero Trust Maturity Model to Align with White House Directives
CISA’s updated guidance provides more technical depth across the five pillars of zero trust and adds a new maturity stage.
After two years, the Cybersecurity and Infrastructure Security Agency (CISA) published an updated Zero Trust Maturity Model introducing significant changes to the initial document released in 2021.
The biggest changes to the updated version are aligned with the memorandum released by The Office of Management and Budget (OMB) establishing the federal zero trust architecture strategy and requiring agencies across the federal government to meet certain zero trust objectives by 2024.
“I would say that this has been one of the most remarkable times I’ve seen where you have CISA, the Office of Management Budget and the agencies having really fundamental discussions about their plans, about their budgets and making sure that priority is given to cybersecurity and not as an afterthought,” John Simms, CISA’s senior technical advisor told GovCIO Media & Research. “I think this is probably one of the first times I’ve seen where that discussion is very transparent and honest in terms of what it actually will take to implement the executive order and secure agency environments.”
For more than two decades, federal agencies relied on a perimeter security model to protect their enterprise data. The biggest challenge now is shifting away from existing infrastructure built on implicit trust and aligning it with zero trust principles.
Recognizing that federal agencies are starting the transition from different points, the updated version adds an “initial” stage to the existing traditional, advanced and optimal stages, giving agencies an easier on-ramp to zero trust architecture. The idea is that agencies can take gradual steps across the five pillars of zero trust (identity, devices, networks, applications and workloads, and data) until they reach the optimal stage in all five pillars.
One of the key concepts of zero trust is to treat the agency network as a hostile network, and one of the OMB memorandum’s requirements for the agencies was to expose at least one moderate system to the internet.
“What that required agencies to do was think about what the architecture would need to be, and what the capabilities would need to be…to protect that system,” Simms said. “We had a number of discussions with agencies about…what the real intent of that was, and the real intent behind that task was to provide agencies with an opportunity to gain confidence in their ability to provide that level of security on an application workload to gain confidence to ensure that would withstand any type of attacks or malicious use.”
After releasing the initial Zero Trust Maturity Model version, CISA went into a request-for-comment period and received roughly 375 comments, with each pillar receiving between 50 and 100 different comments about how to further expand on the content provided in the initial version. The comments CISA received came from agencies and trade associations, but the most significant portion came from the vendor community.
“They were at about 70% of the comments that came back, which is great because it gave us a chance to…get their insights and perspectives in terms of some of the concepts that were a little raw in our initial version of the maturity model,” Simms said. “Some things we expected, given that we put it together very quickly…we knew we would get a lot of comments about adding depth in technical areas. And really looking at how we could structure the capabilities across the different pillars.”
OMB released FISMA metrics for fiscal year 2023, but there is no precise measure yet of where agencies stand in the zero trust maturity journey.
“There have been a number of discussions about how long does it take…I would say in the next year or two, we’ll be in a better place in terms of…understanding how best to measure progress, but it is something that is getting a lot of discussion right now amongst the agencies as well as in OMB,” Simms added.