CISA updates zero trust maturity model to provide an easier launch

The United States Cybersecurity and Infrastructure Security Agency (CISA) has published its Zero Trust Maturity Model (ZTMM) version 2, which incorporates recommendations from public comments it received on its first version of ZTMM. “CISA has been acutely focused on guiding agencies, who are at various points in their journey, as they implement zero trust architecture,” said Chris Butera, technical director for cybersecurity, CISA. “As one of many roadmaps, the updated model will lead agencies through a methodical process and transition towards greater zero trust maturity. While applicable to federal civilian agencies, all organizations will find this model beneficial to review and use to implement their own architecture.”

CISA released the first version of its ZTMM model in September 2021, as directed by President Biden’s wide-ranging cybersecurity executive order (EO) issued in May 2021. That EO laid out a series of cybersecurity initiatives and goals, including spurring federal government agencies to move closer to zero trust architectures. In January 2022, OMB also issued a federal zero trust architecture (ZTA) strategy under the EO, requiring agencies to meet specific cybersecurity standards and objectives by the end of the fiscal year 2024.

What is zero trust again?

Zero trust is a buzz phrase in the cybersecurity risk management arena. It encompasses many concepts that are often hard to grasp and even more challenging to implement. CISA defines zero trust as “an approach where access to data, networks and infrastructure is kept to what is minimally required and the legitimacy of that access must be continuously verified.”

According to the National Institute of Standards and Technology (NIST), a zero-trust architecture (ZTA) is “an enterprise’s cybersecurity plan that uses zero-trust concepts and encompasses component relationships, workflow planning, and access policies. Therefore, a zero-trust enterprise is the network infrastructure (physical and virtual) and operational policies that are in place for an enterprise as a product of a ZTA plan.”

Theresa Payton, CEO of Fortalice, points to the term “zero trust” as a critical branding problem that makes it hard for organizations to adopt approaches that achieve the goals of zero-trust strategies and models. “Even just the terminology ‘zero-trust architecture’ sounds like products such as a Lego set you can buy, and you could just follow the directions, plug everything in, and at the end, you have zero trust,” she tells CSO. “The biggest challenge I see is a lack of appreciation for the fact that this is not really a journey. I hear people describe it as a journey, but it’s actually a lifestyle choice. So, I always talk in terms of ‘no-trust architecture,’ which gets you to a better conversation.”

Inclusion of an initial zero-trust stage the most significant change

CISA’s ZTMM includes five pillars — Identity, Devices, Networks, Applications and Workloads, and Data – and three cross-cutting capabilities labeled as Visibility and Analytics, Automation and Orchestration, and Governance.  According to the updated model, there are four stages of maturity: Traditional, Initial, Advanced, and Optimal.

“The three stages of the ZTM journey that advance from a Traditional starting point to Initial, Advanced, and Optimal will facilitate federal ZTA implementation. Each subsequent stage requires greater levels of protection, detail, and complexity for adoption,” CISA said.

Adding the initial stage is the most significant change between the original ZTMM model and the updated version. This stage focuses on organizations just starting “automation of attribute assignment and configuration of lifecycles, policy decisions and enforcement, and initial cross-pillar solutions with integration of external systems,” according to CISA.

Payton applauds “CISA for adding the initial stage to the zero-trust maturity model. So now they give people that launch point if you’re not sure where to get started.” The new model provides “some basic foundational items you can implement that will help you along the way in trying to achieve the zero trust architecture principles,” she says.

“What they did is they took the 300-plus comments that they received from agencies and consultants, vendors, just the community who commented on the previous model,” Eric Noonan, CEO of CyberSheath, tells CSO. “They then created a product that incorporated [the comments] by adding the initial stage because they recognized that going from the first phase, which is traditional, to the next phase, which was advanced, was too much of a leap. So, I think they made a greater focus on the fact that this is not a light switch.”

Adding the initial stage highlights that moving to zero trust is not a straightforward path, Noonan says. “It’s not linear by any means. The initial stage recognizes that and gives organizations who want to adopt this model a more practical and achievable way to do that in a more measurable way rather than just going from zero to one hundred.”

The pace of technological change is a challenge

CISA took 20 months to update its initial ZTMM, which, according to Payton, is too long a lag given the pace of technological change, particularly the rapid advances in artificial technology. She points to a recent situation in which Samsung employees reportedly leaked sensitive and confidential company information to Open AI’s ChatGPT platform. “I was a little surprised that it doesn’t address [AI], and this is how challenging it can be, so this is not a ding against CISA. But this shows how challenging it can be to keep up with technological innovation and transformation. The ZTMM does not address artificial intelligence, machine learning, or generative AI. That’s not in there.”

Payton would like to see CISA given the authority to move more quickly in updating its model in the future. “I would like to see the ability for CISA to be given the authority and the guardrails to move more swiftly. New technologies are being introduced. They need to be allowed to update models and guidance and frameworks and policies to match the same speed of the marketplace.”

Noonan, however, offers an alternative take on the timing of the update. “I think they’ve made a tremendous amount of progress,” he says. “The second iteration of the model in just two years speaks to the amount of focus the federal government is putting on this and the amount of importance and progress they are making with zero trust.”