Zero Trust Maturity Model (ZTMM 2.0): A Transition to ZTA
May 2, 2023
On April 11, 2023, the Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) delivered an updated Zero Trust Maturity Model (ZTMM 2.0) draft—a roadmap for federal agencies to reference as they transition toward a zero trust architecture (ZTA).
ZERO TRUST OVERVIEW
ZTA, also referred to as zero trust security model or zero trust access management, is a high-level strategy that assumes users, devices, and services attempting to access an organization’s IT resources cannot be implicitly trusted after initial authentication and should be verified with every resource request. In short, “never trust, always verify” (as opposed to user identification and access rights being infrequently assessed based on fixed attributes).
ZTA (and ZTMM 2.0) is in response to the dissolution of traditional network boundaries or identifiable perimeters, with most modern networks consisting of multiple interconnected zones, cloud infrastructure services, SaaS applications, remote connections, and connections to many types of mobile devices, including uncontrolled (BYOD), and non-conventional (IoT) devices.
Obviously, the pandemic-driven acceleration of users to the above-mentioned cloud and edge computing environments has made ZTA strategies the core of most organizational security programs today.
As illustrated by CISA, the ZTMM is intended to promote advancing stages of maturity across five primary pillars. In summary, ZTA is at optimal levels when there is high confidence in user identity and device identity and health, and networks, applications, workloads, and data stores are appropriately configured to adaptively control least privileged access based on risk.
ADDITIONAL ZTA ELEMENTS
As also shown in the above graphic, CISA defines three capabilities it terms “cross-cutting,” which support interoperability of functions across pillars. Capabilities driving the first two, Visibility and Analytics and Automation and Orchestration, have become more accessible as cloud-based functionality and connectors have evolved. CISA describes these capabilities as follows:
- Visibility and Analytics: Visibility refers to the observable artifacts that result from the characteristics of and events within enterprise-wide environments. The focus on cyber-related data analysis can help inform policy decisions, facilitate response activities, and build a risk profile to develop proactive security measures before an incident occurs.
- Automation and Orchestration: Zero trust makes full use of automated tools and workflows that support security response functions across products and services while maintaining oversight, security, and interaction of the development process for such functions, products, and services.
- Governance: Governance refers to the definition and associated enforcement of agency cybersecurity policies, procedures, and processes, within and across pillars, to manage an agency’s enterprise and mitigate security risks in support of zero trust principles and fulfillment of federal requirements.
CISA’s ZTMM UPDATE PROCESS
Upon the initial release of the ZTMM 1.0 in August 2021, CISA collected 378 comments from agencies, vendors, consulting services, academic organizations, trade associations, individuals, and foreign organizations during a subsequent Request for Comment period. CISA’s analysis of and response to these inputs resulted in the revised ZTMM 2.0.
REVISED ZTMM MODEL AND PURPOSE
The ZTMM 2.0 draft can be found at:
Per CISA’s “Response to Comments” summary document (https://www.cisa.gov/sites/default/files/2023-04/zero_trust_maturity_model_response_comments_508.pdf):
- Commenters requested additional guidance and space to evolve along the maturity model, as well as current and future plans to adopt cloud technologies. In response, CISA added the additional maturity stage “Initial” to the maturity model and realigned text for consistency across all pillars. CISA revised guiding criteria for each stage to account for the new maturity model stage. These maturity stages are meant to be dynamic; planned progress from stage to stage may shift in scope over time.
- Relative to current and future plans of agencies to adopt cloud technologies, a related CISA publication, the Cloud Security Technical Reference Architecture v2 (cisa.gov), offers guidance on using Cloud Security Posture Management (CSPM) offerings to achieve security outcomes, such as:
- Commenters also looked for updates to the longer-term ZTMM. In response, CISA updated the text preceding the model to reflect content updates and revised the purpose so the ZTMM is no longer a stopgap solution but continues to support federal agencies in designing and implementing their ZTA transition plans.
New functions that were added to the “Devices” pillar (see below) include Policy Enforcement & Compliance Monitoring, Asset & Supply Chain Risk Management, and Device Threat Protection.
EXPANDED CONTENT AND GUIDANCE
Drilling down, commenters requested expanded content and guidance across all pillars and functions to provide more granular support for ZTA implementation. In response, CISA revised the text for every function of the model, expanded and added functions for each pillar, and clarified the intent of the cross-cutting capabilities. Notable changes in specific pillars include:
- Identity: Additional details provided regarding implementation of secure passwordless MFA via PIV (personal identity verification) methods such as FIDO2 or Windows Hello, and strong two-factor MFA methods (for example, usage of authentication applications and number matching).
- Devices: Updated Policy Enforcement & Compliance function to address software and configuration management; revised Automation and Orchestration and Governance to include deprovisioning, offboarding devices, and remediation steps for failure to meet posture requirements; and added Device Threat Protections function for centralized security management.
- Networks: Revised Network Segmentation function to promote microsegmentation based around application profiles, and added Network Traffic Management and Network Resilience functions. Further revised the pillar to incorporate elements of the original Threat Protection function into Visibility & Analytics and expanded the Traffic Encryption function.
- Applications and Workloads: Updated Application Access function to incorporate contextual information, enforce expiration conditions, and adhere to least privilege principles. Revised Application Threat Protections and Application Security Testing to integrate protections into application workflows for real-time visibility and security testing throughout the software development life cycle. Incorporated a new Secure Application Development and Deployment Workflow function to formalize code deployment, restrict access to production environments, and promote a shift to immutable workloads. Renamed and revised Application Accessibility function to focus on making applications and workloads available to authorized users over public networks in alignment with OMB’s M-22-09. Applications and workloads include agency systems, computer programs, and services that execute on-premises, on mobile devices, and in cloud environments, making adoption of strong and phishing-resistant multi-factor authentication (MFA) and endpoint detection and response (EDR) technologies and monitoring especially critical.
- Data: Expanded Data Encryption function to support encrypting data across the enterprise, formalize key management policies, and incorporate cryptographic agility; revised Data Inventory Management and added Data Categorization function to address maturity toward inventoried and understood data types; and added Data Availability function to optimize availability and emphasize access to historical data.
- Cross-cutting Capabilities: Visibility and Analytics, Automation and Orchestration, and Governance now include detailed scoping descriptions, pillar-independent paths to maturity, and updated recommendations across each pillar.
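To make the “verify every resource request” principle from the overview concrete, together with the Identity (phishing-resistant MFA), Devices (posture remediation) and Applications (contextual access with expiration conditions) changes listed above, here is a small policy decision function. It is an added illustration, not code from CISA or SecureSky; the attribute names, sensitivity tiers and session limits are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Hypothetical attribute names; a real policy engine would draw these from the
# identity provider, the MDM/EDR agent, and the data classification inventory.
@dataclass
class AccessRequest:
    user_authenticated: bool
    mfa_method: str          # "fido2", "piv", "totp_number_match", "sms", "none"
    auth_time: datetime      # when the current session was last strongly verified
    device_managed: bool     # False for uncontrolled BYOD devices
    device_compliant: bool   # passed configuration/patch posture checks
    edr_healthy: bool        # EDR agent present and reporting
    data_sensitivity: str    # "low", "moderate", "high"

PHISHING_RESISTANT = {"fido2", "piv"}
# Expiration conditions tighten as data sensitivity rises (constructed values).
MAX_SESSION_AGE = {"low": timedelta(hours=12),
                   "moderate": timedelta(hours=4),
                   "high": timedelta(minutes=30)}

def decide(req: AccessRequest, now: datetime) -> tuple[str, str]:
    """Return (decision, reason). Called on every resource request rather than
    once at login, so an aged session or a device that has drifted out of
    compliance is caught on the next request, not at the next logon."""
    if not req.user_authenticated or req.mfa_method == "none":
        return "deny", "authentication with MFA required"
    if now - req.auth_time > MAX_SESSION_AGE[req.data_sensitivity]:
        return "step_up", "session exceeded expiration for this data tier"
    if req.data_sensitivity == "high" and req.mfa_method not in PHISHING_RESISTANT:
        return "step_up", "high-sensitivity data requires phishing-resistant MFA"
    if not req.device_managed:
        if req.data_sensitivity != "low":
            return "deny", "unmanaged device limited to low-sensitivity resources"
        return "allow", "unmanaged device granted least-privilege, low-tier access"
    if not req.device_compliant or not req.edr_healthy:
        return "deny", "device failed posture check; remediate and retry"
    return "allow", "identity and device posture verified for this request"

# Constructed baseline: a compliant managed device with a fresh FIDO2 session.
NOW = datetime(2023, 5, 2, 12, 0, tzinfo=timezone.utc)

def make_request(**overrides) -> AccessRequest:
    base = dict(user_authenticated=True, mfa_method="fido2",
                auth_time=NOW - timedelta(minutes=5), device_managed=True,
                device_compliant=True, edr_healthy=True, data_sensitivity="high")
    base.update(overrides)       # override any attribute to model a scenario
    return AccessRequest(**base)
```

Calling `decide(make_request(mfa_method="totp_number_match"), NOW)` returns a step-up rather than a denial, which is the adaptive behaviour the model aims for: the request is neither implicitly trusted nor blocked outright, but re-verified at the strength the data tier demands.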
ZTA BEYOND THE FEDERAL GOVERNMENT
The ZTA principles and ZTMM promulgated by CISA for federal agencies equally apply for all organizations.
Certainly, there are many technologies and services that assist companies with applying ZTA concepts. In today’s commercial marketplace, however, the term “zero trust” is overused and often misapplied to imply “built-in” security.
If you are new to zero trust, in future blogs SecureSky will explore practical application and measurement of the ZTA principles, including:
- Creating a secure identity management system, including ongoing validation of the effectiveness of controls such as MFA.
- Applying identity and endpoint policies to drive conditional and adaptive access management for more granular control.
- Assessing, continuously monitoring, and enforcing secure configurations of networks, applications, cloud services, and data stores aligned with zero trust principles.