The Cybersecurity and Infrastructure Security Agency, seeing agencies struggle in some cases to initiate a mandated shift to a “zero trust” security approach, rolled out an updated roadmap for how agencies should carry out a modernization of their cyber defenses.
CISA released Version 2.0 of the Zero Trust Maturity Model on Tuesday. One of the biggest changes is the addition of an “initial” stage to the model. The four stages in sequence are now “traditional, initial, advanced, and optimal.”
CISA first released the maturity model in 2021, prior to finalization of the White House’s zero trust strategy in early 2022. The strategy directed agencies to develop implementation plans for reaching a zero trust architecture by the end of fiscal 2024, with the maturity model serving as one of the primary guiding documents for many agencies.
But CISA Director Jen Easterly explained how the agency found many organizations were struggling to make the shift from a traditional, perimeter defense approach to a more advanced zero trust architecture. The model is geared toward federal agencies, but can be used by any organization, CISA said.
“We found that it was too high a leap to go from traditional to advanced, so now we have the initial stage,” Easterly said at Crowdstrike’s Government Summit in Washington on Tuesday.
“The most important thing for anybody starting on this journey is to recognize that this is a journey, and it might take a while to get to an ‘optimal’ zero trust architecture,” she continued. “A journey of a thousand miles starts with one step, and now we’ve made the first step easier.”
CISA updated the model after receiving more than 378 comments from agencies, vendors, consultants and other organizations on the initial document. It also reviewed agency zero trust implementation plans. The agency additionally relied on CyberStat Working Groups; “modernization deep dives”; and one-on-one meetings with agencies, international partners and “the greater IT community,” the agency said.
The National Security Telecommunications Advisory Committee also helped feed the development of the updated model. The committee’s February 2022 report on “Zero Trust and Trusted Identity Management” found the White House’s zero trust push was at risk of becoming an “incomplete experiment.”
One challenge, the report found, is that agencies are in “dramatically different phases” in their zero trust journey.
“Some have well-defined zero trust reference architectures mapped to specific security controls and well-developed governance constructs to accelerate adoption across their enterprises,” the report states. “Other federal entities, burdened by legacy infrastructure built on the prior concept of implicit trust, lack some of the basic network and asset visibility necessary to even begin implementing a zero trust-focused project in the near term.”
The updated model expands on guidance across the five “pillars” of zero trust: identity; devices; networks; applications and workloads; and data. It also shows how the new “initial” stage sets a lower barrier to entry across the different pillars.
For instance, under the “authentication” function of the “identity” pillar, an agency could reach the “initial” stage by adopting multifactor authentication, while still relying on passwords for one of those factors.
Moving to the “advanced” stage of identity would require the adoption of “phishing-resistant” MFA and an initial implementation of password-less authentication.
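To make the identity-pillar criteria above concrete, here is an added example (not from the article or from CISA) that classifies accounts against the three stages the article describes: traditional (password only), initial (MFA with a password still one factor), and advanced (phishing-resistant MFA plus a password-less path). Which authenticators count as phishing-resistant is an assumption, not something the article states.

```python
"""Added example: map an account's enabled authenticators to the ZTMM v2.0
identity/authentication stages described in the article (not CISA's code)."""
from collections import Counter
from dataclasses import dataclass, field

# The article gives no criteria for "optimal", so only three stages are assigned.
STAGES = ["traditional", "initial", "advanced"]
# Assumption (not in the article): the usual reading of "phishing-resistant"
# is FIDO2/WebAuthn and PIV/CAC; OTP, push and SMS are MFA but not resistant.
PHISHING_RESISTANT = {"fido2", "webauthn", "piv", "cac"}
OTHER_SECOND_FACTORS = {"totp", "push", "sms"}


@dataclass
class Account:
    user: str
    methods: set = field(default_factory=set)  # enabled authenticators
    passwordless: bool = False  # a login path that never prompts for a password


def authentication_stage(a: Account) -> str:
    m = {x.lower() for x in a.methods}
    resistant = bool(m & PHISHING_RESISTANT)
    second = bool(m & (PHISHING_RESISTANT | OTHER_SECOND_FACTORS))
    # An account with no password at all is password-less by construction.
    no_password_path = a.passwordless or "password" not in m
    # Advanced: phishing-resistant MFA plus at least an initial password-less path.
    if resistant and no_password_path:
        return "advanced"
    # Initial: MFA is in use, even though a password is still one of the factors.
    if "password" in m and second:
        return "initial"
    return "traditional"


def gap_to_next(a: Account) -> str:
    """Describe what the account still needs to reach the next stage."""
    stage = authentication_stage(a)
    if stage == "traditional":
        return "enable a second factor (MFA) alongside the password"
    if stage == "initial":
        missing = []
        if not {x.lower() for x in a.methods} & PHISHING_RESISTANT:
            missing.append("add a phishing-resistant authenticator")
        if not a.passwordless:
            missing.append("enable a password-less login path")
        return "; ".join(missing)
    return "optimal-stage criteria are not covered in the article"


def summarize(accounts):
    """Overall stage is the least mature account; also return per-stage counts."""
    stages = [authentication_stage(a) for a in accounts]
    return min(stages, key=STAGES.index), dict(Counter(stages))
```

Run `summarize` over an export of your identity provider's per-user authenticator settings (constructed `Account` objects here) to see which stage the population as a whole meets and `gap_to_next` to see the step each account needs.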
Sean Connelly, senior cybersecurity architect and program manager for Trusted Internet Connections at CISA, said the updated maturity model provides a crawl-walk-run approach based on feedback not just from agencies, but from commercial industry, academia and even international partners.
He said agencies should be thinking about how their people and processes need to change to achieve a zero trust approach, in addition to their technology needs.
“Agencies need to be asking the question, how do we go from the initial to the advanced stage?” Connelly told Federal News Network after speaking at the Crowdstrike summit. “Not only the technology, but how is the organization going to change? How will new teams be able to work together in ways they may not have before?”
Moving forward, Connelly said the data pillar “presents the most opportunity” for CISA to introduce new solutions and functions to help agencies advance their maturity.
“With the networking pillar, it’s pretty well understood what we mean by the networking pillar and how to go from the traditional to the initial,” he said. “With the data pillar, we’re still learning what it means to advance.”
CISA, the White House Office of Management and Budget, and the General Services Administration are now looking to produce “playbooks” to help agencies with specific aspects of their zero trust architecture, Connelly said.
“Not doing these massive reference architectures as much as focusing on one pillar or maybe how a couple of the pillars align in new ways, and so you should see some opportunities with playbooks coming out,” he said.