CISA’s New Zero Trust Maturity Model: What You Need To Know


Did you know that 74% of IT decision-makers now believe ransomware should be considered a matter of national security? Ransomware threats have skyrocketed in recent years. An eye-watering 60% of organizations fell victim to a ransomware attack last year. Undoubtedly, ransomware is cybersecurity’s most significant challenge today. So, how do organizations fight back and safeguard their networks from nefarious actors? 

Cloud adoption, digital transformation, and a rapidly evolving cyber threat landscape are accelerating the move toward zero-trust architecture. Zero trust is a rigorous approach to cybersecurity that does away with implicit trust and assumes that there is no traditional network edge. Instead, it requires all users, whether inside or outside the organization’s network, to be authenticated, authorized, and continuously validated. It achieves this through a granular and data-centric approach to network access control.  

So that’s zero trust, but what’s the CISA Zero Trust Maturity Model? How does it help organizations realize zero-trust architecture? And when can we expect the second iteration of this model? Let’s get into it.

What is the CISA Zero Trust Maturity Model?

The Cybersecurity and Infrastructure Security Agency intends to issue a second version of its Zero Trust Maturity Model soon. Here’s what you need to know.  

First introduced in June 2021 by the US Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA), the Zero Trust Maturity Model aims to assist organizations in transitioning to zero trust architecture.  

There’s no doubt that transitioning to zero-trust architecture should be a top priority for organizations today. It delivers significant improvements in cybersecurity while also reducing costs and offering more peace of mind for IT leaders and end users. However, making this jump can be a challenge for many companies.  

Implementing zero-trust architecture comes with inherent difficulties. For example, it can be technically complex and time-consuming. Companies must decide whether to invest in a single vendor or opt for a multi-vendor solution. Moreover, zero trust architecture isn’t a ‘set and forget’ solution – it requires periodic software updates to ensure cybersecurity remains airtight. And when you add inflexible legacy systems into the mix, complexity only increases.   

The Zero Trust Maturity Model aims to address these challenges and help organizations achieve solid privilege management and identity management authentication across the whole environment.  

The Five Pillars of the Zero Trust Maturity Model

CISA identifies five distinct pillars for Zero Trust implementation. It also outlines a three-stage approach to zero trust implementation: 

  1. Traditional: A mostly manual (as opposed to automated) environment as a starting point. Security policies and mitigation solutions are manually implemented.
  2. Advanced: A nominal increase in automation, centralized management, and better policy enforcement.
  3. Optimal: Characterized by automated systems across the security infrastructure, enhanced alignment with security standards, and robust centralized management.

Critically, CISA believes organizations can reach the optimal stage of zero trust through incremental improvements across the five Zero Trust implementation pillars. These pillars are: 

  1. Identity: An attribute (or set of attributes) that uniquely describes an agency, user, or entity. Organizations must ensure that the right users have the right access to the right resources at the right time.  
  2. Device: This refers to any device that connects to the network. This includes IoT devices, laptops, mobile phones, servers, and more. Organizations must ensure unauthorized devices cannot access network resources.  
  3. Network/Environment: This is the network environment, whether hardware-based, wireless, or linked to other networks like the internet. This pillar is also concerned with encryption, threat identification and mitigation, and the network’s logical configuration. Organizations should segment and control networks to direct internal and external data flows.  
  4. Application Workload: This refers to computer programs, systems, and services that execute on-premises and in a cloud environment. Organizations need to manage the application layer as well as containers to achieve secure application delivery.  
  5. Data: Data needs to be protected on devices, applications, and networks. Organizations should categorize, label, and protect data at rest and in transit.  

Why is CISA Revising its Zero Trust Maturity Model?

The agency intends to revise its Zero Trust Maturity Model soon to bring it into alignment with its current programs and services.  

In simple words, CISA continually updates its cybersecurity programs, services, and capabilities to make them fully functional with modern zero-trust principles and cloud-computing environments.  

As a result, any effective zero-trust model cannot be a static document. Instead, it needs to evolve as the threat landscape and our IT environments evolve.

The CISA programs of particular interest here are: 

  • Continuous Diagnostics and Mitigation (CDM): CDM leverages automated tools, integration services, and dashboards to assess configurations and identify possible security risks.  
  • Trusted Internet Connections (TIC): TIC aims to limit the number of sanctioned gateways on the government network and requires that all federal traffic be routed through TIC-approved agencies.  
  • National Cybersecurity Protection System (NCPS): NCPS is an integrated intrusion detection, analysis, prevention, and information system. Its goal is to defend infrastructure against cyber threats.  
  • High-Value Assets (HVA): An HVA is information that is so critical to an organization that the loss or corruption of it would seriously impact the organization’s ability to conduct business.
  • Cyber Quality Service Management Office (QSMO) Marketplace: This is an online platform where users can acquire high-quality, cost-efficient cybersecurity services.
  • Threat Hunting (TH): Threat hunting involves proactively searching for threats lurking undetected in an organization’s network.

When Will the Updated Zero Trust Maturity Model be Released?

The release of CISA’s updated Zero Trust Maturity Model was rumored to have been slated for summer 2022. However, we’re now firmly in the fall and still waiting on the updated document. Nonetheless, it feels safe to assume we’ll see the updated document soon. In the meantime, it’s best to familiarize yourself with the current version of the document, which you can further explore here.
