CISA Updates Zero Trust Maturity Model to Align with White House Directives

After two years, the Cybersecurity and Infrastructure Security Agency (CISA) published an updated Zero Trust Maturity Model introducing significant changes to the initial document released in 2021.

The biggest changes to the updated version are aligned with the memorandum released by The Office of Management and Budget (OMB) establishing the federal zero trust architecture strategy and requiring agencies across the federal government to meet certain zero trust objectives by 2024.

“I would say that this has been one of the most remarkable times I’ve seen where you have CISA, the Office of Management Budget and the agencies having really fundamental discussions about their plans, about their budgets and making sure that priority is given to cybersecurity and not as an afterthought,” John Simms, CISA’s senior technical advisor told GovCIO Media & Research. “I think this is probably one of the first times I’ve seen where that discussion is very transparent and honest in terms of what it actually will take to implement the executive order and secure agency environments.”

For more than two decades, federal agencies relied on a perimeter security model to protect their enterprise data. The biggest challenge now is shifting away from the existing infrastructure built on implicit trust and align with zero trust principles.

Recognizing that federal agencies are starting the transition from different points, the updated version adds an “initial” stage to the existing traditional, advanced and optimal stages to enable an easier transition for the agencies in their shift to zero trust architecture. The idea is that agencies can take gradual steps across the five pillars of zero trust that include identity, devices, networks, applications and workloads, and data to reach a state where an agency is at an optimal stage across all five pillars of zero trust.

One of the key concepts of zero trust is to treat the agency network as a hostile network, and one of the OMB memorandum’s requirements for the agencies was to expose at least one moderate system to the internet.

“What that required agencies to do was think about what the architecture would need to be, and what the capabilities would need to be…to protect that system,” Simms said. “We had a number of discussions with agencies about…what the real intent of that was, and the real intent behind that task was to provide agencies with an opportunity to gain confidence in their ability to provide that level of security on an application workload to gain confidence to ensure that would withstand any type of attacks or malicious use.”

After releasing the initial Zero Trust Maturity Model version, CISA went into a request-for-comment period and received roughly 375 comments, with each pillar receiving between 50 to 100 different comments about how to further expand on the content provided in the initial version. The comments CISA received came from agencies and trade associations, but the most significant portion of comments came from the vendor community.

“They were at about 70% of the comments that came back, which is great because it gave us a chance to…get their insights and perspectives in terms of some of the concepts that were a little raw in our initial version of the maturity model,” Simms said. “Some things we expected, given that we put it together very quickly…we knew we would get a lot of comments about adding depth in technical areas. And really looking at how we could structure the capabilities across the different pillars.”

OMB released FISMA metrics for fiscal year 2023, but there is no exact number on where agencies are in the zero trust maturity journey.

“There have been a number of discussions about how long does it take…I would say in the next year or two, we’ll be in a better place in terms of…understanding how best to measure progress, but it is something that is getting a lot of discussion right now amongst the agencies as well as in OMB,” Simms added.