CISA Zero Trust Maturity Model (TL;DR Version)

by Schuyler Brown

Chairman of the Board

StrongDM

3 min read

Last updated on: April 5, 2023

Get the Zero Trust eBook PDF

Found in: Zero Trust

StrongDM manages and audits access to infrastructure.

Role-based, attribute-based, & just-in-time access to infrastructure
Connect any person or service to any infrastructure, anywhere
Logging like you've never seen

Get a demo

In the 1990s, the TV series “The X-Files” made the phrase “Trust No One” popular. Now, with cybercrime increasing at an alarming rate, “trust no one” – or Zero Trust – is a phrase echoing through enterprises. In 2021, the average number of cyberattacks and data breaches increased by 15.1%. That same year, the U.S. government spent $8.64 billion of its $92.17 billion IT budget to combat cybercrime. It also released the CISA Zero Trust Maturity Model.

What Is the CISA Zero Trust Maturity Model?

The CISA Zero Trust Maturity Model, released by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), was drafted in June 2021 to help government agencies comply with Executive Order 14028, “Improving the Nation’s Cybersecurity.” EO 14028 specifically recommends Zero Trust Architecture to protect government infrastructure.

Right on the heels of EO 14028, CISA began working on the CISA Zero Trust Maturity Model. It provides a framework as agencies transition to Zero Trust Architecture, strengthening their cybersecurity posture and preventing unauthorized access to infrastructure and resources by requiring constant authentication. The CISA Zero Trust Maturity Model is meant to serve as guidelines but is not meant to be a complete plan.

CISA built the Zero Trust Maturity Model on the seven Zero Trust tenets outlined by the National Institute of Standards and Technology (NIST). They are:

All data sources and computing services are infrastructure.
All communication is secured, regardless of location.
Access to individual enterprise resources is granted per session.
Access to resources is determined by dynamic policy.
The enterprise monitors and measures the integrity and security posture of all owned and associated assets.
All resource authentication and authorization are dynamic and strictly enforced before access is allowed.
The enterprise collects as much information as possible about the current state of assets, network infrastructure, and communications and uses it to improve its security posture.

Importance of the Zero Trust Maturity Model

The federal government recognizes the importance of Zero Trust in its efforts to secure infrastructure and resources. In addition to the seven tenets outlined by NIST in Special Publication 800-207, which describes Zero Trust for enterprise security architects, federal agencies have released other publications to explain the concept and provide guidance.

The Department of Defense (DoD) released the DoD Zero Trust Reference Architecture specifically for the DoD Information Network, and the National Security Agency has embraced a Zero Trust security model.

But the challenges lie in legacy systems that may conflict with Zero Trust principles and the lack of consensus on what a Zero Trust Maturity Model looks like. The CISA Zero Trust Maturity Model aims to address these challenges and operationalize protections through its programs, including Continuous Diagnostics and Mitigation (CDM) and National Cybersecurity Protection System (NCPS).

Zero Trust Maturity Model Implementation

The Zero Trust Maturity Model relies on the Foundation of Zero Trust. This is represented by five pillars: identity, device, network/environment, application workload, and data. The five pillars sit on top of visibility and analytics, automation and orchestration, and governance.

Zero Trust maturity stages

The Zero Trust maturity stages are used to identify maturity for each zero trust technology pillar and provide consistency across the maturity model. Briefly, the stages are:

Traditional: Manual configurations are still widely used for attributes, along with static security policies and coarse dependencies on external systems.
Advanced: Some cross-pillar coordination and centralized visibility and identity control are complete.
Optimal: Attributes are automatically assigned to assets and resources, and dynamic policies based on automated or observed triggers are in place.

The pillars of Zero Trust are:

Pillar 1: Identity

This refers to a set of attributes or an attribute that describes a user or identity. In an optimal maturity model, the identity is continuously authenticated.

Pillar 2: Device

A device is any hardware asset that can connect to a network. An optimal model includes constant device security monitoring and validation, and data access depends on real-time risk analytics.

Pillar 3: Network/Environment

The CISA Zero Trust Maturity Model defines network/environment as any open communications medium, including agency internal networks, wireless networks, and the Internet. In an optimal model, it uses fully distributed ingress/egress micro-parameters, machine learning-based threat detection, and encryption for all traffic.

Pillar 4: Application Workload

Applications and workloads include agency systems, computer programs, and services that execute on-premise and in the cloud. Optimal models continuously authorize access and are strongly integrated into the application workflow.

Pillar 5: Data

Data needs to be protected on all devices, in applications, and on networks, according to the CISA Zero Trust Maturity Model. An optimal model uses dynamic support and encrypts all data.

How StrongDM Simplifies Zero Trust Implementation

Zero Trust implementation can seem daunting, particularly for organizations that are taking a reactive approach to data loss prevention. StrongDM simplifies Zero Trust at optimal levels for network/environment, application workload, and data by detecting suspicious behavior in real-time and providing a full audit trail that logs every permission change and employee query.

This checks the boxes for optimal threat protection, visibility and analytics, automation and orchestration, governance, access authorization, and access determination, all key components of Zero Trust.

IT administrators already have enough to do without manually configuring access and implementing Zero Trust from scratch. StrongDM makes it easy with a Dynamic Access Management (DAM) Platform that provides access to resources based on what’s actually needed and enforces a Zero Trust model that keeps infrastructure and resources safe.

Want to see how StrongDM can help your organization move toward Zero Trust? Book a demo today.

About the Author

Schuyler Brown, Chairman of the Board, began working with startups as one of the first employees at Cross Commerce Media. Since then, he has worked at the venture capital firms DFJ Gotham and High Peaks Venture Partners. He is also the host of Founders@Fail and author of Inc.com's "Failing Forward" column, where he interviews veteran entrepreneurs about the bumps, bruises, and reality of life in the startup trenches. His leadership philosophy: be humble enough to realize you don’t know everything and curious enough to want to learn more. He holds a B.A. and M.B.A. from Columbia University. To contact Schuyler, visit him on LinkedIn.

💙 this post?

Then get all that StrongDM goodness, right in your inbox.

StrongDM is pleased to see that, in April 2024, the National Security Agency of the United States, has released a Cybersecurity Information (CSI) sheet that recommends why and how organizations, public and private, should adopt the Zero Trust (ZT) security model for their data tier of infrastructure. At the core of the recommendations, an organization needs to know what data it possesses, how that data is being accessed, and how to control access to that data.

PAM Was Dead. StrongDM Just Brought it Back to Life.

In essence, legacy PAM solutions over-index on access. StrongDM uses the principles of Zero Trust to evaluate and govern every action, no matter how minor - where each command, query, or configuration change is evaluated in real-time against dynamic policies that adapt to the context of the user, the sensitivity of the action, and the prevailing threat landscape.

Top 9 Zero Trust Security Solutions in 2024

Zero trust is a security and authentication model that eliminates the assumption of trust and shifts the focus from a traditional security parameter, like a VPN or firewall, to the individual user. Nearly all (92 percent) cybersecurity professionals agree that it’s the best network security approach that exists. In this article, we’ll evaluate the top nine zero trust solutions and help you decide which is right for your organization.

XZ Utils Backdoor Explained: How to Mitigate Risks

Last week, Red Hat issued a warning regarding a potential presence of a malicious backdoor in the widely utilized data compression software library XZ, which may affect instances of Fedora Linux 40 and the Fedora Rawhide developer distribution. CISA, or Cybersecurity & Infrastructure Security Agency, confirmed and issued an alert for the same CVE.

Context-Based Access Controls: Challenges, Importance & More

Context-based access controls refer to a dynamic and adaptive approach to managing security policies in modern infrastructure. Addressing challenges in enforcing consistent security across diverse platforms, these policies consider factors such as device posture and geo-location to adjust access controls dynamically. By narrowing access based on contextual parameters, they reduce the attack surface, enhance security, and streamline policy administration, ensuring compliance in evolving environments.