CISA Zero Trust Maturity Model (TL;DR Version)

In the 1990s, the TV series “The X-Files” made the phrase “Trust No One” popular. Now, with cybercrime increasing at an alarming rate, “trust no one” – or Zero Trust – is a phrase echoing through enterprises. In 2021, the average number of cyberattacks and data breaches increased by 15.1%. That same year, the U.S. government spent $8.64 billion of its $92.17 billion IT budget to combat cybercrime. It also released the CISA Zero Trust Maturity Model.

What Is the CISA Zero Trust Maturity Model?

The CISA Zero Trust Maturity Model, released by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), was drafted in June 2021 to help government agencies comply with Executive Order 14028, “Improving the Nation’s Cybersecurity.” EO 14028 specifically recommends Zero Trust Architecture to protect government infrastructure.

Right on the heels of EO 14028, CISA began working on the CISA Zero Trust Maturity Model. It provides a framework for agencies as they transition to Zero Trust Architecture, strengthening their cybersecurity posture and preventing unauthorized access to infrastructure and resources by requiring constant authentication. The CISA Zero Trust Maturity Model is meant to serve as a set of guidelines, not as a complete plan.

CISA built the Zero Trust Maturity Model on the seven Zero Trust tenets outlined by the National Institute of Standards and Technology (NIST). They are:

  • All data sources and computing services are infrastructure.
  • All communication is secured, regardless of location.
  • Access to individual enterprise resources is granted per session.
  • Access to resources is determined by dynamic policy.
  • The enterprise monitors and measures the integrity and security posture of all owned and associated assets.
  • All resource authentication and authorization are dynamic and strictly enforced before access is allowed.
  • The enterprise collects as much information as possible about the current state of assets, network infrastructure, and communications and uses it to improve its security posture.
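The per-session, dynamic-policy, and asset-posture tenets above can be seen together in a small policy decision function. This is an added example, not code from CISA, NIST, or StrongDM; the users, resources, field names, and time thresholds are constructed assumptions. Note that the request's network location is recorded but never used to grant trust.

```python
from dataclasses import dataclass

MAX_AUTH_AGE = 900      # seconds since last identity verification (assumed value)
MAX_POSTURE_AGE = 300   # seconds since last device posture report (assumed value)
SESSION_TTL = 600       # grant lifetime: access is per session, never standing

@dataclass(frozen=True)
class Request:
    user: str
    resource: str
    now: int               # epoch seconds of this request
    auth_time: int         # last successful authentication
    mfa: bool
    device_compliant: bool
    posture_time: int      # last device posture report
    source_net: str        # "internal" or "internet": logged, never trusted

# Constructed sample policy and role assignments (hypothetical names).
POLICY = {"payroll-db": {"roles": {"finance"}, "require_mfa": True},
          "wiki": {"roles": {"finance", "engineering"}, "require_mfa": False}}
ROLES = {"alice": {"finance"}, "bob": {"engineering"}}

def decide(req: Request) -> dict:
    """Evaluate one request; return the decision plus reasons for the audit log."""
    reasons = []
    rule = POLICY.get(req.resource)
    if rule is None:
        reasons.append("unknown resource")
    elif not (ROLES.get(req.user, set()) & rule["roles"]):
        reasons.append("role not entitled")
    if rule and rule["require_mfa"] and not req.mfa:
        reasons.append("mfa required")
    if req.now - req.auth_time > MAX_AUTH_AGE:
        reasons.append("authentication stale")
    if not req.device_compliant:
        reasons.append("device non-compliant")
    elif req.now - req.posture_time > MAX_POSTURE_AGE:
        reasons.append("device posture stale")
    allow = not reasons
    # A grant is scoped to one user and one resource and expires on its own.
    grant = ({"user": req.user, "resource": req.resource,
              "expires": req.now + SESSION_TTL} if allow else None)
    return {"allow": allow, "reasons": reasons, "grant": grant}
```

Calling `decide` again on every request, rather than once at login, is what makes the decision dynamic: the same user is refused as soon as the authentication or posture data ages out.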

Importance of the Zero Trust Maturity Model

The federal government recognizes the importance of Zero Trust in its efforts to secure infrastructure and resources. In addition to the seven tenets outlined by NIST in Special Publication 800-207, which describes Zero Trust for enterprise security architects, federal agencies have released other publications to explain the concept and provide guidance.

The Department of Defense (DoD) released the DoD Zero Trust Reference Architecture specifically for the DoD Information Network, and the National Security Agency has embraced a Zero Trust security model.

But the challenges lie in legacy systems that may conflict with Zero Trust principles and the lack of consensus on what a Zero Trust Maturity Model looks like. The CISA Zero Trust Maturity Model aims to address these challenges and operationalize protections through its programs, including Continuous Diagnostics and Mitigation (CDM) and National Cybersecurity Protection System (NCPS).

Zero Trust Maturity Model Implementation

The Zero Trust Maturity Model relies on the Foundation of Zero Trust. This is represented by five pillars: identity, device, network/environment, application workload, and data. The five pillars sit on top of visibility and analytics, automation and orchestration, and governance.

Zero Trust maturity stages

The Zero Trust maturity stages are used to identify the maturity of each Zero Trust technology pillar and to provide consistency across the maturity model. Briefly, the stages are:

  • Traditional: Manual configurations are still widely used for attributes, along with static security policies and coarse dependencies on external systems.
  • Advanced: Some cross-pillar coordination and centralized visibility and identity control are complete.
  • Optimal: Attributes are automatically assigned to assets and resources, and dynamic policies based on automated or observed triggers are in place.

The pillars of Zero Trust are:

Pillar 1: Identity

This refers to a set of attributes or an attribute that describes a user or identity. In an optimal maturity model, the identity is continuously authenticated.

Pillar 2: Device

A device is any hardware asset that can connect to a network. An optimal model includes constant device security monitoring and validation, and data access depends on real-time risk analytics.

Pillar 3: Network/Environment

The CISA Zero Trust Maturity Model defines network/environment as any open communications medium, including agency internal networks, wireless networks, and the Internet. An optimal model uses fully distributed ingress/egress micro-perimeters, machine learning-based threat detection, and encryption for all traffic.

Pillar 4: Application Workload

Applications and workloads include agency systems, computer programs, and services that execute on-premise and in the cloud. Optimal models continuously authorize access and are strongly integrated into the application workflow.

Pillar 5: Data

Data needs to be protected on all devices, in applications, and on networks, according to the CISA Zero Trust Maturity Model. An optimal model uses dynamic support and encrypts all data.

How StrongDM Simplifies Zero Trust Implementation

Zero Trust implementation can seem daunting, particularly for organizations that are taking a reactive approach to data loss prevention. StrongDM simplifies Zero Trust at optimal levels for network/environment, application and workload, and data by detecting suspicious behavior in real-time and providing a full audit trail that logs every permission change and employee query.

This checks the boxes for optimal threat protection, visibility and analytics, automation and orchestration, governance, access authorization, and access determination, all key components of Zero Trust.

IT administrators already have enough to do without manually configuring access and implementing Zero Trust from scratch. StrongDM makes it easy with a Dynamic Access Management (DAM) Platform that provides access to resources based on what’s actually needed and enforces a Zero Trust model that keeps infrastructure and resources safe.

Want to see how StrongDM can help your organization move toward Zero Trust? Book a demo today.

About the Author

, Co-founder / CCO, began working with startups as one of the first employees at Cross Commerce Media. Since then, he has worked at the venture capital firms DFJ Gotham and High Peaks Venture Partners. He is also the host of Founders@Fail and author of Inc.com's "Failing Forward" column, where he interviews veteran entrepreneurs about the bumps, bruises, and reality of life in the startup trenches. His leadership philosophy: be humble enough to realize you don’t know everything and curious enough to want to learn more. He holds a B.A. and M.B.A. from Columbia University. To contact Schuyler, visit him on LinkedIn.
