An Introduction To CISA’s Zero Trust Maturity Model and Architecture
What is the CISA Zero Trust Maturity Model, how does it relate to Executive Order 14028, who’s impacted, and what do contractors need to know in 2023?
That was a mouthful, and if you’re a bit confused, you’ve come to the right place.
This post will provide answers, some helpful tips, and additional guidance on where you can go for more information on how to prepare for impending zero trust regulatory requirements.
This introductory post is part one of a five-part series on zero-trust cybersecurity architectures, so stay tuned for more information.
Here’s what we’re going to cover in part one:
- What is Executive Order (EO) 14028, and what does it have to do with zero trust cyber security in federal contracting?
- Who and what does EO 14028 cover?
- What’s the impact of EO 14028 and zero trust cybersecurity on government agencies and contractors?
- What exactly is a zero trust architecture and the CISA Zero Trust Maturity Model?
- What is the role of CISA in zero trust cybersecurity implementation and compliance?
- When do you need to start preparing for zero trust cybersecurity compliance?
Zero trust security is inevitably coming to all agencies and departments of the federal government. So, let’s get started with the basics of EO 14028.
What is Executive Order 14028, and what does it have to do with zero trust cyber security in federal contracting?
For some context, we went straight to the Cybersecurity and Infrastructure Security Agency (CISA):
Executive Order 14028, “Improving the Nation’s Cybersecurity” marks a renewed commitment and prioritization of federal cybersecurity modernization and strategy. Among other policy mandates, the Executive Order (EO) embraces zero trust as the desired model for security and tasks CISA with modernizing its current cybersecurity programs, services, and capabilities to be fully functional with cloud-computing environments with zero trust architecture (ZTA). While the EO marks a shift in federal policy, many efforts undertaken in recent years laid the foundation for the release of this EO.
Zero trust is, at its core, a cybersecurity concept that assumes a security breach is imminent or has already occurred. This means that all digital entities, like compute devices, network hardware, software, applications, microservices, containers, cloud services, edge gear, users, etc., are persistently authenticated, authorized, and continuously validated before and during access.
In the zero trust paradigm, data in transit is also encrypted with modern network security protocols, e.g., TLS, that are resistant to bulk decryption. Data at rest is also encrypted.
Essentially, in a zero trust security model, there is no implicit trust of any user, device, application, or network. Since this level of security already exists in the cloud, there is a significant push for cloud adoption by Federal Civilian Executive Branch (FCEB) Agencies and contractors.
Who and what does EO 14028 cover?
The EO calls for Federal Civilian Executive Branch, or FCEB, agencies to develop migration plans to zero trust architectures, or ZTAs. The order defines FCEB agencies as “all agencies except for the Department of Defense and agencies in the Intelligence Community.”
So FCEB agencies are essentially all executive-level government agencies outside the military and the intelligence community. This includes government agencies like the DOJ, HHS, DHS, DOT, HUD, and the Departments of the Treasury, Energy, Education, etc.
The EO calls for all FCEB agencies to develop action plans, teams, and budgets to achieve zero trust compliance by the end of calendar year 2024. And CISA’s Zero Trust Maturity Model defines the guidelines and an initial compliance roadmap.
All FCEB Agencies were given initial guidance in a January 26, 2022, memorandum describing the CISA zero trust architecture strategy to be achieved by 2024. This guidance also includes FCEB agency contractors.
The strategy addresses cloud services but also addresses legacy on-premise and hybrid systems.
What’s the impact of EO 14028 and zero trust cybersecurity on government agencies and contractors?
Zero trust cybersecurity is an overarching goal of the federal government. The zero trust environment will be fluid as documents are issued and compliance requirements and deadlines continue to roll out. As FCEB agencies respond to zero trust guidance from NIST, FedRAMP, and CISA, here’s what you can expect as a contractor:
- Contract language being modified to reflect new zero trust agency guidance from NIST, FedRAMP, and CISA
- Updates on all significant developments from the U.S. General Services Administration (GSA)
- Continued guidance and documentation from NIST, FedRAMP, and CISA
- Future updates to the Federal Acquisition Regulation (FAR) and FedRAMP
What’s the bottom line? Contracts and agency requirements for contractors will change as agencies proceed within the CISA maturity model guidance.
So, what is the CISA Zero Trust Maturity Model?
Here’s what CISA has to say about the Zero Trust Maturity Model:
CISA’s Zero Trust Maturity Model is one of many roadmaps for agencies to reference as they transition towards a zero trust architecture. The maturity model, which includes five pillars and three cross-cutting capabilities, is based on the foundations of zero trust. Within each pillar, the maturity model provides agencies with specific examples of a traditional, advanced, and optimal zero trust architecture.
EO 14028 clearly delineates zero trust cybersecurity as the model for the future and calls on CISA to upgrade its capabilities, programs, and services to support zero trust functionality and compatibility in hybrid and cloud computing infrastructures.
To that end, CISA has developed a Zero Trust Maturity Model with five vertical technology pillars of functionality. These pillars consist of:
- Identity
- Device
- Network/Environment
- Application Workload
- Data
There are also three cross-cutting capabilities that intersect each pillar horizontally. These capabilities, which apply to every pillar, are:
- Visibility and Analytics
- Automation and Orchestration
- Governance
Finally, the model defines three maturity levels for each of the pillars. These levels let agencies measure their progress toward the goal of optimal zero trust security across the five pillars and the cross-cutting capabilities. The levels of advancement are:
- Traditional
- Advanced
- Optimal
CKSS will also be providing additional posts over the next several months describing each of the five pillars in the context of the cross-cutting capabilities and maturity levels.
As with any maturity model, ensuring progress is the underlying theme. And that’s where the CISA model comes into play.
What is the role of CISA in zero trust cybersecurity implementation and compliance?
The EO clearly tasks CISA with modernizing its capabilities and services to be fully compatible with legacy and cloud computing environments with optimized ZTAs.
In the Pre-Decisional Draft of its Zero Trust Maturity Model, CISA references the “seven tenets of zero trust,” as outlined by the National Institute of Standards and Technology (NIST). The agency references NIST Special Publication (SP) 800-207 for the technological guidelines.
CISA has issued, and will continue to issue, new documentation and guidance on zero trust. CISA states that the Pre-Decisional Draft is not the definitive document to use to achieve zero trust maturity, but also adds that, “It is meant to aid understanding of zero trust for civilian unclassified systems and provide a road map to migrate and deploy zero trust security concepts to an enterprise environment.”
CISA’s role will continue to expand along with the guidance and documentation it will be issuing.
When do you need to start preparing for zero trust cybersecurity compliance?
We all need to start preparing now. On October 3, 2022, CISA issued a “BINDING OPERATIONAL DIRECTIVE 23-01 – IMPROVING ASSET VISIBILITY AND VULNERABILITY DETECTION ON FEDERAL NETWORKS.”
This BOD from CISA is aimed at identifying IP-addressable assets within agency domains and assessing those assets for vulnerabilities. This is an abbreviated version of the section of the order specifying the upcoming actions required of all FCEB agencies:
- By April 3, 2023, all FCEB agencies are required to take the following actions on all federal information systems in scope of this directive:
- Perform automated asset discovery every 7 days. While many methods and technologies can be used to accomplish this task, at minimum this discovery must cover the entire IPv4 space used by the agency…(note: b-d truncated for brevity)
- Within 6 months of CISA publishing requirements for vulnerability enumeration performance data, all FCEB agencies are required to initiate the collection and reporting of vulnerability enumeration performance data, as relevant to this directive, to the CDM [Continuous Diagnostics and Mitigation] Dashboard. This data will allow for CISA to automate oversight and monitoring of agency scanning performance including the measurement of scanning cadence, rigor, and completeness.
- By April 3, 2023, agencies and CISA, through the CDM program, will deploy an updated CDM Dashboard configuration that enables access to object-level vulnerability enumeration data for CISA analysts, as authorized in the Executive Order on Improving the Nation’s Cybersecurity.
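As an added illustration, not code from this post or from CISA, here is a small Python check of the discovery cadence quoted above: given an agency's IPv4 ranges and a scan log, it reports any range that went more than 7 days without a discovery scan that covered it in full. The ranges, scan records and reference date are constructed sample data.

```python
"""Cadence check for BOD 23-01 asset discovery: every agency IPv4 range must be
fully covered by an automated discovery scan at least once every 7 days."""
from datetime import datetime, timedelta
import ipaddress

MAX_GAP = timedelta(days=7)  # BOD 23-01: automated discovery every 7 days

# Constructed sample data (hypothetical agency space and scan records).
AGENCY_RANGES = ["10.1.0.0/16", "192.0.2.0/24"]
SCAN_LOG = [
    {"time": "2023-04-03T02:00:00", "scope": ["10.1.0.0/16", "192.0.2.0/24"]},
    {"time": "2023-04-09T02:00:00", "scope": ["10.1.0.0/16"]},  # missed one range
    {"time": "2023-04-15T02:00:00", "scope": ["10.1.0.0/16", "192.0.2.0/24"]},
]


def covers(scope, target):
    """True if the target network lies entirely inside one scanned network."""
    return any(target.subnet_of(ipaddress.ip_network(s)) for s in scope)


def cadence_gaps(ranges, scan_log, as_of, max_gap=MAX_GAP):
    """Map each agency range to the list of gaps (in whole days) longer than
    max_gap, including the gap from the last qualifying scan up to as_of.
    A range is credited only when a scan's scope contains it completely.
    A range that was never scanned maps to [None]."""
    as_of = datetime.fromisoformat(as_of)
    scans = sorted(scan_log, key=lambda r: r["time"])
    result = {}
    for cidr in ranges:
        net = ipaddress.ip_network(cidr)
        seen = [datetime.fromisoformat(r["time"])
                for r in scans if covers(r["scope"], net)]
        if not seen:
            result[cidr] = [None]
            continue
        points = seen + [as_of]
        result[cidr] = [(b - a).days
                        for a, b in zip(points, points[1:]) if b - a > max_gap]
    return result


if __name__ == "__main__":
    for cidr, gaps in cadence_gaps(AGENCY_RANGES, SCAN_LOG, "2023-04-20T00:00:00").items():
        print(cidr, "OK" if not gaps else f"out of cadence, gaps in days: {gaps}")
```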
CISA also received an additional $300M in funding for FY 2023.
We see the move toward zero trust cyber security architectures and cloud computing beginning to accelerate significantly.
So what’s the next step to start preparing for a zero trust cybersecurity architecture?
The zero trust architecture compliance space is fluid, evolving, and rapidly taking shape.
And we’re here to help our clients stay abreast of the changes taking place in the world of zero trust cybersecurity and the CISA Zero Trust Maturity Model.
Where can you go for more information and plan your path to ZTA maturity?
We’re here to help.
At CKSS, our team of cybersecurity and regulatory compliance security specialists has extensive experience helping Federal Agencies implement and maintain robust, cost-effective information security programs at all levels. But we’re here to listen first.
It all starts with a complimentary, no-obligation consultation.
After we fully understand your requirements and budget, we can begin planning a strategy to implement a zero trust cybersecurity architecture in the context of CISA’s Zero Trust Maturity Model.
We offer strategic advisory services, security compliance templates, security and compliance staff augmentation, and managed security and compliance services, including Chief Information Security Officer (CISO) services.
You probably have questions.
Call us anytime at 443.464.1589 or get in touch with our team online today.