How CISA’s revised maturity model can help initiate, accelerate, or maintain zero trust momentum

May 03, 2023

No matter where your organization stands on the road to zero trust – even if it hasn’t yet set out – your next step just became a little clearer.

CISA’s newly released Zero Trust Maturity Model 2.0 is the latest example of a framework worth rallying around to increase overall resilience against cyber threats. Rather than expecting critical infrastructure owners and other organizations hungry for guidance to jump straight into the deep end, the 2.0 release contains benchmarks for newcomers.

The introduction of an “initial” phase to this document is a key improvement that will help agencies stuck at the “traditional” stage get started with their zero trust transitions. These organizations are often state, local and education (SLED) entities or small and medium businesses with large, flat networks and limited IT resources to protect them. Given the interconnectedness of supply chains, their exposure should concern organizations of all sizes.

CISA’s maturity model no longer asks organizations to make it halfway up the mountain in a single push. Source: CISA, Zero Trust Maturity Model 2.0

CISA’s endorsement of zero trust principles, both in this document and among private sector members of its Joint Cyber Defense Collaborative (JCDC), is further strong evidence that government agencies are moving in the right direction on cybersecurity. RSAC 2023 provided proof that information sharing between private industry and government agencies yields results. The fact that these organizations are joining together to voice their support for zero trust makes all of us safer.

The zero trust maturity matrix. Source: CISA, Zero Trust Maturity Model 2.0

Putting the model into action

Guidance and information sharing help, but in my experience working within government agencies, most were so “customer-focused” – meaning intent on serving their constituents – that this occupied the bulk of their attention. They typically don’t have the luxury of obsessing over their cyber threat mitigation tactics, especially the IT funding “have-nots,” until it’s too late.

In government, there is also the obstacle of leadership turnover. Agency heads have four or, at most, eight years at the helm. They also arrive with different leadership priorities. As in the private sector, these competing priorities can make it difficult to execute transformational initiatives. But CISA’s revamped maturity model allows any organization to pick up where its IT predecessors left off.

Here’s my advice for turning CISA’s Zero Trust Maturity Model 2.0 into an actionable framework for your organization, public or private:

  • Use it to honestly evaluate progress on your journey. Your organization falls somewhere on CISA’s maturity spectrum. Whether CXOs and their teams discuss zero trust transformations daily or haven't given it a thought, now is the time to critically assess where they fall. Luckily, CISA's Zero Trust Maturity Model 2.0 provides actionable advice for progressing, whether that's from Advanced to Optimal or just breaking out of a traditional mindset. Decide on your target stage and take action to get there. 

Action: Set a meeting with IT security leadership to establish where along the maturity model you currently fall for each of the five pillars – identity, devices, networks, applications/workloads, and data. Use this to build an honest understanding of where your agency or business is overall.

  • Create context for leadership about your progress toward zero trust. Security teams encountering resistance from leadership about allocating more resources to a zero trust transformation should use the model to illustrate that zero trust is a process, not a purchase order. “I gave you some money for this last year” is a common but misguided objection organizations encounter along the journey. Use the framework as context for why security may need more budget, personnel, or board support to truly transition into a zero trust-enabled organization.

Action: Pinpoint concrete investments or initiatives that could take you to the next level of each pillar. Then build a specific business case for each focused on mitigating risk, improving productivity, or achieving cost savings by consolidating vendors or point products. Have a CXO lobby senior leadership or the board for organizational support. Focus on measuring success to build confidence for when you return to initiatives that were denied. Also, manage expectations so that leadership knows that, while one round of funding may get the organization to the next step, additional steps will require additional funding.

  • For more mature organizations, begin thinking about resilience. You’ve invested in cyber controls and risk mitigation strategies; now it’s important to focus on how zero trust network architecture can help prevent minor incidents from becoming catastrophic breaches. Those measures include eliminating lateral movement and implementing data loss prevention capabilities. Containing the blast radius of a breach is an inherent benefit of zero trust, but security teams must extend their capabilities to automation, orchestration, and governance. Even well-designed security programs will fail if they cannot scale with the organization, so continued support for security operations is essential to remaining safe from cyber threats over the long term.

Action: This is the time to be laser-focused on the cross-cutting capabilities:

  1. Visibility and analytics support more informed policy decisions and faster incident response. They can also be used to enhance users' digital experience and to more quickly diagnose application performance issues, leading to a more productive workforce. How visible are your assets and what steps could you take to make the data you gather more valuable?
  2. Automation and orchestration capabilities use insights gained from improved visibility and analytics to support robust and streamlined operations for handling security incidents and responding to events before they escalate in severity. How well-defined are your incident response procedures and have they been table-topped?
  3. Governance enables agencies to manage and monitor their regulatory, legal, environmental, federal, and operational requirements in support of risk-based decision-making. Governance capabilities also ensure the right people, processes, and technology are in place to support mission, risk, and compliance objectives. Has a CXO discussed data risk acceptance, mitigation, and transference strategies with the board or another oversight entity?

Cyber threats are increasing and strike without discrimination. Organizations from large enterprises to K-12 schools should use CISA’s guidance as a catalyst to start or evolve their zero trust architectures. Given our economic interdependencies and integrated supply chains, it’s essential for all organizations to harden their defenses by going all-in on zero trust.
