Understanding the Zero Trust Maturity Model V 2.0

On Aprill 11, 2023 the Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) delivered an updated Zero Trust Maturity Model (ZTMM) draft based on information from the existing ZTMM V1.0, Zero Trust Implementation Plans with the Office of Management and Budget (OMB), CyberStat Working Groups, National Security Telecommunications Advisory Committee (NSTAC), one-on-one meetings with agencies, international partners, and the greater IT community.

Although this model is primarily aligned to federal agencies, it could also be used as a guide or persuasive precedent for private sector enterprises or other third-party organizations.

Based on comments from the IT community, CISA has noted that federal agencies will have different starting points when it comes to implementing their Zero Trust Architecture (ZTA). As such, it is critical to identify these different levels of maturity when looking at the previous Zero Trust Model since the journey to implementing the ZTA is continuous.  

What has Changed in the Zero Trust Maturity Model?

ZTMM allows for and defines a gradual evolution to zero trust, distributing costs over time rather than entirely upfront. Each subsequent stage requires greater levels of protection, detail, and complexity for adoption.

The ZTMM represents five different pillars, namely: Identity, Devices, Networks, Applications & Workloads, and Data. As agencies embark on their individual ZTA journey, each pillar can progress at different rates until they reach cross-pillar coordination.  

Version 1.0 of this model had previously identified three stages of maturity in its Zero Trust Maturity Model: traditional, advanced and optimal. Version 2.0 has now made an allowance for an “initial” stage and has revised the criteria for each stage.

• Traditional- manually configured lifecycles (i.e., from establishment to decommissioning) and assignments of attributes (security and logging); static security policies and solutions that address one pillar at a time with discrete dependencies on external systems; least privilege established only at provisioning; siloed pillars of policy enforcement; manual response and mitigation deployment; and limited correlation of dependencies, logs, and telemetry.    
• Initial- starting automation of attribute assignment and configuration of lifecycles, policy decisions and enforcement, and initial cross-pillar solutions with integration of external systems; some responsive changes to least privilege after provisioning; and aggregated visibility for internal systems.    
• Advanced- wherever applicable, automated controls for lifecycle and assignment of configurations and policies with cross-pillar coordination; centralized visibility and identity control; policy enforcement integrated across pillars; response to pre-defined mitigations; changes to least privilege based on risk and posture assessments; and building toward enterprise-wide awareness (including externally hosted resources).    
• Optimal- fully automated, just-in-time lifecycles and assignments of attributes to assets and resources that self-report with dynamic policies based on automated/observed triggers; dynamic least privilege access (just-enough and within thresholds) for assets and their respective dependencies enterprise-wide; cross-pillar interoperability with continuous monitoring; and centralized visibility with comprehensive situational awareness.  

Per the Zero Trust Maturity Model, Version 2.0

Each of the five pillars also includes cross-cutting capabilities of Visibility and Analytics, Automation and Orchestration, and Governance. These capabilities are used to determine interoperability of functions across pillars.

What Does this Mean?

CISA has been taking necessary action to implement a ZTA within federal agencies to combat sophisticated and persistent cyberattacks. As the focus shifts from securing business perimeters to securing business data, authenticating a user once and then implicitly trusting them is no longer adequate. Following the guidance provided by the updated CISA ZTMM and OMB's M-22-09, by the end of Fiscal Year 2024, federal agencies will be required to reach specific zero trust milestones.  

To better mitigate attacks from nation-states and other cyber threats, both public and private sector organizations should work towards adopting a ZTA.  

The journey to Zero Trust will be a constantly developing topic of discussion because the cyber landscape is continuously evolving. The updated roadmap of the ZTMM creates provisions allowing for more flexibility as enterprises navigate their journey toward ZTA. By considering that each enterprise will have a unique starting point, the ZTMM seeks to improve security, decrease downtime, lower overhead, and provide better end-user experiences as organizations progress from one stage to the next.

‍