In April 2023, the Department of Homeland Security (DHS) Cybersecurity & Infrastructure Security Agency (CISA) released their Zero Trust Maturity Model Version 2.0 (ZTMM) as "one of many paths that an organization can take in designing and implementing their transition plan to zero trust architectures in accordance with Executive Order (EO) 14028 'Improving the Nation's Cybersecurity' which requires that agencies develop a plan to implement a Zero Trust Architecture (ZTA)."
Zero trust is not a product. It's a mindset, a path toward better security that includes a set of core capabilities and an approach that emphasizes the concept of least privileged access.
A "never trust, always verify" approach means granting least privilege access based on a dynamic evaluation of the trustworthiness of users and their devices and any transaction risk before they are allowed to connect to network resources.
Before implementing an operational approach with such far-reaching and strategic effects, getting the fundamentals right is important. Don't go to Step 1 without starting here! NIST SP 800-207 emphasizes that an enterprise cannot determine what new processes or systems need to be in place if there is no knowledge of the current state of operations. In fact, NIST emphasizes that before starting an enterprise's journey into zero trust, having a "survey of assets, subjects, data flows, and workflows" remains a necessity. Further, NIST reminds us that "developing access policies around acceptable risk to the designated mission or business process" is crucial to any zero trust deployment.
Likewise, the CISA ZTMM emphasizes "alignment with NIST's steps for transitioning to zero trust" and that "agencies should assess their current enterprise systems, resources, infrastructure, personnel, and processes before investing in zero trust capabilities." Additionally, the CISA guide makes reference to NIST CSWP 20: "Planning for a Zero Trust Architecture: A Planning Guide for Federal Administrators", which describes the importance of following the deliberate steps of the Risk Management Framework to help an enterprise discuss, develop, and implement a ZTA. Suffice it to say, focusing on the fundamentals of knowing your environment and applying a risk-informed approach to developing policy remains critical before starting your journey to zero trust.
Policies can be developed and deployed by the Policy Decision Point (PDP) to enable granular, least privilege access controls that are enforced in the most optimal Policy Enforcement Point (PEP). Policies are calculated with input from as many sources and with as much context as possible to inform the policy engine. A risk-informed understanding of the appropriate workflows and data flows is critical to developing these policies. All network activity must be visible, understood, continuously inspected, and logged. Any indications of compromise or variations in behavior changes between users and devices, and resources must be investigated, validated, and responded to immediately to mitigate additional risks (Figure 1).
Figure 1. Zero Trust Logical Components Adapted from NIST SP 800-207
The CISA ZTMM uses a maturity model to describe the necessary capabilities allocated across several pillars. Underpinning the "core five pillars," the visibility & analytics capabilities support all the capabilities in the pillars of identity, devices, networks, applications & workloads, and data. Likewise, automation & orchestration support, economize, and harmonize all zero trust capabilities and operations across the pillars. To realize the zero trust logical working model from Figure 1, it is important to note that the capabilities must work across pillars holistically, not by themselves in a single pillar or "silo."
Cisco's open standards-based integrated capabilities enable government enterprises to take a four-step, cross-pillar approach to delivering secure mission outcomes with zero trust.
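To make the Figure 1 decision loop concrete, here is an added example (not Cisco's or NIST's code) of a toy Policy Decision Point that scores each request from identity, device and behavioural context, tolerates less risk for more sensitive resources, and has the enforcement point log every decision for visibility & analytics; the fields, weights and thresholds are assumptions.

```python
# Constructed PDP/PEP model of the NIST SP 800-207 logical components; all signals are assumed.
from dataclasses import dataclass

@dataclass
class AccessRequest:
    user: str
    mfa: bool                  # identity assurance signal from the identity provider
    device_compliant: bool     # posture signal from device management
    device_known: bool         # device is enrolled / inventoried
    resource: str
    action: str                # "read" or "write"
    resource_sensitivity: int  # 1 (public) .. 3 (restricted), from data classification
    geo_anomaly: bool          # behaviour deviation flagged by visibility & analytics

@dataclass
class Decision:
    allow: bool
    reason: str
    reauth_seconds: int        # how soon the PEP must ask the PDP again (continuous evaluation)

def risk_score(req):
    """Combine identity, device and behavioural signals into a transaction risk score."""
    score = 0
    if not req.mfa: score += 3
    if not req.device_compliant: score += 2
    if not req.device_known: score += 2
    if req.geo_anomaly: score += 3
    if req.action == "write": score += 1
    return score

def decide(req):
    """PDP: least privilege means the more sensitive the resource, the less risk is tolerated."""
    tolerance = {1: 6, 2: 3, 3: 1}[req.resource_sensitivity]
    score = risk_score(req)
    if req.resource_sensitivity == 3 and not req.mfa:
        return Decision(False, "restricted data requires MFA", 0)
    if score > tolerance:
        return Decision(False, f"risk {score} exceeds tolerance {tolerance}", 0)
    # Shorter session lifetime as risk rises, so the PDP re-evaluates sooner.
    reauth = 900 if score == 0 else max(60, 900 // (score + 1))
    return Decision(True, f"risk {score} within tolerance {tolerance}", reauth)

AUDIT_LOG = []

def enforce(req):
    """PEP: ask the PDP, enforce the answer, and log every decision for analytics."""
    d = decide(req)
    AUDIT_LOG.append((req.user, req.resource, req.action, d.allow, d.reason))
    return d
```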
Figure 2. CISA Zero Trust Maturity Evolution
A practical approach for realizing a zero trust journey can be encapsulated in an operational, four-step, cyclical approach:
Continuously applying these steps helps drive security resilience for your organization and can help you to strengthen your security posture with the power to understand risk exposure, spring back from disruption, and limit the impact of incidents. Cisco solutions integrate with your existing network and the capabilities you already have. They deliver visibility and analytics to know and control what connects to your network. And they provide capabilities from automatic threat updates to machine learning to behavioral modeling that will help you outsmart emerging threats. All of it made easier to manage and more efficient by integrated, automated orchestration through a resilient platform.
Go deeper into how Cisco can help you frustrate attackers, not users, and how Cisco enables zero trust security.
Check out the resources and videos on Security Resilience for Government and explore use cases for government at Portfolio Explorer for Government.