CISA updates its zero-trust maturity model.
The CyberWire, Apr 12, 2023

CISA released version 2 of its Zero Trust Maturity Model yesterday, an update to the agency’s existing model.


CISA yesterday updated its Zero Trust Maturity Model, incorporating recommendations received through public comment and expanding the government’s zero trust capabilities.

Identifying different zero trust starting points.

In a press release yesterday, CISA defined the zero trust approach as “an approach where access to data, networks and infrastructure is kept to what is minimally required and the legitimacy of that access must be continuously verified.” The agency recognizes that the architectures implemented by different organizations are at different maturity levels and come from different starting points. The updated model adds a new stage, “Initial,” to the maturity scale used to assess each pillar.

Facilitating zero trust implementation.

The updated model is said to provide “a gradient of implementation” across the pillars, which allows agencies to advance their zero trust architecture incrementally. The five pillars are: “Identity, Devices, Network, Data, and Applications and Workloads.”

Chris Butera, Technical Director for Cybersecurity at CISA, said “As one of many roadmaps, the updated model will lead agencies through a methodical process and transition towards greater zero trust maturity. While applicable to federal civilian agencies, all organizations will find this model beneficial to review and use to implement their own architecture.”

Expert response to the new release.

Richard Bird, CSO at Traceable, notes that Zero Trust for APIs has fallen by the wayside:

“Implicit trust within corporate and government agency systems is empirically proven to be a failing architecture. Not only has it failed, it is failing faster every single day with larger and larger breaches and losses. CISA is right to continue to keep their foot on the gas pedal. The time for making excuses for allowing implied and persistent trust has passed.

“While the enhanced ZTMM from CISA is another great effort, neither CISA nor NIST SP 800-27 directly addresses the need for Zero Trust for APIs. APIs have rapidly become the DevOps workaround when it comes to ZT. Violations of basic ZT requirements like ‘all communications are secured…’ are rampant in layer 7 because APIs rarely are included in anyone's security program, let alone their Zero Trust program strategy.”