CISA publishes update to Zero Trust Maturity Model
The Cybersecurity and Infrastructure Security Agency on Tuesday published a second version of its Zero Trust Maturity Model, which updates implementation guidance for agencies across key pillars including identity, networks and workloads and data.
The latest version of the guidance updates key definitions and metrics for the governmentwide adoption of zero-trust security architectures. The model is one of several paths federal agencies can take in designing and implementing their move to zero trust.
It comes more than a year after the release of CISA’s Zero Trust Maturity Model, which set out how U.S. government departments could deploy its Continuous Diagnostics and Mitigation (CDM) program to improve network visibility.
The updated maturity model adds an additional maturity stage – optimal – alongside traditional, initial and advanced, which were included in the agency’s initial guidance document.
Speaking to FedScoop ahead of the maturity model update, GitLab’s Federal CTO Joel Krooswyk said: “I think the application workload and data pillars of the model will see the majority of the new information.”
He added: “From a Zero Trust maturity perspective, most of the real work being done and the biggest gains to be made are within those two areas.”
The Zero Trust Maturity Model’s five pillars — identity, devices, networks, applications and workloads, and data — are meant to be a guide for federal agencies zero trust strategy implementations and most agencies have started off focusing on identity and data questions.
Krooswyk said he would like to see the maturity model shed more light on threats and risk factors of new technologies like AI models created by OpenAI and others along with the risks of cloud technologies given the mass migration to cloud in the federal government in the past few years.
“Popular AI tools created by OpenAI like ChatGPT are opening the possibility that someone will type confidential information into the AI tool when and then that model knows it and can build upon that information,” said Krooswyk.
“It’s not a question of if but when AI will pose a threat to our cybersecurity landscape and Zero Trust.”
Federal agencies have been pushed to submit their zero-trust architecture implementation plans as required by the White House’ Office of Management and Budget (OMB).
CISA describes its maturity model as “one of many roadmaps” for federal agencies shifting to zero trust architectures, which are intended to prevent unauthorized or dangerous access to government data and services by consistently verifying user credentials across network checkpoints.
Federal IT experts like Krooswyk said that although the maturity model is voluntary and not mandated, he hopes that it will be implemented swiftly.
“I don’t see opposition to this update in part because it’s all voluntary, not legally binding but I hope it’s taken seriously and not put in nice to have box,” Krooswyk said.
Notably, the updated maturity model does not address aspects of cybersecurity related to to incident response, specifics for logging, monitoring, alerting, forensic analysis, risk acceptance, and recovery and other aspects related to best practices for enterprise cybersecurity posture management are not explicitly included.
It also does not cover guidance on how to best incorporate machine learning and artificial intelligence capabilities within zero trust solutions as well as emerging technologies such as deception platforms, authenticated web application firewalls, behavior analytics.
“Agencies should be careful to not create new opportunities for exploitation or weaken security protocols. Research and development are required to effectively assure software and hardware systems integrity at scale across federal enterprises,” the CISA maturity model 2.0 says.
Krooswyk added that he would like to see the maturity model shed more light on threats and risk factors of new technologies like AI models created by OpenAI and others along with the risks of cloud technologies given the mass migration to cloud in the federal government in the past few years.
