Security Architecture

CISA Publishes New Guidance for Achieving Zero Trust Maturity

CISA has published the second version of its guide describing the necessary strategies and policies to achieve zero trust maturity.

The US Cybersecurity and Infrastructure Security Agency (CISA) this week released the second version of its guidance for achieving zero trust maturity.

The Zero Trust Maturity Model version 2.0 (PDF) is meant to provide federal agencies and other organizations with a roadmap for transitioning to a zero trust architecture and includes five pillars with ‘examples of traditional, initial, advanced, and optimal zero trust architectures’.

Per the National Institute of Standards and Technology (NIST), “zero trust provides a collection of concepts and ideas designed to minimize uncertainty in enforcing accurate, least privilege per-request access decisions in information systems and services in the face of a network viewed as compromised.”

Zero trust is based on the idea that a breach has already occurred and that no user or asset should be trusted. The goal is to prevent unauthorized access to sensitive assets and to ensure granular access control enforcement.

Implementing a zero trust architecture is a lengthy process that often takes years, incurs additional costs, faces a range of technical and organizational challenges, and requires engagement and cooperation at all levels of the enterprise.

Achieving a zero trust maturity model involves implementations across five pillars – identity, devices, networks, applications and workloads, and data – and making optimizations over time.

“As agencies transition towards optimal zero trust implementations, associated solutions increasingly rely upon automated processes and systems that more fully integrate across pillars and more dynamically enforce policy decisions. Each pillar can progress at its own pace and may progress more quickly than others until cross-pillar coordination is required,” CISA explains.


Organizations looking to transition to zero trust first need to assess their environments – including systems, processes, infrastructure, personnel, and resources – to identify existing capabilities they can build upon as well as gaps that need prioritization.

According to CISA, each zero trust pillar progresses through four maturity stages, namely traditional, initial, advanced, and optimal, and the pillars are supported by three cross-cutting capabilities: visibility and analytics, automation and orchestration, and governance.

Achieving maturity for the identity pillar means transitioning to multi-factor authentication (MFA) and phishing-resistant and passwordless MFA, securely integrating identity stores across environments, automating the authorization of just-in-time and just-enough access, and determining identity risk in real time.

Maturing the devices pillar means transitioning from limited or no visibility into device compliance to continuously verifying and enforcing compliance, from not tracking assets to a comprehensive and real-time view of all assets, and from not having visibility into devices used to access resources to having real-time risk analytics.


For networks, zero trust maturity involves extensive micro-segmentation, dynamic network rules and configurations, encrypting traffic as appropriate and enforcing least privilege principles, implementing proportionate resilience, gaining visibility across all networks, automated configurations and monitoring, and enterprise-wide network policies with dynamic updates.

To ensure zero trust maturity for deployed applications, organizations need to implement continuous authorization of access and real-time risk analytics, advanced threat protections, availability of applications to authorized users and devices over open public networks where appropriate (rather than only over private networks or VPN-protected connections, which the model treats as the traditional stage), robust code deployment mechanisms, application security testing throughout the software development lifecycle, continuous and dynamic application monitoring, and automated app configurations and policies.

Ensuring mature data protections involves continuously inventorying all data, automating data categorization, implementing dynamic methods to optimize data availability, automating dynamic just-in-time and just-enough data access controls, encrypting data in use and enforcing least privilege principles, gaining visibility across and automating the full data lifecycle, and unifying data lifecycle policies.
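The five pillars above are only useful if a single decision point combines them on every request. The following Python is an added illustration of such a deny-by-default, per-request policy evaluation and is not CISA's code or part of the maturity model document; the signal names, the classification labels, the 15-minute posture-freshness window, the 0.7 risk threshold and the just-in-time grant lifetimes are assumptions chosen for the example, as is the sample input.

```python
"""Per-request access decision combining identity, device and data signals.

Added example, not CISA's code. Signal names, thresholds, classification
labels and the scenario data below are assumptions for illustration only.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional

# Authenticator types treated as phishing-resistant (assumption for the example).
PHISHING_RESISTANT = frozenset({"fido2", "piv"})
POSTURE_MAX_AGE = timedelta(minutes=15)   # how fresh a device compliance check must be
RISK_DENY_THRESHOLD = 0.7                 # identity risk score at or above this is denied
# Just-in-time grant lifetimes per data classification; "public" needs no grant.
JIT_TTL = {"internal": timedelta(hours=8), "sensitive": timedelta(hours=1)}


@dataclass(frozen=True)
class Subject:
    user: str
    mfa_method: str          # "none", "otp", "fido2" or "piv"
    risk_score: float        # 0.0 (benign) .. 1.0 (hostile), from identity analytics


@dataclass(frozen=True)
class Device:
    device_id: str
    managed: bool            # enrolled in device management
    compliant: bool          # last posture check passed
    posture_checked_at: datetime


@dataclass(frozen=True)
class Resource:
    name: str
    classification: str      # "public", "internal" or "sensitive"


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str
    expires_at: Optional[datetime] = None   # set only for time-boxed (JIT) grants


def decide(subject: Subject, device: Device, resource: Resource, now: datetime) -> Decision:
    """Evaluate one request. Any path that is not explicitly allowed denies."""
    cls = resource.classification
    if cls == "public":
        return Decision(True, "public resource")
    if cls not in JIT_TTL:
        return Decision(False, f"unknown classification {cls!r}")
    # Identity pillar: some MFA for internal data, phishing-resistant MFA for sensitive data.
    if subject.mfa_method == "none":
        return Decision(False, "MFA required")
    if cls == "sensitive" and subject.mfa_method not in PHISHING_RESISTANT:
        return Decision(False, "phishing-resistant MFA required")
    # Device pillar: a managed device is the floor; sensitive data also needs a
    # fresh, passing posture check and an acceptable real-time identity risk.
    if not device.managed:
        return Decision(False, "unmanaged device")
    if cls == "sensitive":
        if not device.compliant:
            return Decision(False, "device non-compliant")
        if now - device.posture_checked_at > POSTURE_MAX_AGE:
            return Decision(False, "device posture check stale")
        if subject.risk_score >= RISK_DENY_THRESHOLD:
            return Decision(False, "identity risk too high")
    # Just-in-time, just-enough: the grant carries an expiry instead of persisting.
    return Decision(True, f"{cls} access granted", now + JIT_TTL[cls])


def run_scenarios() -> Dict[str, Decision]:
    """Constructed sample requests exercising each branch of decide()."""
    now = datetime(2023, 4, 12, 9, 0, tzinfo=timezone.utc)
    alice = Subject("alice", "fido2", 0.1)
    bob = Subject("bob", "otp", 0.1)
    alice_risky = Subject("alice", "fido2", 0.9)
    laptop = Device("lt-1", managed=True, compliant=True,
                    posture_checked_at=now - timedelta(minutes=5))
    stale_laptop = Device("lt-2", managed=True, compliant=True,
                          posture_checked_at=now - timedelta(hours=2))
    byod_phone = Device("ph-1", managed=False, compliant=False, posture_checked_at=now)
    payroll = Resource("payroll-db", "sensitive")
    wiki = Resource("wiki", "internal")
    return {
        "alice_payroll": decide(alice, laptop, payroll, now),       # allowed, 1h grant
        "bob_payroll": decide(bob, laptop, payroll, now),           # OTP is not phishing-resistant
        "bob_wiki": decide(bob, laptop, wiki, now),                 # OTP suffices for internal
        "alice_stale_payroll": decide(alice, stale_laptop, payroll, now),
        "alice_byod_wiki": decide(alice, byod_phone, wiki, now),
        "alice_risky_payroll": decide(alice_risky, laptop, payroll, now),
    }


if __name__ == "__main__":
    for name, d in run_scenarios().items():
        print(f"{name:22s} allowed={d.allowed!s:5s} reason={d.reason!r} expires={d.expires_at}")
```

The point of the structure is that no single pillar decides: a phishing-resistant authenticator on a stale device is still denied, and a compliant device used by a weakly authenticated user gets only the less sensitive resource. The expiry on the returned Decision is what makes the grant just-in-time; a real policy enforcement point would re-evaluate rather than cache the result past it.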

The new zero trust maturity model document, which integrates the Office of Management and Budget’s (OMB) memorandum for a federal zero trust architecture (ZTA) strategy (M-22-09, PDF), is accompanied by CISA’s Applying Zero Trust Principles to Enterprise Mobility (PDF) guidance, which describes how zero trust principles can be applied to mobile security technologies.

Related: CISA Gets Proactive With New Pre-Ransomware Alerts

Related: CISA, NSA Issue Guidance for IAM Administrators

Related: CISA Expands Cybersecurity Committee, Updates Baseline Security Goals

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
