CISA releases updated guidance for zero trust security architectures

The Cybersecurity and Infrastructure Security Agency issued revised zero trust guidance Tuesday after incorporating nearly 400 comments from public and private sectors on its previous version.

The Cybersecurity and Infrastructure Security Agency is encouraging increased automation and enhanced security for access controls in its latest roadmap for agencies and organizations working to achieve zero trust.

The Cybersecurity and Infrastructure Security Agency published updated guidance for its Zero Trust Maturity Model on Tuesday, more than a year after the nation's cyber defense agency issued an initial set of best practices and guidelines to evaluate security capabilities and identify areas for improvement. 

The latest maturity model features recommendations CISA received during a public comment period, and incorporates elements of the Office of Management and Budget memo about implementing zero trust security principles from January 2022. 

The maturity model is meant to serve as one of several roadmaps agencies can use to shift towards a data-centric security approach and to prevent unauthorized access to systems and services.

It includes five pillars of trust – identity, network, data, and applications and workloads – and provides specific examples of zero trust architectures, from traditional and initial to advanced and optimal.

An optimal zero trust architecture features continuous validation and risk analysis, according to the latest maturity model, in addition to enterprise-wide identity integration and tailored, as-needed automated access to specific systems and applications. 

Networks on an optimal zero trust architecture feature distributed micro-perimeters with secure access controls and configurations that are regularly monitored and updated. The maturity model also encourages greater use of secure automation, including automated data categorization and enterprise-wide labeling.

According to CISA documents, the agency fielded 378 comments “from agencies, vendors, consulting services, academic organizations, trade associations, individuals and foreign organizations” on the first version of the maturity model, accepting 60% of them for inclusion in the new guidance.

Changes included the addition of the “Initial” maturity stage within the model, which represents the second stage of an agency’s zero trust adoption process and includes steps like “starting automation of attribute assignment and configuration of lifecycles, policy decisions and enforcement,” among others.

CISA officials also added language to clarify terms and concepts in the model and “expanded and added functions for each pillar, and clarified intent of cross-cutting pillars” to provide more granularity as requested by stakeholders.

The federal government faces significant challenges in adopting zero trust architectures, the maturity model notes, and many agencies are starting from different levels with varying degrees of funding, resources and capabilities to cope with the ever-changing technological landscape and emerging cybersecurity risks. 

“Regardless of starting point, successful zero trust adoption can produce numerous benefits such as improved productivity, enhanced end-user experiences, reduced IT costs, flexible access and bolstered security,” the maturity model said.