CISA revising Zero Trust Maturity Model to better align it with CDM services
The Cybersecurity and Infrastructure Security Agency intends to revise its Zero Trust Maturity Model to better align its programs and services with governmentwide adoption of zero-trust security architectures in 2022.
CISA is in the process of revamping its Continuous Diagnostics and Mitigation (CDM) program to deploy zero-trust capabilities that increase its visibility into agencies’ networks, which in turn allows it to help them mature their architectures.
CISA quickly released the Zero Trust Maturity Model last summer, not because the Cybersecurity Executive Order requiring zero trust adoption called for it, but to inform agencies how they could use CDM to support key aspects of zero trust, like asset management.
“We’ve done a lot of work with [Trusted Internet Connections] so far,” said John Simms, TIC senior technical advisor at CISA, during an ATARC event Thursday. “But CDM is another area that I think could benefit from additional explanation and connectivity to the zero trust pillars in the federal strategy.”
A month into the release of the Federal Zero Trust Strategy, CISA has had several discussions with the Office of Management and Budget about developing metrics to assess agencies’ progress adopting zero trust in key areas like segmentation, phishing-resistant multi-factor authentication, and data, Simms said.
The Federal Zero Trust Strategy didn’t set hard deadlines for agencies to be a certain percentage compliant with zero trust pillars because OMB is aware they need to adjust their budgets.
But OMB does want CISA supporting agencies as the entire government transitions to zero trust for however long it takes to get there, whether it be three years or 10, Simms said.
“I suspect, based on what I’m hearing is that, they’re going to be looking for demonstrable progress in those key areas and looking at the plans that the agencies are submitting here within the next couple of weeks,” he said. “They’re going to use those to continue the dialogue with the agencies — not just from the federal CIO’s office but also the resource side of OMB, where your budget examiners and resource officers and desk officers are engaging with the agencies — because it’s about bringing together the entire support mechanism that the agencies rely on.”