CISA preps update to the zero trust maturity model

The Cybersecurity and Infrastructure Security Agency will update its zero trust maturity model to assist agencies in meeting goals outlined in the cybersecurity executive order released last year, an official said Tuesday.

The Cybersecurity and Infrastructure Security Agency (CISA) plans to update its zero trust maturity model, released last year, a CISA official said Tuesday, as agencies work to meet zero trust security goals amid a rapidly changing landscape of cybersecurity threats. 

CISA published the model last September, coinciding with an Office of Management and Budget draft memo with specific deadlines for agencies around five pillars of zero trust: identity, devices, networks, applications and data. Agencies were given four years to implement foundational zero trust policies within those five pillars, from encrypting DNS requests and web traffic to subjecting all applications to rigorous, routine testing.

While CISA has continued to publish a series of security guidance documents in conjunction with federal agencies, including the Cloud Security Technical Reference Architecture, it expects to revise the maturity model released last year, according to Grant Dasher, a CISA identity and access management expert. 

The model "will be updated," Dasher said at the Identity Theft Resource Center (ITRC) cybersecurity policy forum on Tuesday, noting that potential revisions have "not yet gone through the pipe." 

In the meantime, Dasher said CISA was encouraging agencies to focus on establishing phishing-resistant, multi-factor authentication for their entire population of users along with other key recommendations outlined in its original maturity model, adding: "That is a significant value add on its own, and it's a foundational piece of zero trust."

The OMB draft memo required agencies to establish enterprise-wide identity capabilities and stated that phishing-resistant MFA "protects personnel from sophisticated attacks." The OMB and CISA strategies support a cybersecurity executive order the White House released in May 2021, which required agencies to begin implementing zero trust architectures under set timeframes. 

CISA describes its maturity model as "one of many roadmaps" for agencies transitioning to zero trust architectures, which aim to prevent unauthorized access to data and services by consistently verifying user credentials across network checkpoints.

Cybersecurity experts say zero trust frameworks provide one of the most comprehensive tools in the battle against ransomware attacks and the data breaches they cause, which ITRC found to be on the rise in its latest report released this week. The report showed 2021 setting a new record for data breaches, with a total of 1,862 reported compromises, and said that in a majority of cases consumers failed to take actionable steps to protect their data after a reported breach.