Introduction

CMS is using the Cybersecurity and Infrastructure Security Agency (CISA) Zero Trust Maturity Model (ZTMM) to transition to a ZT architecture (ZTA). The ZTMM framework includes five pillars to guide agencies towards a ZTA, and one of those pillars focuses on devices.  This blog post is a deeper dive into the device threat protection function within the Devices pillar. 

Deep Dive: Zero Trust Devices pillar

A device is any asset (including its hardware, software, firmware, etc.) that can connect to a network, including servers, desktop and laptop machines, printers, mobile phones, IoT devices, networking equipment, and more.  For cloud environments, assets include compute resources like virtual machines, servers, or containers. 

ZT Devices pillar includes the following functions:

• Policy and Enforcement and Compliance Monitoring
• Asset and Supply Chain Risk Management
• Resource Access (formerly Data Access)
• Device Threat Protection

The Devices pillar also includes three cross-cutting capabilities: 

• Visibility and Analytics 
• Automation and Orchestration 
• Governance

How Zero Trust is measured

The ZTMM measures maturity within the device threat protection function of the Devices pillar using four levels.  As a system becomes more mature, there is more automation for setup and more automation for enforcement of policies or configurations. 

• At the Traditional level, an ADO would manually deploy threat protection capabilities to some devices. 
• At the Initial level, the ADO has some automated processes for deploying and updating threat protection capabilities to devices and to virtual assets with limited policy enforcement and compliance monitoring integration. 
• At the Advanced level, the ADO begins to consolidate threat protection capabilities to centralized solutions for devices and virtual assets and integrates most of these capabilities with policy enforcement and compliance monitoring. Or they may use centralized solutions provided by CMS. 
• At the Optimal level, the ADO system has a centralized threat protection security solution(s) deployed with advanced capabilities for all devices and virtual assets and a unified approach for device threat protection, policy enforcement, and compliance monitoring.

Device Threat Protection

Every device that connects to a network is a potential attack vector for cyber threats.  Devices face a wide range of threats such as malware, unpatched vulnerabilities and physical threats (e.g., device theft). This is why device threat protection is so critical.   

Traditionally, security professionals used antimalware and host-based intrusion detection systems (HIDS) to protect devices, but these traditional solutions, deployed alone, have limitations.  Traditional antimalware and HIDS, used alone, do not have the advanced technology required to detect, record, evaluate and respond to modern cyber threats. Antimalware software and HIDS can only detect on threats they know about. 

Manually configuring security on numerous endpoint devices can be complex, time consuming, and error-prone.  Application Development Organizations (ADOs) can use system imaging along with endpoint management tools to create servers and virtual machines that are properly configured to ensure a consistent baseline across devices.

What about unknown threats? To identify unknown threats, an endpoint detection and response (EDR) tool should be deployed to gather in depth data about processes that can be used to highlight unusual activity.  EDR tools use advanced behavioral analysis, machine learning and threat intelligence to identify and respond to cyber threats that may evade traditional security measures.

Some of the more popular EDR vendors/tools include:

• CrowdStrike Falcon
• Trellix XDR Platform
• SentinelOne Singularity
• Microsoft Defender

Transition away from traditional device threat protection  

To increase maturity within the device threat protection function, one thing ADO teams should consider is how the system deploys threat protection capabilities for all devices. Teams might increase their maturity from Traditional to Initial by having some automated processes in place for deploying and updating threat protection capabilities to servers, either physical or virtual machines. 

In fact, some teams are using gold images to deploy threat protection capabilities for physical devices. The FY24 HHS Data Call responses show that teams are using CMS Cloud Gold Images.  Responses also show that teams are using Trend Micro Deep Security which provides a single platform for server security to protect physical, virtual, and cloud servers as well as hypervisors and virtual desktops. 

Takeaway

The primary takeaway for ADO teams is that CMS Gold Images and Trend Micro are resources that you might use to increase your current ZT maturity within the device threat protection function of the Devices pillar.  The ZT Team plans to perform more research to identify additional tools that might increase maturity within the device threat protection function of the Device pillar.​  In the meantime, you can read more about the Devices pillar here, here, and here.  Stay tuned for more information about the Devices pillar!

About the author

Ambler Jackson is a Cybersecurity Engineer at Noblis, Inc., supporting the CMS Zero Trust team.