In April 2023, the Cybersecurity and Infrastructure Security Agency (CISA) released version two of their Zero Trust Maturity Model (ZTMM). This version incorporates feedback from experts and the community in response to their initial June 2021 draft. CISA has kept its conceptual view of a Zero Trust Architecture (ZTA),  incorporating five pillars and three cross-cutting capabilities. However, it has significantly reviewed the functions that build each pillar and capability. CISA’s understanding and explanation of a ZTA have dramatically improved from the initial draft and evolved into a more forward-looking and actionable model with less implicit trust.

Before we address some of these changes, let’s suppose you’re unfamiliar with how to use a maturity model. A maturity model is one of many ways to obtain flexible or loose direction along a given journey toward a destination and measure your progress. For our purposes, the CISA ZTMM describes each “function” of a ZTA (a capability or service that your system should provide) across four levels of maturity, Traditional, Initial, Advanced, and Optimal. 

What do I need to do? 

Frankly, nothing -- at least not immediately. The Zero Trust Team is updating our adaptation of the CISA ZTMM for AWS systems before moving on to differently platformed systems. For those that have answered our data call already, Thank you! And do not worry. You won’t have to do it again right away. 

Why does this matter? 

Traditional system defense has been outgrown by the world we live in today. We no longer exist in a world of small, barely connected islands but a vast and wildly interconnected menagerie of loosely related systems. The always-online and accessible-from-anywhere application is not a fever dream of the newest generation but a reality of the current world we inhabit. The latest version of the ZTMM accepts this reality and adequately describes modern systems. Below, I describe some of the more impactful changes and functions that you may want to keep a bit more “top of mind.” And, I encourage everyone to have a look themselves, it’s realistically only 20 pages. 

Networks 

First, the entire Networks pillar has had some intense light shone upon it (In my opinion). The functions have moved from a description of networking mired in the past to a thoroughly forward-looking conceptualization of the network. ZTMM Version Two covers seven functions within the Networks pillar: Network Segmentation, Network Traffic Management, Traffic Encryption, Network Resilience, Visibility and Analytics Capability, Automation and Orchestration Capability, and Governance Capability. Some of these functions are only partially relevant to your responsibility level or contract requirements because this model is directed at the agency level. Still, a few are essential to start conceptualizing now. You may pay particular attention to the Automation and Orchestration Capability. which brings networking changes into the Infrastructure as Code (IaC) and Continuous Integration/Continuous Deployment (CI/CD) pipeline. The “Visibility and Analytics Capability” function has expanded as well, from only having visibility into “most things that happen” to supporting threat-hunting activities and being able to report normalized analytics for inter-agency correlation. This type of both broad and deep visibility in some way spans all five pillars. The language within Network Segmentation has been more thoroughly reworked to indicate the goals of a ZTA. Micro-segmentation terminology is not doing as much of the heavy lifting, with version two expanding the language to say, more precisely, “service-specific interconnections.” In a ZTA, network boundaries exist at the application or service level rather than the systems level. 

Identity 

Another new function that warrants attention is Access Management from the Identity pillar. In this function, the Role Based Access Control (RBAC) that we all know and love would put your system in the ‘Traditional’ or ‘Initial’ maturity. To move to Advanced maturity, access should be limited down to the session for both actions taken and resources accessed. Suppose you want to be at Optimal maturity. In that case, that access should not only be part of an automated system (that incorporates risk indicators from disparate systems) but should limit to not only what is being done but by whom, which means that “roles” and “groups” are not the limiting factors anymore but part of the rich tapestry of risk-informed access control. 

Conclusion 

The ZTMM is not a list of individual prescribed settings that promise security through compliance. Instead, the model describes the functions a system should be able to carry out to meet increasing levels of security. Is it easy? No. Is it worth it? Yes. Is it exciting? I don’t know; that’s a deeply personal question, but if you’re interested in getting into a system's conceptual nitty-gritty details to protect it based on the actual risk, then Zero Trust and this maturity model are great places to start.

About the author: Jeff Bond is a Security Architect at Aquia, Inc., supporting the Zero Trust Team at CMS.