
Published: 9/16/2024

ZT Devices Pillar: Enforcing security policies and monitoring compliance

by Zero Trust Team

How ADOs can increase Zero Trust maturity within the Devices pillar using tools provided by CMS Hybrid Cloud

Introduction 

Policy Enforcement and Compliance Monitoring is a function within the Devices pillar described in the Cybersecurity and Infrastructure Security Agency (CISA) Zero Trust Maturity Model (ZTMM). This pillar-function pair details security activities that map to four levels of maturity, ranging from the Traditional level to the Optimal level, and highlights the need to enforce device compliance with security policies, maintain visibility into device behavior and continuously monitor device compliance. Learn more about the levels of ZT maturity within the Devices Pillar in our previous post here.  

This blog post summarizes the policy enforcement and compliance monitoring function and outlines how Application Development Organizations (ADOs) can use the pillar-function pair to help manage the evolving risks associated with devices.  

Devices, Virtual Assets and Pillar Functions 

If you ask three of your colleagues to define what a device is, depending on their role within the security/information technology space, you might receive three different answers. The ZTMM states that a device refers to any asset (including its hardware, software, firmware, etc.) that can connect to a network, including servers, desktop and laptop machines, printers, mobile phones, IoT devices, networking equipment, and more. For cloud environments, assets include compute resources like virtual machines, servers, or containers. The complete list of functions within the Devices pillar can be found here.  

Compliance Monitoring 

At a high level, compliance monitoring means having visibility into device behavior and continuously verifying what that visibility reports, rather than trusting a one-time check. AWS Security Hub helps teams monitor their compliance and security posture across the AWS environment. CMS Hybrid Cloud lists AWS Security Hub as a required tool that provides automated checks and near-real-time visibility of aggregated findings from AWS Config and Amazon GuardDuty.

AWS Config records the configuration of AWS resources in an account and their configuration history. GuardDuty continuously monitors for potential threats across an AWS environment. Security Hub's security-standard controls are implemented as AWS Config rules: Config runs the check against the recorded resource configuration and Security Hub presents the result as a finding. A practical consequence is that the Config recorder must be enabled in every account and region where Security Hub controls are expected to report; with the recorder off, the controls do not evaluate and the dashboard goes quiet rather than red.

Policy Enforcement 

In general, policy enforcement ensures compliance with CMS security policies. As an example, a patch management policy requires all systems to be up to date with the appropriate and current patches. Enforcing the requirement to perform routine patching is an example of policy enforcement. AWS Systems Manager (SSM), whose Patch Manager capability scans and patches managed instances against a patch baseline, is one of the tools approved by CMS Hybrid Cloud for patching to ensure that patches are applied on the documented schedule.

Measuring Policy Enforcement and Compliance Monitoring 

The ZTMM measures the maturity of policy enforcement and compliance monitoring activities using four levels. It begins with Traditional, where there are few methods of enforcing policies or managing software, configurations, or vulnerabilities, and ends with Optimal, where there are verified insights for both devices and virtual assets as well as automated policy enforcement. More specifically:

  • At the Traditional level, ADOs have limited visibility (i.e., ability to inspect device behavior) into device compliance and few methods of enforcing policies or managing software, configurations, or vulnerabilities
  • At the Initial level, ADOs receive self-reported device characteristics (e.g., keys, tokens, users), but have limited enforcement mechanisms; there is a preliminary, basic process in place to approve software use and push updates and configuration changes to devices
  • At the Advanced level, there are verified insights (CMS-controlled remote audit) into ADO resources, including remote policy scans via AWS Security Hub and configuration management; compliance is enforced for most systems and virtual assets, and automated methods are used to manage virtual assets
  • At the Optimal level, ADO teams continuously verify insights and enforce compliance throughout the lifetime of devices and virtual assets, and integrate virtual asset, software, configuration, and vulnerability management across all agency environments; non-compliance is actively prevented by CMS standards and policies

Increasing ZT Maturity  

ADO teams meet the Initial level of maturity when they utilize AWS Config as provided by CMS Hybrid Cloud. AWS Config continuously monitors and records AWS resource configurations and allows teams to automate the evaluation of recorded configurations against the desired configurations. Moving from the Initial level to Advanced requires verified insights and automated policy enforcement for both devices and virtual assets.

Teams working in an AWS environment can increase their maturity from Initial to the Advanced level by using AWS Config rules that report into AWS Security Hub. AWS Config rules evaluate the configuration settings of AWS resources; AWS provides managed rules, and custom rules are backed by an AWS Lambda function that Config invokes. A rule can run when a configuration change is detected, or periodically on a schedule. For example, the managed rule ec2-managedinstance-patch-compliance-status-check reads the AWS Systems Manager Patch Manager compliance status of an EC2 instance and marks the instance compliant or non-compliant after a patch installation.
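To make the patch-compliance rule concrete, here is an added example (not code from the original post or from CMS Hybrid Cloud) of what the Lambda behind a custom AWS Config rule of that kind looks like. The evaluation logic is kept separate from the AWS calls so it can be run offline against constructed inputs; the `MissingDataIsCompliant` rule parameter is a hypothetical name chosen for this example, and the SSM filter shape in the handler is an assumption to verify against the API reference. The security-relevant design choice is the default: an instance with no Patch Manager data at all is reported NON_COMPLIANT, because "SSM cannot see it" is not a verified insight.

```python
"""AWS Config custom rule (Lambda) that marks an EC2 instance NON_COMPLIANT
when its SSM Patch Manager status is not COMPLIANT or when no patch data exists.

Added example for illustration; boto3 is only imported inside lambda_handler()
so the evaluation functions can be exercised without AWS credentials."""
import json
from datetime import datetime, timezone

COMPLIANT, NON_COMPLIANT, NOT_APPLICABLE = "COMPLIANT", "NON_COMPLIANT", "NOT_APPLICABLE"
MAX_ANNOTATION = 256  # AWS Config rejects longer annotations


def parse_event(event):
    """Split a Config custom-rule event into its parts.

    invokingEvent and ruleParameters arrive as JSON *strings* inside the
    event, which is the usual first bug in hand-written rules."""
    invoking = json.loads(event["invokingEvent"])
    params = json.loads(event.get("ruleParameters") or "{}")
    return invoking, params, event["resultToken"]


def evaluate_instance(config_item, summaries, params=None):
    """Decide compliance for one AWS::EC2::Instance configuration item.

    summaries: items shaped like SSM ListResourceComplianceSummaries output
    (ResourceId, ComplianceType, Status, NonCompliantSummary). Missing patch
    data fails closed unless the hypothetical rule parameter
    MissingDataIsCompliant is "true"."""
    params = params or {}
    if config_item.get("resourceType") != "AWS::EC2::Instance":
        return NOT_APPLICABLE, "Rule only evaluates EC2 instances"
    if config_item.get("configurationItemStatus") == "ResourceDeleted":
        return NOT_APPLICABLE, "Instance deleted"
    instance_id = config_item["resourceId"]
    patch = [s for s in summaries
             if s.get("ResourceId") == instance_id and s.get("ComplianceType") == "Patch"]
    if not patch:
        if str(params.get("MissingDataIsCompliant", "false")).lower() == "true":
            return COMPLIANT, "No Patch Manager data; allowed by rule parameter"
        return NON_COMPLIANT, "No Patch Manager compliance data (not SSM-managed or never scanned)"
    item = patch[0]
    if item.get("Status") == COMPLIANT:
        return COMPLIANT, "All patches in the baseline installed"
    non_compliant = item.get("NonCompliantSummary", {})
    sev = non_compliant.get("SeveritySummary", {})
    return NON_COMPLIANT, (f"{non_compliant.get('NonCompliantCount', 0)} patch(es) missing: "
                           f"{sev.get('CriticalCount', 0)} critical, {sev.get('HighCount', 0)} high")


def build_evaluation(config_item, compliance, annotation):
    """Shape one entry for config.put_evaluations(); botocore parses the
    ISO-8601 capture-time string into the required timestamp."""
    return {
        "ComplianceResourceType": config_item["resourceType"],
        "ComplianceResourceId": config_item["resourceId"],
        "ComplianceType": compliance,
        "Annotation": annotation[:MAX_ANNOTATION],
        "OrderingTimestamp": config_item.get("configurationItemCaptureTime")
        or datetime.now(timezone.utc).isoformat(),
    }


def lambda_handler(event, context, config_client=None, ssm_client=None):
    """Lambda entry point; clients are injectable for offline tests."""
    import boto3  # imported here so the module loads without boto3 installed
    config_client = config_client or boto3.client("config")
    ssm_client = ssm_client or boto3.client("ssm")
    invoking, params, token = parse_event(event)
    config_item = invoking.get("configurationItem")
    if config_item is None:  # ScheduledNotification: no single item to evaluate here
        return []
    # Assumption: filtering summaries by ComplianceType; paginate in production.
    resp = ssm_client.list_resource_compliance_summaries(
        Filters=[{"Key": "ComplianceType", "Values": ["Patch"], "Type": "EQUAL"}])
    compliance, note = evaluate_instance(
        config_item, resp.get("ResourceComplianceSummaryItems", []), params)
    evaluations = [build_evaluation(config_item, compliance, note)]
    config_client.put_evaluations(Evaluations=evaluations, ResultToken=token)
    return evaluations


if __name__ == "__main__":
    # Constructed sample data: one instance missing two critical patches.
    item = {"resourceType": "AWS::EC2::Instance", "resourceId": "i-0123456789abcdef0",
            "configurationItemStatus": "OK",
            "configurationItemCaptureTime": "2024-09-16T12:00:00.000Z"}
    summary = [{"ResourceId": "i-0123456789abcdef0", "ComplianceType": "Patch",
                "Status": "NON_COMPLIANT",
                "NonCompliantSummary": {"NonCompliantCount": 3,
                                        "SeveritySummary": {"CriticalCount": 2, "HighCount": 1}}}]
    print(build_evaluation(item, *evaluate_instance(item, summary)))
```

Once the rule is deployed, its evaluations appear in Config and, with the Config integration enabled, as findings in Security Hub; the annotation string is what an operator sees there, which is why it carries the severity counts rather than a bare status.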

What about ADO teams that are not using AWS tools and services? The Initial level of maturity requires automated compliance monitoring to ensure compliance with security policies. To reach the Advanced level, teams need to use tools to enforce compliance with those policies. Those teams might consider exploring the following to evaluate which features meet the Advanced level of maturity​: 

  • Cisco Identity Services Engine (ISE) - a network access control and policy enforcement platform providing visibility, control and compliance
  • Microsoft Intune – ​a cloud-based endpoint management solution that provides a suite of tools to manage devices, including virtual endpoints, using device compliance policies   

Takeaway and Next Steps 

The primary takeaway for ADOs is that using AWS Security Hub meets the Initial level of maturity for the policy enforcement and compliance monitoring function as it provides the necessary compliance monitoring as described above. Automating policy enforcement using additional CMS Hybrid Cloud approved tools will help teams transition from Initial to Advanced. As for next steps, the ZT team will continue to research how ADOs accomplish policy enforcement and what additional tools are available to increase maturity for this pillar-function pair. In the meantime, you can read more about the Devices pillar from CISA here and our previous blog on Device Threat Protections here.   

About the publisher:

The Zero Trust Team works to help CMS implement the Executive Order that requires continuous verification of system users to promote stronger security. We introduce new tools and streamline processes to support the transition to Zero Trust throughout the enterprise.