CISA, CRISC, CGEIT, PMP, CDPSE, Principal, Global Leader, Cybersecurity, Technology Risk, and Privacy
View full biography
Zero Trust 2.0: Strengthening security for a shifting threat landscape
Receive CohnReznick insights and event invitations on topics relevant to your business and role.
Subscribe
With the number and size of threat vectors growing rapidly, organizations increasingly need more security around all users, devices, and networks, irrespective of whether they are connected within or outside of the enterprise IT infrastructure. It is increasingly critical to implement a new, more robust cybersecurity model or framework that facilitates well-informed risk-based decisions on people, process, and technology.
Recognizing the urgency to fortify their defenses, many forward-thinking entities have already adopted Zero Trust Architecture as a strategic approach. As described in the National Institute of Standards and Technology’s (NIST) primer, Zero Trust is built on the premise that “trust is never granted implicitly but must be continually evaluated.” People, processes, and technology all need to be evaluated and enhanced.
A new resource is now available for organizations looking to implement Zero Trust: Version 2.0 of the Cybersecurity and Infrastructure Security Agency’s (CISA) Zero Trust Maturity Model. Released in April, this model “provides an approach to achieve continued modernization efforts related to Zero Trust within a rapidly evolving environment and technology landscape,” CISA writes.
While it is specifically tailored for federal agencies as required by EO 14028, private organizations are equally encouraged to adopt the CISA Zero Trust Maturity Model in their business environment, as it’s “one of many paths that an organization can take in designing and implementing their transition plan to Zero Trust architecture,” CISA writes. By harnessing the model, organizations can gain valuable insights into their Zero Trust posture, enabling them to proactively, incrementally implement Zero Trust principles, process changes, and technology solutions that protect their data assets and business functions.
Zero Trust 2.0 builds upon CISA’s existing model, better equipping organizations to enhance their security postures and confront emerging threats head-on. This updated version introduces critical components and changes that address the evolving challenges faced by modern enterprises.
Key enhancements
- Revised maturity evolution: CISA has added the maturity stage “Initial” to the model, and realigned text for consistency across all five pillars: Identity, Devices, Networks, Applications and Workloads, and Data.
- Purpose and Office of Management and Budget (OMB) alignment: The Zero Trust Maturity Model is no longer considered a temporary solution; it now provides continued support for federal agencies in designing and implementing their Zero Trust Architecture framework. The model has been aligned with OMB’s M-22-09, “Moving the U.S. Government Toward Zero Trust Cybersecurity Principles,” to support a cohesive approach to cybersecurity.
- Expanded content and guidance: Zero Trust 2.0 offers expanded content and additional functions for each pillar and clarified intent of three cross-cutting pillars: Visibility and Analytics, Automation and Orchestration, and Governance.
The maturity levels
CISA’s 2.0 model features the following maturity levels:
- Traditional – Manual configuration for assignments, response, and mitigation, coupled with static security policies and solutions one pillar at a time, and least privilege established only at provisioning
- Initial (New) – Early stages of automation and configuration of lifecycles, policy decisions, and enforcement
- Advanced – Some automated controls for lifecycle and assignment of configurations and policies with cross-pillar coordination
- Optimal – Fully automated, just-in-time lifecycles and assignments of attributes, coupled with dynamic least privilege access and cross-pillar interoperability with continuous monitoring
See the CISA model for full descriptions and attributes of each level.
As professionals committed to building robust security frameworks, consider the following actionable items to advance your Zero Trust implementation:
- Assess your Zero Trust maturity: Leverage the CISA Zero Trust Maturity Model to gain a comprehensive understanding of your organization’s Zero Trust posture. Identify areas for improvement and prioritize the implementation of Zero Trust policies, process changes, and technology solutions.
- Focus areas for incremental implementation: Zero Trust implementation cannot simply be conducted with a wholesale replacement of technology; it is an iterative process. Pay close attention to these critical areas that contribute to your overall Zero Trust maturity:
- User identity
- Endpoint inventory and management
- Application workload residing on-premises or in the cloud
- Network segmentation
- Data classification and mapping
- Automation and orchestration
- Visibility and analytics
- Continuous adaptation and improvement: Achieving an advanced or “Optimal” CISA maturity level does not signal the end of your Zero Trust journey. Recognize that cyber threats constantly evolve, advance, and mature, requiring ongoing adaptation and improvement to effectively protect your organization’s attack surfaces.
It should be noted that there are a number of guidelines from federal agencies on Zero Trust, in addition to the CISA model. The Department of Defense (DOD) released its Zero Trust strategy in November 2022, outlining its ZT goals and objectives within the five-year planning horizon of the Future Years Defense Program (FYDP) starting in FY2023 to FY2027 and beyond. The DOD’s strategy is in alignment with the CISA update, as well as the NIST SP 800-207 Zero Trust Architecture framework. Thus, it is likely that organizations adopting any of these frameworks will also cover what is outlined in the others.
Further alignment is on the horizon. In January 2022, President Biden signed a National Security Memorandum (NSM) stating that at minimum, National Security Systems must adhere to the same network cybersecurity measures required for federal civilian networks under Executive Order 14028.
The National Cybersecurity Strategy Implementation Plan, just unveiled by the White House, will provide further relief to federal agencies, streamlining assessments of similar mandates and requirements. The Plan, and a request for public comment released soon after, aim to address “existing challenges with regulatory overlap and inconsistency in order to explore a framework for reciprocal recognition by regulators of compliance with common baseline cybersecurity requirements.” A singular unified approach will help provide the strongest defense against the continual onslaught and evolution of cyber-attacks.
Embracing Zero Trust 2.0 signifies an organization’s commitment to proactive risk mitigation, informed decision-making, and the continuous evaluation of trust. By leveraging this framework, organizations can chart a course toward a robust security posture and establish a culture of perpetual vigilance against emerging threats. In this new era of heightened cyber threats, a resilient security framework built upon the foundations of Zero Trust is indispensable.
Contact our team for more information on how to assess and strengthen your Zero Trust plans.
Bhavesh N. Vadhani, CISA, CRISC, CGEIT, PMP, CDPSE, Principal, Global Leader, Cybersecurity, Technology Risk, and Privacy
703.847.4418
Adonye Chamberlain, Manager, Cybersecurity, Technology Risk, and Privacy
703.744.7409
Related services
This has been prepared for information purposes and general guidance only and does not constitute legal or professional advice. Neither CohnReznick LLP or its personnel provide legal advice to third parties. You should not act upon the information contained in this publication without obtaining specific professional advice. No representation or warranty (express or implied) is made as to the accuracy or completeness of the information contained in this publication, and CohnReznick LLP, its members, employees, and agents accept no liability, and disclaim all responsibility, for the consequences of you or anyone else acting, or refraining to act, in reliance on the information contained in this publication or for any decision based on it.
Bill Hughes
CPA, CDFM, CGFM, CGMA, CICA, Partner - Federal Market Leader
View full biography
Related Insights
-
InsightNew SEC cybersecurity guidelines: Next steps for public companiesBhavesh Vadhani, Scott CorzineNew rules require public companies to elevate their cybersecurity risk management and disclosure practices. Read key changes, deadlines, and action items.
-
InsightFederal agencies face complex cyber compliance – but relief is underwayBhavesh Vadhani, Bill Hughes, Adonye ChamberlainWith a new national cybersecurity strategy expected to create a baseline cybersecurity standard, read how to get a head start in the meantime.
-
InsightPractical Infrastructure: A blueprint for program management successRoman CastilloVideo series explores program management guidance for state, local, trial agency execs and administrators.
-
InsightToday’s boards need cyber expertise more than everCyber risk is fundamentally unlike every other risk that companies face, and boards should add expertise accordingly. Read why – and how to get started.