CISA’s new Zero Trust Maturity Model gives MFA a push – Yubico

The long-awaited second version of the Cybersecurity and Infrastructure Security Agency’s (CISA) Zero Trust Maturity Model (ZTMM) is here after more than a year of public comments and agency responses.

The latest model points federal agencies, and all organizations that work with them, toward a Zero Trust security architecture. The White House laid the groundwork for zero trust in May 2021 with Executive Order (EO) 14028, “Improving the Nation’s Cybersecurity,” which led to OMB’s January 2022 Memorandum M-22-09, “Moving the U.S. Government Toward Zero Trust Cybersecurity Principles.” The target date for federal agencies to reach specific Zero Trust goals, including requiring phishing-resistant MFA, is the end of FY2024. 

Identity is one of the five pillars in the ZTMM, and the model grades each pillar through four stages of maturity: Traditional, Initial, Advanced and Optimal. Authentication is front and center in the identity pillar, and CISA offered additional details on the authentication requirements for each of the four stages:

  • Traditional: Agency authenticates identity using either passwords or MFA with static access for entity identity.
  • Initial: Agency authenticates identity using MFA, which may include passwords as one factor and requires validation of multiple entity attributes.
  • Advanced: Agency begins to authenticate all identity using phishing-resistant MFA and attributes, including initial implementation of passwordless MFA via FIDO2 or PIV.
  • Optimal: Agency continuously validates identity with phishing-resistant MFA, not just when access is initially granted.
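The Advanced and Optimal stages above turn on one property: the second factor must be bound to the site it was issued for, so a relayed or replayed login fails even when the user is fooled. The Go program below is an added example, not code from CISA or Yubico, showing the relying-party checks of a WebAuthn/FIDO2 assertion that deliver that property: the browser-written origin, the rpIdHash the key signs, the per-login challenge, and the signature under the registered public key. The `Authenticator` type is a simulated security key for the example, and the domain names are made up. It runs three scenarios: a legitimate login, a login relayed through a look-alike phishing domain, and a replay of an old assertion against a fresh challenge.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/binary"
	"encoding/json"
	"errors"
	"fmt"
)

const flagUP, flagUV = 0x01, 0x04 // authenticatorData flag bits: user present, user verified

// Credential is what the relying party (RP) keeps after registration.
type Credential struct {
	PubKey    *ecdsa.PublicKey
	SignCount uint32
}

// clientData holds the fields of clientDataJSON the RP must check.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// VerifyAssertion is the RP side of the WebAuthn "get" ceremony. Origin (written by the
// browser), rpIdHash (signed by the key) and the per-login challenge are the bindings a
// relayed or replayed assertion cannot satisfy; the ECDSA check proves possession of the key.
func VerifyAssertion(cred *Credential, rpID, origin string, challenge, authData, cdj, sig []byte) error {
	var cd clientData
	if err := json.Unmarshal(cdj, &cd); err != nil || cd.Type != "webauthn.get" {
		return errors.New("malformed clientDataJSON or wrong ceremony type")
	}
	if cd.Origin != origin {
		return fmt.Errorf("origin %q is not the RP origin %q", cd.Origin, origin)
	}
	if got, err := base64.RawURLEncoding.DecodeString(cd.Challenge); err != nil || !bytes.Equal(got, challenge) {
		return errors.New("challenge does not match the one issued for this login")
	}
	if len(authData) < 37 {
		return errors.New("authenticatorData too short")
	}
	if want := sha256.Sum256([]byte(rpID)); !bytes.Equal(authData[:32], want[:]) {
		return errors.New("rpIdHash is for another domain")
	}
	if authData[32]&flagUP == 0 || authData[32]&flagUV == 0 {
		return errors.New("user presence and user verification are both required")
	}
	count := binary.BigEndian.Uint32(authData[33:37])
	if count != 0 && count <= cred.SignCount {
		return errors.New("signature counter did not increase: possible cloned authenticator")
	}
	cdHash := sha256.Sum256(cdj)
	digest := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	if !ecdsa.VerifyASN1(cred.PubKey, digest[:], sig) {
		return errors.New("signature does not verify under the registered public key")
	}
	cred.SignCount = count
	return nil
}

// Authenticator is a simulated FIDO2 security key (assumption for this example): the private
// key never leaves it, and it signs authenticatorData || SHA-256(clientDataJSON) per WebAuthn.
type Authenticator struct {
	priv  *ecdsa.PrivateKey
	count uint32
}

func (a *Authenticator) Assert(rpID string, cdj []byte) (authData, sig []byte, err error) {
	a.count++
	rpHash, cdHash := sha256.Sum256([]byte(rpID)), sha256.Sum256(cdj)
	authData = append(rpHash[:], flagUP|flagUV)
	authData = binary.BigEndian.AppendUint32(authData, a.count)
	digest := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	sig, err = ecdsa.SignASN1(rand.Reader, a.priv, digest[:])
	return authData, sig, err
}

// browserClientData mimics the browser: the origin is the page the user is really on.
func browserClientData(origin string, challenge []byte) []byte {
	b, _ := json.Marshal(clientData{Type: "webauthn.get", Challenge: base64.RawURLEncoding.EncodeToString(challenge), Origin: origin})
	return b
}

func newChallenge() []byte {
	c := make([]byte, 32)
	rand.Read(c)
	return c
}

// Scenarios runs a legitimate login, a login relayed through a look-alike phishing domain,
// and a replay of the first assertion against a fresh challenge. All domain names are made up.
func Scenarios() (legit, phished, replayed error) {
	const rpID, origin = "agency.example.gov", "https://agency.example.gov"
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return err, err, err
	}
	key, cred := &Authenticator{priv: priv}, &Credential{PubKey: &priv.PublicKey}

	ch1 := newChallenge() // 1. user is on the real origin
	cdj := browserClientData(origin, ch1)
	ad, sig, _ := key.Assert(rpID, cdj)
	legit = VerifyAssertion(cred, rpID, origin, ch1, ad, cdj, sig)

	ch2 := newChallenge() // 2. phishing page proxies the RP's real challenge, but the browser
	pCDJ := browserClientData("https://agency-example-gov.example", ch2) // records its own origin
	pAD, pSig, _ := key.Assert("agency-example-gov.example", pCDJ)       // and allows only its own rpID
	phished = VerifyAssertion(cred, rpID, origin, ch2, pAD, pCDJ, pSig)

	ch3 := newChallenge() // 3. captured assertion from step 1 submitted against a new challenge
	replayed = VerifyAssertion(cred, rpID, origin, ch3, ad, cdj, sig)
	return legit, phished, replayed
}

func main() {
	l, p, r := Scenarios()
	fmt.Printf("legitimate: %v\nphished: %v\nreplayed: %v\n", l, p, r)
}
```

The legitimate login verifies; the phished one fails on origin before the RP even looks at the signature, and would fail again on rpIdHash because the browser only lets a page use an RP ID within its own domain; the replay fails on the challenge. Contrast this with an SMS or push code, which carries no origin and verifies just as well when relayed from a phishing page. The same ceremony, re-run on a fresh challenge at sensitive points in a session, is the building block for the Optimal stage's continuous validation.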

Given the urgency of a more secure approach to cybersecurity, Yubico encourages every agency to move quickly toward the Advanced and Optimal stages, where SMS one-time passcodes and push-notification apps become a thing of the past. It’s an exciting time for security, because we now have official recognition from the government that not all MFA is created equal: phishing resistance is key to fully protecting federal agencies, and that’s now in print.

What are the barriers to Zero Trust adoption? 

The ZTMM contains some candid acknowledgments that the road to Zero Trust will have a few bumps. Among the bumps on that road, the model cites:

  • Legacy systems rely on “implicit trust,” meaning access and authorization are infrequently assessed and based on fixed attributes. That principle doesn’t align with zero trust’s core assumption that trust is evaluated adaptively and continuously. 
  • Buy-in is required agency-wide, but especially from senior leadership. The model is honest about the transition needing a collective effort to “transition stove-piped and siloed IT services and staff to coordinated and collaborative components of a zero trust strategy.” 
  • Agencies are beginning their journeys to Zero Trust from different starting points. Some agencies may be further along or better positioned to make these advancements than others. 

Even so, the second version of the ZTMM is a signal to agencies that there is no U-turn possible on the transition to zero trust: it’s full steam ahead, and agencies will need to get on board if they haven’t already. 

——

Read more about Zero Trust architectures in our white paper, “Accelerate your Zero Trust strategy with phishing-resistant MFA.”
