CISA’s new Zero Trust Maturity Model gives MFA a push – Yubico

The long-awaited second version of the Cybersecurity and Infrastructure Security Agency’s (CISA) Zero Trust Maturity Model (ZTMM) is here after more than a year of public comments and agency responses.

The latest model points federal agencies, and all organizations that work with them, toward a Zero Trust security architecture. The White House laid the groundwork for zero trust in May 2021 with Executive Order (EO) 14028, “Improving the Nation’s Cybersecurity,” which led to OMB’s January 2022 Memorandum M-22-09, “Moving the U.S. Government Toward Zero Trust Cybersecurity Principles.” The target date for federal agencies to reach specific Zero Trust goals, including requiring phishing-resistant MFA, is the end of FY2024. 

Identity is one of the key pillars in the ZTMM, and the government categorizes identity through four stages of maturity including Traditional, Initial, Advanced and Optimal. Authentication is front and center in this memo, and CISA offered additional details on specific authentication requirements for each of the four phases:

  • Traditional: Agency authenticates identity using either passwords or MFA with static access for entity identity.
  • Initial: Agency authenticates identity using MFA, which may include passwords as one factor and requires validation of multiple entity attributes.
  • Advanced: Agency begins to authenticate all identity using phishing-resistant MFA and attributes, including initial implementation of passwordless MFA via FIDO2 or PIV.
  • Optimal: Agency continuously validates identity with phishing-resistant MFA, not just when access is initially granted.

With the critical need to take a more secure approach to cybersecurity health, Yubico encourages every agency to move quickly toward the advanced and optimal stages where SMS one-time passcodes and push-based applications become a thing of the past. It’s an exciting time for security, because we now have official recognition from the government that not all MFA is created equal — phishing-resistant features are key to fully protecting federal agencies, and that’s now in print.

What are the barriers to Zero Trust adoption? 

ZTMM contains some interesting acknowledgments that the road to Zero Trust will have a few bumps. Among the road to Zero Trust adoption, the memo cited: 

  • Legacy systems rely on “implicit trust,” meaning access and authorization are infrequently assessed and based on fixed attributes. That principle doesn’t align with zero trust’s core assumption of adaptive evaluation. 
  • Buy-in is required agency-wide, but especially from senior leadership. The memo is honest about the transition needing a collective effort to “transition stove-piped and siloed IT services and staff to coordinated and collaborative components of a zero trust strategy.” 
  • Agencies are beginning their journeys to Zero Trust from different starting points. Some agencies may be further along or better positioned to make these advancements than others. 

Regardless of this, the second version of the ZTMM is a signal to agencies that there is no U-turn possible on the transition to zero trust — it’s full steam ahead, and agencies will need to get on board if they haven’t already. 

——

Read more about Zero Trust architectures in our white paper, “Accelerate your Zero Trust strategy with phishing-resistant MFA.”

Talk to our teamTalk to our team

Share this article:


  • Introducing new features for Yubico Authenticator for iOSWe’re excited to share the new features now available for Yubico Authenticator for iOS in the latest app update on the App Store. Many of these improvements aim to address frequently requested features from our customers, while providing additional new functionalities for a seamless authentication experience on iOS.  With increased interest in going passwordless and […]Read moreiOSYubico Authenticator
  • Platform independent digital identity for all Many are understandably concerned that the great invention called the Internet, initially created by researchers for sharing information, has become a major threat to democracy, security and trust. The majority of these challenges are caused by stolen, misused or fake identities. To mitigate these risks, some claim that we have to choose between security, usability […]Read moreDigital IdentityEUDIFounderStina Ehrensvard
  • Q&A with Yubico’s CEO: Our move to the main Nasdaq market in StockholmAs 2024 draws to a close, it’s the perfect time to reflect on the incredible journey we’ve had this year and how it has shaped where we stand today as a company. To mark this moment, I sat down with our CEO, Mattias Danielsson, to look back on the milestones and achievements of 2024—culminating in […]Read moreCEOMattias Danielsson
  • Exploring DORA: A look at the next major EU mandateFinancial institutions have historically managed operational risk using capital allocation, but under EU Regulation 2022/2554 – also known as the Digital Operational Resilience Act (DORA) – the financial sector and associated entities in the European Economic Area (EEA) must also soon follow new rules. These new rules focus on the protection, detection, containment, and the […]Read moreDORAEU