The long-awaited second version of the Cybersecurity and Infrastructure Security Agency’s (CISA) Zero Trust Maturity Model (ZTMM) is here after more than a year of public comments and agency responses.
The latest model points federal agencies, and all organizations that work with them, toward a Zero Trust security architecture. The White House laid the groundwork for zero trust in May 2021 with Executive Order (EO) 14028, “Improving the Nation’s Cybersecurity,” which led to OMB’s January 2022 Memorandum M-22-09, “Moving the U.S. Government Toward Zero Trust Cybersecurity Principles.” The target date for federal agencies to reach specific Zero Trust goals, including requiring phishing-resistant MFA, is the end of FY2024.
Identity is one of the key pillars in the ZTMM, and the government categorizes identity through four stages of maturity including Traditional, Initial, Advanced and Optimal. Authentication is front and center in this memo, and CISA offered additional details on specific authentication requirements for each of the four phases:
- Traditional: Agency authenticates identity using either passwords or MFA with static access for entity identity.
- Initial: Agency authenticates identity using MFA, which may include passwords as one factor and requires validation of multiple entity attributes.
- Advanced: Agency begins to authenticate all identity using phishing-resistant MFA and attributes, including initial implementation of passwordless MFA via FIDO2 or PIV.
- Optimal: Agency continuously validates identity with phishing-resistant MFA, not just when access is initially granted.
With the critical need to take a more secure approach to cybersecurity health, Yubico encourages every agency to move quickly toward the advanced and optimal stages where SMS one-time passcodes and push-based applications become a thing of the past. It’s an exciting time for security, because we now have official recognition from the government that not all MFA is created equal — phishing-resistant features are key to fully protecting federal agencies, and that’s now in print.
What are the barriers to Zero Trust adoption?
ZTMM contains some interesting acknowledgments that the road to Zero Trust will have a few bumps. Among the road to Zero Trust adoption, the memo cited:
- Legacy systems rely on “implicit trust,” meaning access and authorization are infrequently assessed and based on fixed attributes. That principle doesn’t align with zero trust’s core assumption of adaptive evaluation.
- Buy-in is required agency-wide, but especially from senior leadership. The memo is honest about the transition needing a collective effort to “transition stove-piped and siloed IT services and staff to coordinated and collaborative components of a zero trust strategy.”
- Agencies are beginning their journeys to Zero Trust from different starting points. Some agencies may be further along or better positioned to make these advancements than others.
Regardless of this, the second version of the ZTMM is a signal to agencies that there is no U-turn possible on the transition to zero trust — it’s full steam ahead, and agencies will need to get on board if they haven’t already.
Read more about Zero Trust architectures in our white paper, “Accelerate your Zero Trust strategy with phishing-resistant MFA.”