CISA Updates Their Zero Trust Guidance

The Cybersecurity and Infrastructure Security Agency (CISA) has recently published the second version of its Zero Trust Maturity Model. The changes are a result of the public comments and requests CISA received after publishing the first version in September of 2021.

You may remember President Biden’s cybersecurity executive order, in which he called for CISA to develop a zero trust model that could be applied across federal agencies. As agencies look to implement zero trust and threats continue to advance, it’s important that our security frameworks are dynamic and able to evolve with the times.

What is Zero Trust?

To understand the changes made by CISA, it’s important to know what zero trust security is. Zero trust is a security concept that treats all assets, including users, as compromised until otherwise authenticated. Zero trust operates on the assumption that a breach is inevitable, and it seeks to isolate network resources behind their own perimeters rather than behind one large firewall. Another facet of zero trust is the “principle of least privilege”. The principle of least privilege gives users or software access only to the resources needed to do their jobs or accomplish a task, and nothing more. This limits an organization’s attack surface by ensuring that even if there is a compromise, the impact is minimal.
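To make the two ideas above concrete, here is a small, added example (not code from CISA, CorpInfoTech, or the original post) of a deny-by-default policy decision point: every request is treated as untrusted until identity and device posture are verified, and access is then limited to an explicit per-resource grant. The user names, device identifiers, resources and grant table are constructed for this illustration.

```python
"""Minimal zero-trust style access decision (added illustration, not CISA's model).

Every request is denied unless three checks pass: the caller's identity
assertion is verified, the device is attested healthy, and the caller's
least-privilege grant explicitly covers the resource and action.
All names and sample data below are constructed for this example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    user: str
    device_id: str
    token_valid: bool   # stands in for a verified identity assertion (assumption)
    resource: str
    action: str


# Least-privilege grants: principal -> {resource: allowed actions}.
# Anything not listed is implicitly denied (constructed sample).
GRANTS = {
    "alice": {"payroll-db": {"read"}, "wiki": {"read", "write"}},
    "svc-backup": {"payroll-db": {"read"}},
}

# Devices reported healthy by endpoint management (constructed sample).
HEALTHY_DEVICES = {"laptop-0042", "server-07"}


def decide(req: Request) -> tuple[bool, str]:
    """Return (allowed, reason). The default outcome is deny; each check must pass."""
    if not req.token_valid:
        return False, "identity not verified"
    if req.device_id not in HEALTHY_DEVICES:
        return False, "device not attested healthy"
    allowed_actions = GRANTS.get(req.user, {}).get(req.resource, set())
    if req.action not in allowed_actions:
        return False, f"no grant for {req.action} on {req.resource}"
    return True, "allowed"


def sample_decisions() -> list[tuple[str, bool, str]]:
    """Evaluate a few constructed requests and return (label, allowed, reason)."""
    cases = {
        "alice reads payroll from healthy laptop": Request("alice", "laptop-0042", True, "payroll-db", "read"),
        "alice writes payroll (exceeds grant)": Request("alice", "laptop-0042", True, "payroll-db", "write"),
        "alice from unmanaged device": Request("alice", "laptop-9999", True, "wiki", "read"),
        "expired token": Request("alice", "laptop-0042", False, "wiki", "read"),
        "backup service reads payroll from server": Request("svc-backup", "server-07", True, "payroll-db", "read"),
        "unknown principal": Request("mallory", "server-07", True, "payroll-db", "read"),
    }
    return [(label, *decide(req)) for label, req in cases.items()]


if __name__ == "__main__":
    for label, allowed, reason in sample_decisions():
        print(f"{'ALLOW' if allowed else 'DENY ':5} {label}: {reason}")
```

The point of the example is the shape of the decision, not the data: there is no network location check at all, the resource is protected by its own grant rather than by being "inside" a perimeter, and a principal with a valid token on a healthy device still cannot do more than its grant lists.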

Zero Trust Changes

What did CISA change in version 2 of the Zero Trust Maturity Model?

The original maturity model was made up of 5 pillars for agencies to improve upon in order to achieve peak zero trust security. The 5 pillars include: Identity, Devices, Networks, Applications and Workloads. Additionally, each pillar provided guidance on how the cross-cutting capabilities of Visibility and Analytics, Automation and Orchestration, and Governance could be used to implement that pillar.

The newly updated model takes these 5 pillars and the capabilities within them and defines four stages of maturity, labeled Traditional, Initial, Advanced, and Optimal. Adding the “Initial” stage is the biggest change from version 1 to version 2, and its inclusion focuses on aiding organizations just starting to make policy changes and decisions regarding zero trust. Because zero trust can be complex and difficult to implement, adding an initial level of maturity for agencies taking their first steps is extremely beneficial.

Like zero trust, cybersecurity is an ever-changing field. If your organization wants to take the next steps in its security journey, contact CorpInfoTech today!

CorpInfoTech (Corporate Information Technologies) provides small to mid-market organizations with expert I.T. services, including compliance assessment, cybersecurity penetration tests, and comprehensive business continuity planning services. CorpInfoTech can help organizations quantify, create, refine, and mitigate the risks presented by business-threatening disasters in whatever form they may be disguised.

This website is for informational and educational purposes only and does not render professional advice, nor is it a substitute for dedicated professional guidance from a competent and duly accredited cybersecurity professional specific to your needs and implementation. There is no endorsement of any kind for products or services listed on this website; it is entirely the reader’s responsibility to conduct appropriate due diligence and due care in selecting and engaging with any product or service.
