
What CISA's Updated Zero-Trust Maturity Model Means

The Cybersecurity and Infrastructure Security Agency (CISA) has updated its Zero Trust Maturity Model, which offers guidance for federal agencies in implementing zero-trust security architectures.


The latest version adds an "optimal" maturity stage to the traditional, initial and advanced stages of the original guidance document, and updates the definitions and metrics for each stage. CISA describes the model as one of many possible paths to zero trust. Federal IT experts have said they hope the voluntary document will be adopted swiftly.


Although the update does not address the incident-response side of cybersecurity, it provides guidance on the five pillars of identity, devices, networks, applications and workloads, and data. These pillars are intended to guide federal agencies' zero trust strategy implementations, with a particular focus on identity and data.


Richard Bird, CSO at Traceable, shared his thoughts on implicit trust and the need for zero trust for APIs:


“Implicit trust within corporate and government agency systems is empirically proven to be a failing architecture. Not only has it failed, it is failing faster every single day with larger and larger breaches and losses. CISA is right to continue to keep their foot on the gas pedal. The time for making excuses for allowing implied and persistent trust has passed.


While the enhanced ZTMM from CISA is another great effort, neither CISA nor NIST SP 800-27 directly addresses the need for Zero Trust for APIs. APIs have rapidly become the DevOps workaround when it comes to ZT. Violations of basic ZT requirements like ‘all communications are secured…’ are rampant at layer 7 because APIs are rarely included in anyone's security program, let alone their Zero Trust program strategy.”
