CISA Releases the Zero Trust Maturity Model 2.0

In April of 2023, CISA released version 2.0 of their Zero Trust Maturity Model.

What is CISA?

The Cybersecurity & Infrastructure Security Agency (CISA) is a U.S. federal agency that is responsible for strengthening cybersecurity across the federal government.  The agency also provides resources to help U.S. companies reduce cyber risk.

What is Zero Trust?

At a high level, Zero Trust is a cybersecurity methodology that assumes a breach can occur at any time.  As such, each resource should have the least amount of privilege needed to perform its job and should be continuously authenticated to confirm authorization.  The National Security Telecommunications Advisory Committee (NSTAC) describes Zero Trust as a cybersecurity strategy that treats every resource as untrusted.  While most other security models use the location of an individual or device as the basis for granting access, Zero Trust focuses on the data that is being accessed.
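To make the contrast in the paragraph above concrete, here is an added example (not code from the original post, CISA or NSTAC) that places a traditional location-based access check beside a Zero Trust style policy decision.  The network range, user names, resource names, data classifications and session limits are all constructed for illustration; the point is that the Zero Trust check never consults the source address and denies by default unless identity, device posture, entitlement and session freshness all pass.

```python
from __future__ import annotations
from dataclasses import dataclass
import ipaddress

# Constructed "office" address range used by the perimeter model.
CORPORATE_NET = ipaddress.ip_network("10.0.0.0/8")

# Constructed data classifications, per-user entitlements and the maximum
# age a session may reach before the user must re-authenticate.
RESOURCE_CLASSIFICATION = {"hr-payroll": "restricted", "wiki": "internal"}
ENTITLEMENTS = {"alice": {"hr-payroll", "wiki"}, "bob": {"wiki"}}
MAX_SESSION_AGE_S = {"restricted": 600, "internal": 8 * 3600}


@dataclass(frozen=True)
class AccessRequest:
    subject: str            # identity asserted for the request
    source_ip: str
    mfa_verified: bool      # strong (phishing-resistant) MFA completed
    device_compliant: bool  # device posture check passed
    session_age_s: int      # seconds since the last authentication
    resource: str


def perimeter_decision(req: AccessRequest) -> bool:
    """Traditional model: being on the corporate network is the credential."""
    return ipaddress.ip_address(req.source_ip) in CORPORATE_NET


def zero_trust_decision(req: AccessRequest) -> tuple[str, str]:
    """Zero Trust model: every request is judged on identity, device and the
    data requested; location plays no part, and the default answer is deny."""
    if not req.mfa_verified:
        return "deny", "identity not strongly verified"
    if not req.device_compliant:
        return "deny", "device posture non-compliant"
    classification = RESOURCE_CLASSIFICATION.get(req.resource)
    if classification is None:
        return "deny", "unknown resource (default deny)"
    if req.resource not in ENTITLEMENTS.get(req.subject, set()):
        return "deny", f"{req.subject} has no entitlement to {req.resource}"
    if req.session_age_s > MAX_SESSION_AGE_S[classification]:
        return "deny", f"session too old for {classification} data; re-authenticate"
    return "allow", f"least-privilege access to {classification} data granted"


# Constructed requests chosen to show where the two models disagree.
SAMPLE_REQUESTS = {
    # inside the office, but no MFA and an unmanaged device
    "insider_weak": AccessRequest("alice", "10.1.2.3", False, False, 30, "hr-payroll"),
    # remote worker, strongly authenticated on a compliant device
    "remote_strong": AccessRequest("alice", "203.0.113.7", True, True, 30, "hr-payroll"),
    # authenticated on a compliant device, but not entitled to the data
    "not_entitled": AccessRequest("bob", "10.1.2.4", True, True, 30, "hr-payroll"),
    # entitled, but the session is too old for restricted data
    "stale_session": AccessRequest("alice", "10.1.2.3", True, True, 3600, "hr-payroll"),
}


def compare(name: str) -> dict:
    """Return both models' decisions for one constructed request."""
    req = SAMPLE_REQUESTS[name]
    verdict, reason = zero_trust_decision(req)
    return {"perimeter": "allow" if perimeter_decision(req) else "deny",
            "zero_trust": verdict, "reason": reason}


if __name__ == "__main__":
    for name in SAMPLE_REQUESTS:
        print(f"{name:14s} {compare(name)}")
```

Running the script shows the perimeter model admitting the unauthenticated insider and rejecting the well-authenticated remote worker, while the Zero Trust check does the opposite; the stale-session case is what "continuously authenticated" means in practice, with a shorter re-authentication window for more sensitive data.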

CISA Zero Trust Overview

CISA states that their maturity model is not the only way to accomplish Zero Trust.  However, CISA’s model is clear, concise, possibly the easiest model to understand, and CISA has a strong reputation for solid recommendations.  In CISA’s Zero Trust Maturity Model, there are five pillars, or categories, that contain controls for moving towards a Zero Trust Architecture.  The five pillars are Identity, Devices, Networks, Applications & Workloads, and Data as shown in the image below.

Five pillars of CISA’s Zero Trust Maturity Model (Cybersecurity and Infrastructure Security Agency Cybersecurity Division, 2023)

There are a total of 36 security controls, or “functions” as CISA calls them, across all of the pillars.  While each pillar has its own unique security controls, three control types appear within every pillar.  These three cross-cutting control types are Visibility and Analytics, Automation and Orchestration, and Governance.  The cross-cutting controls can be used to coordinate implementation and interoperability of functions across the pillars.

The CISA Zero Trust model contains four maturity stages for each of the 36 security controls.  Organizations start with the Traditional stage and move to Initial, Advanced, and finally Optimal.  Each maturity stage provides an increasing level of protection and adoption complexity.

CISA Zero Trust 2.0 Maturity Stages

Implementation Challenges

Implementing Zero Trust is not a trivial task.  There are 36 major functions that need to be optimized before achieving the highest maturity level.  This is a process that will most likely take years for an organization to complete.  Some of the challenges with implementing Zero Trust are:

  • Cost – An organization will probably need to purchase new security tools and hire additional staff to reach the higher levels of maturity.  For example, an organization may have multi-factor authentication (MFA) with SMS (text message), but the more mature levels require “phishing-resistant MFA” such as YubiKeys or Feitian USB security keys.  Purchasing the security keys and educating staff can be costly.
  • Time – It takes time to implement each of these security measures.  This includes both implementation time and employee education time.
  • Process Change – There are numerous challenges to implementing new processes.  Taking our MFA implementation example, an organization will need to change how they perform multi-factor authentication across the organization.
  • Legacy Systems – Many legacy systems were not designed with security in mind.  These legacy systems may implicitly trust everyone, or have a single shared account.

CISA describes the Zero Trust implementation as a journey.  Each stage of this journey requires a greater level of effort while achieving greater protection.

CISA Zero Trust Maturity Model 2.0 Journey: a mountain with the Zero Trust journey between maturity levels (Cybersecurity and Infrastructure Security Agency Cybersecurity Division, 2023)

Benefits of Zero Trust

Moving towards higher levels of maturity within Zero Trust has enormous security benefits, which is why organizations strive to achieve this goal.  At the Optimal maturity level, the risk of a security breach is minimized.  Zero Trust can also help companies achieve compliance goals by moving well beyond the initial compliance requirements.  There are also customer and business benefits, as an organization with a higher level of security earns more trust from its customer base.

Changes from CISA Zero Trust v1.0 to v2.0

CISA has made a number of changes from their Zero Trust Maturity Model 1.0, released in 2021, to version 2.0, which was released in April of 2023.

Color code chart for changes to the framework

Moving from Three to Four Maturity Stages

The largest change is moving from three to four maturity stages.  As CISA states, the Zero Trust Maturity Model is a journey which will most likely take time to implement.  Having more stages provides greater insight into an organization’s progress.

Changes to the Zero Trust Maturity Stages

Pillar Changes

There are still five pillars within the CISA Zero Trust Maturity Model 2.0; however, the naming has changed slightly.

Changes to the Zero Trust Pillars

Security Functions within Pillars

The CISA Zero Trust Maturity Model has moved from 31 security controls (called “Functions” within the model) to 36 controls.  The changes are listed below and grouped by each of the five pillars.

Identity Pillar updates
Devices Pillar updates
Networks Pillar updates
Applications and Workloads Pillar updates
Data Pillar updates

Velocity Can Help with the CISA Zero Trust Maturity Model Journey

At Stern Security, we have added the CISA Zero Trust Maturity Model into our Velocity platform.  Any organization can easily map their Zero Trust journey within Velocity.  Try Velocity for free today.

Velocity, Stern Security’s SaaS platform, contains CISA’s Zero Trust Maturity Model

Conclusion

The 2.0 version of CISA’s Zero Trust Maturity Model is a well-organized and highly regarded framework to follow in order to achieve Zero Trust goals.  Increasing an organization’s Zero Trust maturity is a journey that will take time and resources, but will greatly reduce cybersecurity risk.  CISA’s model is a recommended approach for completing an organization’s Zero Trust goals.

Works Cited

Cybersecurity and Infrastructure Security Agency Cybersecurity Division. (2021, June). Zero Trust Maturity Model: Pre-decisional Draft Version 1.0. CISA.gov.

Cybersecurity and Infrastructure Security Agency Cybersecurity Division. (2023, April). Zero Trust Maturity Model: Version 2.0. CISA.gov.

Velocity Goes Freemium

Background

Our company mission is to “Secure the Planet”.  This means that we aim to provide education and solutions that any company in the world can use to reduce cyber risk.  Our flagship product, Velocity, is a web application (SaaS product) which companies can use to evaluate their own cybersecurity posture as well as to evaluate cyber risks in all of their third-party vendors.  While we strive to have fair pricing and various tiers that companies of any size can subscribe to, it’s clear that some organizations simply do not have funds budgeted to spend on cybersecurity or to try new products.  We’re moving Velocity to a freemium model so any company can measure their baseline security posture for free.

Details

If we’re serious about securing the planet and providing solutions for all organizations regardless of size and budget, we need to expand our offerings.  From my many years working in the cybersecurity industry, both on the customer side and the consulting side, I know that many organizations do not evaluate their security posture at all.  Many of those that do still measure their security posture using an inefficient, often inaccurate, spreadsheet approach: they list every cybersecurity measure that they should be doing in one column and then state whether they are completing the task or not in another column.  It’s easy, but inefficient, painful to manage, difficult to track progress with, and tough to update.  Velocity eliminates the need for spreadsheets to measure internal risk against these known frameworks.  The free version of Velocity is an easy and economical tool for any company in the world to measure their cybersecurity posture.

What is included?

In the free version of Velocity, companies can evaluate their own security posture using any of several frameworks.  Additionally, companies receive access to dashboards that give critical insight into their security posture.  As an added benefit, companies eliminate the use of inefficient spreadsheets to evaluate risk.  The frameworks that are included in the free version of Velocity are as follows:

  1. CISA Shields Up – To address increased risk due to Russia’s invasion of Ukraine, the Cybersecurity & Infrastructure Security Agency (CISA) released security guidance for organizations.  This valuable, free guidance is built into Velocity.  We will continue to update this significant resource in Velocity as the guidance is updated and evolves.
  2. CMMC 2.0 Level 1 – In late 2021, the Department of Defense (DoD) released CMMC 2.0 which is designed to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).  There are three levels within this model and most defense contractors will need to adhere to Level 1. Organizations can evaluate their compliance with Level 1 CMMC 2.0 for free within Velocity. The smaller subset of organizations that access more classified information can pay for a Velocity subscription to evaluate their compliance with the higher levels within this framework.  Our company pays to have certified CMMC staff.  For more information on CMMC, please review our latest article on the subject:  https://www.sternsecurity.com/blog/cmmc-2-0-program-update/
  3. CIS v8 Group 1 – The Center for Internet Security (CIS) has a well-known list of cybersecurity controls that are recommended for all organizations.  The latest version (v8 as of this writing) splits the security framework into three groups depending on the size and cybersecurity maturity of the organization.  The free version of Velocity includes the first group, Implementation Group 1.  Organizations looking to evaluate their maturity with Groups 2 and 3 can upgrade to a paid subscription within Velocity.  Our company pays an annual license fee to utilize this security framework.

How do we pay for this?

We have to pay for this somehow, as we definitely cannot help secure the planet if we don’t have the funds to run our product.  While several frameworks (or parts of frameworks) are free, we have over 10 other major security and compliance frameworks that companies can pay a subscription for, and we continue to add more.  We pay subscription fees for these frameworks, which we pass on to companies that subscribe to additional features within Velocity.  Additionally, we charge companies to evaluate the security posture of their vendors.  While using the free version, there is an easy path to upgrade to a paid subscription to use other frameworks or evaluate vendors.

How do I get my free account?

Go to https://www.velocitysec.com and create your free account today!

Conclusion

I’m incredibly excited to announce our freemium version of Velocity.  This is the result of months of hard work from an amazing team.  We are so proud of the result and what it can do for the world.  Now that Velocity is offering this freemium model, we see a clear path to making our motto “Secure the Planet” a reality.  Velocity is not going to solve every cybersecurity problem, but it does give organizations actionable items they can perform to reduce risk.  Now any company in the world can measure their baseline security for free on a beautiful web interface.

Sincerely,
Jon Sternstein, Founder