September 22, 2023

6 min

5 Key Takeaways From CISA's Zero Trust Guidance 2.0

The Cybersecurity and Infrastructure Security Agency (CISA) recently updated their guidance on zero-trust maturity in April of this year, shedding new light on the importance of zero trust in today’s expanding threat landscape. Here’s what to know.

Zero trust is the security term on nearly every organization’s mind these days — and with good reason. Though many organizations are in varying stages of zero-trust maturity, the zero-trust security model remains a fundamental approach to protecting access to networks and assets.

In fact, zero-trust initiatives have become so widely adopted, the Cybersecurity and Infrastructure Security Agency (CISA) has stepped into the breach once again to update their guidelines for zero-trust maturity.

Considered one of the primary roadmaps to zero-trust maturity, CISA’s Zero Trust Maturity Model Version 2.0, released in April 2023, sheds new light on the ever-evolving realm of cybersecurity, reaffirming the importance of this cybersecurity strategy in today's rapidly evolving threat landscape.

These updated guidelines take into account a number of lessons learned from organizations and government agencies that have already implemented zero-trust initiatives, incorporating guidance for successful implementation with an emphasis on visibility and governance.

So, what does this new, updated guidance mean for organizations in the middle of their journey to zero trust? Here’s what to know.

1. Identity is more important than ever.

One of the central tenets of zero-trust architecture is that identity — an attribute or set of attributes that uniquely describe a user or entity — represents the new perimeter.

Rather than relying solely on traditional network perimeters as in traditional network-centric security models, zero-trust initiatives should prioritize identity-based access control. CISA drives home the importance of robust identity and access management (IAM) as a cornerstone of zero-trust strategies, mandating rigorous identity verification before granting access to resources, regardless of a user's location.

Creating a modernized IAM program involves continuously verifying the identity of users and devices before and during granting access to resources, whether they are inside or outside the network.

2. Changes made to maturity level definitions.

When CISA’s Zero Trust Guidance was first released, it included three levels of zero-trust maturity to better describe where organizations may find themselves on the path to zero trust. Those levels were:

  1. Traditional, describing organizations that had just begun the process of implementing zero-trust strategies.
  2. Advanced, describing organizations that had implemented zero-trust initiatives throughout their organizations.
  3. Optimal, describing organizations that had implemented zero-trust policies throughout their organizations and were currently optimizing their strategies to better achieve their security goals.

However, many organizations found that assessing themselves across just these three levels was difficult since most legacy security functions were somewhere between traditional and advanced. In response, CISA’s updated guidance added an additional maturity level to give organizations a bit more latitude in their self-assessments, thus bridging the gap between traditional and advanced. 

CISA’s revised maturity levels are:

  • Traditional: This includes manual configurations and assignment of attributes, static security policies and coarse dependencies on external systems, along with manual incident response and mitigation processes. 
  • Initial: This new stage is the phase at which automation is introduced. This includes attribute assignment and configuration of lifecycles, policy decisions and enforcement, and initial cross-pillar solutions with integration of external systems.
  • Advanced: This stage now introduces cross-functional coordination, building toward enterprisewide awareness, with centralized visibility and identity control, some incident response to predefined mitigations and increased detail in dependencies with external systems.
  • Optimal: This final stage of zero-trust implementation features fully automated assigning of attributes to assets and resources, dynamic policies based on automated/observed triggers, alignment with open standards for cross-functional interoperability, and centralized visibility.

3. Emphasis is on cross-cutting capabilities: visibility, automation and governance.

Maturity levels aren’t the only area in which CISA felt it was necessary to expand on their previous guidance. Because of the ever-evolving nature of cyberthreats, CISA also drives home the importance of continuous monitoring and adaptive security through greater visibility, more widespread use of automation and clearer governance roles to better allow agencies to assess, plan and maintain the investments needed to progress toward a zero-trust architecture.

In fact, visibility and analytics, automation and orchestration, and governance have each been separated into their own individual levels of maturity, separate from the traditional pillars of:

  • Identity
  • Devices
  • Networks
  • Data
  • Applications and Workloads

Each pillar now includes specific details around visibility and analytics, automation and orchestration, in addition to governance capabilities to support integration with that pillar and across the model:

Visibility and Analytics: The updated guidance posits that a focus on visibility and cyber-related data analysis can help inform policy decisions, facilitate response activities and build a risk profile to develop proactive security measures before an incident occurs.

Automation and Orchestration: CISA states that an “optimal” zero-trust architecture will make full use of automated tools and workflows that support security response functions across products and services while maintaining oversight, security and interaction of the development process.

Governance: Referring to the enforcement of cybersecurity policies, procedures and processes within and across pillars, CISA’s new guidelines reinforce that governance in support of zero-trust principles is essential to managing and mitigating security risks as well as fulfillment of federal requirements.

4. Culture and support are still the largest barriers to success.

One of CISA’s core principles states that instilling a zero-trust culture is paramount to successful integration. More than the technology itself, ensuring top-down support for cybersecurity initiatives to make the changes that are necessary to implement zero trust can make or break your organization’s success.

Because modern technology integrates everything from company systems to company values, initiating a culture change starts by engaging all stakeholders in the process of creating a holistic security-first mindset that eliminates siloed approaches. When an organization is employing a zero-trust mindset, they’ll know that the “always verify, never trust” principle extends beyond the traditional perimeters.

This also means that organizations who have not assessed their current trust level may have unknowingly bred “loose trust” cultures over a period of time. One example could be employees holding an entrance door open for others. While seemingly courteous, letting an unknown person into your building can be potentially hazardous and lead to an internal breach. Everyone from the executive level down must be in the practice to never trust systems — or people — adjacent to your systems.

It's up to security leaders to communicate the level of security that they require, educate their teams on how to reach that level, and enforce it.

5. Start your zero-trust journey with governance and visibility.

Whether you’re looking to kickstart your journey toward zero trust or hoping to further instill a zero-trust mindset within your company culture, developing policies, assessing risk and verifying with visibility across key systems is the best place to begin.

Though you may be tempted to use zero-trust strategies to tackle your organization’s largest, most difficult problems first, starting with a few smaller “wins” can be an effective, less risky way to build credibility across teams.

One great entry point for cross-pillar integration would be within your data backup and restoration systems. If there is one crucial place in your organization that would benefit from zero trust, it’s the systems that you rely on to restore your most critical data. Zero trust is your last line of defense against pervasive threats like ransomware and ensuring that your data remain safe from cyberattacks is essential. From there, communicating this win across teams will help illustrate the value of zero-trust policies at every level of your organization.

Reaching Optimal Zero-Trust Maturity

It’s important to remember that zero trust is a guiding philosophy, not a single architecture.  Implementing zero-trust best practices and principles is a journey in which your organization consistently works toward achieving higher levels of maturity.

Reaching CISA’s optimal level of zero-trust architecture will not happen overnight. Even organizations with extensive experience in cybersecurity or zero-trust strategies can benefit from a third-party voice to cut across cultural boundaries within and outside of IT.

An expert partner with deep expertise in zero-trust strategy, planning and execution can help your organization design, develop and implement a plan to achieve optimal zero-trust maturity in a timeframe that fits your organization’s specific needs.

Story by Contributor Contributor

John Candillo

CDW Expert
John Candillo is a field CISO at CDW. He is an accomplished cybersecurity expert with more than 20 years in security. John specializes in providing executive guidance around risk, governance, compliance and IT security strategies. He has designed several processes and assessments to help organizations align security initiatives and quantify risk in a way that translates cybersecurity into the lang