Applying the CISA Zero Trust Maturity Model to Individual Systems
The OMB memo M-24-14 requires that all US Federal departments and agencies “document current and target maturity levels in each pillar for all high value assets and high impact systems as well as the agency target maturity level for those systems to be achieved by the end of FY26”.
This is a new and slightly different usage of the CISA Zero Trust Maturity Model — the original model from CISA was intended to be applied to the agency as a whole, rather than for individual systems.
This workbook provides you with a way to easily measure and report on your per-system current and target maturity, and will help you meet these reporting requirements.
Quick Link: Current version of the Zero Trust Maturity Model spreadsheet: v1.0.0:
This spreadsheet contains the evaluation of two example systems, to illustrate how the model should be used.
Note that downloading the Google Sheets file as Microsoft Excel introduces some minor function and formatting errors.
This Google Sheets version is read-only to preserve its integrity, but freely available to be copied and used by your organization.
To receive updates from Numberline Security about this site, subscribe here, or follow us on LinkedIn and Mastodon.
Spreadsheet Overview:
This spreadsheet has 3 tabs:

Instructions Worksheet
This worksheet contains an overview and instructions
System_Maturity Worksheet
This worksheet is designed to let you easily self-assess your organization’s current and target maturity level for each of your systems.
Step 1: For each row, enter the system’s name in Column A:
Example:

Step 2: For each of the functions within the pillars, select the system’s current maturity from the dropdown list, and add any desired notes.

(Be sure to expand each pillar’s group via the (+) control in order to view all of the pillar’s functions.)

Each pillar’s overall current maturity will be automatically calculated, and shown within that column group:

Step 3: For each pillar, select the system’s target maturity from the dropdown list.

Current_Rating Worksheet
Each pillar’s maturity score is displayed on this worksheet in shaded form.
Shading is shown for the levels Traditional, Initial, Advanced, Optimal, corresponding to the T, I, A, O labels.
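To make the Step 2 / Step 3 workflow concrete, the following is an added example (written for this page, not the Numberline workbook’s own formulas): it models one system’s per-function ratings using the pillar and function names CISA defines (the 40 functions listed later on this page), derives each pillar’s current maturity, and produces the T/I/A/O current-versus-target rows the Current_Rating worksheet shows. The page does not state how the spreadsheet aggregates function ratings into a pillar rating; the rule used here (a pillar is rated at its least mature function) is an assumption, as is the sample system and its ratings.

```python
"""Per-system Zero Trust maturity scoring, modelled on the workbook described above.

Added example, not the workbook itself.  Pillar and function names are CISA's;
the aggregation rule (pillar maturity = least mature function) is an assumption
made here because the page does not give the spreadsheet's formula.
"""

LEVELS = ["Traditional", "Initial", "Advanced", "Optimal"]
LABELS = {lvl[0]: lvl for lvl in LEVELS}          # "T" -> "Traditional", etc.
RANK = {lvl: i for i, lvl in enumerate(LEVELS)}   # ordering T < I < A < O

# The three cross-cutting capabilities are rated within every pillar.
CROSS_CUTTING = [
    "Visibility and Analytics Capability",
    "Automation and Orchestration Capability",
    "Governance Capability",
]

# CISA's 40 functions: 22 pillar-specific functions, the 3 capabilities rated
# under each of the 5 pillars (15), plus the 3 enterprise-wide cross-cutting ones.
PILLARS = {
    "Identity": ["Authentication", "Identity Stores", "Risk Assessments",
                 "Access Management"] + CROSS_CUTTING,
    "Devices": ["Policy Enforcement & Compliance Monitoring",
                "Asset & Supply Chain Risk Management", "Resource Access",
                "Device Threat Protection"] + CROSS_CUTTING,
    "Networks": ["Network Segmentation", "Network Traffic Management",
                 "Traffic Encryption", "Network Resilience"] + CROSS_CUTTING,
    "Applications and Workloads": ["Application Access", "Application Threat Protections",
                                   "Accessible Applications",
                                   "Secure Application Development and Deployment Workflow",
                                   "Application Security Testing"] + CROSS_CUTTING,
    "Data": ["Data Inventory Management", "Data Categorization", "Data Availability",
             "Data Access", "Data Encryption"] + CROSS_CUTTING,
    "Cross-Cutting": list(CROSS_CUTTING),
}


def normalize(rating):
    """Accept a full level name or its T/I/A/O label; reject anything else."""
    if rating in RANK:
        return rating
    if rating in LABELS:
        return LABELS[rating]
    raise ValueError(f"unknown maturity rating: {rating!r}")


def pillar_maturity(pillar, ratings):
    """Current maturity of one pillar (assumed rule: least mature of its functions).

    Every function must be rated: an unrated function is an incomplete assessment
    and is reported as an error rather than silently treated as Traditional.
    """
    missing = [f for f in PILLARS[pillar] if f not in ratings]
    if missing:
        raise ValueError(f"{pillar}: unrated functions {missing}")
    return min((normalize(ratings[f]) for f in PILLARS[pillar]), key=RANK.__getitem__)


def assess_system(name, ratings, targets):
    """Build the per-pillar rows the Current_Rating sheet shows: current, target, gap.

    gap = number of levels between current and target; negative means the
    chosen target is below the current rating and should be revisited.
    """
    rows = []
    for pillar in PILLARS:
        current = pillar_maturity(pillar, ratings[pillar])
        target = normalize(targets[pillar])
        rows.append({"system": name, "pillar": pillar, "current": current[0],
                     "target": target[0], "gap": RANK[target] - RANK[current]})
    return rows


def constructed_example():
    """Constructed sample system (not one of the workbook's two example systems)."""
    ratings = {p: {f: "A" for f in fs} for p, fs in PILLARS.items()}
    ratings["Identity"]["Authentication"] = "Initial"   # MFA rollout still partial
    ratings["Networks"]["Network Segmentation"] = "T"   # flat network, manual rules
    ratings["Data"]["Data Encryption"] = "Optimal"      # one strong function alone
    targets = {p: "Advanced" for p in PILLARS}
    targets["Data"] = "O"
    return assess_system("Payroll Portal (constructed)", ratings, targets)


if __name__ == "__main__":
    for row in constructed_example():
        print(f"{row['pillar']:<27} current={row['current']} target={row['target']} gap={row['gap']}")
```

Note that the Data pillar still lands at Advanced even though Data Encryption is Optimal: under the least-mature-function rule one strong function cannot lift a pillar, which is the behaviour you want when the rating feeds a reporting requirement.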

Questions, Feedback, or Commentary?
We’d like to see how you’re using this document, and hear suggestions for changes and improvements. Contact us via email at info@NumberlineSecurity.com.
Additional Information on the CISA Zero Trust Maturity Model
The CISA Maturity Model: Overview
Note: We highly recommend that you thoroughly read the CISA Zero Trust Maturity Model in order to get the most value from this site.
The CISA Zero Trust Maturity Model introduces five pillars, three cross-cutting capabilities, and four maturity levels, shown in the image below.

Source: CISA Zero Trust Maturity Model, Figure 3
CISA defines each of the terms as follows (all quoted verbatim from the CISA Maturity Model):
The pillars are defined as:
Identity: An identity refers to an attribute or set of attributes that uniquely describes an agency user or entity, including non-person entities.
Devices: A device refers to any asset (including its hardware, software, firmware, etc.) that can connect to a network, including servers, desktop and laptop machines, printers, mobile phones, IoT devices, networking equipment, and more.
Networks: A network refers to an open communications medium including typical channels such as agency internal networks, wireless networks, and the Internet as well as other potential channels such as cellular and application-level channels used to transport messages.
Applications & Workloads: Applications and workloads include agency systems, computer programs, and services that execute on-premises, on mobile devices, and in cloud environments.
Data: Data includes all structured and unstructured files and fragments that reside or have resided in federal systems, devices, networks, applications, databases, infrastructure, and backups (including on-premises and virtual environments) as well as the associated metadata.
The three cross-cutting capabilities are defined as follows:
Visibility and Analytics: Visibility refers to the observable artifacts that result from the characteristics of and events within enterprise-wide environments. The focus on cyber-related data analysis can help inform policy decisions, facilitate response activities, and build a risk profile to develop proactive security measures before an incident occurs.
Automation and Orchestration: Zero trust makes full use of automated tools and workflows that support security response functions across products and services while maintaining oversight, security, and interaction of the development process for such functions, products, and services.
Governance: Governance refers to the definition and associated enforcement of agency cybersecurity policies, procedures, and processes, within and across pillars, to manage an agency’s enterprise and mitigate security risks in support of zero trust principles and fulfillment of federal requirements.
And the maturity levels are defined as:
Traditional: Manually configured lifecycles (i.e., from establishment to decommissioning) and assignments of attributes (security and logging); static security policies and solutions that address one pillar at a time with discrete dependencies on external systems; least privilege established only at provisioning; siloed pillars of policy enforcement; manual response and mitigation deployment; and limited correlation of dependencies, logs, and telemetry.
Initial: Starting automation of attribute assignment and configuration of lifecycles, policy decisions and enforcement, and initial cross-pillar solutions with integration of external systems; some responsive changes to least privilege after provisioning; and aggregated visibility for internal systems.
Advanced: Wherever applicable, automated controls for lifecycle and assignment of configurations and policies with cross-pillar coordination; centralized visibility and identity control; policy enforcement integrated across pillars; response to pre-defined mitigations; changes to least privilege based on risk and posture assessments; and building toward enterprise-wide awareness (including externally hosted resources).
Optimal: Fully automated, just-in-time lifecycles and assignments of attributes to assets and resources that self-report with dynamic policies based on automated/observed triggers; dynamic least privilege access (just-enough and within thresholds) for assets and their respective dependencies enterprise-wide; cross-pillar interoperability with continuous monitoring; and centralized visibility with comprehensive situational awareness.
Assessing Your Maturity
CISA provides two ways for organizations to assess their maturity.
At the highest level, they included a table showing the attributes of each maturity level for each of the five pillars. This is shown below, directly from the CISA Zero Trust Maturity Model report:

While useful as a high-level set of goals, we believe that CISA’s detailed view is more actionable and more valuable for organizations. This view relies on the 40 functions that they’ve defined across the five pillars, and for each of these they’ve provided a description at each level of maturity.
Identity
  - Authentication
  - Identity Stores
  - Risk Assessments
  - Access Management
  - Visibility and Analytics Capability
  - Automation and Orchestration Capability
  - Governance Capability
Networks
  - Network Segmentation
  - Network Traffic Management
  - Traffic Encryption
  - Network Resilience
  - Visibility and Analytics Capability
  - Automation and Orchestration Capability
  - Governance Capability
Data
  - Data Inventory Management
  - Data Categorization
  - Data Availability
  - Data Access
  - Data Encryption
  - Visibility and Analytics Capability
  - Automation and Orchestration Capability
  - Governance Capability
Devices
  - Policy Enforcement & Compliance Monitoring
  - Asset & Supply Chain Risk Management
  - Resource Access
  - Device Threat Protection
  - Visibility and Analytics Capability
  - Automation and Orchestration Capability
  - Governance Capability
Applications and Workloads
  - Application Access
  - Application Threat Protections
  - Accessible Applications
  - Secure Application Development and Deployment Workflow
  - Application Security Testing
  - Visibility and Analytics Capability
  - Automation and Orchestration Capability
  - Governance Capability
Cross-Cutting
  - Visibility and Analytics Capability
  - Automation and Orchestration Capability
  - Governance Capability
For example, the Network Segmentation function maturity levels are defined as follows:

