From FUD to Framework: unpacking CISA's Zero Trust Maturity Model

Zero Trust is a journey and is not something you can buy from a vendor.


CISA’s recent Zero Trust Maturity Model (ZTMM) release is a significant step forward for the industry. Here’s my take.


There’s too much vendor FUD out there

Nearly every vendor claims that you will get Zero Trust if you buy their product. This isn’t possible for several reasons. First, Zero Trust is about process more than it is about products. Second, it is not something that can be attained all at once. No one goes from a traditional security model to “full zero trust.” The organization needs to digest what Zero Trust is and how radical a shift it requires to do it right. This doesn’t happen overnight, and believing that one or two security products will solve the problem only slows the adoption of Zero Trust principles, both across the industry and within an enterprise.


Zero Trust is a journey

The ZTMM attempts to create a framework for measuring where an organization is on the Zero Trust journey across four levels: traditional, initial, advanced, and optimal. Before the release of this model, organizations lacked real guidance for measuring their progress. This is an excellent first step; however, v2 of the ZTMM still lacks hard metrics for measuring maturity, so scoring remains subjective. For example, under the identity pillar, the traditional level is described as passwords or MFA; initial as MFA with passwords; and advanced as phishing-resistant MFA. Where does an organization fit on the maturity continuum if it has a mix of all three across its applications? Either future versions of the model will need to address this, or organizations will need to develop their own weighted scoring model.


A practical example of why this matters: IBM’s 2021 Cost of a Data Breach report found a $1.76M difference in average breach cost between organizations with mature Zero Trust deployments and those with no Zero Trust. With the new ZTMM, organizations now have a solid shot at figuring out where they are on the journey (and, consequently, how much they’ll save on their next breach).


It’s another layer of paint but nowhere near the final coat

I use this analogy because, too often, as security practitioners, we think in a very binary fashion: I have Zero Trust, or I don’t; I am secure, or I am not. v2 of the ZTMM is an essential step forward in commoditizing Zero Trust. Here, commoditization is good because it means that the principles espoused through Zero Trust have a better shot at becoming the industry norm. Models that legitimize and allow for benchmarking do precisely this. It also helps that it was published by CISA and not a vendor.


Caveat emptor still applies, as the model overlooks that 61% of applications don’t support modern authentication and provisioning standards like SAML, OIDC, and SCIM. Applications that fall into this category are what I refer to as nonfederated or unmanageable applications: they cannot be placed behind the identity provider, so the identity pillar’s controls simply don’t reach them. They generate a significant percentage of breaches (the precise percentage I’ll share in future research in the coming weeks).


When it comes to Zero Trust maturity, the vast majority of organizations are going to be stuck in the traditional and initial phases until they find a way to bridge the gap between their identity provider and the mountain of apps in their enterprise that don’t support the standards needed to reach the advanced and optimal levels, such as phishing-resistant MFA via FIDO2. Organizations will face a long road to Zero Trust maturity until this challenge is addressed holistically with a combination of process and security solutions.


While v2 of the ZTMM is far from perfect, it is one of the best pieces of work I’ve seen in advancing the democratization of Zero Trust. It is a welcome step forward, and CISA should be congratulated on the effort.
