What is CISA Zero Trust Maturity Model 2.0?

What is CISA?

The Cybersecurity and Infrastructure Security Agency (CISA) is a component of the United States Department of Homeland Security (DHS) responsible for cybersecurity and infrastructure protection across all levels of government, coordinating cybersecurity programs with U.S. states, and improving the government's cybersecurity protections against private and nation-state hackers.

CISA is responsible for helping safeguard the nation’s critical infrastructure and public gatherings by enhancing stakeholder capacity to mitigate risks. In order to achieve that, CISA leads a collaborative effort to assure the security, resilience, and reliability of the nation’s cyber systems. CISA drives national efforts through collaboration with private sector, academia, and government partners to build a diverse cyber workforce, foster development and use of secure technologies, and promote best practices.

What is Zero Trust?

As defined by National Institute of Standards and Technology (NIST) Special Publication 800-207, “Zero Trust is the term for an evolving set of cybersecurity paradigms that move defenses from static, network-based perimeters to focus on users, assets, and resources.”

To establish Zero Trust guidelines, NIST and CISA examined how federal networks were being protected and how the data and assets within those networks were protected across the industry.

NIST and CISA concluded that most organizations depend heavily on perimeter-based defenses, such as firewalls and VPNs, to control initial access to their networks. However, once users gained access to the network, their activities were not well monitored or tracked. Traditional perimeter security measures generally consider all users trusted once they are inside the network—including threat actors and malicious insiders. Zero Trust helps organizations prevent data breaches and protect assets by assuming that no entity is trusted, whether inside or outside the network. Zero Trust recognizes that when it comes to security, trust is a vulnerability.

What is the CISA Zero Trust Maturity Model 2.0?

CISA’s Zero Trust Maturity Model (ZTMM) provides an approach for continuing zero trust modernization efforts within a rapidly evolving environment and technology landscape. The ZTMM is one of many paths an organization can take in designing and implementing its transition plan to a zero trust architecture in accordance with Executive Order (EO) 14028, “Improving the Nation’s Cybersecurity,” Section 3(b)(ii), which requires that agencies develop a plan to implement a Zero Trust Architecture (ZTA). While the ZTMM is tailored for federal agencies as required by EO 14028, all organizations should review and consider adopting the approaches outlined in the model.

What are the pillars of the CISA Zero Trust Maturity Model 2.0?

CISA’s Zero Trust Maturity Model is broken into five foundational pillars of Zero Trust: Identity, Devices, Networks, Applications & Workloads, and Data. Each pillar contains requirements that align to levels of maturity (traditional, initial, advanced, optimal).

  • Identity: Focuses on verifying and authenticating users and their associated devices.
  • Devices: Ensures devices are secure and properly managed, regardless of ownership.
  • Networks: Emphasizes managing internal and external network traffic rather than relying solely on perimeters.
  • Applications and Workloads: Implements granular access controls and protection policies for both on-premises and cloud-based applications.
  • Data: Requires continuous monitoring and encryption of data, regardless of its state.

The CISA ZTMM also supports three cross-cutting capabilities:

  • Visibility & analytics: Provides insights into network traffic and security posture.
  • Automation & orchestration: Simplifies tasks and automates security processes.
  • Governance: Establishes policies and standards for security management.

Which organizations can use the CISA ZTMM 2.0?

The CISA ZTMM 2.0 was developed as a guide for US government agencies to maintain and improve cybersecurity as they digitally transform their processes and systems. However, it has proven flexible enough to be adopted voluntarily by large and small companies and organizations across all industry sectors.

What are the penalties for non-compliance with the CISA ZTMM 2.0?

Adherence to the CISA ZTMM is voluntary. However, evidence that an organization follows the ZTMM’s best practices may provide a layer of defense against fines and penalties in the event of a data breach, by demonstrating the organization’s good-faith efforts in information security.

How does Thales help with CISA ZTMM 2.0 compliance?

Thales’ solutions can help organizations meet the CISA Zero Trust Maturity Model 2.0 requirements by simplifying compliance and automating security controls, reducing the burden on security and compliance teams.

Other key data protection and security regulations

  • PCI HSM (Global; mandate, active now): The PCI HSM specification defines a set of logical and physical security compliance standards for HSMs used in the payments industry. PCI HSM compliance certification depends on meeting those standards.
  • DORA (Global; regulation, active now): DORA aims to strengthen the IT security of financial entities so that the financial sector in Europe remains resilient in the face of the growing volume and severity of cyber-attacks.
  • Data Breach Notification Laws (Global; regulation, active now): Data breach notification requirements following loss of personal information have been enacted by nations around the globe. They vary by jurisdiction but almost universally include a “safe harbor” clause.
  • GLBA (Americas; regulation, active now): The Gramm-Leach-Bliley Act (GLBA), also known as the Financial Services Modernization Act of 1999, requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data.
