Understanding the CISA and Forrester Zero Trust Maturity Models

The Cloud Security Alliance (CSA) recently hosted a webinar titled Understanding the Two Zero Trust Maturity Models: CISA & Forrester. Jason Garbis, Founder and Principal at Numberline Security and co-chair of the Zero Trust Working Group at CSA, moderated a panel discussion comparing the Forrester zero trust maturity model with version two of the Cybersecurity and Infrastructure Security Agency’s (CISA) zero trust maturity model. Panelists included John Kindervag (Senior Vice President, Cybersecurity Strategy, ON2IT) Chase Cunningham (Vice President, Security Market Research, G2), John Simms (Security Architect, CISA), and Sean Connelly (Trusted Internet Connection [TIC] Program Manager and Security Architect, CISA). Read on for a summary of the discussion.

The Forrester Model

During his time at Forrester, John Kindervag created the concept of zero trust and the original zero trust maturity model. He opened the discussion by acknowledging that transitioning from a traditional, perimeter-based security model to zero trust can’t be done all at once. He advocates for a five step model based on his experiences deploying zero trust.

1. Define your “protect surface.” Kindervag recommended thinking in terms of protect surfaces instead of an attack surface. Protect surfaces should be critical portions of your infrastructure that are small and can be easily known.
2. Map transaction flows. It’s critically important to understand workflows and how data moves through your organization so the controls and policies you create in the next steps meet the needs of the protect surface(s), Kindervag notes.
3. Architect your environment. Identify where you need controls and what form they should take (e.g., policies, processes, technologies, etc.).
4. Create zero trust policies. Keep in mind that your policies may need to shift over time.
5. Monitor and maintain the network. Zero trust is a strategy, not a project with an endpoint.

Kindervag and his team at Forrester agreed that maturity is a good way to measure how well an organization is performing in cybersecurity. They adopted the Carnegie Mellon maturity model, which defines the stages of maturity as: initial, repeatable, defined, managed, and optimized. Kindervag recommends examining each protect surface in your organization through this lens and assigning a maturity score to each.

Garbis noted that this process is inherently iterative, which can help the process feel more manageable. If your organization is new to zero trust, he suggests starting with the smallest possible protect surface, like a code repository, and completing the five steps before moving on to another protect surface.

The biggest challenge for many organizations switching to zero trust, according to Kindervag, is the shift in mentality. Once people make this change, the technical side tends to fall into place. He also said many organizations struggle with purchasing decisions and implementing technologies they’ve already purchased. The key here, Kindervag said, is to remember that your controls, architecture, and technologies all need to work together as a system to achieve the objective, which is to protect the protect surface.

The CISA Zero Trust Maturity Model

John Simms said that CISA developed its original zero trust maturity model in spring 2021 in preparation for Executive Order 14028, which requires federal departments and agencies to develop a zero trust strategy. The CISA zero trust maturity model is based on the definition of zero trust provided by the National Institute of Standards and Technology (NIST) Special Publication 800-207.

Simms described the CISA model as consisting of five pillars representing key functions: identity, devices, networks, applications and workloads, and data. In the Department of Defense (DoD) zero trust reference architecture, which is also largely based on the zero trust architecture defined in NIST Special Publication 800-207, visibility and analytics, automation and orchestration, and governance are treated not as pillars of their own, but as cross-cutting aspects that support each pillar. In contrast to the Forrester zero trust maturity model, the CISA model articulates only four levels of maturity: traditional, initial, advanced, and optimal.

CISA released version 2 of its maturity model this spring. Sean Connelly said this update was driven by the realization that the model needs to be scalable to work with agencies both large and small. Connelly also mentioned that the Solarwinds breach had a large impact on the updated model, as this incident highlighted the need for new ways to protect identities. CISA also worked alongside the White House and the Office of Management and Budget to review zero trust architecture, implementation, and budget plans from large and small agencies. These discussions helped shape version 2 of the maturity model.

The Reality of Zero Trust

Kindervag suggested that both the CISA and Forrester zero trust maturity models are worthwhile because they each show a possible path to zero trust maturity. Because every organization and protect surface is unique, organizations will have to find their own way.

Measuring maturity tends to be difficult. Kindervag stated that most assessors are focused purely on compliance, not maturity or success metrics. This can be dangerous, because as Cunningham pointed out, compliance is not the same as security. Kindervag suggested that maturity metrics should be built into systems, tools, and controls to make it easier to assess maturity. Simms noted that measures and metrics for zero trust success are still in the early stages of development.

Kindervag noted two opportunities that could drive better metrics, however. From one side, vendors are well positioned to describe the maturity levels in their areas of focus. This resonates with customers, but Kindervag said, many vendors shy away from naming other products, even though almost no organization has a homogenous security stack sourced from one vendor. Kindervag has also noticed that cyber insurance carriers are starting to focus more on security maturity under the assumption that a more mature organization will be less likely to experience a breach and therefore require a payout.

On a final note, Kindervag emphasized the importance of simplicity. Humans have a tendency to overcomplicate things, he said, but overcomplication leads to lower adoption. “Greatness in reality beats perfection in conceptualization,” Kindervag said. It’s also important to avoid trying to do too much too quickly or give in to the frustration that “it will never be done.” Garbis summed up the ongoing nature of zero trust with a succinct metaphor: “You’re never done with laundry, either.”