
Where Does Zero Trust Segmentation Slot Into CISA's New Zero Trust Maturity Model?

Last week, CISA released its highly anticipated Zero Trust Maturity Model 2.0 – an updated iteration of the industry-affirming Zero Trust Maturity Model (ZTMM) first released back in 2021.  

At a high level, CISA’s ZTMM outlines how modern organizations can build cyber resilience “within a rapidly evolving environment and technology landscape.” It’s also a critical extension of the Biden Administration's 2021 Executive Order on Improving the Nation’s Cybersecurity which required federal agencies to develop and implement a Zero Trust Architecture (ZTA).

While light on specifics and, overall, a more general outline of longer-term federal resilience objectives (as architecture guides like these often are), it’s always promising to see federal Zero Trust momentum continue! And with segmentation guidance sprinkled throughout, across pillars and maturity levels, updated guidance like this will help federal agencies more effectively achieve their cyber resilience objectives.

Here’s where segmentation slots in

Oftentimes, when people in federal IT think of segmentation, the first thing they think of is the network. The updated ZTMM is no different. Network Segmentation is included as an entire technical capability in section 5.3 – pertaining to the Network Pillar of CISA’s ZTA. CISA writes that in the initial stage, Network Segmentation looks like this: “Agency begins to deploy network architecture with the isolation of critical workloads, constraining connectivity to least function principles, and a transition toward service-specific interconnections.”  

In practical terms, this means beginning to practice least privilege (i.e., limiting implicit trust) and segmenting critical workloads away from the rest of the network. Sounds simple enough, right?

CISA then expands on what Network Segmentation functionality looks like across maturity levels – from implementing macrosegmentation at the traditional level, to applying finer-grained microsegmentation in the advanced and optimal stages.

For advanced federal agencies, Network Segmentation application can look like this: “Agency expands deployment of endpoint and application profile isolation mechanisms to more of their network architecture with ingress/egress microperimeters and service-specific interconnections.”  

With solutions like Illumio Endpoint, Illumio makes it simple and seamless for organizations across maturity levels to apply Zero Trust Segmentation (ZTS) all the way to the endpoint.  

ZTS principles are not just limited to the network bucket. In section 5.4, which discusses application and workload security, CISA writes that in the initial stage: “Agency begins to implement authorizing access capabilities to applications that incorporate contextual information (e.g., identity, device compliance, and/or other attributes) per request with expiration.”  

In the advanced stage, “Agency automates application access decisions with expanded contextual information and enforced expiration conditions that adhere to least privilege principles.”  

These are also places where visibility and segmentation can help – creating enforcement boundaries around identities and devices, enforcing least privilege principles, and automating policies based on verified context.
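The application-access language in section 5.4, authorizing per request from contextual information with an expiration, maps to a policy decision that is recomputed on every use rather than cached. The following is an added example written for this post, not CISA's or Illumio's code. The users, roles, devices and time-to-live value are constructed assumptions. It shows a grant being issued from identity plus device compliance, refused once its expiry passes, and refused again before expiry when the device's posture changes underneath it.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Set

# Constructed directory data (hypothetical, not from the article).
ROLE_RESOURCES: Dict[str, Set[str]] = {
    "payroll-admin": {"payroll-api"},
    "hr-analyst": {"hr-reports"},
}
USER_ROLES: Dict[str, Set[str]] = {"alice": {"payroll-admin"}, "bob": {"hr-analyst"}}

GRANT_TTL_SECONDS = 300  # assumed lifetime; every grant expires and must be re-authorized


@dataclass
class Device:
    owner: str
    compliant: bool  # posture signal (e.g. disk encryption, EDR health) fed in by a device service


@dataclass
class Decision:
    allowed: bool
    reason: str
    expires_at: Optional[float] = None  # absolute time; set only when allowed


def authorize(user: str, device_id: str, resource: str,
              devices: Dict[str, Device], now: float) -> Decision:
    """Per-request decision built from identity, device posture and the requested resource."""
    device = devices.get(device_id)
    if device is None:
        return Decision(False, "unknown-device")
    if device.owner != user:
        return Decision(False, "device-not-bound-to-user")
    if not device.compliant:
        return Decision(False, "device-noncompliant")
    roles = USER_ROLES.get(user, set())
    if not any(resource in ROLE_RESOURCES.get(role, set()) for role in roles):
        return Decision(False, "no-role-for-resource")
    return Decision(True, "ok", expires_at=now + GRANT_TTL_SECONDS)


def use_grant(grant: Decision, user: str, device_id: str, resource: str,
              devices: Dict[str, Device], now: float) -> Decision:
    """Honour an earlier grant only if it is unexpired and its context still holds."""
    if not grant.allowed or grant.expires_at is None:
        return Decision(False, "no-grant")
    if now >= grant.expires_at:
        return Decision(False, "grant-expired")
    # Re-run the contextual checks instead of trusting the cached verdict.
    fresh = authorize(user, device_id, resource, devices, now)
    if not fresh.allowed:
        return Decision(False, "context-changed:" + fresh.reason)
    return Decision(True, "ok", expires_at=grant.expires_at)


def scenario() -> Dict[str, str]:
    """Walk through a constructed sequence of requests and return the reason for each outcome."""
    devices = {"laptop-1": Device("alice", True), "laptop-2": Device("bob", False)}
    out: Dict[str, str] = {}
    grant = authorize("alice", "laptop-1", "payroll-api", devices, now=0)
    out["alice-initial"] = grant.reason
    out["alice-t100"] = use_grant(grant, "alice", "laptop-1", "payroll-api", devices, now=100).reason
    out["alice-t400"] = use_grant(grant, "alice", "laptop-1", "payroll-api", devices, now=400).reason
    devices["laptop-1"].compliant = False  # posture drifts mid-session
    out["alice-after-drift"] = use_grant(grant, "alice", "laptop-1", "payroll-api", devices, now=200).reason
    out["bob-noncompliant"] = authorize("bob", "laptop-2", "hr-reports", devices, now=0).reason
    out["alice-wrong-resource"] = authorize("alice", "laptop-1", "hr-reports", devices, now=0).reason
    out["bob-on-alice-device"] = authorize("bob", "laptop-1", "hr-reports", devices, now=0).reason
    return out


if __name__ == "__main__":
    for step, reason in scenario().items():
        print(f"{step:>22}: {reason}")
```

The ordering of checks matters: the device-to-user binding and compliance are verified before role lookup, so a role that would otherwise permit the resource never overrides a failing device posture, and the expiry is enforced before any re-evaluation so an expired grant is rejected regardless of current context.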

Other key takeaways from a federal CTO

While not necessarily front and center in the new ZTMM, the reality is that segmentation fits across all buckets – and it’s essential (and feasible) for organizations of all Zero Trust levels. Frankly, it’s promising to see the technology finally getting the kudos it deserves, but there’s still work and education to be done.  

Particularly as federal agencies look to reach the more advanced stages of Zero Trust maturity, visibility and segmentation are critical. Visibility across the entire hybrid environment (cloud, on-premises, endpoint, IT/OT) is key to understanding what you have so you know what to protect. And commonsense policy can be put in place to authorize access – based on device compliance or other requirements – providing consistent enforcement without silos.

ZTS isn’t just a proactive control for federal agencies looking to amp up their ZTA. It’s also an essential resilience strategy – ensuring that when federal agencies do get breached, missions can continue unimpeded. In fact, organizations leveraging Illumio ZTS saw a 66% reduction in the impact (or blast radius) of a breach and saved $3.8 million due to fewer outages and downtime. At the end of the day, a true ZTA accounts not only for maturing organizations but also for advanced and persistent threats.

You can learn more about how Illumio’s ZTS can help your federal agency realize your Zero Trust goals.
