/
Zero Trust Segmentation

Where Does Zero Trust Segmentation Slot Into CISA's New Zero Trust Maturity Model?

Last week, CISA released its highly anticipated Zero Trust Maturity Model 2.0 – an updated iteration of the industry-affirming Zero Trust Maturity Model (ZTMM) first released back in 2021.  

At a high level, CISA’s ZTMM outlines how modern organizations can build cyber resilience “within a rapidly evolving environment and technology landscape.” It’s also a critical extension of the Biden Administration's 2021 Executive Order on Improving the Nation’s Cybersecurity which required federal agencies to develop and implement a Zero Trust Architecture (ZTA).

While devoid of the specifics and, overall, a more general outline of longer-term federal resilience objectives (as architecture guides like these often are), it’s always promising to see federal Zero Trust momentum continue! And with segmentation guidance sprinkled throughout, across pillars and maturity levels, updated tactics like these will help federal agencies more effectively achieve their cyber resilience objectives.

Here’s where segmentation slots in

Oftentimes, when people in federal IT think of segmentation, the first thing they think of is the network. The updated ZTMM is no different. Network Segmentation is included as an entire technical capability in section 5.3 – pertaining to the Network Pillar of CISA’s ZTA. CISA writes that in the initial stage, Network Segmentation looks like this: “Agency begins to deploy network architecture with the isolation of critical workloads, constraining connectivity to least function principles, and a transition toward service-specific interconnections.”  

In practical terms, this means to begin practicing least privilege (i.e., limit implicit trust) and start segmenting critical workloads away from the server. Sounds simple enough, right?

CISA then expands on what Network Segmentation functionality looks like across maturity levels – from implementing macrosegmentation at more traditional levels, to applying more coarse-grained microsegmentation in advanced and optimal stages.

For advanced federal agencies, Network Segmentation application can look like this: “Agency expands deployment of endpoint and application profile isolation mechanisms to more of their network architecture with ingress/egress microperimeters and service-specific interconnections.”  

With solutions like Illumio Endpoint, Illumio makes it simple and seamless for organizations across maturity levels to apply Zero Trust Segmentation (ZTS) all the way to the endpoint.  

ZTS principles are not just limited to the network bucket. In section 5.4, which discusses application and workload security, CISA writes that in the initial stage: “Agency begins to implement authorizing access capabilities to applications that incorporate contextual information (e.g., identity, device compliance, and/or other attributes) per request with expiration.”  

In the advanced stage, “Agency automates application access decisions with expanded contextual information and enforced expiration conditions that adhere to least privilege principles.”  

These are also places where visibility and segmentation can help – creating enforcement boundaries around identities and devices, enforcing least privilege principles, and automating policies based on verified context.

Other key takeaways from a federal CTO

While not necessarily front and center in the new ZTMM, the reality is that segmentation fits across all buckets – and it’s essential (and feasible) for organizations of all Zero Trust levels. Frankly, it’s promising to see the technology finally getting the kudos it deserves, but there’s still work and education to be done.  

Particularly as federal agencies look to reach the more advanced stages of Zero Trust maturity, visibility and segmentation are critical. Visibility across the entire hybrid environment (cloud, on-premises, endpoint, IT/OT) is key to understanding what you have so you know what to protect. And commonsense policy can be put in place to authorize access – based on device compliance or other requirements – providing consistent enforcement without silos.

ZTS isn’t just a proactive control for federal agencies looking to amp up their ZTA. It’s also an essential proactive strategy – ensuring that when federal agencies do get breached, missions can continue unimpeded. In fact, organizations leveraging Illumio ZTS saw a 66% reduction in the impact (or blast radius) of a breach and saved $3.8 million due to fewer outages and downtime. At the end of the day, a true ZTA accounts for both maturing organizations but also advanced and persistent threats.

You can learn more about how Illumio’s ZTS can help your federal agency realize your Zero Trust goals.

Related topics

Related articles

The Evolution of Adaptive Segmentation
Zero Trust Segmentation

The Evolution of Adaptive Segmentation

Illumio’s initial innovation around the Adaptive Security Platform (ASP) came to address those challenges directly. Some key foundational elements were identified that would allow us to build our solution:

10 Reasons State and Local Governments Should Implement Zero Trust Segmentation
Zero Trust Segmentation

10 Reasons State and Local Governments Should Implement Zero Trust Segmentation

Learn how state and local governments can leverage microsegmentation to secure their critical data, assets, and systems.

Cybersecurity Awareness Month: Our Top 5 Segmentation Tips for a More Secure Organization
Zero Trust Segmentation

Cybersecurity Awareness Month: Our Top 5 Segmentation Tips for a More Secure Organization

This Cybersecurity Awareness Month, take note of these five Zero Trust Segmentation tips to protect your organization and limit damage from ransomware and cyberattacks.

7 Reasons Why the Federal Sector Should Choose Illumio for Zero Trust Segmentation
Zero Trust Segmentation

7 Reasons Why the Federal Sector Should Choose Illumio for Zero Trust Segmentation

Learn how Illumio provides superior, reliable microsegmentation for branches of the Federal sector.

3 Challenges Federal Agencies Face When Implementing Modern Cybersecurity
Cyber Resilience

3 Challenges Federal Agencies Face When Implementing Modern Cybersecurity

The U.S. federal government collects the personal information of almost every citizen. And federal agencies hold valuable data, some of which could put the country in danger if it was released.

Gerald Caron Shares 5 Zero Trust Insights for Federal Agencies
Zero Trust Segmentation

Gerald Caron Shares 5 Zero Trust Insights for Federal Agencies

Gerald Caron, former CIO at the U.S. Dept. of Health and Human Services, discusses Zero Trust insights and implementing cybersecurity at government agencies.

Assume Breach.
Minimize Impact.
Increase Resilience.

Ready to learn more about Zero Trust Segmentation?