CISA
Cybersecurity and Infrastructure Security Agency (CISA):
(1) CISA's Cloud Security Reference Architecture (TRA)
(2) CISA's Trusted Internet Connection 3.0 (TIC 3.0)
(3) CISA's Secure Cloud Business Applications (SCuBA)
CISA Website:
BLUF: CISA is the operational lead for federal cybersecurity and the national coordinator for critical infrastructure security and resilience. They are designed for collaboration and partnership. Learn about our layered mission to reduce the nation’s cyber and physical infrastructure risk. -- Mission -- We lead the national effort to understand, manage, and reduce risk to our cyber and physical infrastructure. -- Vision -- A secure and resilient critical infrastructure for the American people.
CISA's Cloud & ZT Security in Depth Guidance. (3)
CISA's Cloud Security Reference Architecture (TRA) v2.0 -- BLUF: (1) Start Here: This is your foundational strategic document. It defines the "what" and "why" of secure cloud adoption and introduces the necessity of Zero Trust principles within a cloud context. It's the high-level blueprint. (2) To guide agencies (offers strategic direction, vision, high-level) in adopting cloud technology. To identify, detect, protect, respond, and recover from cyber incidents while improving cybersecurity across the .gov enterprise. As outlined in Section 3(c)(ii) of EO 14028.
TIC 3.0 Security Capabilities Catalog (~116 capabilities) (TIC 3.0) -- BLUF: (1) Next (Architectural): Once you have the strategic direction from the TRA, TIC 3.0 helps you design the secure network architecture and connectivity required for your distributed cloud environment. It addresses "how" and "where" secure traffic flows, aligning with the TRA's principles. (2) Provides ~116 security capabilities (offers an architectural framework) aligned with ZT to secure network architectures in cloud and remote-work environments.
CISA's Secure Cloud Business Applications (SCuBA) -- BLUF: (1) Next (Implementation): With your strategy and network architecture in place, SCuBA provides the concrete, actionable baselines and tools to secure your specific SaaS applications. This is the tactical "how-to" for widely used cloud business apps. (2) SCuBA provides tailored cloud solutions guidance and secure configuration baselines (SCBs) for Microsoft 365 (M365) and Google Workspace (GWS) applications. (3) Takes the high-level principles of the TRA and the architectural guidance of TIC 3.0 and translates (offers) them into concrete, specific, actionable SaaS application settings (configurations), security baselines, and automated assessment tools specifically for widely used SaaS business applications (like Microsoft 365 and Google Workspace). It answers, "How do I configure these specific cloud applications to be secure?" and "How can I assess my compliance with those secure configurations?" -- SCuBA is more tactical and product-specific.
Secure Configuration Baselines (SCBs): Detailed, prescriptive configurations for specific SaaS platforms (e.g., M365, Google Workspace) to minimize vulnerabilities and align with best practices.
Tools:
ScubaGear (for M365) is a no-cost assessment tool that verifies M365 tenant configuration alignment to the policies described in SCuBA’s secure configuration baselines. CISA has made this tool and the baselines available to all agencies and private sector organizations seeking security improvements. Visit CISA’s GitHub and PowerShell Gallery to view the M365 baselines and download the ScubaGear assessment tool. -- See Microsoft's Baseline implementation guidance of 7 MS products.
ScubaGoggles (for Google).
Next actions would be continuous assessment, monitoring, and improvement, or perhaps operations and incident response.
CISA's ZTMM:
Reference Hub: https://zerotrust.cyber.gov/
ZTMM v2 -- BLUF -- EO 14028, "Improving the Nation's Cybersecurity," pushes agencies to adopt Zero Trust Cybersecurity Principles and adjust their network architectures accordingly.
PDF: https://www.cisa.gov/sites/default/files/2023-04/zero_trust_maturity_model_v2_508.pdf (April 2023, Version 2.0)
Federal ZT Strategy: https://zerotrust.cyber.gov/federal-zero-trust-strategy/
CISA's "Objectives" to "EO 14028 Goals": 🛑
EO Key Points/Goals (6): (1) Remove Barriers to Threat Information Sharing Between Government and the Private Sector. (2) Modernize and implement stronger cybersecurity standards in the federal government. (3) Improve software supply chain security. (4) Establish a Cyber Safety Review Board. (5) Create a Standardized Playbook for Responding to Cybersecurity Vulnerabilities and Incidents. (6) Improve Investigative and Remediation Capabilities. -- Each above Key Points/Goals has Sub-Goals.
CISA's "Objectives" to #1-EO Key Points/Goals.
Technical Reference Architecture (TRA) in Cloud Security: (Link1, Link2) -- What is a TRA? -- A blueprint or roadmap that outlines the recommended structure and components for building a specific type of system or solution -- Includes (5) -- (1) Recommended technologies and components: The TRA suggests specific hardware, software, and services that are suitable for the particular system. This might include infrastructure elements like servers, networks, and security tools, as well as application components like databases, middleware, and specific software functionalities. (2) Reference diagrams and models: The TRA typically includes diagrams and models that visually represent the architecture, showing how different components interact and connect. This provides a clear picture of the overall system design. (3) Best practices and standards: The TRA incorporates industry best practices and standards relevant to the type of system being built. This ensures that the system is secure, reliable, and scalable. (4) Security considerations: Security is a crucial element of any architecture, and the TRA will outline specific security measures and controls to be implemented. (5) Scalability and performance guidelines: The TRA addresses how the system can be scaled to meet future demands and how to achieve optimal performance.
Zero Trust Principles to Enterprise Mobility: https://www.cisa.gov/sites/default/files/2023-01/Zero_Trust_Principles_Enterprise_Mobility_For_Public_Comment_508C.pdf
Federal Government Cybersecurity Incident & Vulnerability Response -- BLUF -- Operational Procedures for Planning and Conducting Cybersecurity Incident and Vulnerability Response Activities in FCEB Systems (Playbooks). This document presents two playbooks: one for "Incident Response" and one for "Vulnerability Response."
CISA's 5-Pillars and 37-Functions:
Pillars (5) -- (1) Identity; (2) Devices; (3) Networks; (4) Apps & Workloads; (5) Data; (>) Cross-Cutting Capabilities.
Pillar-1: Identity
Functions (7): (1) Authentication (2) Identity Stores (3) Risk Assessments (4) Access Management (New Function) (5) Visibility and Analytics Capability (6) Automation and Orchestration Capability; (7) Governance Capability. ~ Note: Each function has maturity level definitions; see pages 13–15.
Pillar-2: Devices
Functions (7): (1) Policy Enforcement & Compliance Monitoring (New Function); (2) Asset & Supply Chain Risk Management (New Function); (3) Resource Access (Formerly Data Access); (4) Device Threat Protection (New Function); (5) Visibility and Analytics Capability; (6) Automation and Orchestration Capability; (7) Governance Capability. ~ Note: Each function has maturity level definitions; see pages 16–19.
Pillar-3: Networks
Functions (7): (1) Network Segmentation; (2) Network Traffic Management (New Function); (3) Traffic Encryption (Formerly Encryption); (4) Network Resilience (New Function); (5) Visibility and Analytics Capability; (6) Automation and Orchestration Capability; (7) Governance Capability. ~ Note: Each function has maturity level definitions; see pages 20-22.
Pillar-4: Applications and Workloads
Functions (8): (1) Application Access (Formerly Access Authorization); (2) Application Threat Protections (Formerly Threat Protections); (3) Accessible Applications (Formerly Accessibility); (4) Secure Application Development and Deployment Workflow (New Function); (5) Application Security Testing (Formerly Application Security); (6) Visibility and Analytics Capability; (7) Automation and Orchestration Capability; (8) Governance Capability. ~ Note: Each function has maturity level definitions; see pages 23-25.
Pillar-5: Data
Functions (8): (1) Data Inventory Management; (2) Data Categorization (New Function); (3) Data Availability (New Function); (4) Data Access; (5) Data Encryption; (6) Visibility and Analytics Capability; (7) Automation and Orchestration Capability; (8) Governance Capability. ~ Note: Each function has maturity level definitions; see pages 26-28.
Cross-Cutting Capabilities (3) / Functions (3): These functions provide opportunities to integrate advancements across each of the five pillars above. [pg. 29-30]
Visibility and Analytics: Supports comprehensive visibility that informs policy decisions and facilitates response activities. ~ Note: This function has maturity level definitions; see pages 29-30.
Automation and Orchestration -- Leverage these insights to support robust and streamlined operations to handle security incidents and respond to events as they arise. ~ Note: This function has maturity level definitions; see pages 29-30.
Governance (2) -- (1) Enables agencies to manage and monitor their regulatory, legal, environmental, federal, and operational requirements in support of risk-based decision-making. (2) Also ensures the right people, processes, and technology are in place to support mission, risk, and compliance objectives. ~ Note: This function has maturity level definitions; see pages 29-30.
CISA's Maturity Levels.
BLUF: The below maturity levels are the measurements that coincide with the above pillars.
Maturity Levels: (4)
Traditional—manually configured lifecycles (i.e., from establishment to decommissioning) and assignments of attributes (security and logging); static security policies and solutions that address one pillar at a time with discrete dependencies on external systems; least privilege established only at provisioning; siloed pillars of policy enforcement; manual response and mitigation deployment; and limited correlation of dependencies, logs, and telemetry. ~ Note: Not used in HHS.
Initial—starting automation of attribute assignment and configuration of lifecycles, policy decisions, and enforcement, and initial cross-pillar solutions with integration of external systems; some responsive changes to least privilege after provisioning; and aggregated visibility for internal systems.
Advanced—wherever applicable, automated controls for lifecycle and assignment of configurations and policies with cross-pillar coordination; centralized visibility and identity control; policy enforcement integrated across pillars; response to pre-defined mitigations; changes to least privilege based on risk and posture assessments; and building toward enterprise-wide awareness (including externally hosted resources).
Optimal—fully automated, just-in-time lifecycles and assignments of attributes to assets and resources that self-report with dynamic policies based on automated/observed triggers; dynamic least privilege access (just enough and within thresholds) for assets and their respective dependencies enterprise-wide; cross-pillar interoperability with continuous monitoring; and centralized visibility with comprehensive situational awareness.
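As an added example (not CISA's code, and not any CISA assessment tool), the pillars and functions listed above combined with the four maturity levels into a small self-assessment roll-up in Python: each function of a pillar is rated at one of the four levels, the pillar is scored at the level of its least mature function (that roll-up rule is this example's assumption, not something the ZTMM states), and the report lists which functions must move up before the pillar reaches its next level. An unrated function counts as Traditional and surfaces as a gap rather than disappearing. The sample ratings are constructed, and the function names (assess, pillar_maturity, gaps, next_target) are hypothetical.

```python
"""ZTMM v2 self-assessment roll-up (added example; not CISA's code or tool).

Pillar and function names follow the notes above. The roll-up rule (a pillar
is only as mature as its least mature function) and the sample worksheet are
assumptions constructed for this example.
"""

# Maturity levels in ZTMM v2 order, lowest first.
LEVELS = ["Traditional", "Initial", "Advanced", "Optimal"]

# The three cross-cutting capabilities are assessed as functions of every pillar.
CROSS_CUTTING = ["Visibility and Analytics", "Automation and Orchestration", "Governance"]

# Pillar -> pillar-specific functions (ZTMM v2 names as listed above).
PILLAR_FUNCTIONS = {
    "Identity": ["Authentication", "Identity Stores", "Risk Assessments",
                 "Access Management"],
    "Devices": ["Policy Enforcement & Compliance Monitoring",
                "Asset & Supply Chain Risk Management", "Resource Access",
                "Device Threat Protection"],
    "Networks": ["Network Segmentation", "Network Traffic Management",
                 "Traffic Encryption", "Network Resilience"],
    "Applications and Workloads": [
        "Application Access", "Application Threat Protections",
        "Accessible Applications",
        "Secure Application Development and Deployment Workflow",
        "Application Security Testing"],
    "Data": ["Data Inventory Management", "Data Categorization",
             "Data Availability", "Data Access", "Data Encryption"],
}


def all_functions(pillar):
    """Every function assessed under a pillar: its own plus the cross-cutting three."""
    return PILLAR_FUNCTIONS[pillar] + CROSS_CUTTING


def level_index(level):
    """Position of a level in the maturity order; rejects misspelled levels."""
    if level not in LEVELS:
        raise ValueError(f"unknown maturity level {level!r}; expected one of {LEVELS}")
    return LEVELS.index(level)


def validate(ratings):
    """Reject unknown pillars, functions and levels before scoring, so a typo in
    a worksheet cannot silently turn into a 'Traditional' gap."""
    for pillar, rated in ratings.items():
        if pillar not in PILLAR_FUNCTIONS:
            raise ValueError(f"unknown pillar {pillar!r}")
        for func, level in rated.items():
            if func not in all_functions(pillar):
                raise ValueError(f"{func!r} is not a function of the {pillar} pillar")
            level_index(level)


def pillar_maturity(ratings, pillar):
    """Roll-up rule (this example's assumption): the pillar sits at the level of
    its least mature function. A function with no rating counts as Traditional."""
    rated = ratings.get(pillar, {})
    lowest = min(level_index(rated.get(f, "Traditional")) for f in all_functions(pillar))
    return LEVELS[lowest]


def next_target(ratings, pillar):
    """The next level to plan for, or None once the pillar is Optimal."""
    i = level_index(pillar_maturity(ratings, pillar))
    return LEVELS[i + 1] if i + 1 < len(LEVELS) else None


def gaps(ratings, pillar, target):
    """Functions of the pillar rated below `target`, as (function, current level)."""
    rated = ratings.get(pillar, {})
    t = level_index(target)
    return [(f, rated.get(f, "Traditional")) for f in all_functions(pillar)
            if level_index(rated.get(f, "Traditional")) < t]


def assess(ratings):
    """Per-pillar report: current level, next target, and the functions that must
    move up before the pillar as a whole reaches that target."""
    validate(ratings)
    report = {}
    for pillar in PILLAR_FUNCTIONS:
        level = pillar_maturity(ratings, pillar)
        target = next_target(ratings, pillar)
        report[pillar] = {"level": level, "next_target": target,
                          "gaps": gaps(ratings, pillar, target) if target else []}
    return report


# Constructed sample worksheet for a hypothetical agency (not real assessment data).
SAMPLE_RATINGS = {
    "Identity": {"Authentication": "Advanced", "Identity Stores": "Initial",
                 "Risk Assessments": "Initial", "Access Management": "Advanced",
                 "Visibility and Analytics": "Initial",
                 "Automation and Orchestration": "Initial", "Governance": "Advanced"},
    # "Asset & Supply Chain Risk Management" was never rated: it holds the whole
    # pillar at Traditional and is reported as the single gap to Initial.
    "Devices": {"Policy Enforcement & Compliance Monitoring": "Initial",
                "Resource Access": "Initial", "Device Threat Protection": "Advanced",
                "Visibility and Analytics": "Initial",
                "Automation and Orchestration": "Initial", "Governance": "Initial"},
    "Networks": {f: "Optimal" for f in all_functions("Networks")},
    "Applications and Workloads": {f: "Advanced" for f in all_functions("Applications and Workloads")},
    "Data": {**{f: "Initial" for f in all_functions("Data")}, "Data Encryption": "Advanced"},
}

if __name__ == "__main__":
    for pillar, r in assess(SAMPLE_RATINGS).items():
        print(f"{pillar}: {r['level']} -> next {r['next_target']}, {len(r['gaps'])} gap(s)")
        for func, level in r["gaps"]:
            print(f"    {func}: {level}")
```

The minimum rule is deliberately unforgiving: an agency that has automated everything in Networks except Traffic Encryption is still reporting Traditional for that pillar, which is what keeps a roadmap honest. Swap the `min` for another rule if your program defines pillar maturity differently, but keep `validate` so that worksheet typos fail loudly.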
CISA's ZT Maturity Model (ZTMM): Implementing Zero Trust (ZT) is a process, not a one-time event.
CISA ZTMM v2.0:
PDF: https://www.cisa.gov/sites/default/files/2023-04/zero_trust_maturity_model_v2_508.pdf -- (April 2023, Version 2.0)
Description: CISA's ZTMM provides a framework for organizations to assess their Zero Trust maturity level and identify areas for improvement. It helps you understand where you are on your Zero Trust journey and what steps to take next.
Value: It offers a practical roadmap for implementation, breaking down Zero Trust into manageable stages and providing actionable guidance.
Not-CISA, but Use for Knowledge: (5⭐)
The ZTMM Resource Center (by Numberline Security). -- BLUF: Provides an Overview; Free Interactive worksheets; CISA ZTMM Pillar Image; AV-2 of each Pillar & Maturity Model; Etc.
Zero Trust Technical Reference Architecture: https://www.cisa.gov/zero-trust-maturity-model
Executive Office of the President, OMB, M-22-09: Federal ZT Strategy: Shows each Pillar with "Vision" statement and "Action" (aka "Objective") statements: https://www.whitehouse.gov/wp-content/uploads/2022/01/M-22-09.pdf
Pillars (5): -- BLUF: Pillars are derived from CISA. Each Pillar (1) Identity, (2) Devices, (3) Networks, (4) Applications and Workloads, and (5) Data involves a gradual progression through four maturity levels: (1) Traditional, (2) Initial, (3) Advanced, and (4) Optimal. Each maturity level builds upon the previous one, enhancing your security posture. -- Also -- See OMB's M-22-09: Federal ZT Strategy, showing each pillar with a "Vision" statement and an "Action" (aka "Objectives") statement (link: https://www.whitehouse.gov/wp-content/uploads/2022/01/M-22-09.pdf).
Here's a breakdown of each pillar (aka Goals) with maturity levels (aka Objectives) based on CISA:
Identity (w/ Initial maturity steps): BLUF -- An identity refers to an attribute or set of attributes that uniquely describes an agency user or entity, including non-person entities. -- Agencies should ensure and enforce user and entity access to the right resources at the right time for the right purpose without granting excessive access. Agencies should integrate identity, credential, and access management solutions where possible throughout their enterprise to enforce strong authentication, grant tailored context-based authorization, and assess identity risk for agency users and entities. Agencies should integrate their identity stores and management systems, where appropriate, to enhance awareness of enterprise identities and their associated responsibilities and authorities. Table 2 lists identity functions about zero trust and considerations for Visibility and Analytics, Automation and Orchestration, and Governance within the context of identity.
This pillar focuses on authenticating and authorizing users and devices before granting access to resources. It involves creating a unified identity and access management (IAM) system and implementing multi-factor authentication (MFA) for all users. The maturity steps are:
Traditional Level (3): (1) Basic user authentication: Utilize traditional methods like passwords and multi-factor authentication (MFA). (2) Limited user segmentation: Implement basic access controls based on pre-defined groups or roles. (3) Static provisioning: Manually manage user accounts and permissions.
Initial Level (4): (1) Stronger authentication: Introduce advanced MFA methods like hardware tokens or biometrics. (2) Dynamic user segmentation: Implement context-aware access controls based on user attributes, device characteristics, and access requests. (3) Automated provisioning and de-provisioning: Use automated tools to manage user accounts and permissions based on lifecycle events. (4) Identity federation: Enable single sign-on (SSO) for integrated access across internal and external applications.
Advanced Level (3): (1) Continuous authentication: Monitor user activity and device posture for continuous risk assessment and adaptive access control. (2) Zero-knowledge authentication: Implement passwordless authentication methods for improved security and user experience. (3) Identity threat detection and response: Use advanced analytics to identify and respond to suspicious identity-related activities.
Optimal Level (3) (1) Adaptive authentication and authorization: Automatically adjust security measures based on dynamic risk assessment and user context. (2) Self-sovereign identity: Empower users with control over their identity data and credentials. (3) Biometric verification for high-risk access: Utilize advanced biometric verification for critical systems and privileged access.
Devices (w/ Initial maturity steps) (2): (1) This pillar focuses on securing all IoT devices that connect to an organization’s network. It involves creating a comprehensive inventory of all devices connected to the organization's network and implementing endpoint detection and response (EDR) solutions. (2) ZTMM emphasizes securing all devices, not just specific endpoint categories. This includes laptops, desktops, mobile devices, servers, switches, routers, and even printers. The focus is on securing these devices through patching, endpoint security software, data loss prevention (DLP), and configuration management.
The maturity steps are:
Traditional Level (3): (1) Basic endpoint protection: Utilize traditional antivirus and anti-malware software. (2) Limited device inventory and management: Maintain manual records of connected devices and their configurations. (3) Static device access controls: Apply basic network segmentation to separate devices based on type or function.
Initial Level (4): (1) Advanced endpoint protection: Deploy next-generation antivirus (NGAV) and endpoint detection and response (EDR) solutions. (2) Automated device inventory and management: Implement tools for discovering, identifying, and monitoring all connected devices. (3) Dynamic device access controls: Enforce context-aware access controls based on device posture, risk assessment, and user authorization. (4) Endpoint encryption: Encrypt sensitive data at rest and in transit.
Advanced Level (4): (1) Continuous device monitoring and patching: Implement automated vulnerability scanning and patching processes for endpoint software. (2) Application whitelisting and blacklisting: Restrict execution to authorized applications only. (3) Endpoint isolation and containment: Ability to isolate compromised devices to prevent lateral movement of threats. (4) Zero-trust endpoint access: Implement multi-factor authentication (MFA) and device posture verification for access to sensitive resources.
Optimal Level (3): (1) Predictive analytics and threat intelligence: Utilize advanced analytics to predict and prevent cyberattacks targeting endpoints. (2) Self-healing endpoints: Implement endpoint software with self-healing capabilities to remediate threats automatically. (3) Secure boot and hardware-based security: Leverage hardware-based security features like Trusted Platform Modules (TPMs) for enhanced endpoint protection.
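The Identity pillar's Initial-level "context-aware access controls based on user attributes, device characteristics, and access requests" and the Devices pillar's Initial-level "dynamic device access controls based on device posture, risk assessment, and user authorization" describe the same decision point from two sides. As an added example (not CISA's code or a description of any agency's implementation), the following Python sketches that decision point: a request is first authorized on role, exactly as a Traditional-level control would do, then scored on authentication and device context, with stricter thresholds for more sensitive resources and step-up authentication between allow and deny. All attributes, weights, thresholds and sample subjects, devices and resources are assumptions constructed for this example; the names (decide, risk_score, static_allow, Verdict) are hypothetical.

```python
"""Context-aware access decision (added example; not CISA's code).

Authorization on role comes first (the Traditional-level control), then the
request is scored on user and device context and compared against thresholds
set by the resource's sensitivity. Weights and thresholds are assumptions.
"""
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"
    STEP_UP = "step-up"   # re-authenticate with phishing-resistant MFA first
    DENY = "deny"


@dataclass
class Subject:
    user: str
    roles: set
    mfa: str              # "none", "otp" or "phishing_resistant"
    session_age_min: int


@dataclass
class DevicePosture:
    managed: bool         # enrolled in the organization's device management
    edr_healthy: bool
    disk_encrypted: bool
    patch_age_days: int


@dataclass
class Resource:
    name: str
    sensitivity: str      # "low", "moderate" or "high"
    allowed_roles: set


@dataclass
class Verdict:
    decision: Decision
    score: int
    reasons: list


# (step-up at, deny at) risk thresholds per sensitivity; an assumption of this example.
THRESHOLDS = {"low": (6, 9), "moderate": (3, 6), "high": (1, 3)}


def static_allow(subject, resource):
    """Traditional-level control: role membership alone decides access."""
    return bool(subject.roles & resource.allowed_roles)


def risk_score(subject, device):
    """Additive risk from device posture and authentication context."""
    score, reasons = 0, []
    if not device.edr_healthy:
        score, reasons = score + 3, reasons + ["EDR agent missing or unhealthy"]
    if not device.disk_encrypted:
        score, reasons = score + 2, reasons + ["disk not encrypted"]
    stale = min(device.patch_age_days // 30, 3)   # +1 per 30 days unpatched, capped at 3
    if stale:
        score, reasons = score + stale, reasons + [f"patches {device.patch_age_days} days old"]
    if subject.mfa == "none":
        score, reasons = score + 2, reasons + ["no MFA"]
    elif subject.mfa == "otp":
        score, reasons = score + 1, reasons + ["MFA not phishing-resistant"]
    if subject.session_age_min > 480:
        score, reasons = score + 1, reasons + ["session older than 8 hours"]
    return score, reasons


def decide(subject, device, resource):
    """Context-aware decision: authorize on role, then evaluate context against
    the resource's thresholds. Deny is the default whenever a gate fails."""
    if not static_allow(subject, resource):
        return Verdict(Decision.DENY, 0, ["no authorized role"])
    if resource.sensitivity != "low" and not device.managed:
        return Verdict(Decision.DENY, 0, ["unmanaged device for non-low resource"])
    score, reasons = risk_score(subject, device)
    step_up_at, deny_at = THRESHOLDS[resource.sensitivity]
    if score >= deny_at:
        return Verdict(Decision.DENY, score, reasons)
    fresh_strong_auth = subject.mfa == "phishing_resistant" and subject.session_age_min <= 60
    if score >= step_up_at and not fresh_strong_auth:
        return Verdict(Decision.STEP_UP, score, reasons)
    return Verdict(Decision.ALLOW, score, reasons)


# Constructed sample subjects, devices and resources (not real data).
ANALYST = Subject("analyst01", {"analyst"}, "phishing_resistant", 20)
ANALYST_OTP = Subject("analyst02", {"analyst"}, "otp", 20)
CONTRACTOR = Subject("vendor07", {"contractor"}, "otp", 30)
HEALTHY_LAPTOP = DevicePosture(managed=True, edr_healthy=True, disk_encrypted=True, patch_age_days=10)
SICK_LAPTOP = DevicePosture(managed=True, edr_healthy=False, disk_encrypted=True, patch_age_days=10)
BYOD = DevicePosture(managed=False, edr_healthy=False, disk_encrypted=False, patch_age_days=45)
HR_RECORDS = Resource("hr-records", "high", {"hr", "analyst"})
TICKETS = Resource("ticket-queue", "moderate", {"contractor", "analyst"})
WIKI = Resource("wiki", "low", {"contractor", "analyst"})

if __name__ == "__main__":
    for s, d, r in [(ANALYST, HEALTHY_LAPTOP, HR_RECORDS), (ANALYST, SICK_LAPTOP, HR_RECORDS),
                    (CONTRACTOR, BYOD, WIKI), (CONTRACTOR, BYOD, TICKETS)]:
        v = decide(s, d, r)
        print(f"{s.user} -> {r.name}: static={static_allow(s, r)} "
              f"zt={v.decision.value} score={v.score} {v.reasons}")
```

The instructive case is the analyst whose laptop has lost its EDR agent: the role check still passes, so a Traditional-level control allows the request, while the context-aware decision denies it for a high-sensitivity resource. The reasons list is what an operator needs in the log to tell a posture problem from an authorization problem.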
Networks (w/ Initial maturity steps) (2): (1) This pillar focuses on securing all network traffic, regardless of the user’s location or resource. It involves implementing network segmentation and micro-segmentation to limit resource access and use secure communication protocols such as Transport Layer Security (TLS). (2) Also limits lateral movement in case of a breach. It also involves securing network devices like firewalls, intrusion detection and prevention systems (IDS and IPS), and wireless access points.
The maturity steps are:
Traditional Level (3): [OV-1] (1) Basic network segmentation: Separate networks based on high-level classifications like "public," "internal," and "restricted." (2) Static network access controls: Apply fixed firewall rules and access control lists (ACLs) based on IP addresses or subnets. (3) Limited network visibility and monitoring: Rely on basic network monitoring tools for rudimentary traffic analysis.
Initial Level (4): [OV-1] (1) Microsegmentation: Implement granular network segmentation to isolate critical systems and resources. (2) Dynamic network access controls: Enforce context-aware access controls based on user identity, device posture, and application data. (3) Network traffic encryption: Encrypt sensitive data in transit across the network. (4) Advanced network visibility and monitoring: Utilize security information and event management (SIEM) tools for comprehensive network traffic analysis and threat detection.
Advanced Level (4): [OV-1] (1) Zero-trust network access (ZTNA): Implement ZTNA solutions for least-privilege access and continuous authorization for all network connections. (2) Intrusion detection and prevention systems (IDS/IPS): Deploy IDS/IPS systems to detect and block malicious network activity. (3) Network traffic analysis (NTA): Utilize NTA tools for in-depth analysis of network traffic behavior to identify anomalies and potential threats. (4) Automated network security response: Implement automated incident response playbooks for efficient threat mitigation.
Optimal Level (4): (1) Self-healing networks: Leverage tools with automated remediation capabilities to quickly address network security incidents. (2) Deception technology: Deploy deception techniques to lure attackers and gather intelligence on their tactics. (3) Network security validation: Regularly conduct penetration testing and red teaming exercises to identify and address network vulnerabilities. (4) Continuous network security improvement: Implement a culture of continuous improvement with ongoing monitoring, evaluation, and optimization of network security controls.
Applications and Workloads (w/ Initial maturity steps): This pillar focuses on securing all applications and workloads, whether they’re hosted on-premises or in the cloud. It involves implementing application-level access controls and using secure coding practices to prevent vulnerabilities. It also involves implementing least privilege access control, application whitelisting, vulnerability management, and data encryption for sensitive data.
The maturity steps are:
Traditional Level (3): (1) Basic access controls: Apply user-based access controls to applications and workloads. (2) Limited visibility and monitoring: Rely on basic logging and monitoring tools for rudimentary application and workload activity tracking. (3) Static security configurations: Apply manual security configurations to applications and workloads.
Initial Level (4): [OV-1] (1) Least-privilege access control: Implement granular access controls based on user roles and application context. (2) Application-level security tools: Deploy web application firewalls (WAFs) and other application-specific security tools. (3) Security information and event management (SIEM): Integrate application and workload logs with SIEM systems for centralized monitoring and threat detection. (4) Dynamic security configurations: Implement automated security configuration management tools.
Advanced Level (4): [OV-1] (1) Zero-trust application access (ZTNA): Leverage ZTNA solutions for least-privilege access and continuous authorization for all application connections. (2) Containerization and microservices: Utilize containerization and microservices architecture for improved isolation and resilience of applications. (3) DevSecOps integration: Integrate security practices throughout the software development lifecycle (SDLC). (4) Threat intelligence and threat hunting: Utilize threat intelligence feeds and proactive threat-hunting techniques to identify and address potential vulnerabilities in applications and workloads.
Optimal Level (4): [OV-1] (1) Self-healing applications: Implement security tools with automated remediation capabilities to quickly address security incidents in applications and workloads. (2) Runtime application self-protection (RASP): Deploy RASP solutions to monitor and protect applications from runtime attacks. (3) Continuous application security testing (CAST): Regularly conduct automated security testing of applications to identify and address vulnerabilities. (4) Adaptive security posture management (ASPM): Implement ASPM solutions to continuously monitor and optimize the security posture of applications and workloads.
Data (w/ Initial maturity steps): This pillar focuses on securing all data at rest and in transit. This includes data encryption, data loss prevention (DLP), data classification, and data backups.
The maturity steps are:
Traditional Level (3): (1) Basic data classification and labeling: Classify and label data based on sensitivity levels. (2) Limited data access controls: Apply role-based access control (RBAC) for data access. (3) Static data security configurations: Implement fixed data encryption and retention policies.
Initial Level (4): (1) Data loss prevention (DLP): Deploy DLP tools to prevent unauthorized data exfiltration. (2) Dynamic data access controls: Enforce context-aware access controls based on user, device, and data attributes. (3) Data encryption in transit and at rest: Encrypt data at rest and in transit across all storage and transfer channels. (4) Automated data security configuration management: Implement tools for automated data security configuration management.
Advanced Level (4): (1) Data tokenization and anonymization: Utilize data tokenization and anonymization techniques to reduce data exposure. (2) Data security analytics and threat detection: Use advanced analytics to identify and respond to suspicious data activity. (3) Continuous data monitoring and auditing: Continuously monitor and audit data access and manipulation. (4) Data-centric security architecture: Architect security solutions around data protection and data-centric controls.
Optimal Level (4): (1) Self-healing data platforms: Implement solutions with automated data incident response and remediation capabilities. (2) Data residency and sovereignty: Control the physical location and legal jurisdiction of your data. (3) Deception technology for data: Deploy data deception techniques to lure attackers and gather intelligence. (4) Continuous data security improvement:
Planning (Optional)-- (~ Note: This level is NOT in CISA. HHS Added it).
Cross-Cutting Capabilities (3): Cross-Cutting Capabilities span across each Pillar above. (1) Visibility and Analytics, (2) Automation and Orchestration, and (3) Governance.
Visibility and Analytics – Focusing on data analysis allows enterprises to better inform policy decisions and action response activities and build out risk profiles so security teams can proactively take measures before incidents occur.
The maturity steps are:
Traditional Level (3): (1) Basic data collection: Collect data from siloed systems with limited integration. (2) Static reporting and analysis: Generate basic reports using manual analysis techniques. (3) Limited threat detection and response: Rely on pre-defined rules and manual intervention for threat detection and response.
Initial Level (4): (1) Centralized data collection and integration: Implement tools to collect and integrate data from various security solutions across your environment. (2) Automated reporting and basic analytics: Generate automated reports and leverage basic analytics to identify trends and anomalies. (3) Threat detection with rudimentary correlation: Utilize basic correlation rules to identify and alert potential threats. (4) Basic incident response planning and procedures: Establish an initial incident response plan and procedures for handling security incidents.
Advanced Level (4): (1) Advanced data collection and integration: Use advanced data collection tools and techniques to capture broader telemetry across all layers of your infrastructure. (2) Advanced analytics and threat intelligence: Leverage advanced analytics techniques and integrate threat intelligence feeds to identify sophisticated threats and predict security incidents. (3) Automated threat detection and response: Implement automated playbooks for targeted threat response and containment. (4) Incident response optimization and automation: Continuously improve your incident response plan and automate key response processes.
Optimal Level (4): (1) Real-time data processing and analysis: Implement tools for real-time data processing and analysis to enable immediate threat detection and response. (2) Predictive analytics and proactive threat hunting: Utilize advanced predictive analytics and proactive threat hunting techniques to identify and address potential threats before they impact your environment. (3) Automated security orchestration and response: Implement automated security orchestration and response (SOAR) solutions for coordinated and efficient incident response. (4) Continuous improvement and feedback loop: Establish a culture of continuous improvement by evaluating data and incorporating feedback to optimize your security posture.
Automation and Orchestration (2) – (1) Focuses on automating security tasks and workflows to streamline your security operations and response. (2) The automated tools and workflows support security response functions while maintaining oversight, security, and interaction of the development process for such functions, products, and services.
The maturity steps are:
Traditional Level (3): (1) Manual security tasks: Manually execute security tasks and workflows on an ad-hoc basis. (2) Limited scripting and automation: Utilize basic scripts for repetitive tasks but lack centralized or integrated automation. (3) Reactive incident response: Primarily rely on manual intervention for incident response and remediation.
Initial Level (3): (1) Basic security automation tools: Implement basic security automation tools and scripts for routine tasks and security controls enforcement. (2) Work order tracking and management: Establish a system for work order tracking and management to maintain accountability and visibility into completed tasks. (3) Automated incident response playbooks: Develop basic automated playbooks for initial incident response and containment actions.
Advanced Level (3): (1) Security orchestration and automation (SOAR) platform: Implement a centralized SOAR platform to orchestrate and automate diverse security tasks and workflows across all pillars. (2) Automated investigation and remediation: Develop automated processes for incident investigation, root cause analysis, and remediation actions. (3) Integration with external services: Integrate your SOAR platform with external services like threat intelligence feeds and ticketing systems for enhanced response capabilities.
Optimal Level (3): (1) Machine learning and AI-powered automation: Utilize machine learning and AI to automate complex security tasks and decision-making processes. (2) Self-healing security infrastructure: Implement self-healing capabilities within your security controls to automatically address minor incidents and vulnerabilities. (3) Continuous improvement and optimization: Regularly analyze and optimize your automation workflows to continuously improve efficiency and effectiveness.
Governance – This refers to the definition and enforcement of cybersecurity policies, procedures, and processes. Senior leadership in an enterprise holds accountability in managing and mitigating security risks in support of Zero Trust Principles from the top down.
The maturity steps are:
Traditional Level (3): (1) Ad-hoc security decision-making: Security decisions are made reactively without a clear strategy or defined roles and responsibilities. (2) Limited risk management: Basic risk assessments are conducted with minimal mitigation plans and oversight. (3) Compliance-driven security posture: Security efforts primarily focus on compliance with regulations rather than proactive risk mitigation.
Initial Level (4): (1) Zero Trust strategy and roadmap: Develop a formal Zero Trust strategy and roadmap outlining goals, priorities, and timelines for implementation. (2) Defined roles and responsibilities: Establish clear roles and responsibilities for ZTMM implementation and ongoing maintenance. (3) Risk Management Framework: Implement a standardized Risk Management Framework for identifying, assessing, and mitigating security risks across all pillars. (4) Metrics and measurement: Define key performance indicators (KPIs) and metrics to track progress and measure the effectiveness of your ZTMM implementation.
Advanced Level (4): (1) Continuous monitoring and evaluation: Regularly monitor and evaluate your ZTMM implementation, identifying areas for improvement and adaptation. (2) Security awareness and training: Implement ongoing security awareness and training programs for all employees to support a culture of Zero Trust. (3) Incident response and business continuity planning: Develop and test comprehensive incident response and business continuity plans to ensure effective recovery from security incidents. (4) Integration with other governance processes: Integrate ZTMM governance with other existing governance processes and frameworks within your organization.
Optimal Level (4): (1) Automated governance controls: Implement automated governance controls to enforce security policies and compliance requirements consistently. (2) Continuous improvement and feedback loop: Foster a culture of continuous improvement by actively seeking feedback and incorporating it to optimize your ZTMM governance practices. (3) Executive sponsorship and commitment: Secure ongoing executive sponsorship and commitment to ensure ZTMM remains a strategic priority and receives necessary resources. (4) Benchmarking and best practices: Regularly benchmark your ZTMM implementation against industry best practices and adapt your approach accordingly.
Common -- Key Steps to Implement Zero Trust: (4)
1. Know The Company's Security Posture:
Define, then Protect (the Surface): Identify critical data, assets, applications, and services (DAAS) that require the highest level of protection. This helps focus resources and avoid over-complicating access for less critical areas.
Understand your Users and Devices: Categorize users by role, device types, and access needs. This helps with granular access control based on context and risk.
Analyze your Existing Security Posture: Assess existing security controls and identify vulnerabilities or gaps that leave you open to compromise.
2. Design and Define:
Develop your Zero Trust Policy: Establish clear rules and guidelines for access control, authentication, authorization, and data protection. Use the "Who, What, When, Where, Why, and How" approach to define access requirements thoroughly.
Choose Technology and Tools: Select technology solutions that align with your ZT goals and can integrate seamlessly with your existing infrastructure. Consider Multi-Factor Authentication (MFA), Microsegmentation, Secure Access Service Edge (SASE), Data Loss Prevention (DLP), and Endpoint Security. See Azure "Frameworks to Leverage"
Create an Implementation Roadmap: Set a realistic timeline and milestones for deploying Zero Trust components, prioritizing based on your risk assessment and business needs.
3. Implement and Secure:
Focus on Continuous Authentication and Authorization (A&A): Don't rely solely on initial logins; continuously verify user and device identities throughout access sessions.
Enforce Least Privilege Access Control: Grant users only the minimum level of access needed to perform their tasks. This minimizes the potential damage in case of breaches.
Implement Microsegmentation: Divide your network into smaller, logically isolated segments to prevent attackers from moving laterally within your system.
Secure your Endpoints: Deploy endpoint security solutions like antivirus, anti-malware, and endpoint detection and response (EDR) to protect devices from malware and unauthorized access.
Integrate Data Security: Implement tools and policies for data encryption, data loss prevention, and data lifecycle management to protect sensitive information at rest and in transit.
4. Monitor and Adapt:
Continuously Monitor your Network and Systems: Actively look for suspicious activity, security incidents, and anomalies that could indicate potential breaches.
Conduct Regular Security Assessments and Penetration Testing: Identify vulnerabilities and weaknesses in your defenses before attackers do.
Educate and Train Employees: Raise awareness about cybersecurity best practices, phishing scams, and social engineering tactics to empower employees to be part of the defense.
Be Agile and Adapt: The threat landscape constantly evolves, so be prepared to update your Zero Trust strategy and adapt your defenses as needed.
Remember, Zero Trust is not a destination, but a continuous journey. Implementing these steps will put you on the right track toward building a more secure and resilient organization.
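An added example (not CISA's or any vendor's code) of how the "Who, What, When, Where, How" policy from step 2 and the continuous A&A and least-privilege principles from step 3 fit together in a small policy decision point; the roles, resources, segments and posture values are constructed placeholders.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass(frozen=True)
class AccessRequest:
    who: str          # subject role (Who)
    what: str         # DAAS resource requested (What)
    when: datetime    # time of this evaluation, UTC (When)
    where: str        # network segment the device is on (Where)
    how: str          # device posture reported by the endpoint agent (How)
    mfa_age_min: int  # minutes since the last strong (MFA) authentication

# Constructed example policy, one rule per protected resource; anything not
# listed is denied, so least privilege is the default rather than an add-on.
POLICY = {
    "payroll-db": {"who": {"payroll-analyst"}, "where": {"corp-segment"},
                   "how": {"managed-compliant"}, "hours": (7, 19), "max_mfa_age_min": 15},
    "team-wiki": {"who": {"payroll-analyst", "engineer"}, "where": {"corp-segment", "vpn-segment"},
                  "how": {"managed-compliant", "managed-noncompliant"}, "hours": (0, 24),
                  "max_mfa_age_min": 480},
}

def decide(req: AccessRequest) -> tuple[bool, str]:
    """Policy decision point: every field must pass or the request is denied."""
    rule = POLICY.get(req.what)
    if rule is None:
        return False, "no rule for resource (default deny)"
    if req.who not in rule["who"]:
        return False, "role not permitted for resource"
    if req.where not in rule["where"]:
        return False, "network location not permitted"
    if req.how not in rule["how"]:
        return False, "device posture not acceptable"
    start, end = rule["hours"]
    if not start <= req.when.hour < end:
        return False, "outside permitted hours"
    if req.mfa_age_min > rule["max_mfa_age_min"]:
        return False, "re-authentication required"
    return True, "allow"

def evaluate_session(updates: list[AccessRequest]) -> list[str]:
    """Continuous A&A: re-run the decision on every context update, not only at login."""
    return [decide(r)[1] for r in updates]

NINE_AM = datetime(2024, 11, 5, 9, 0, tzinfo=timezone.utc)  # constructed timestamp
# Constructed session: login, then a posture change, then an MFA that has gone stale.
SAMPLE_SESSION = [
    AccessRequest("payroll-analyst", "payroll-db", NINE_AM, "corp-segment", "managed-compliant", 2),
    AccessRequest("payroll-analyst", "payroll-db", NINE_AM, "corp-segment", "managed-noncompliant", 5),
    AccessRequest("payroll-analyst", "payroll-db", NINE_AM, "corp-segment", "managed-compliant", 30),
]
```

The second and third entries show why re-evaluation matters: the same user on the same resource is cut off mid-session when device posture drops or the last strong authentication becomes too old.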
Resources:
National Institute of Standards and Technology (NIST) Special Publication 800-207: Zero Trust Architecture https://www.nist.gov/publications/zero-trust-architecture
Cloud Security Alliance (CSA) Zero Trust Adoption Framework: https://cloudsecurityalliance.org/zt/
MITRE ATT&CK Framework: https://attack.mitre.org/
ZT Implementation Timeline (Example: HHS).
Initial Start -- The best process depends on your specific risk profile, resources, and security goals.
Conducting a thorough "Security Assessment" can help you determine the most efficient and effective path forward.
Consider a Combined Approach (ZTA & PQC).
Implement ZTA as a foundation: ZTA's principles of least privilege and continuous verification align well with securing against future quantum threats.
Gradually integrate PQC solutions: Start with low-risk or less-critical systems and data to test and adapt PQC algorithms alongside ZTA.
Prioritize key assets: Focus on protecting high-value data and systems with PQC first, while applying ZTA principles to the broader environment.
Additional points to keep in mind:
ZTA implementation is typically faster and less resource-intensive than PQC migration.
PQC technology is still evolving, and standards are not yet finalized.
Both ZTA and PQC are essential for robust, long-term security.
Do -- Prioritize if...:
ZTA if your...:
Current security posture is weak: You lack strong access controls, identity management, and threat detection, making your network vulnerable to common attacks.
Data breaches are a major concern: You handle sensitive data that would be devastating if leaked or compromised.
Regulatory compliance is crucial: You operate in an industry with strict data security regulations.
Quantum threat seems distant: Your risk tolerance for potential future vulnerabilities from quantum computers is low.
PQC if your...:
Zero Trust implementation is already advanced: You have a robust ZTA framework in place and want to strengthen the cryptographic foundation.
Long-term security is critical: You have critical long-term assets like intellectual property or infrastructure that need protection from future quantum threats.
Store-now-decrypt-later attacks are a concern: You have sensitive data that attackers might be storing now to decrypt later when quantum computers become powerful enough.
Government regulations mandate PQC adoption: You operate in a jurisdiction with mandated timelines for PQC implementation.
DOD's 7 Pillars & Capabilities/Goals [Slide 10 or Slide 16].
CISA's 5 Pillars + Cross-Cutting Capabilities:
(1) Identity (2) Devices (3) Networks (4) Applications & Workloads, and (5) Data -- & --
(6) Cross-Cutting Capabilities (3): Visibility and Analytics, Automation and Orchestration, and Governance
DOD ZTA Framework = 7 Pillars
CISA TIC 3.0 (Trusted Internet Connection).
BLUF: The CISA TIC 3.0 "Security Capabilities Catalog" focuses on enhancing network and boundary security across federal agencies.
PDF: CISA TIC 3.0: Volume 3, Security Capabilities Catalog, Nov 2024, v.3.2.
Purpose and Scope:
The TIC initiative aims to secure federal data, networks, and boundaries while providing visibility into agency traffic, including cloud communications.
The catalog provides a list of deployable security controls, capabilities, and best practices to guide secure implementation within discrete networking environments.
ZTA Alignment:
The document emphasizes the alignment of TIC 3.0 with the principles of Zero Trust Architecture, focusing on strict access controls and continuous verification.
TIC 3.0 Objectives & Capabilities:
Objectives, Descriptions & Functions: (5)
Manage Traffic: Observe, validate, and filter data connections.
Protect Traffic Confidentiality: Ensure confidentiality of data in transit.
Protect Traffic Integrity: Ensure integrity of data in transit.
Ensure Service Resiliency: Promote resilient application and security services.
Ensure Effective Response: Promote timely reaction and adapt future responses to discovered threats.
Capabilities: (2)
Universal Security Capabilities: Enterprise-level capabilities that outline guiding principles for TIC use cases, such as backup and recovery, central log management, and incident response planning.
Policy Enforcement Point (PEP) Capabilities: Network-level capabilities that inform technical implementation for relevant use cases, including files, email, web, networking, resiliency, DNS, intrusion detection, enterprise, UCC, data protection, services, and identity.
Implementation Guidance:
Agencies have the discretion to apply security objectives at a level commensurate with the resources being protected.
The catalog is periodically updated to reflect modern security practices and technologies.
Agencies are encouraged to use shared services and ensure policy enforcement parity across all access points.
Key Updates and Additions:
Addition of several security capabilities, including User Awareness and Training, Domain Name Monitoring, and Application Container.
Introduction of new PEP security capabilities like Resource Containment, CISA’s Protective DNS Service, and Network Detection and Response.
Mapping of security capabilities to NIST Cybersecurity Framework (CSF) functions.
Summary: (8)
BLUF: The Trusted Internet Connections (TIC) 3.0 Security Capabilities Catalog is a comprehensive guide outlining security measures for federal agencies to protect their networks and data. -- This document serves as a critical resource for federal agencies to enhance their cybersecurity posture in alignment with modern security practices and technologies.
Purpose: The catalog aims to guide federal agencies in implementing security controls and capabilities to protect federal information across various computing environments, especially as they adopt mobile and cloud technologies.
Security Objectives: The TIC 3.0 initiative focuses on managing and protecting network traffic, ensuring service resiliency, and effectively responding to threats. These objectives are mapped to the NIST Cybersecurity Framework (CSF) functions: Govern, Identify, Protect, Detect, Respond, and Recover.
Security Capabilities: The document lists both universal and Policy Enforcement Point (PEP) security capabilities. Universal capabilities are broad principles applicable to all use cases, while PEP capabilities are specific technical implementations.
Update:
Version 3.2 (November 2024): Updated the security capabilities list based on new NIST mappings and added "Govern" to the list of security objectives.
Important Capabilities:
Universal Capabilities: Include backup and recovery, central log management, incident response planning, and strong authentication.
PEP Capabilities: Cover areas like email security, web protection, network segmentation, and intrusion detection.
Implementation Guidance: Agencies are encouraged to apply these capabilities based on their risk tolerance and specific needs. The document emphasizes the importance of visibility and telemetry in monitoring security posture.
Future Updates: The catalog will continue to evolve with updates based on emerging technologies, threat landscapes, and business mission needs.