What is the CISA Zero Trust Maturity Model?
In direct response to Executive Order 14028, Improving the Nation’s Cybersecurity, the Cybersecurity & Infrastructure Security Agency (CISA) has released new guidance around zero trust architecture (ZTA). CISA urges agencies to develop cybersecurity plans grounded in zero trust concepts: preventing unauthorized access to data and services and making access control enforcement as granular as possible. CISA’s newly released Zero Trust Maturity Model aims to assist agencies in designing ZTA implementation plans.
ZTA, as defined by the National Institute of Standards and Technology (NIST), is “an enterprise’s cybersecurity plan that uses zero trust concepts and encompasses component relationships, workflow planning, and access policies.” The federal government faces a number of challenges in transitioning to ZTA, most obviously that legacy systems rely on implicit trust, which conflicts with the concept of adaptive trust inherent to ZTA.
This guidance from CISA is the latest to underscore a broader theme for agencies: as everything moves to the cloud, the need to test and secure everything – including a growing number of web-enabled applications – has become paramount. Traditional or legacy approaches that focus on the network layer are no longer sufficient to address cyberthreats.
A deeper dive on Pillar #4: Application Workload
The document’s fourth pillar specifically outlines traditional, advanced, and optimal approaches to functions such as threat protection, application security, and governance capability.
Traditional approaches to threat protection and application security are described as those that lack integration with application workflows, with the agency performing application security testing only prior to deployment, primarily through static and manual testing methods.
On the other hand, in an optimal approach, the agency deeply integrates threat protections into application workflows, making application security testing a core aspect of the development and deployment process, including regular automated testing for production applications. The document also urges continuous and dynamic application health and security monitoring, along with granular testing policies and reporting to bolster critical governance capabilities.
A call to action for modern web application security
In each of these cases, the push for the optimal approach to securing application workloads is a clear call for the level of orchestration, automation, and governance that can only be provided by modern web application security testing solutions.
CISA states: “Continuous integration and continuous deployment models that integrate security testing and verification into each step of the process can help provide assurances about deployed applications.” In doing so, it makes it clear that modern AppSec requires the ability to shift left and integrate into the software development life cycle (SDLC), building security into development as early as possible.
But agencies can’t stop there. CISA goes on to say: “This methodology can be applied to the entire application life cycle to include monitoring of the health and security, through both external and internal means, of deployed applications, including each component of an application’s workflow.” When shifting left, agencies can’t lose sight of the bigger picture. This section makes the case for regular automated scanning and retesting to cover the large attack surface that remains exposed on the right (apps in staging and production).
Why modern AppSec is the only way forward for agencies
Though at face value a relatively small part of the recent ZTA guidance, web application security will have a disproportionate impact on agencies’ ability to deliver compliant applications at scale. The more than 1.9B web apps in use today can have serious vulnerabilities that put government agencies at risk, and there is no such thing as an unimportant application.
As agencies everywhere move to a cloud-first environment where data and functionality are accessible from anywhere in the world, it’s essential that they have modern solutions providing full visibility into every website and application. Modern vulnerability scanning approaches such as Invicti’s DAST and IAST solutions can help agencies continually diagnose and mitigate security risks across all their web applications.
When supported by modern web application security testing solutions, agencies will be able to meet the latest ZTA guidance and, in doing so, help enhance federal cybersecurity and secure public information and critical infrastructure.