Comparing CISA Zero Trust Maturity Model vs. DoD Zero Trust Reference Architecture

Mack Wartenberger
Security Architect

There’s no denying the buzz surrounding zero trust (ZT) security. From the commercial sector to the federal space, ZT has emerged as a top consideration for organizations looking to prioritize their future planning and defend against constantly evolving cybersecurity threats. While all this momentum for zero trust adoption is great, it can feel overwhelming to know what kind of zero trust is the best fit for your specific use case, and which ZT authority you should be listening to. 

Two federal agencies, the Cybersecurity and Infrastructure Security Agency (CISA) and the U.S. Department of Defense (DoD), each have their own interpretation of how best to implement zero trust. The reality is that CISA and DoD offer comprehensive models that are related (sharing foundational tenets like the importance of least privilege, microsegmentation, and continuous monitoring), but they are tailored to different contexts.

There's a prevailing generalization that CISA models are exclusively designed for civilian agencies, while the DoD approach is specifically for defense, but the reality is that both approaches offer useful guidance for agencies and organizations of all kinds. 

  • CISA Zero Trust Maturity Model: This is one of the primary sources of guidance for the CISA approach to zero trust — designed as a guide for federal agencies and other organizations. It focuses on enhancing cybersecurity posture through gradual implementation of zero trust principles. This maturity-based approach is adaptable to a variety of industries and organizational contexts.

  • DoD Zero Trust Reference Architecture: The DoD’s zero trust guidance stems primarily from this reference architecture. The model is highly prescriptive and tailored specifically for defense operations, emphasizing security and resilience in critical defense-related activities. It aligns closely with national defense priorities and provides detailed guidance for implementing zero trust.

For security leaders responsible for overseeing technical architecture designs, strategy, and implementations, determining the most appropriate zero trust approach for your organization is crucial. This blog post aims to provide a detailed comparison of the CISA Zero Trust Maturity Model and the DoD Zero Trust Reference Architecture across key categories to help you make an informed decision.

CISA vs. DoD Zero Trust Pillars

In order to effectively assess the maturity of an agency (and to inform roadmaps for implementations) both CISA and the DoD divide the scope of their zero trust recommendations between “pillars” of an effective security ecosystem. These pillars cover all the disparate aspects of a security system, from user identity and data management to networks (virtual and physical). 

While the CISA and DoD models break apart security systems into similar categories, CISA includes three cross-cutting functions that are present throughout the system, while the DoD, in its more prescriptive guidance, rolls those cross-cutting functions into additional pillars of their own.

The CISA model defines five pillars plus three cross-cutting functions.

CISA’s zero trust pillars:

  1. Identity: verifications, authentications, and authorizations for all interactions within the system.

  2. Devices: securing and managing devices (physical and virtual).

  3. Data: encryption, access controls, and monitoring to ensure data integrity and confidentiality.

  4. Applications and Workloads: preventing unauthorized access and exploitation through secure practices and acquisition practices.

  5. Networks: security measures to monitor, segment, and control traffic to protect against threats.

CISA’s cross-cutting functions:

  1. Governance: policies, procedures, and oversight to ensure adherence to security standards and practices.

  2. Automation and Orchestration: automated tools and processes to streamline security operations and responses.

  3. Visibility and Analytics: continuously monitoring and analyzing security data to detect, respond to, and mitigate threats.

The pillars in the CISA model cover the broad scope of activities possible for an organization, and the cross-cutting functions serve as universally applicable connectors between the specific pillars, ensuring that the majority of security functions (be they cloud, on-premises, or hybrid) can be covered by this model.

The DoD model encompasses seven pillars, but makes protecting data the central focus of all its ZT activities.

The DoD’s zero trust pillars:

  • User: identity verification, continuous authentication, and monitoring of activities to prevent unauthorized access to data and mitigate insider threats

  • Device: continuous monitoring and management to prevent unauthorized access to data and to maintain the integrity of the network

  • Data: ensuring that data is protected, monitored, and accessible only to authorized users and devices. Safeguarding data integrity, confidentiality, and availability. 

  • Applications and Workloads: processing, storing, and transmitting data securely. Ensures applications are developed, deployed, and operated securely.

  • Network and Environment: infrastructure and the various environments in which data and resources reside. Aims to protect the communication paths, control access, and ensure integrity and security.

  • Automation and Orchestration: automating processes and orchestrating responses to incidents to reduce human error, increase the speed of detection and response, and ensure consistent application of security policies.

  • Visibility and Analytics: insights into network activity, user behavior, and system performance to enhance security. Collecting, analyzing, and acting on data to maintain awareness of, and respond to, security incidents.

Significantly, the DoD zero trust model does not include a governance pillar. The DoD interprets governance as being integrated throughout all the pillars, ensuring that security policies, procedures, and compliance requirements are embedded in each aspect of the model.

Roadmaps (Or Lack Thereof…)

CISA’s zero trust guidance offers a generally defined vision and architecture, allowing for flexibility and customization to fit various industries and organizational contexts. This approach ensures that organizations can scale and adapt their zero trust implementations. CISA does not, however, provide a roadmap for their recommendations. Planning and implementing CISA-defined zero trust functions falls much more to the agencies or organizations involved, which can provide useful flexibility, but can also present challenges in clarity and timing. 

The DoD, on the other hand, is much more explicit with its guidance, and includes a step-by-step roadmap for implementing security capabilities. The DoD reference architecture provides three specific courses of action (COAs) for different operational environments, and recommends specific durations for each phase of implementing zero trust capabilities.

  • COA 1: General existing brownfield.*

  • COA 2: Cloud-based greenfield.*

  • COA 3: Private cloud greenfield.

*For those who are unfamiliar, the terms "brownfield" and "greenfield" are used to describe different starting points and environments for implementing security solutions, particularly when adopting new frameworks like zero trust. “Brownfield” refers to existing environments with legacy systems, requiring integration of new security measures into established infrastructures. “Greenfield” describes new environments built from scratch, allowing for the design and implementation of modern, optimal security solutions without legacy constraints.

Once again, the CISA model offers a bit more flexibility for interpretation, but also leaves a lot of the planning work up to the organizations trying to determine their paths to zero trust maturity. The DoD provides nearly down-to-the-moment guidelines on addressing the scope of possible zero trust implementations, but its guidance doesn’t leave much room for customization or interpretation. That clarity can be useful in terms of identifying the iterative steps needed to complete a security activity, but the guidance could be excessive for organizations outside of Defense.

Maturity Levels

Both the CISA and DoD approaches classify a zero trust system with maturity levels. These “grades” align to the level of security robustness present in a system. Similar to the reference architecture itself, the CISA maturity levels are more general and open to interpretation, while the DoD levels are more prescriptive.

The CISA model outlines four distinct maturity levels:

  • Traditional: Legacy systems with minimal zero trust principles.

  • Initial: Basic implementation of zero trust concepts.

  • Advanced: More sophisticated and comprehensive zero trust measures.

  • Optimal: Full integration and continuous improvement of zero trust practices.

The DoD model features two levels, target and advanced:

  • Target: The desired state for a given capability.

  • Advanced: Enhanced security measures that exceed the target state.

This difference in maturity levels is all about flexibility. 

The CISA model outlines fairly gradual increases in the robustness of zero trust implementations. It also makes allowances for organizations that might be behind in adopting zero trust best practices. Take for example “authentication” within the “identity” pillar. Starting with “traditional” maturity, CISA describes agencies using passwords and static access controls (both fairly outdated) and moves maturity up incrementally via implementations like multi-factor authentication (MFA) for “initial”, phishing-resistant/FIDO2 MFA for “advanced”, and culminating in “optimal” identity authentication, which is characterized by continuous verification via phishing-resistant MFA.

The DoD model takes a slightly different approach. Let’s consider the multi-factor authentication capability outlined in the DoD Execution Roadmap for Course of Action (COA) 1. Target Level ZT (the lowest maturity level) outlines how agencies should implement a centralized identity provider (IdP) and MFA solution to enhance security. No allowances are made for systems that aren’t ready for comprehensive IdP or MFA adoption, as the assumption here is that organizations following this roadmap will have met any minimum requirements for defense organizations. COA 1 then outlines two iterative stages of Advanced Level ZT, describing how agencies should ensure their IdP supports alternative MFA methods that comply with cybersecurity standards like FIPS 140-2 and FIPS 197, and use alternative tokens for authentication, among other implementations.

The guidance from the DoD even goes so far as to suggest specific timeframes for each phase of ZT implementation, and outlines products and tool types that could assist organizations in achieving these security objectives. That’s some very specific guidance. The good news: agencies will know exactly what to do. The bad news: this level of security stringency might not be appropriate for organizations who don’t require this degree of security.

tl;dr: CISA vs. DoD

CISA Zero Trust Maturity Model

The CISA approach is characterized by its flexibility and broad applicability, making it suitable for a wide range of organizations, including federal agencies and private sector entities. It emphasizes continuous assessment and improvement, allowing organizations to progress through four maturity levels: traditional, initial, advanced, and optimal. Each level builds on the previous one, promoting a holistic and scalable approach to security. The CISA model is structured around five pillars (identity, devices, data, applications and workloads, and networks) and three cross-cutting functions (governance, automation and orchestration, and visibility and analytics). This structure ensures a comprehensive and adaptive security posture that can evolve with emerging threats and technological advancements.

DoD Zero Trust Reference Architecture

The DoD’s Zero Trust model is highly prescriptive and specifically tailored for the defense industrial base (DIB). It aligns closely with national defense priorities, providing a detailed framework designed to secure critical defense infrastructure. The model’s strategic goals are organized into seven pillars (user, device, data, applications and workloads, network and environment, automation and orchestration, and visibility and analytics) and are evaluated based on capabilities and activities. The DoD’s approach includes distinct maturity levels and detailed implementation tiers, known as trust zones, which offer a clear path for organizations to follow. The roadmap outlines three specific courses of action, accommodating various operational environments. The DoD emphasizes cultural adoption and technology acceleration, aiming to achieve its zero trust objectives by FY 2027.

Conclusion

For industry leaders responsible for technical architecture implementations, choosing between the CISA and DoD zero trust models depends on your organization’s specific needs and context. If your organization requires flexibility, scalability, and broad applicability, the CISA model is likely more appropriate. Conversely, if your organization operates within a defense context or requires a highly prescriptive and detailed approach aligned with national defense priorities, the DoD model is the better choice. In practice, our team at Aquia has even explored use cases where we leverage the CISA model for planning and overarching strategy for our customers, and then use the DoD model to inform specific implementation details and roadmaps, effectively leveraging both models to our advantage. The world is your oyster here; just keep in mind that any decisions surrounding these specific frameworks should be predicated on a clear understanding of your, or your customers’, business objectives, requirements, and needs. (For more on that, check out our blog on leveraging a criticality analysis to gain that kind of visibility.) Understanding these differences will help you develop a robust zero trust strategy that meets your organization’s security goals.

If you’d like to learn more about how we can help you navigate zero trust architecture implementation and adoption, give us a shout. We’d love to speak with you.

Aquia

Securing The Digital Transformation ®

Aquia is a cloud and cybersecurity digital services firm and “2024 Service-Disabled, Veteran-Owned Small Business (SDVOSB) of the Year” awardee. We empower mission owners in the U.S. government and public sector to achieve secure, efficient, and compliant digital transformation.

As strategic advisors and engineers, we help our customers develop and deploy innovative cloud and cybersecurity technologies quickly, adopt and implement digital transformation initiatives effectively, and navigate complex regulatory landscapes expertly. We provide multi-cloud engineering and advisory expertise for secure software delivery; security automation; SaaS security; cloud-native architecture; and governance, risk, and compliance (GRC) innovation.

Founded in 2021 by United States veterans, we are passionate about making our country digitally capable and secure, and driving transformational change across the public and private sectors. Aquia is an Amazon Web Services (AWS) Advanced Tier partner and member of the Google Cloud Partner Advantage Program.
