mirror of
https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git
synced 2026-07-17 05:05:16 +03:00
Initial commit - 611 cybersecurity skills across all subdomains
This commit is contained in:
@@ -0,0 +1,313 @@
|
||||
---
|
||||
name: implementing-cisa-zero-trust-maturity-model
|
||||
description: Implement the CISA Zero Trust Maturity Model v2.0 across the five pillars of identity, devices, networks, applications, and data to achieve progressive organizational zero trust maturity.
|
||||
domain: cybersecurity
|
||||
subdomain: zero-trust-architecture
|
||||
tags: [zero-trust, cisa, maturity-model, federal-compliance, governance, nist-800-207, identity, devices, networks, applications, data-security]
|
||||
version: "1.0"
|
||||
author: mahipal
|
||||
license: MIT
|
||||
---
|
||||
|
||||
# Implementing CISA Zero Trust Maturity Model
|
||||
|
||||
## Overview
|
||||
|
||||
The CISA Zero Trust Maturity Model (ZTMM) Version 2.0, released in April 2023, provides federal agencies and organizations with a structured roadmap for adopting zero trust architecture. The model defines five core pillars -- Identity, Devices, Networks, Applications & Workloads, and Data -- each progressing through four maturity stages: Traditional, Initial, Advanced, and Optimal. Three cross-cutting capabilities (Visibility and Analytics, Automation and Orchestration, and Governance) span all pillars. This skill covers assessment, gap analysis, and progressive implementation across all pillars and maturity levels.
|
||||
|
||||
## Prerequisites
|
||||
|
||||
- Familiarity with NIST SP 800-207 Zero Trust Architecture
|
||||
- Understanding of federal cybersecurity mandates (EO 14028, OMB M-22-09)
|
||||
- Access to organizational IT asset inventory and network architecture documentation
|
||||
- Knowledge of identity and access management (IAM) fundamentals
|
||||
- Understanding of network segmentation and microsegmentation concepts
|
||||
|
||||
## CISA ZTMM Five Pillars
|
||||
|
||||
### Pillar 1: Identity
|
||||
|
||||
Identity refers to attributes that uniquely describe an agency user or entity, including non-person entities (NPEs) such as service accounts and machine identities.
|
||||
|
||||
**Traditional Stage:**
|
||||
- Password-based authentication
|
||||
- Limited identity validation
|
||||
- Manual provisioning and deprovisioning
|
||||
|
||||
**Initial Stage:**
|
||||
- MFA deployed for privileged users
|
||||
- Identity governance initiated
|
||||
- Basic identity lifecycle management
|
||||
|
||||
**Advanced Stage:**
|
||||
- Phishing-resistant MFA for all users (FIDO2/WebAuthn)
|
||||
- Continuous identity validation
|
||||
- Automated provisioning tied to HR systems
|
||||
- Identity threat detection and response (ITDR)
|
||||
|
||||
**Optimal Stage:**
|
||||
- Continuous, real-time identity verification
|
||||
- Passwordless authentication across all systems
|
||||
- AI-driven anomaly detection for identity behaviors
|
||||
- Full integration of identity signals into access decisions
|
||||
|
||||
### Pillar 2: Devices
|
||||
|
||||
Devices include any hardware, software, or firmware asset that connects to a network -- servers, laptops, mobile phones, IoT devices, and network equipment.
|
||||
|
||||
**Traditional Stage:**
|
||||
- Limited device inventory
|
||||
- Basic endpoint protection (antivirus)
|
||||
- No device compliance checks
|
||||
|
||||
**Initial Stage:**
|
||||
- Comprehensive device inventory
|
||||
- Endpoint Detection and Response (EDR) deployment
|
||||
- Basic device health checks before network access
|
||||
|
||||
**Advanced Stage:**
|
||||
- Real-time device posture assessment
|
||||
- Automated compliance enforcement
|
||||
- Device certificates for machine identity
|
||||
- Vulnerability scanning integrated into access decisions
|
||||
|
||||
**Optimal Stage:**
|
||||
- Continuous device trust scoring
|
||||
- Automated remediation of non-compliant devices
|
||||
- Full device lifecycle management integrated with zero trust policies
|
||||
- Firmware integrity verification
|
||||
|
||||
### Pillar 3: Networks
|
||||
|
||||
Networks encompass all communications media including internal networks, wireless, and the internet.
|
||||
|
||||
**Traditional Stage:**
|
||||
- Perimeter-based security (firewalls, VPNs)
|
||||
- Flat internal networks
|
||||
- Minimal east-west traffic inspection
|
||||
|
||||
**Initial Stage:**
|
||||
- Initial network segmentation
|
||||
- Encrypted DNS and internal traffic
|
||||
- Basic network monitoring and logging
|
||||
|
||||
**Advanced Stage:**
|
||||
- Microsegmentation of critical assets
|
||||
- Software-defined networking (SDN) for dynamic policy enforcement
|
||||
- Full TLS encryption for all internal communications
|
||||
- Network Detection and Response (NDR)
|
||||
|
||||
**Optimal Stage:**
|
||||
- Fully software-defined, policy-driven network
|
||||
- Zero implicit trust zones
|
||||
- AI-driven network anomaly detection
|
||||
- Automated threat response integrated with network controls
|
||||
|
||||
### Pillar 4: Applications and Workloads
|
||||
|
||||
Applications and workloads include agency systems, programs, and services running on-premises, on mobile devices, and in cloud environments.
|
||||
|
||||
**Traditional Stage:**
|
||||
- Perimeter-protected applications
|
||||
- Manual vulnerability patching
|
||||
- Limited application-level logging
|
||||
|
||||
**Initial Stage:**
|
||||
- Application-level access controls
|
||||
- Web Application Firewalls (WAF)
|
||||
- Regular vulnerability scanning
|
||||
- Application inventory established
|
||||
|
||||
**Advanced Stage:**
|
||||
- Continuous integration of security testing (SAST/DAST)
|
||||
- Application-aware microsegmentation
|
||||
- API security gateways
|
||||
- Immutable infrastructure patterns
|
||||
|
||||
**Optimal Stage:**
|
||||
- Runtime application self-protection (RASP)
|
||||
- Automated application security orchestration
|
||||
- Full DevSecOps pipeline integration
|
||||
- Zero-standing privileges for application access
|
||||
|
||||
### Pillar 5: Data
|
||||
|
||||
Data encompasses all structured and unstructured information, at rest, in transit, and in use.
|
||||
|
||||
**Traditional Stage:**
|
||||
- Basic encryption for data at rest
|
||||
- Limited data classification
|
||||
- No data loss prevention
|
||||
|
||||
**Initial Stage:**
|
||||
- Data classification scheme implemented
|
||||
- DLP policies for sensitive data
|
||||
- Encryption for data in transit (TLS 1.2+)
|
||||
- Basic data inventory
|
||||
|
||||
**Advanced Stage:**
|
||||
- Automated data classification
|
||||
- Fine-grained data access controls
|
||||
- Data activity monitoring
|
||||
- Rights management for sensitive documents
|
||||
|
||||
**Optimal Stage:**
|
||||
- Real-time data flow analytics
|
||||
- AI-driven data classification and protection
|
||||
- Automated response to data exfiltration attempts
|
||||
- Full data lifecycle governance with zero trust principles
|
||||
|
||||
## Cross-Cutting Capabilities
|
||||
|
||||
### Visibility and Analytics
|
||||
|
||||
```
|
||||
Maturity Progression:
|
||||
Traditional -> Manual log review, limited SIEM
|
||||
Initial -> Centralized logging, basic SIEM correlation
|
||||
Advanced -> UEBA, automated threat detection, data lake analytics
|
||||
Optimal -> AI/ML-driven continuous monitoring, predictive analytics
|
||||
```
|
||||
|
||||
### Automation and Orchestration
|
||||
|
||||
```
|
||||
Maturity Progression:
|
||||
Traditional -> Manual incident response, ad-hoc scripts
|
||||
Initial -> Basic SOAR playbooks, automated alerting
|
||||
Advanced -> Integrated SOAR with multi-pillar orchestration
|
||||
Optimal -> Fully autonomous response, self-healing infrastructure
|
||||
```
|
||||
|
||||
### Governance
|
||||
|
||||
```
|
||||
Maturity Progression:
|
||||
Traditional -> Ad-hoc policies, manual compliance checks
|
||||
Initial -> Documented zero trust strategy, basic policy framework
|
||||
Advanced -> Policy-as-code, continuous compliance monitoring
|
||||
Optimal -> Dynamic policy engine, real-time governance decisions
|
||||
```
|
||||
|
||||
## Implementation Process
|
||||
|
||||
### Phase 1: Assessment and Baseline
|
||||
|
||||
1. **Inventory all assets** across the five pillars
|
||||
2. **Map current capabilities** to ZTMM maturity stages
|
||||
3. **Conduct gap analysis** between current and target states
|
||||
4. **Identify quick wins** that move from Traditional to Initial stage
|
||||
5. **Document dependencies** between pillars
|
||||
|
||||
```python
|
||||
# Example: CISA ZTMM Maturity Assessment Scoring
|
||||
class ZTMMAssessment:
|
||||
PILLARS = ['Identity', 'Devices', 'Networks', 'Applications', 'Data']
|
||||
STAGES = ['Traditional', 'Initial', 'Advanced', 'Optimal']
|
||||
CROSS_CUTTING = ['Visibility_Analytics', 'Automation_Orchestration', 'Governance']
|
||||
|
||||
def __init__(self):
|
||||
self.scores = {}
|
||||
|
||||
def assess_pillar(self, pillar, capabilities):
|
||||
"""
|
||||
Assess a pillar against ZTMM criteria.
|
||||
capabilities: dict of capability_name -> maturity_stage
|
||||
"""
|
||||
stage_values = {stage: i for i, stage in enumerate(self.STAGES)}
|
||||
scores = [stage_values.get(stage, 0) for stage in capabilities.values()]
|
||||
avg_score = sum(scores) / len(scores) if scores else 0
|
||||
|
||||
overall_stage = self.STAGES[int(avg_score)]
|
||||
self.scores[pillar] = {
|
||||
'capabilities': capabilities,
|
||||
'average_score': avg_score,
|
||||
'overall_stage': overall_stage
|
||||
}
|
||||
return self.scores[pillar]
|
||||
|
||||
def generate_roadmap(self):
|
||||
"""Generate prioritized improvement roadmap."""
|
||||
roadmap = []
|
||||
for pillar, data in self.scores.items():
|
||||
for capability, stage in data['capabilities'].items():
|
||||
stage_idx = self.STAGES.index(stage)
|
||||
if stage_idx < 3: # Not yet Optimal
|
||||
next_stage = self.STAGES[stage_idx + 1]
|
||||
roadmap.append({
|
||||
'pillar': pillar,
|
||||
'capability': capability,
|
||||
'current': stage,
|
||||
'target': next_stage,
|
||||
'priority': 3 - stage_idx # Higher priority for lower maturity
|
||||
})
|
||||
return sorted(roadmap, key=lambda x: x['priority'], reverse=True)
|
||||
```
|
||||
|
||||
### Phase 2: Identity Foundation
|
||||
|
||||
1. Deploy phishing-resistant MFA (FIDO2/WebAuthn)
|
||||
2. Implement identity governance and administration (IGA)
|
||||
3. Establish continuous identity verification
|
||||
4. Integrate identity providers with all applications
|
||||
5. Deploy identity threat detection and response
|
||||
|
||||
### Phase 3: Device Trust
|
||||
|
||||
1. Complete asset inventory with automated discovery
|
||||
2. Deploy EDR across all endpoints
|
||||
3. Implement device compliance checking
|
||||
4. Establish device certificate infrastructure
|
||||
5. Create device trust scoring mechanism
|
||||
|
||||
### Phase 4: Network Transformation
|
||||
|
||||
1. Implement network segmentation strategy
|
||||
2. Deploy microsegmentation for critical assets
|
||||
3. Enable encrypted DNS (DoH/DoT)
|
||||
4. Enforce TLS 1.3 for all internal communications
|
||||
5. Deploy NDR capabilities
|
||||
|
||||
### Phase 5: Application Security
|
||||
|
||||
1. Implement application-level access controls
|
||||
2. Deploy WAF and API security gateways
|
||||
3. Integrate security testing into CI/CD pipelines
|
||||
4. Establish application inventory and classification
|
||||
5. Implement runtime protection
|
||||
|
||||
### Phase 6: Data Protection
|
||||
|
||||
1. Implement data classification framework
|
||||
2. Deploy DLP across endpoints and network
|
||||
3. Enable data activity monitoring
|
||||
4. Implement rights management
|
||||
5. Establish data lifecycle governance
|
||||
|
||||
## Compliance Mapping
|
||||
|
||||
| CISA ZTMM Pillar | OMB M-22-09 Requirement | NIST 800-207 Section |
|
||||
|---|---|---|
|
||||
| Identity | MFA for agency staff | 3.1.1 |
|
||||
| Devices | EDR for federal endpoints | 3.1.2 |
|
||||
| Networks | Encrypt DNS traffic | 3.1.3 |
|
||||
| Applications | Application security testing | 3.1.4 |
|
||||
| Data | Data categorization | 3.1.5 |
|
||||
|
||||
## Metrics and KPIs
|
||||
|
||||
- **Identity Pillar**: Percentage of users with phishing-resistant MFA
|
||||
- **Device Pillar**: Percentage of devices with real-time posture assessment
|
||||
- **Network Pillar**: Percentage of network segments microsegmented
|
||||
- **Application Pillar**: Percentage of applications with zero trust access controls
|
||||
- **Data Pillar**: Percentage of sensitive data classified and protected
|
||||
- **Overall**: ZTMM stage achieved per pillar (target: Advanced minimum)
|
||||
|
||||
## References
|
||||
|
||||
- [CISA Zero Trust Maturity Model v2.0](https://www.cisa.gov/zero-trust-maturity-model)
|
||||
- [CISA ZTMM v2.0 PDF](https://www.cisa.gov/sites/default/files/2023-04/zero_trust_maturity_model_v2_508.pdf)
|
||||
- [NIST SP 800-207 Zero Trust Architecture](https://csrc.nist.gov/publications/detail/sp/800-207/final)
|
||||
- [OMB Memorandum M-22-09](https://www.whitehouse.gov/wp-content/uploads/2022/01/M-22-09.pdf)
|
||||
- [NSA Zero Trust Pillars Guidance](https://media.defense.gov/2024/Apr/09/2003434442/-1/-1/0/CSI_DATA_PILLAR_ZT.PDF)
|
||||
- [Microsoft Guidance for CISA ZTMM](https://www.microsoft.com/en-us/security/blog/2024/12/19/new-microsoft-guidance-for-the-cisa-zero-trust-maturity-model/)
|
||||
@@ -0,0 +1,116 @@
|
||||
# CISA ZTMM Assessment Template
|
||||
|
||||
## Organization Information
|
||||
- **Organization Name**: _______________
|
||||
- **Assessment Date**: _______________
|
||||
- **Assessment Lead**: _______________
|
||||
- **Pillar Owners**:
|
||||
- Identity: _______________
|
||||
- Devices: _______________
|
||||
- Networks: _______________
|
||||
- Applications: _______________
|
||||
- Data: _______________
|
||||
|
||||
## Pillar Assessment Worksheet
|
||||
|
||||
### Identity Pillar
|
||||
|
||||
| Function | Traditional | Initial | Advanced | Optimal | Current | Evidence |
|
||||
|---|---|---|---|---|---|---|
|
||||
| Authentication | [ ] | [ ] | [ ] | [ ] | ___ | |
|
||||
| Identity Stores | [ ] | [ ] | [ ] | [ ] | ___ | |
|
||||
| Risk Assessment | [ ] | [ ] | [ ] | [ ] | ___ | |
|
||||
| Access Management | [ ] | [ ] | [ ] | [ ] | ___ | |
|
||||
| Identity Lifecycle | [ ] | [ ] | [ ] | [ ] | ___ | |
|
||||
| Visibility & Analytics | [ ] | [ ] | [ ] | [ ] | ___ | |
|
||||
| Automation & Orchestration | [ ] | [ ] | [ ] | [ ] | ___ | |
|
||||
| Governance | [ ] | [ ] | [ ] | [ ] | ___ | |
|
||||
|
||||
### Devices Pillar
|
||||
|
||||
| Function | Traditional | Initial | Advanced | Optimal | Current | Evidence |
|
||||
|---|---|---|---|---|---|---|
|
||||
| Policy Enforcement | [ ] | [ ] | [ ] | [ ] | ___ | |
|
||||
| Asset Management | [ ] | [ ] | [ ] | [ ] | ___ | |
|
||||
| Device Compliance | [ ] | [ ] | [ ] | [ ] | ___ | |
|
||||
| Device Threat Protection | [ ] | [ ] | [ ] | [ ] | ___ | |
|
||||
| Visibility & Analytics | [ ] | [ ] | [ ] | [ ] | ___ | |
|
||||
| Automation & Orchestration | [ ] | [ ] | [ ] | [ ] | ___ | |
|
||||
| Governance | [ ] | [ ] | [ ] | [ ] | ___ | |
|
||||
|
||||
### Networks Pillar
|
||||
|
||||
| Function | Traditional | Initial | Advanced | Optimal | Current | Evidence |
|
||||
|---|---|---|---|---|---|---|
|
||||
| Network Segmentation | [ ] | [ ] | [ ] | [ ] | ___ | |
|
||||
| Threat Protection | [ ] | [ ] | [ ] | [ ] | ___ | |
|
||||
| Encryption | [ ] | [ ] | [ ] | [ ] | ___ | |
|
||||
| Network Resilience | [ ] | [ ] | [ ] | [ ] | ___ | |
|
||||
| Visibility & Analytics | [ ] | [ ] | [ ] | [ ] | ___ | |
|
||||
| Automation & Orchestration | [ ] | [ ] | [ ] | [ ] | ___ | |
|
||||
| Governance | [ ] | [ ] | [ ] | [ ] | ___ | |
|
||||
|
||||
### Applications & Workloads Pillar
|
||||
|
||||
| Function | Traditional | Initial | Advanced | Optimal | Current | Evidence |
|
||||
|---|---|---|---|---|---|---|
|
||||
| Access Authorization | [ ] | [ ] | [ ] | [ ] | ___ | |
|
||||
| Threat Protection | [ ] | [ ] | [ ] | [ ] | ___ | |
|
||||
| Accessibility | [ ] | [ ] | [ ] | [ ] | ___ | |
|
||||
| Application Security | [ ] | [ ] | [ ] | [ ] | ___ | |
|
||||
| Visibility & Analytics | [ ] | [ ] | [ ] | [ ] | ___ | |
|
||||
| Automation & Orchestration | [ ] | [ ] | [ ] | [ ] | ___ | |
|
||||
| Governance | [ ] | [ ] | [ ] | [ ] | ___ | |
|
||||
|
||||
### Data Pillar
|
||||
|
||||
| Function | Traditional | Initial | Advanced | Optimal | Current | Evidence |
|
||||
|---|---|---|---|---|---|---|
|
||||
| Data Inventory | [ ] | [ ] | [ ] | [ ] | ___ | |
|
||||
| Data Categorization | [ ] | [ ] | [ ] | [ ] | ___ | |
|
||||
| Data Availability | [ ] | [ ] | [ ] | [ ] | ___ | |
|
||||
| Data Access | [ ] | [ ] | [ ] | [ ] | ___ | |
|
||||
| Data Encryption | [ ] | [ ] | [ ] | [ ] | ___ | |
|
||||
| Visibility & Analytics | [ ] | [ ] | [ ] | [ ] | ___ | |
|
||||
| Automation & Orchestration | [ ] | [ ] | [ ] | [ ] | ___ | |
|
||||
| Governance | [ ] | [ ] | [ ] | [ ] | ___ | |
|
||||
|
||||
## Gap Analysis Summary
|
||||
|
||||
| Pillar | Current Stage | Target Stage | Gap | Priority |
|
||||
|---|---|---|---|---|
|
||||
| Identity | ___ | Advanced | ___ | ___ |
|
||||
| Devices | ___ | Advanced | ___ | ___ |
|
||||
| Networks | ___ | Advanced | ___ | ___ |
|
||||
| Applications | ___ | Advanced | ___ | ___ |
|
||||
| Data | ___ | Advanced | ___ | ___ |
|
||||
|
||||
## OMB M-22-09 Compliance Checklist
|
||||
|
||||
- [ ] Phishing-resistant MFA deployed for all agency staff
|
||||
- [ ] Complete device inventory with EDR coverage
|
||||
- [ ] DNS and HTTP traffic encrypted
|
||||
- [ ] Applications treated as internet-connected with regular testing
|
||||
- [ ] Data categorization and automated discovery implemented
|
||||
|
||||
## Roadmap Priorities
|
||||
|
||||
### Quick Wins (0-3 months)
|
||||
1. _______________
|
||||
2. _______________
|
||||
3. _______________
|
||||
|
||||
### Short-term (3-6 months)
|
||||
1. _______________
|
||||
2. _______________
|
||||
3. _______________
|
||||
|
||||
### Medium-term (6-12 months)
|
||||
1. _______________
|
||||
2. _______________
|
||||
3. _______________
|
||||
|
||||
### Long-term (12-24 months)
|
||||
1. _______________
|
||||
2. _______________
|
||||
3. _______________
|
||||
@@ -0,0 +1,51 @@
|
||||
# Standards Reference: CISA Zero Trust Maturity Model
|
||||
|
||||
## Primary Standards
|
||||
|
||||
### CISA Zero Trust Maturity Model v2.0 (April 2023)
|
||||
- **Source**: Cybersecurity and Infrastructure Security Agency
|
||||
- **Scope**: Federal agencies and organizations implementing zero trust
|
||||
- **Five Pillars**: Identity, Devices, Networks, Applications & Workloads, Data
|
||||
- **Four Maturity Stages**: Traditional, Initial, Advanced, Optimal
|
||||
- **Cross-Cutting**: Visibility & Analytics, Automation & Orchestration, Governance
|
||||
|
||||
### NIST SP 800-207: Zero Trust Architecture
|
||||
- **Published**: August 2020
|
||||
- **Tenets**: Never trust, always verify; assume breach; least privilege access
|
||||
- **Deployment Models**: Device agent/gateway, enclave, resource portal
|
||||
- **Key Requirement**: Policy decision point (PDP) and policy enforcement point (PEP)
|
||||
|
||||
### Executive Order 14028: Improving the Nation's Cybersecurity
|
||||
- **Signed**: May 12, 2021
|
||||
- **Mandate**: Federal agencies must adopt zero trust architecture
|
||||
- **Timeline**: Agencies required to develop zero trust implementation plans
|
||||
|
||||
### OMB Memorandum M-22-09: Federal Zero Trust Strategy
|
||||
- **Published**: January 2022
|
||||
- **Requirements per pillar**:
|
||||
- Identity: Phishing-resistant MFA for all staff
|
||||
- Devices: EDR deployed across federal endpoints
|
||||
- Networks: DNS traffic encrypted, HTTP traffic encrypted
|
||||
- Applications: Application security testing in CI/CD
|
||||
- Data: Data categorization and automated classification
|
||||
|
||||
## Supporting Standards
|
||||
|
||||
### NSA Zero Trust Pillar Guidance Series (2024)
|
||||
- User Pillar (February 2024)
|
||||
- Device Pillar (March 2024)
|
||||
- Data Pillar (April 2024)
|
||||
- Application & Workload Pillar (April 2024)
|
||||
- Network & Environment Pillar (May 2024)
|
||||
- Visibility & Analytics Pillar (May 2024)
|
||||
- Automation & Orchestration Pillar (June 2024)
|
||||
|
||||
### DISA Zero Trust Reference Architecture
|
||||
- Department of Defense specific implementation
|
||||
- Aligns with NIST 800-207 and CISA ZTMM
|
||||
- Covers DoD-specific compliance requirements
|
||||
|
||||
### FedRAMP Zero Trust Requirements
|
||||
- Cloud service providers must support zero trust
|
||||
- Continuous monitoring requirements
|
||||
- Identity federation standards
|
||||
@@ -0,0 +1,102 @@
|
||||
# Workflows: CISA Zero Trust Maturity Model Implementation
|
||||
|
||||
## Workflow 1: Initial Maturity Assessment
|
||||
|
||||
```
|
||||
Step 1: Establish Assessment Team
|
||||
- Identify stakeholders from IT, security, compliance, and business units
|
||||
- Assign pillar owners for each of the five ZTMM pillars
|
||||
- Define assessment timeline and reporting cadence
|
||||
|
||||
Step 2: Inventory Current Capabilities
|
||||
- Identity: Catalog authentication methods, identity providers, MFA coverage
|
||||
- Devices: Enumerate all endpoints, document endpoint security tools
|
||||
- Networks: Map network architecture, segmentation, encryption status
|
||||
- Applications: List all applications, classify access controls
|
||||
- Data: Identify data repositories, classification, DLP status
|
||||
|
||||
Step 3: Map to ZTMM Stages
|
||||
- For each pillar, evaluate each function against the four maturity stages
|
||||
- Document evidence for current stage determination
|
||||
- Identify gaps between current and target maturity
|
||||
- Rate cross-cutting capabilities (visibility, automation, governance)
|
||||
|
||||
Step 4: Produce Assessment Report
|
||||
- Pillar-by-pillar maturity scores
|
||||
- Gap analysis with prioritized recommendations
|
||||
- Quick wins vs. long-term transformation items
|
||||
- Resource requirements and estimated timelines
|
||||
```
|
||||
|
||||
## Workflow 2: Identity Pillar Advancement (Traditional to Advanced)
|
||||
|
||||
```
|
||||
Phase A: MFA Deployment
|
||||
1. Inventory all user accounts (privileged, standard, service)
|
||||
2. Select phishing-resistant MFA solution (FIDO2/WebAuthn)
|
||||
3. Deploy MFA for privileged accounts first
|
||||
4. Extend MFA to all user accounts
|
||||
5. Implement MFA for service accounts and APIs
|
||||
6. Configure conditional access policies
|
||||
|
||||
Phase B: Identity Governance
|
||||
1. Implement identity lifecycle management
|
||||
2. Connect IAM to HR system for automated provisioning
|
||||
3. Establish access certification reviews
|
||||
4. Deploy identity threat detection
|
||||
5. Implement just-in-time access for elevated privileges
|
||||
|
||||
Phase C: Continuous Verification
|
||||
1. Integrate identity signals into access decisions
|
||||
2. Deploy risk-based authentication
|
||||
3. Implement session-level re-authentication for sensitive actions
|
||||
4. Enable behavioral analytics for identity anomalies
|
||||
```
|
||||
|
||||
## Workflow 3: Cross-Pillar Integration
|
||||
|
||||
```
|
||||
Step 1: Establish Unified Policy Engine
|
||||
- Define access policies that incorporate all five pillars
|
||||
- Implement Policy Decision Point (PDP) per NIST 800-207
|
||||
- Deploy Policy Enforcement Points (PEP) at all access boundaries
|
||||
|
||||
Step 2: Integrate Signal Sources
|
||||
- Identity signals -> trust score component
|
||||
- Device posture -> trust score component
|
||||
- Network context -> trust score component
|
||||
- Application risk -> trust score component
|
||||
- Data sensitivity -> access control component
|
||||
|
||||
Step 3: Implement Continuous Evaluation
|
||||
- Real-time trust scoring engine
|
||||
- Dynamic policy adjustment based on risk
|
||||
- Automated access revocation on policy violation
|
||||
- Audit logging for all access decisions
|
||||
|
||||
Step 4: Measure and Report
|
||||
- Track maturity progression per pillar quarterly
|
||||
- Report to leadership with ZTMM scorecard
|
||||
- Adjust roadmap based on threat landscape changes
|
||||
- Document lessons learned for continuous improvement
|
||||
```
|
||||
|
||||
## Workflow 4: Governance and Compliance Reporting
|
||||
|
||||
```
|
||||
Step 1: Establish Zero Trust Governance Board
|
||||
- Executive sponsor, CISO, pillar owners, compliance
|
||||
- Monthly review of zero trust maturity progress
|
||||
- Annual strategic review and roadmap adjustment
|
||||
|
||||
Step 2: Continuous Compliance Monitoring
|
||||
- Map ZTMM controls to OMB M-22-09 requirements
|
||||
- Automate evidence collection for each pillar
|
||||
- Generate compliance dashboards
|
||||
- Prepare for FISMA and other audit requirements
|
||||
|
||||
Step 3: Reporting to CISA
|
||||
- Submit agency zero trust implementation plan
|
||||
- Provide quarterly progress updates
|
||||
- Document deviations and remediation plans
|
||||
```
|
||||
@@ -0,0 +1,415 @@
|
||||
#!/usr/bin/env python3
|
||||
"""
|
||||
CISA Zero Trust Maturity Model Assessment and Roadmap Generator.
|
||||
|
||||
Evaluates organizational zero trust maturity across the five CISA ZTMM pillars
|
||||
(Identity, Devices, Networks, Applications, Data) and three cross-cutting
|
||||
capabilities (Visibility & Analytics, Automation & Orchestration, Governance).
|
||||
Generates gap analysis, prioritized roadmap, and compliance mapping.
|
||||
"""
|
||||
|
||||
import json
|
||||
import csv
|
||||
import datetime
|
||||
from dataclasses import dataclass, field
|
||||
from enum import IntEnum
|
||||
from typing import Optional
|
||||
from pathlib import Path
|
||||
|
||||
|
||||
class MaturityStage(IntEnum):
|
||||
TRADITIONAL = 0
|
||||
INITIAL = 1
|
||||
ADVANCED = 2
|
||||
OPTIMAL = 3
|
||||
|
||||
|
||||
PILLAR_FUNCTIONS = {
|
||||
"Identity": [
|
||||
"authentication",
|
||||
"identity_stores",
|
||||
"risk_assessment",
|
||||
"access_management",
|
||||
"identity_lifecycle",
|
||||
"visibility_analytics",
|
||||
"automation_orchestration",
|
||||
"governance",
|
||||
],
|
||||
"Devices": [
|
||||
"policy_enforcement",
|
||||
"asset_management",
|
||||
"device_compliance",
|
||||
"device_threat_protection",
|
||||
"visibility_analytics",
|
||||
"automation_orchestration",
|
||||
"governance",
|
||||
],
|
||||
"Networks": [
|
||||
"network_segmentation",
|
||||
"threat_protection",
|
||||
"encryption",
|
||||
"network_resilience",
|
||||
"visibility_analytics",
|
||||
"automation_orchestration",
|
||||
"governance",
|
||||
],
|
||||
"Applications": [
|
||||
"access_authorization",
|
||||
"threat_protection",
|
||||
"accessibility",
|
||||
"application_security",
|
||||
"visibility_analytics",
|
||||
"automation_orchestration",
|
||||
"governance",
|
||||
],
|
||||
"Data": [
|
||||
"data_inventory",
|
||||
"data_categorization",
|
||||
"data_availability",
|
||||
"data_access",
|
||||
"data_encryption",
|
||||
"visibility_analytics",
|
||||
"automation_orchestration",
|
||||
"governance",
|
||||
],
|
||||
}
|
||||
|
||||
OMB_M2209_REQUIREMENTS = {
|
||||
"Identity": {
|
||||
"requirement": "Agency staff use enterprise-managed identities with phishing-resistant MFA",
|
||||
"target_stage": MaturityStage.ADVANCED,
|
||||
"key_actions": [
|
||||
"Deploy FIDO2/WebAuthn for all users",
|
||||
"Integrate identity provider with all applications",
|
||||
"Implement authorization based on user attributes",
|
||||
],
|
||||
},
|
||||
"Devices": {
|
||||
"requirement": "Federal government has a complete inventory of authorized devices and can prevent/detect/respond to incidents",
|
||||
"target_stage": MaturityStage.ADVANCED,
|
||||
"key_actions": [
|
||||
"Deploy EDR on all endpoints",
|
||||
"Maintain real-time asset inventory",
|
||||
"Enforce device compliance before access",
|
||||
],
|
||||
},
|
||||
"Networks": {
|
||||
"requirement": "Agencies encrypt all DNS and HTTP traffic within their environment",
|
||||
"target_stage": MaturityStage.ADVANCED,
|
||||
"key_actions": [
|
||||
"Encrypt all DNS traffic (DoH/DoT)",
|
||||
"Enforce HTTPS for all web traffic",
|
||||
"Implement network microsegmentation",
|
||||
],
|
||||
},
|
||||
"Applications": {
|
||||
"requirement": "Agencies treat all applications as internet-connected and routinely test them",
|
||||
"target_stage": MaturityStage.ADVANCED,
|
||||
"key_actions": [
|
||||
"Integrate SAST/DAST into CI/CD",
|
||||
"Remove application access from VPN dependencies",
|
||||
"Implement application-level access policies",
|
||||
],
|
||||
},
|
||||
"Data": {
|
||||
"requirement": "Agencies have thorough data categorization and employ automated tools",
|
||||
"target_stage": MaturityStage.ADVANCED,
|
||||
"key_actions": [
|
||||
"Implement data classification scheme",
|
||||
"Deploy automated data tagging",
|
||||
"Enable DLP across all data channels",
|
||||
],
|
||||
},
|
||||
}
|
||||
|
||||
|
||||
@dataclass
|
||||
class FunctionAssessment:
|
||||
function_name: str
|
||||
current_stage: MaturityStage
|
||||
target_stage: MaturityStage
|
||||
evidence: str = ""
|
||||
gaps: list = field(default_factory=list)
|
||||
recommendations: list = field(default_factory=list)
|
||||
|
||||
|
||||
@dataclass
|
||||
class PillarAssessment:
|
||||
pillar_name: str
|
||||
functions: list = field(default_factory=list)
|
||||
overall_stage: MaturityStage = MaturityStage.TRADITIONAL
|
||||
compliance_gap: bool = False
|
||||
|
||||
def calculate_overall(self):
|
||||
if not self.functions:
|
||||
return
|
||||
scores = [f.current_stage.value for f in self.functions]
|
||||
avg = sum(scores) / len(scores)
|
||||
self.overall_stage = MaturityStage(int(avg))
|
||||
|
||||
def check_compliance(self):
|
||||
req = OMB_M2209_REQUIREMENTS.get(self.pillar_name)
|
||||
if req:
|
||||
self.compliance_gap = self.overall_stage < req["target_stage"]
|
||||
|
||||
|
||||
@dataclass
|
||||
class RoadmapItem:
|
||||
pillar: str
|
||||
function_name: str
|
||||
current_stage: str
|
||||
target_stage: str
|
||||
priority: int # 1=highest, 4=lowest
|
||||
effort: str # low, medium, high
|
||||
recommendations: list = field(default_factory=list)
|
||||
dependencies: list = field(default_factory=list)
|
||||
|
||||
|
||||
class ZTMMAssessment:
|
||||
"""Full CISA Zero Trust Maturity Model assessment engine."""
|
||||
|
||||
def __init__(self, organization_name: str):
|
||||
self.organization = organization_name
|
||||
self.assessment_date = datetime.datetime.now().isoformat()
|
||||
self.pillar_assessments: dict[str, PillarAssessment] = {}
|
||||
self.roadmap: list[RoadmapItem] = []
|
||||
|
||||
def assess_function(
|
||||
self,
|
||||
pillar: str,
|
||||
function_name: str,
|
||||
current_stage: int,
|
||||
target_stage: int = 3,
|
||||
evidence: str = "",
|
||||
gaps: Optional[list] = None,
|
||||
) -> FunctionAssessment:
|
||||
current = MaturityStage(current_stage)
|
||||
target = MaturityStage(target_stage)
|
||||
fa = FunctionAssessment(
|
||||
function_name=function_name,
|
||||
current_stage=current,
|
||||
target_stage=target,
|
||||
evidence=evidence,
|
||||
gaps=gaps or [],
|
||||
)
|
||||
if pillar not in self.pillar_assessments:
|
||||
self.pillar_assessments[pillar] = PillarAssessment(pillar_name=pillar)
|
||||
self.pillar_assessments[pillar].functions.append(fa)
|
||||
return fa
|
||||
|
||||
def calculate_maturity(self):
|
||||
for pa in self.pillar_assessments.values():
|
||||
pa.calculate_overall()
|
||||
pa.check_compliance()
|
||||
|
||||
def generate_roadmap(self) -> list[RoadmapItem]:
|
||||
self.roadmap = []
|
||||
effort_map = {0: "high", 1: "medium", 2: "low", 3: "low"}
|
||||
|
||||
for pillar_name, pa in self.pillar_assessments.items():
|
||||
for func in pa.functions:
|
||||
if func.current_stage < func.target_stage:
|
||||
gap = func.target_stage.value - func.current_stage.value
|
||||
next_stage = MaturityStage(func.current_stage.value + 1)
|
||||
item = RoadmapItem(
|
||||
pillar=pillar_name,
|
||||
function_name=func.function_name,
|
||||
current_stage=func.current_stage.name,
|
||||
target_stage=next_stage.name,
|
||||
priority=max(1, 4 - gap),
|
||||
effort=effort_map.get(func.current_stage.value, "high"),
|
||||
recommendations=func.recommendations,
|
||||
)
|
||||
self.roadmap.append(item)
|
||||
|
||||
self.roadmap.sort(key=lambda x: (x.priority, x.effort != "low"))
|
||||
return self.roadmap
|
||||
|
||||
def get_compliance_status(self) -> dict:
|
||||
status = {}
|
||||
for pillar_name, pa in self.pillar_assessments.items():
|
||||
req = OMB_M2209_REQUIREMENTS.get(pillar_name, {})
|
||||
status[pillar_name] = {
|
||||
"current_stage": pa.overall_stage.name,
|
||||
"required_stage": req.get("target_stage", MaturityStage.ADVANCED).name,
|
||||
"compliant": not pa.compliance_gap,
|
||||
"requirement": req.get("requirement", "N/A"),
|
||||
"key_actions": req.get("key_actions", []),
|
||||
}
|
||||
return status
|
||||
|
||||
def get_summary(self) -> dict:
|
||||
summary = {
|
||||
"organization": self.organization,
|
||||
"assessment_date": self.assessment_date,
|
||||
"pillars": {},
|
||||
"overall_maturity": "TRADITIONAL",
|
||||
}
|
||||
stages = []
|
||||
for name, pa in self.pillar_assessments.items():
|
||||
summary["pillars"][name] = {
|
||||
"stage": pa.overall_stage.name,
|
||||
"score": pa.overall_stage.value,
|
||||
"functions_assessed": len(pa.functions),
|
||||
"compliance_gap": pa.compliance_gap,
|
||||
}
|
||||
stages.append(pa.overall_stage.value)
|
||||
|
||||
if stages:
|
||||
avg = sum(stages) / len(stages)
|
||||
summary["overall_maturity"] = MaturityStage(int(avg)).name
|
||||
summary["overall_score"] = round(avg, 2)
|
||||
|
||||
return summary
|
||||
|
||||
def export_report(self, output_path: str):
|
||||
report = {
|
||||
"summary": self.get_summary(),
|
||||
"compliance_status": self.get_compliance_status(),
|
||||
"roadmap": [
|
||||
{
|
||||
"pillar": r.pillar,
|
||||
"function": r.function_name,
|
||||
"current": r.current_stage,
|
||||
"target": r.target_stage,
|
||||
"priority": r.priority,
|
||||
"effort": r.effort,
|
||||
}
|
||||
for r in self.roadmap
|
||||
],
|
||||
"detailed_assessments": {},
|
||||
}
|
||||
|
||||
for name, pa in self.pillar_assessments.items():
|
||||
report["detailed_assessments"][name] = {
|
||||
"overall_stage": pa.overall_stage.name,
|
||||
"functions": [
|
||||
{
|
||||
"name": f.function_name,
|
||||
"current": f.current_stage.name,
|
||||
"target": f.target_stage.name,
|
||||
"evidence": f.evidence,
|
||||
"gaps": f.gaps,
|
||||
}
|
||||
for f in pa.functions
|
||||
],
|
||||
}
|
||||
|
||||
path = Path(output_path)
|
||||
path.parent.mkdir(parents=True, exist_ok=True)
|
||||
with open(path, "w") as f:
|
||||
json.dump(report, f, indent=2)
|
||||
return report
|
||||
|
||||
def export_csv(self, output_path: str):
|
||||
path = Path(output_path)
|
||||
path.parent.mkdir(parents=True, exist_ok=True)
|
||||
with open(path, "w", newline="") as f:
|
||||
writer = csv.writer(f)
|
||||
writer.writerow([
|
||||
"Pillar", "Function", "Current Stage", "Target Stage",
|
||||
"Gap", "Priority", "Effort", "Evidence"
|
||||
])
|
||||
for name, pa in self.pillar_assessments.items():
|
||||
for func in pa.functions:
|
||||
gap = func.target_stage.value - func.current_stage.value
|
||||
writer.writerow([
|
||||
name, func.function_name,
|
||||
func.current_stage.name, func.target_stage.name,
|
||||
gap, max(1, 4 - gap),
|
||||
"high" if func.current_stage == MaturityStage.TRADITIONAL else "medium",
|
||||
func.evidence,
|
||||
])
|
||||
|
||||
|
||||
def run_sample_assessment():
|
||||
"""Run a sample assessment demonstrating the ZTMM assessment process."""
|
||||
assessment = ZTMMAssessment("Example Federal Agency")
|
||||
|
||||
# Identity Pillar Assessment
|
||||
assessment.assess_function("Identity", "authentication", 1, 3,
|
||||
evidence="MFA deployed for 60% of users, not phishing-resistant",
|
||||
gaps=["No FIDO2/WebAuthn deployment", "Service accounts lack MFA"])
|
||||
assessment.assess_function("Identity", "identity_stores", 1, 3,
|
||||
evidence="Centralized AD, partial cloud identity integration")
|
||||
assessment.assess_function("Identity", "risk_assessment", 0, 3,
|
||||
evidence="No risk-based authentication in place")
|
||||
assessment.assess_function("Identity", "access_management", 1, 3,
|
||||
evidence="Basic RBAC, no attribute-based access control")
|
||||
assessment.assess_function("Identity", "identity_lifecycle", 1, 3,
|
||||
evidence="Manual provisioning, no HR integration")
|
||||
|
||||
# Devices Pillar Assessment
|
||||
assessment.assess_function("Devices", "policy_enforcement", 1, 3,
|
||||
evidence="MDM deployed, basic compliance checks")
|
||||
assessment.assess_function("Devices", "asset_management", 1, 3,
|
||||
evidence="Partial inventory, no IoT coverage")
|
||||
assessment.assess_function("Devices", "device_compliance", 0, 3,
|
||||
evidence="No real-time compliance checking")
|
||||
assessment.assess_function("Devices", "device_threat_protection", 1, 3,
|
||||
evidence="EDR on 70% of endpoints")
|
||||
|
||||
# Networks Pillar Assessment
|
||||
assessment.assess_function("Networks", "network_segmentation", 0, 3,
|
||||
evidence="Flat network, basic VLAN segmentation only")
|
||||
assessment.assess_function("Networks", "threat_protection", 1, 3,
|
||||
evidence="Perimeter firewall, no NDR")
|
||||
assessment.assess_function("Networks", "encryption", 1, 3,
|
||||
evidence="TLS for external, plaintext internal")
|
||||
assessment.assess_function("Networks", "network_resilience", 1, 3,
|
||||
evidence="Basic redundancy, no SD-WAN")
|
||||
|
||||
# Applications Pillar Assessment
|
||||
assessment.assess_function("Applications", "access_authorization", 1, 3,
|
||||
evidence="VPN-based access for internal apps")
|
||||
assessment.assess_function("Applications", "threat_protection", 1, 3,
|
||||
evidence="WAF for public apps only")
|
||||
assessment.assess_function("Applications", "application_security", 0, 3,
|
||||
evidence="Annual pen tests, no CI/CD security integration")
|
||||
|
||||
# Data Pillar Assessment
|
||||
assessment.assess_function("Data", "data_inventory", 0, 3,
|
||||
evidence="No comprehensive data inventory")
|
||||
assessment.assess_function("Data", "data_categorization", 1, 3,
|
||||
evidence="Basic classification, manual process")
|
||||
assessment.assess_function("Data", "data_access", 1, 3,
|
||||
evidence="Role-based access, no fine-grained controls")
|
||||
assessment.assess_function("Data", "data_encryption", 1, 3,
|
||||
evidence="Encryption at rest for databases, not all storage")
|
||||
|
||||
# Calculate and report
|
||||
assessment.calculate_maturity()
|
||||
roadmap = assessment.generate_roadmap()
|
||||
|
||||
print("=" * 70)
|
||||
print(f"CISA ZTMM Assessment: {assessment.organization}")
|
||||
print(f"Date: {assessment.assessment_date}")
|
||||
print("=" * 70)
|
||||
|
||||
summary = assessment.get_summary()
|
||||
print(f"\nOverall Maturity: {summary['overall_maturity']} (Score: {summary.get('overall_score', 'N/A')})")
|
||||
print("\nPillar Maturity Scores:")
|
||||
for pillar, data in summary["pillars"].items():
|
||||
compliance = " [COMPLIANCE GAP]" if data["compliance_gap"] else " [COMPLIANT]"
|
||||
print(f" {pillar:20s}: {data['stage']:12s} (Score: {data['score']}){compliance}")
|
||||
|
||||
print("\nOMB M-22-09 Compliance Status:")
|
||||
compliance = assessment.get_compliance_status()
|
||||
for pillar, status in compliance.items():
|
||||
icon = "PASS" if status["compliant"] else "FAIL"
|
||||
print(f" [{icon}] {pillar}: {status['current_stage']} / Required: {status['required_stage']}")
|
||||
|
||||
print(f"\nPrioritized Roadmap ({len(roadmap)} items):")
|
||||
for i, item in enumerate(roadmap[:10], 1):
|
||||
print(f" {i}. [{item.pillar}] {item.function_name}: "
|
||||
f"{item.current_stage} -> {item.target_stage} "
|
||||
f"(Priority: {item.priority}, Effort: {item.effort})")
|
||||
|
||||
# Export reports
|
||||
assessment.export_report("ztmm_assessment_report.json")
|
||||
assessment.export_csv("ztmm_assessment_report.csv")
|
||||
print("\nReports exported: ztmm_assessment_report.json, ztmm_assessment_report.csv")
|
||||
|
||||
|
||||
if __name__ == "__main__":
|
||||
run_sample_assessment()
|
||||
Reference in New Issue
Block a user