Zero Trust Maturity Identity Pillar
Introduction
This section covers the capabilities needed for the Zero Trust Maturity Identity Pillar. It illustrates how existing TRA Business Rules and Recommended Practices align with these capabilities.
CMS Guidance
The identity pillar considers how accounts are created and how users log into systems. The ability to identify every user and entity requesting system access is foundational to the concept of zero trust.
The CMS Zero Trust Workgroup is developing guidelines for CMS ADOs. Specific guidance can be found in CMS Cloud documentation: Identity Pillar. This includes:
- How to store identities of users as well as authenticate them
- Consideration of identity for the developers and admins creating the system and the end users of the system like providers or the public
- Consideration of non-person entities such as devices, service accounts, and APIs
Capabilities
Each table below describes one identity-pillar capability (Authentication, Identity Stores, Risk Assessments, Access Management) across the four maturity stages. The business rules listed beneath each capability are not comprehensive; other requirements are defined in the ARS and RMH.
Authentication
Traditional | Initial | Advanced | Optimal |
---|---|---|---|
Agency authenticates identity using either passwords or multi-factor authentication (MFA) with static access for entity identity. | Agency authenticates identity using MFA, which may include passwords as one factor and requires validation of multiple entity attributes (e.g., locale or activity). | Agency begins to authenticate all identity using phishing-resistant MFA and attributes, including initial implementation of passwordless MFA. | Agency continuously validates identity with phishing-resistant MFA, not just when access is initially granted. |
- BR-ACID-2: Known Identity Required to Access CMS Information Systems
- BR-ACID-13: OIT Is Responsible for Identity Management of Users with Credentials Provisioned in the CMS Enterprise Directory
- BR-SA-2: Integrate with the CMS Identity Management Services
- BR-UI-12: Authentication
- BR-WS-11: Use Certificate-Based Mutual Authentication for Machine-to-Machine Web Services
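The Advanced and Optimal stages of the authentication capability turn on two checks a relying application can make on an already-verified identity token: whether a phishing-resistant factor was used, and whether the user's identity was re-validated recently rather than only at initial login. The following is an added example, not code from the TRA or from any CMS system. It assumes OIDC-style claims whose signature has already been verified upstream, RFC 8176 values in the `amr` claim, and a hypothetical 15-minute re-validation window; which `amr` values count as phishing-resistant is a policy assumption of the example.

```python
"""Policy check for the Authentication capability.

Advanced stage: a phishing-resistant factor must be present.
Optimal stage: identity must also have been re-validated recently,
not only when the session was first granted.

Assumptions (example only, not from the TRA): token claims are already
signature-verified before reaching this code; "amr" uses RFC 8176 values;
the re-validation window is a hypothetical policy value.
"""
import time

# RFC 8176 AMR values this example treats as phishing-resistant:
# "hwk" (proof of possession of a hardware-secured key) and "sc" (smart
# card, e.g. PIV). "pwd", "otp", "sms" and a bare "mfa" are not.
# Which values qualify is this example's policy assumption.
PHISHING_RESISTANT_AMR = {"hwk", "sc"}

MAX_AUTH_AGE_SECONDS = 15 * 60  # hypothetical re-validation window


def evaluate_authentication(claims, now=None, max_auth_age=MAX_AUTH_AGE_SECONDS):
    """Return (allowed, reason) for an access attempt based on verified claims."""
    now = time.time() if now is None else now
    amr = set(claims.get("amr", []))

    # Advanced stage: password+OTP is MFA but is not phishing-resistant,
    # so it is rejected here regardless of freshness.
    if not amr & PHISHING_RESISTANT_AMR:
        return False, "phishing-resistant MFA required (amr=%s)" % sorted(amr)

    # Optimal stage: auth_time is when the user last actively authenticated.
    # A missing or stale value means the session must step up again rather
    # than coasting on the initial grant.
    auth_time = claims.get("auth_time")
    if auth_time is None:
        return False, "auth_time claim missing; cannot assess freshness"
    age = now - auth_time
    if age > max_auth_age:
        return False, "re-authentication required (last auth %ds ago)" % age

    return True, "phishing-resistant factor present and authentication fresh"


NOW = 1_700_000_000  # fixed clock so the sample run is deterministic

# Constructed sample claim sets, not real tokens.
SAMPLE_CLAIMS = {
    "password_and_otp": {"sub": "u1", "amr": ["pwd", "otp"], "auth_time": NOW - 60},
    "hardware_key_fresh": {"sub": "u2", "amr": ["hwk", "user"], "auth_time": NOW - 60},
    "hardware_key_stale": {"sub": "u3", "amr": ["hwk"], "auth_time": NOW - 3600},
    "smartcard_no_auth_time": {"sub": "u4", "amr": ["sc"]},
}


def run_samples(now=NOW):
    """Evaluate every constructed sample and return {name: (allowed, reason)}."""
    return {name: evaluate_authentication(c, now=now) for name, c in SAMPLE_CLAIMS.items()}


if __name__ == "__main__":
    for name, (allowed, reason) in run_samples().items():
        print("%-24s %-5s %s" % (name, "ALLOW" if allowed else "DENY", reason))
```

Only the `hardware_key_fresh` sample is allowed: password+OTP fails the phishing-resistance check, the stale hardware-key session fails freshness, and the smart-card claims without `auth_time` are rejected because freshness cannot be established. In a real deployment the `max_auth_age` value and the set of accepted `amr` values come from the identity provider's configuration and the system's risk determination, not from constants in application code.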
Identity Stores
Traditional | Initial | Advanced | Optimal |
---|---|---|---|
Agency only uses self-managed, on-premises (i.e., planned, deployed, and maintained by the agency) identity stores. | Agency has a combination of self-managed identity stores and hosted identity store(s) (e.g., cloud or other agency) with minimal integration between the stores (e.g., single sign-on). | Agency begins to securely consolidate and integrate some self-managed and hosted identity stores. | Agency securely integrates its identity stores across all partners and environments as appropriate. |
- BR-BI-3: Authentication, Auditing, and Logging of All BI User Accounts Must Be Managed from the CMS Enterprise LDAP Directory and Enterprise User Administration
- BR-ACID-3: Single Identity Record for Each Individual Accessing CMS Systems
- BR-ACID-4: User Identities Must Be Vetted and Managed Using a Common Framework
- BR-ACID-10: EUA Manages UserIDs of CMS Employees and Contractors
- BR-SA-2: Integrate with the CMS Identity Management Services
- RP-SAAS-4: Integrate SaaS with CMS Identity Management Systems
Risk Assessments
Traditional | Initial | Advanced | Optimal |
---|---|---|---|
Agency makes limited determinations for identity risk (i.e., the likelihood that an identity is compromised). | Agency determines identity risk using manual methods and static rules to support visibility. | Agency determines identity risk with some automated analysis and dynamic rules to inform access decisions and response activities. | Agency determines identity risk in real time based on continuous analysis and dynamic rules to deliver ongoing protection. |
- BR-SEC-Gen-22: All Information Systems Must Have a System Risk Assessment in CFACTS
- BR-CCIC-02: Assessment of Information Security and Privacy Risks
Access Management
Traditional | Initial | Advanced | Optimal |
---|---|---|---|
Agency authorizes permanent access with periodic review for both privileged and unprivileged accounts. | Agency authorizes access, including for privileged access requests, that expires with automated review. | Agency authorizes need-based and session-based access, including for privileged access requests, that is tailored to actions and resources. | Agency uses automation to authorize just-in-time and just-enough access tailored to individual actions and individual resource needs. |
- BR-ACID-1: Valid Purpose Required to Access CMS Information Systems
- BR-ACID-11: CMS Business Owners Provide Privilege Administration
- BR-ACID-13: OIT Is Responsible for Identity Management of Users with Credentials Provisioned in the CMS Enterprise Directory