Zero Trust Maturity Devices Pillar
Introduction
This section covers the capabilities needed for the Zero Trust Maturity Devices Pillar. It illustrates how existing TRA Business Rules and Recommended Practices align with these capabilities.
CMS Guidance
The devices pillar highlights the importance of consistently tracking and monitoring devices to understand their security posture before granting them access to systems. For applications, devices include physical servers as well as virtual assets such as virtual machines and containers.
The CMS Zero Trust Workgroup is developing guidelines for CMS ADOs. Specific guidance can be found in the CMS Cloud documentation: Device Pillar. This includes:
- How to maintain a complete inventory of every device a system runs on, through the CDM program
- Managing supply chain risks for both devices and the software they run
- Preventing and detecting incidents on those devices
Capabilities
The business rules shown beneath each capability are not comprehensive; other requirements are defined in the ARS and RMH.
Policy Enforcement and Compliance Monitoring
Traditional | Initial | Advanced | Optimal |
---|---|---|---|
Agency has limited, if any, visibility (i.e., ability to inspect device behavior) into device compliance with few methods of enforcing policies or managing software, configurations, or vulnerabilities. | Agency receives self-reported device characteristics (e.g., keys, tokens, users, etc., on the device) but has limited enforcement mechanisms. Agency has a preliminary, basic process in place to approve software use and push updates and configuration changes to devices. | Agency has verified insights (i.e., an administrator can inspect and verify the data on the device) on initial access to the device and enforces compliance for most devices and virtual assets. Agency uses automated methods to manage devices and virtual assets, approve software, and identify vulnerabilities and install patches. | Agency continuously verifies insights and enforces compliance throughout the lifetime of devices and virtual assets. Agency integrates device, software, configuration, and vulnerability management across all agency environments, including for virtual assets. |
- BR-SEC-Gen-2: Software and Hardware Components Must Adhere to a Secure Baseline Configuration
- BR-SEC-Gen-3: Disable All Unnecessary Features and Capabilities
- BR-SEC-Gen-11: Periodic and Continuous Configuration Compliance Scanning Is Required
- BR-CCIC-14: Hardware Asset Management Capability
- BR-CCIC-16: Configuration Settings Management Capability
- BR-SV-12: Perform Asset Management of Virtual Instances
- RP-SV-14: Use VM Configuration Templates
- BR-IoT-1: CMS IoT Platforms Must Comply with CMS Requirements for CMS Processing Environments
Asset and Supply Chain Risk Management
Traditional | Initial | Advanced | Optimal |
---|---|---|---|
Agency does not track physical or virtual assets in an enterprise-wide or cross-vendor manner and manages its own supply chain acquisition of devices and services in an ad hoc fashion with a limited view of enterprise risks. | Agency tracks all physical and some virtual assets and manages supply chain risks by establishing policies and control baselines according to federal recommendations using a robust framework (e.g., NIST SCRM). | Agency begins to develop a comprehensive enterprise view of physical and virtual assets via automated processes that can function across multiple vendors to verify acquisitions, track development cycles, and provide third-party assessments. | Agency has a comprehensive, at- or near-real-time view of all assets across vendors and service providers, automates its supply chain risk management as applicable, builds operations that tolerate supply chain failures, and incorporates best practices. |
- BR-CI-4: Obtain TRB Approval for CMS-Owned Equipment
- BR-CI-5: Acquisition of New IaaS or PaaS Cloud Service Providers
- BR-F-6: Mainframes Must Be Dedicated to CMS
- BR-IoT-1: CMS IoT Platforms Must Comply with CMS Requirements for CMS Processing Environments
- RP-IoT-1: CMS-Managed IoT Devices Should Comply with NIST SP 1800-15 and the Latest MUD Specifications
- BR-SEC-FW-11: Utilize Firewalls from Two or More Different Vendors
Resource Access
Traditional | Initial | Advanced | Optimal |
---|---|---|---|
Agency does not require visibility into devices or virtual assets used to access resources. | Agency requires some devices or virtual assets to report characteristics and then uses this information to approve resource access. | Agency's initial resource access considers verified device or virtual asset insights. | Agency's resource access considers real-time risk analytics within devices and virtual assets. |
- BR-F-3: The CMS TRA Defines a Zoned Architecture
- BR-F-4: Within a CMS Processing Environment, Communication Must Flow Only between Adjacent Zones or within a Single Zone
- BR-EFT-11: CMS Data Files May Only Be Transferred to the Data Zone
- RP-DSS-5: A Storage Service Data Store Should Not Be Accessible from More Than One Zone
- BR-F-12: Role-Based Security AAA Must Be Used for Management and User Roles
- BR-SV-1: Apply Separation of Duties to Virtualization Administration
- BR-SV-2: Provide Hypervisor Root Access Only to Specific Administrative Accounts
- BR-SV-3: Different Administration Account on Blade Controllers and Hypervisors
- BR-SV-16: Originate Administrator Access to Blade Controllers and Hypervisors from the Management Zone
- BR-SA-4: Use TRB-Validated Mediation and Data Access Services to Access Data in the Data Zone
- BR-WS-4: Use TRB-Approved Data Zone Mediation and Data Access Services to Access Data in the Data Zone
- BR-WS-9: Inter-Zone Web Services Must Traverse a Mediated Service
- BR-WS-12: Messages Must Pass through All Intermediate Zones
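The progression in the Resource Access table above (trusting self-reported characteristics, then verified insights at first access, then continuous re-verification) and the baseline-compliance enforcement described under the first capability, as one added illustration. This is example code written for this page; it is not part of the TRA, the CDM program, or any CMS tooling. The device ID, attestation key, baseline settings, staleness window and posture records are all constructed for the example, and the HMAC stands in for whatever TPM-, MDM- or EDR-backed attestation a real deployment would verify.

```python
"""Device-posture-gated access decision (added example; not CMS TRA code).

Models the Resource Access maturity progression:
  initial  - the policy trusts whatever the device self-reports
  advanced - the posture report must carry a valid attestation before use
  optimal  - the report must also be fresh, so posture is re-verified on
             every access rather than only on first access
Keys, baseline values and device records below are constructed for the example.
"""
import hashlib
import hmac
import json
import time

# Hypothetical per-device attestation keys. In a real deployment this role is
# played by a TPM-held key or an MDM/EDR-issued signing identity.
ATTESTATION_KEYS = {"dev-1001": b"constructed-example-key-do-not-reuse"}

# Hypothetical secure-baseline checks in the spirit of BR-SEC-Gen-2 and BR-SEC-Gen-3.
BASELINE = {
    "require_disk_encrypted": True,
    "require_edr_running": True,
    "max_patch_age_days": 30,
    "disallowed_services": {"telnet", "ftp"},
}
MAX_REPORT_AGE_S = 300  # a posture report older than 5 minutes is stale


def canonical(claims: dict) -> bytes:
    """Stable serialisation so signer and verifier hash identical bytes."""
    return json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()


def sign_report(device_id: str, claims: dict) -> dict:
    """Device side: attest to the posture claims with the device key."""
    mac = hmac.new(ATTESTATION_KEYS[device_id], canonical(claims), hashlib.sha256).hexdigest()
    return {"device_id": device_id, "claims": claims, "mac": mac}


def verify_report(report: dict) -> bool:
    """Policy side: accept claims only if the attestation checks out."""
    key = ATTESTATION_KEYS.get(report.get("device_id"))
    if key is None:
        return False
    expected = hmac.new(key, canonical(report["claims"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, report.get("mac", ""))


def baseline_findings(claims: dict) -> list:
    """Compare reported posture against the baseline; an empty list means compliant."""
    findings = []
    if BASELINE["require_disk_encrypted"] and not claims.get("disk_encrypted"):
        findings.append("disk not encrypted")
    if BASELINE["require_edr_running"] and not claims.get("edr_running"):
        findings.append("EDR agent not running")
    if claims.get("patch_age_days", 10**6) > BASELINE["max_patch_age_days"]:
        findings.append("patch age exceeds baseline")
    bad = BASELINE["disallowed_services"] & set(claims.get("running_services", []))
    if bad:
        findings.append("disallowed services running: " + ", ".join(sorted(bad)))
    return findings


def decide_access(report: dict, now=None, maturity: str = "optimal"):
    """Return (allow, reasons) for a resource-access request from a device."""
    now = time.time() if now is None else now
    claims = report["claims"]
    # Advanced and optimal: never act on claims that are not attested.
    if maturity in ("advanced", "optimal") and not verify_report(report):
        return False, ["posture report failed attestation check"]
    # Optimal: a valid but old report does not prove the device is still compliant.
    if maturity == "optimal" and now - claims.get("reported_at", 0) > MAX_REPORT_AGE_S:
        return False, ["posture report is stale; re-attestation required"]
    findings = baseline_findings(claims)
    return (not findings), findings


if __name__ == "__main__":
    t0 = time.time()
    honest = {"disk_encrypted": True, "edr_running": False, "patch_age_days": 7,
              "running_services": ["sshd"], "reported_at": t0}
    report = sign_report("dev-1001", honest)
    # A device (or malware on it) edits the claims after they were signed.
    forged = dict(report, claims=dict(honest, edr_running=True))
    for level in ("initial", "advanced", "optimal"):
        print(level, "forged report ->", decide_access(forged, now=t0, maturity=level))
    print("optimal, stale honest report ->", decide_access(report, now=t0 + 3600))
```

The point the run makes is that an "initial"-maturity policy admits the forged report because it has no way to tell self-reported from verified data, while the attestation check rejects it; the staleness check is what turns a one-time gate into the continuous verification the Optimal column describes.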
Device Threat Protection
Traditional | Initial | Advanced | Optimal |
---|---|---|---|
Agency manually deploys threat protection capabilities to some devices. | Agency has some automated processes for deploying and updating threat protection capabilities to devices and to virtual assets with limited policy enforcement and compliance monitoring integration. | Agency begins to consolidate threat protection capabilities to centralized solutions for devices and virtual assets and integrates most of these capabilities with policy enforcement and compliance monitoring. | Agency has a centralized threat protection security solution(s) deployed with advanced capabilities for all devices and virtual assets and a unified approach for device threat protection, policy enforcement, and compliance monitoring. |
- BR-PMM-3: Monitor Production Environments
- BR-SEC-Gen-11: Periodic and Continuous Configuration Compliance Scanning Is Required
- BR-SEC-Gen-12: Host Intrusion Detection Capabilities on All IT Components
- BR-SEC-Gen-21: Malware and Malicious Code Scanning Results Must Be Sent to the Security Zone
- BR-CCIC-09: Local Information Sharing and Cyber Threat Intelligence Support
- BR-CCIC-25: Insider Threat Detection