Zero Trust Maturity Networks Pillar
Introduction
This section covers the capabilities needed for the Zero Trust Maturity Networks Pillar. It illustrates how existing TRA Business Rules and Recommended Practices align with these capabilities.
CMS Guidance
A network refers to an open communications medium including typical channels such as agency internal networks, wireless networks, and the Internet as well as other potential channels such as cellular and application-level channels used to transport messages.
The CMS Zero Trust Workgroup is developing guidelines for CMS ADOs. Specific guidance can be found in CMS Cloud documentation: Network Pillar. This includes:
- Encrypting traffic that leaves the CMS boundary, as well as encrypting internal traffic
- Designing for network resilience against both normal-use disruptions and adversary action
- Beginning to execute a plan to break the perimeter down into isolated environments
Capabilities
The business rules listed beneath each capability are not comprehensive; other requirements are defined in the ARS and RMH.
Network Segmentation
Traditional | Initial | Advanced | Optimal |
---|---|---|---|
Agency defines their network architecture using large perimeter/macro-segmentation with minimal restrictions on reachability within network segments. Agency may also rely on multi-service interconnections (e.g., bulk traffic VPN tunnels). | Agency begins to deploy network architecture with the isolation of critical workloads, constraining connectivity to least function principles, and a transition toward service-specific interconnections. | Agency expands deployment of endpoint and application profile isolation mechanisms to more of their network architecture with ingress/egress micro-perimeters and service-specific interconnections. | Agency network architecture consists of fully distributed ingress/egress micro-perimeters and extensive micro-segmentation based around application profiles with dynamic just-in-time and just-enough connectivity for service-specific interconnections. |
- BR-F-3: The CMS TRA Defines a Zoned Architecture
- BR-F-4: Within a CMS Processing Environment, Communication Must Flow Only between Adjacent Zones or within a Single Zone
- BR-SEC-FW-1: Separate Network Interfaces for Each Network Segment and Zone
- BR-WAN-S-3: Communication between CMS Data Centers Is Only Permitted between Like Zones
- BR-WAN-S-12: Management of CMSNet Is Via a Dedicated Logical Network
Network Traffic Management
Traditional | Initial | Advanced | Optimal |
---|---|---|---|
Agency manually implements static network rules and configurations to manage traffic at service provisioning, with limited monitoring capabilities (e.g., application performance monitoring or anomaly detection) and manual audits and reviews of profile changes for mission critical applications. | Agency establishes application profiles with distinct traffic management features and begins to map all applications to these profiles. Agency expands application of static rules to all applications and performs periodic manual audits of application profile assessments. | Agency implements dynamic network rules and configurations for resource optimization that are periodically adapted based upon automated risk-aware and risk-responsive application profile assessments and monitoring. | Agency implements dynamic network rules and configurations that continuously evolve to meet application profile needs and reprioritize applications based on mission criticality, risk, etc. |
- BR-CCIC-07: Local Security Information and Event Management Capability
- BR-CCIC-12: CyberScope Data Feeds
- BR-CCIC-18: Perimeter Monitoring Prerequisites
- BR-PMM-3: Monitor Production Environments
- BR-SAAS-7: Integrate with CMS CCIC
- RP-SAAS-3: Continuous Monitoring
- BR-SA-9: Systems Must Define Metrics for IT Health Monitoring
Traffic Encryption
Traditional | Initial | Advanced | Optimal |
---|---|---|---|
Agency encrypts minimal traffic and relies on manual or ad hoc processes to manage and secure encryption keys. | Agency begins to encrypt all traffic to internal applications, to prefer encryption for traffic to external applications, to formalize key management policies, and to secure server/service encryption keys. | Agency ensures encryption for all applicable internal and external traffic protocols, manages issuance and rotation of keys and certificates, and begins to incorporate best practices for cryptographic agility. | Agency continues to encrypt traffic as appropriate, enforces least privilege principles for secure key management enterprise-wide, and incorporates best practices for cryptographic agility as widely as possible. |
- BR-SA-6: Network Communications Must Meet the TRA Rules for Encryption
- BR-CCIC-24: FIPS 140-2 or FIPS 140-3 Validated Encryption Use
- BR-WAN-S-0: Use Mutual Authentication and Encrypted Tunnels between Data Centers
- BR-WAN-S-1: The WAN Must Implement FIPS 140-2 or FIPS 140-3 Compliant Encryption
Network Resilience
Traditional | Initial | Advanced | Optimal |
---|---|---|---|
Agency configures network capabilities on a case-by-case basis to only match individual application availability demands with limited resilience mechanisms for workloads not deemed mission critical. | Agency begins to configure network capabilities to manage availability demands for additional applications and expand resilience mechanisms for workloads not deemed mission critical. | Agency has configured network capabilities to dynamically manage the availability demands and resilience mechanisms for the majority of their applications. | Agency integrates holistic delivery and awareness in adapting to changes in availability demands for all workloads and provides proportionate resilience. |