Zero Trust Maturity Applications & Workloads

Introduction

This section covers the capabilities needed for the Zero Trust Maturity Applications and Workloads Pillar. It illustrates how existing TRA Business Rules and Recommended Practices align with these capabilities.

CMS Guidance

Applications and workloads include systems, computer programs, and services that execute in on-premises and cloud environments. In mature zero trust deployments, users strongly authenticate into applications, not into the underlying networks.

The CMS Zero Trust Workgroup is developing guidelines for CMS ADOs. Specific guidance can be found in CMS Cloud documentation: Zero Trust Maturity for AWS for CMS Cloud. This includes:

Application-specific threat protections
Application security testing at all stages of development and deployment
Enabling access to applications based on additional user attributes beyond mere presence on specific networks

Capabilities

The business rules shown beneath each capability aren’t comprehensive — Other requirements are defined in the ARS and RMH.

Zero Trust Application Access Capabilities
Traditional	Initial	Advanced	Optimal
Agency authorizes access to applications primarily based on local authorization and static attributes.	Agency begins to implement authorizing access capabilities to applications that incorporate contextual information (e.g., identity, device compliance, and/or other attributes) per request with expiration.	Agency automates application access decisions with expanded contextual information and enforced expiration conditions that adhere to least privilege principles.	Agency continuously authorizes application access, incorporating real-time risk analytics and factors such as behavior or usage patterns.

BR-P-5: Each Portlet Must Control Access to Content / Functionality Based on User and Role Information via the Portal
BR-BI-5: Role-Based Authorization Must Be Used to Manage Access to BI Applications, Queries, Reports, Analytic Functions, Tables, Views, and Stored Procedures
BR-ACID-1: Valid Purpose Required to Access CMS Information Systems
BR-WAN-S-2: CMS Business Partners Only Access the Presentation Zone
BR-WAN-S-4: Business Partner Access Restrictions
BR-F-12: Role-Based Security AAA Must Be Used for Management and User Roles
BR-URL-3: Logs Must Identify the Users Who Access a CMS File Referenced by a URL from the External Networks or CMSNet
BR-URL-4: Logs Must Identify the Users Who Upload a File to a CMS Location Referenced by a URL from the External Networks or CMSNet

Zero Trust Application Threat Protections Capabilities
Traditional	Initial	Advanced	Optimal
Agency threat protections have minimal integration with application workflows, applying general purpose protections for known threats	Agency integrates threat protections into mission critical application workflows, applying protections against known threats and some application-specific threats.	Agency integrates threat protections into all application workflows, protecting against some application-specific and targeted threats.	Agency integrates advanced threat protections into all application workflows, offering real-time visibility and content-aware protections against sophisticated attacks tailored to applications.

BR-SEC-Gen-21: Malware and Malicious Code Scanning Results Must Be Sent to the Security Zone
BR-SEC-Gen-15: Logs Must Be Securely Collected, Aggregated, and Analyzed
BR-SCM-2: All Code Must Be Baselined Prior to Release into Implementation, Validation, and ATO(ed) Production Environments
BR-SBI-1: All Builds Must Occur in Controlled Environments
BR-SBI-2: All Production-Deployed Custom Code Must Be Built and Installed from Version-Controlled Source Code
BR-OSS-5: Use OSS Built from a Controlled Source
BR-OSS-6: Binary Package Management Is Mandatory
BR-OSS-10: CMS OSS Code Released as CMS-Managed Code Requires a Governance and Support Model
RP-CA-10: Validate All Third-Party Containerized Applications before Implementation
BR-OR-5: Libraries of Containers Must Be Maintained in CMS-Only Stores
BR-SEC-Gen-17: Software Assurance Measures
BR-SEC-Gen-18: Malicious Code Protection in CMS Processing Environments
BR-SAAS-1: SaaS Clouds Are Defined by NIST SP-800-145

Zero Trust Accessible Applications Capabilities
Traditional	Initial	Advanced	Optimal
Agency makes some mission critical applications available only over private networks and protected public network connections (e.g., VPN) with monitoring.	Agency makes some of their applicable mission critical applications available over open public networks to authorized users with need via brokered connections.	Agency makes most of their applicable mission critical applications available over open public network connections to authorized users as needed.	Agency makes all applicable applications available over open public networks to authorized users and devices, where appropriate, as needed.

Zero Trust Secure Application Development and Deployment Workflow Capabilities
Traditional	Initial	Advanced	Optimal
Agency has ad hoc development, testing, and production environments with non-robust code deployment mechanisms.	Agency provides infrastructure for development, testing, and production environments (including automation) with formal code deployment mechanisms through CI/CD pipelines and requisite access controls in support of least privilege principles.	Agency uses distinct and coordinated teams for development, security, and operations while removing developer access to production environment for code deployment.	Agency leverages immutable workloads where feasible, only allowing changes to take effect through redeployment, and removes administrator access to deployment environments in favor of automated processes for code deployment.

Zero Trust Application Security Testing Capabilities
Traditional	Initial	Advanced	Optimal
Agency performs application security testing prior to deployment, primarily via manual testing methods.	Agency begins to use static and dynamic (i.e., application is executing) testing methods to perform security testing, including manual expert analysis, prior to application deployment.	Agency integrates application security testing into the application development and deployment process, including the use of periodic dynamic testing methods.	Agency integrates application security testing throughout the software development lifecycle across the enterprise with routine automated testing of deployed applications.

BR-SS-4: Check for Common Security Vulnerabilities
BR-SS-5: Use Static Analysis Tools to Catch Common Security Weaknesses
RP-SS-6: Use Profiling to Perform Dynamic Code Analysis
BR-SS-7: Error Handling Must Not Reveal Information That Could Lead to an Exploit
BR-SEC-Gen-21: Malware and Malicious Code Scanning Results Must Be Sent to the Security Zone

TRA 2024 Revision 3.0 • General Distribution / Unclassified Information