Zero Trust Maturity Data Pillar
Introduction
This section covers the capabilities needed for the Zero Trust Maturity Data Pillar. It illustrates how existing TRA Business Rules and Recommended Practices align with these capabilities.
CMS Guidance
Data includes all structured and unstructured files and fragments that reside or have resided in federal systems, devices, networks, applications, databases, infrastructure, and backups (including on-premises and virtual environments) as well as the associated metadata.
The CMS Zero Trust Workgroup is developing guidelines for CMS ADOs. Specific guidance can be found in CMS Cloud documentation: Data Pillar. This includes:
- How data should be protected on devices, in applications, and on networks
- How data should be inventoried, categorized, and labeled, as well as protected at rest and in transit
- The advantage of cloud security services for monitoring access to sensitive data, and the preferred practice of implementing enterprise-wide logging and information sharing
Capabilities
The business rules shown beneath each capability are not comprehensive; other requirements are defined in the ARS and RMH.
Zero Trust Data Inventory Management Capabilities
| Traditional | Initial | Advanced | Optimal |
| --- | --- | --- | --- |
| Agency manually identifies and inventories some agency data (e.g., mission critical data). | Agency begins to automate data inventory processes for both on-premises and in cloud environments, covering most agency data, and begins to incorporate protections against data loss. | Agency automates data inventory and tracking enterprise-wide, covering all applicable agency data, with data loss prevention strategies based upon static attributes and/or labels. | Agency continuously inventories all applicable agency data and employs robust data loss prevention strategies that dynamically block suspected data exfiltration. |
Zero Trust Data Categorization Capabilities
| Traditional | Initial | Advanced | Optimal |
| --- | --- | --- | --- |
| Agency employs limited and ad hoc data categorization capabilities. | Agency begins to implement a data categorization strategy with defined labels and manual enforcement mechanisms. | Agency automates some data categorization and labeling processes in a consistent, tiered, targeted manner with simple, structured formats and regular review. | Agency automates data categorization and labeling enterprise-wide with robust techniques; granular, structured formats; and mechanisms to address all data types. |
Zero Trust Data Availability Capabilities
| Traditional | Initial | Advanced | Optimal |
| --- | --- | --- | --- |
| Agency primarily makes data available from on-premises data stores with some off-site backups. | Agency makes some data available from redundant, highly available data stores (e.g., cloud) and maintains off-site backups for on-premises data. | Agency primarily makes data available from redundant, highly available data stores and ensures access to historical data. | Agency uses dynamic methods to optimize data availability, including historical data, according to user and entity need. |
Zero Trust Data Access Capabilities
| Traditional | Initial | Advanced | Optimal |
| --- | --- | --- | --- |
| Agency governs user and entity access (e.g., permissions to read, write, copy, grant others access, etc.) to data through static access controls. | Agency begins to deploy automated data access controls that incorporate elements of least privilege across the enterprise. | Agency automates data access controls that consider various attributes such as identity, device risk, application, data category, etc., and are time limited where applicable. | Agency automates dynamic just-in-time and just-enough data access controls enterprise-wide with continuous review of permissions. |
Zero Trust Data Encryption Capabilities
| Traditional | Initial | Advanced | Optimal |
| --- | --- | --- | --- |
| Agency encrypts minimal agency data at rest and in transit and relies on manual or ad hoc processes to manage and secure encryption keys. | Agency encrypts all data in transit and, where feasible, data at rest (e.g., mission critical data and data stored in external environments) and begins to formalize key management policies and secure encryption keys. | Agency encrypts all data at rest and in transit across the enterprise to the maximum extent possible, begins to incorporate cryptographic agility, and protects encryption keys (i.e., secrets are not hard coded and are rotated on a regular basis). | Agency encrypts data in use where appropriate, enforces least privilege principles for secure key management enterprise-wide, and applies encryption using up-to-date standards and cryptographic agility to the extent possible. |