Zero Trust Maturity Cross-Cutting Capabilities
Introduction
This section covers the cross-cutting capabilities needed for the Zero Trust Maturity Foundation. It illustrates how existing TRA Business Rules and Recommended Practices align with these capabilities.
CMS Guidance
Each pillar also implements three cross-cutting capabilities. Visibility and Analytics covers how systems are monitored: the logs, metrics, and alerts that show what is happening in them. Automation and Orchestration covers building repeatable processes that can be executed automatically across those systems. Governance covers the policies set for the systems and how enforcement of those policies is tracked.
The CMS Zero Trust Workgroup is developing guidelines for CMS ADOs. Specific guidance can be found in the CMS Cloud documentation, Zero Trust Maturity for AWS for CMS Cloud, which includes:
- Using existing logging, monitoring, and alerting infrastructure where possible
- Centralizing the implementation of the cross-cutting capabilities over all five of the other pillars
- Documenting policies and procedures so they can be automated
Capabilities
The business rules listed under each capability are not comprehensive; other requirements are defined in the ARS and RMH.
- BR-SA-8: Logging Must Be Configurable and Use Common Platform Standards
- BR-SA-9: Systems Must Define Metrics for IT Health Monitoring
- BR-SA-11: Servers Should Include Instrumentation for Application Performance Monitoring
- RP-SD-8: Consider Non-Blocking Service Implementations to Improve Performance and Scalability
- RP-SC-8: Consider Synthetic Transactions
- RP-SS-6: Use Profiling to Perform Dynamic Code Analysis
- RP-D-5: Deployment Should Integrate with Monitoring to Coordinate Outages
- BR-UX-2: Collect Feedback
- BR-P-3: Each Portlet Must Log Events via Portlet Container Logging Functions
- BR-OR-2: Use Security Monitoring on Containers
- RP-SV-11: Collect Virtualization Performance Metrics
- BR-CI-7: Cloud Resource Capacity Planning
- BR-PMM-3: Monitor Production Environments
- RP-PMM-3: Provide Performance Data to CMS NOC
- RP-PMM-4: Conduct Performance Management Planning
- RP-PMM-5: Use a Trouble Ticketing System to Track Performance Problems
- BR-OR-6: Required Orchestration Capabilities
- RP-OR-7: Prefer Container Orchestration Tools That Allow for Container Motion
- RP-D-7: Support Automated Startup, Shutdown, and Maintenance Mode Entry / Exit
- BR-F-10: Annual Review and Exercise of Data Center Disaster Recovery Plans
- BR-F-11: Annual Review and Exercise of Contingency Plans
- BR-CI-4: Obtain TRB Approval for CMS-Owned Equipment
- BR-CI-5: Acquisition of New IaaS or PaaS Cloud Service Providers
- BR-SAAS-3: Ensure CMS Security May Perform Periodic Security Assessments
- BR-SEC-Gen-22: All Information Systems Must Have a System Risk Assessment in CFACTS
- BR-CCIC-01: Security Authorization of Systems
- BR-CCIC-02: Assessment of Information Security and Privacy Risks
- BR-WAN-CM-2: CMSNet Services Must Be Certified Annually
- BR-ACID-11: CMS Business Owners Provide Privilege Administration
- BR-ACID-13: OIT Is Responsible for Identity Management of Users with Credentials Provisioned in the CMS Enterprise Directory
- BR-DNS-13: All DNS Changes Must Be Subject to CMS’s Change Management Procedures
- BR-ADM-1: Use of the CMS Life Cycle Is Mandatory
- BR-SA-7: Substantive Changes to the Architecture, Products, or Technology of an Existing Application Must Be Documented and Reviewed by the CMS TRB
- BR-SQ-5: Manual Code and Design Reviews Are Mandatory
- BR-CM-3: Significant Changes to Configuration Items of a System or Component Managed by a CCB Requires the Approval of That CCB
- BR-CM-5: Projects Must Conduct Periodic Audits of CM Activities and Products