The Department of Defense's (DoD) approach to Zero Trust leverages automation and analytics using tailored controls to address risk. In part two of our series on the DoD's Zero Trust security model, we continue to explore the crucial framework for defending against modern cyber threats.
Zero Trust Pillars
The DoD Zero Trust implementation is structured around seven foundational pillars, each supported by specific enablers and capabilities to ensure a comprehensive security model.
These Pillars are:
- User: Continuous authentication and activity monitoring to govern access and privileges.
- Device: Real-time inspection, assessment, and patching of devices to inform risk decisions.
- Applications & Workload: Security from applications to hypervisors, containers, and virtual machines.
- Data: Transparency and visibility secured by infrastructure, applications, standards, encryption, and data tagging.
- Network & Environment: Segmentation and control of the network environment with dynamic policy and access controls.
- Automation & Orchestration: Automated security responses based on AI and defined processes.
- Visibility & Analytics: Analyzing events and behaviors to enhance detection and access decisions using AI/ML.
Capabilities within these Pillars provide the means to achieve specified outcomes under the Zero Trust model, with flexibility for future technological changes. Overarching governance is essential for proper integration across pillars and capabilities.
CNSSI No. 1253 defines Baselines and Overlay Controls, categorizing systems and selecting appropriate security controls. These controls are tailored through overlays specific to Zero Trust, addressing unique risks and operational environments.
Controls are distributed across Pillars and enablers, often serving multiple purposes. Each Pillar has an overlay detailing the controls needed to achieve its capabilities, supported by implementation plans, control tables, and high-level expectations. Tailoring considerations include common controls that provide a standardized, stable, and inheritable security solution across multiple systems and programs.
Zero Trust Controls
The DoD has created a table that identifies the controls allocated to zero trust, organizing the controls by Family and corresponding Pillars/Enablers. They are further grouped by the NIST SP 800-53 control family (e.g., Access Control, Configuration Management, and Identification and Authentication). Each Pillar Overlay includes a specified list of controls allocated to the capabilities within the pillar. In total, there are 17 control families and 152 capabilities, which then map to an overlay of 364 total discrete controls.
IT Controls
IT controls ensure the integrity, confidentiality, and availability of information systems. They are typically categorized into three broad areas: people, processes, and technology. By addressing all three areas, organizations can create a robust security posture that mitigates risks and protects their IT assets.
People
IT controls related to people focus on the behaviors and actions of individuals within the organization. These controls aim to ensure that employees, contractors, and third parties adhere to policies and practices that secure the IT environment.
- Access Control: Ensuring that only authorized personnel have access to specific systems and data (e.g., User Authentication and Role-Based Access Control (RBAC)).
- Training and Awareness: Educating employees about security policies, potential threats, and safe practices (e.g., Security Awareness Programs and Policy Acknowledgement).
- Segregation of Duties: Distributing tasks and privileges among different people to reduce the risk of error or inappropriate actions (e.g., Dual Control and Audit Trails).
Process
Process controls involve the procedures and policies that govern IT operations. They ensure a structured approach to managing and protecting IT systems.
- Change Management: A formal process for making changes to IT systems (e.g., Change Requests and Change Reviews).
- Incident Management: Procedures for identifying, managing, and responding to security incidents (e.g., Incident Response Plans and Incident Reporting).
- Data Management: Controls over data creation, storage, and handling (e.g., Data Classification and Backup and Recovery).
- Compliance and Audit: Ensuring adherence to relevant laws, regulations, and internal policies (e.g., Regular Audits and Policy Enforcement).
Technology
Technology controls are the technical measures and solutions implemented to protect IT systems and data.
- Network Security: Protecting the organization's network from unauthorized access and threats (e.g., Firewalls and Intrusion Detection/Prevention Systems (IDS/IPS)).
- Endpoint Security: Securing end-user devices such as computers, smartphones, and tablets (e.g., Antivirus/Anti-Malware Software and Endpoint Detection and Response (EDR)).
- Application Security: Ensuring that software applications are secure from threats (e.g., Secure Development Practices and Application Firewalls).
- Encryption: Protecting data at rest and in transit through encryption (e.g., Data Encryption and Transport Layer Security (TLS)).
- Identity and Access Management (IAM): Managing digital identities and controlling access to resources (e.g., Single Sign-On (SSO) and Privileged Access Management (PAM)).
CimTrak and DoD's Zero Trust Overlay
Integrity is one of the three principles (alongside confidentiality and availability) that are essential for ensuring the security and reliability of information systems, and it can be described as:
- Ensuring that data is accurate, complete, and unaltered.
- Protecting information from being modified by unauthorized users or systems.
So, what type of IT Controls are required to accomplish these two objectives? The answer isn't as simple as one may think. Integrity controls aren't described in one domain, safeguard, or category. They span horizontally and vertically across all compliance mandates and best practice frameworks like DoD's Zero Trust Overlays.
These controls include:
- Baseline Management
- Change Detection and Control
- Configuration Management
- System Hardening using STIGs and Benchmarks
- Change Reconciliation
- Roll-back and Remediation
- Side-by-side Comparison
- File Allowlisting
- Digestion of File Reputation Services
- Digestion of STIX & TAXII Feeds
- Workflow and Ticketing System
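As an added illustration of how the first few controls in this list fit together (this is example code, not CimTrak's implementation or anything drawn from the DoD overlays), the following Python sketch builds a hash baseline, detects changes against it, and reconciles each change against an allowlist of pre-approved file hashes. The file paths and contents are constructed sample data, held in memory so the example runs without touching a real filesystem.

```python
import hashlib


def build_baseline(files: dict[str, bytes]) -> dict[str, str]:
    """Baseline management: record a SHA-256 digest for every monitored path."""
    return {path: hashlib.sha256(content).hexdigest() for path, content in files.items()}


def detect_changes(baseline: dict[str, str], current: dict[str, str]) -> dict[str, dict]:
    """Change detection: side-by-side comparison of a new snapshot with the baseline.
    Returns added (path -> new hash), removed (path -> old hash) and
    modified (path -> (old hash, new hash))."""
    added, removed, modified = {}, {}, {}
    for path, new_hash in current.items():
        old_hash = baseline.get(path)
        if old_hash is None:
            added[path] = new_hash
        elif old_hash != new_hash:
            modified[path] = (old_hash, new_hash)
    for path, old_hash in baseline.items():
        if path not in current:
            removed[path] = old_hash
    return {"added": added, "removed": removed, "modified": modified}


def reconcile(changes: dict[str, dict], approved: set[str]) -> tuple[list[str], list[str]]:
    """Change reconciliation against an allowlist: a change is authorized only if the
    resulting file hash was pre-approved (e.g. published with its change ticket).
    Deletions leave no hash to check, so they are always flagged for roll-back/review."""
    authorized, unauthorized = [], []
    for path, new_hash in changes["added"].items():
        (authorized if new_hash in approved else unauthorized).append(path)
    for path, (_old, new_hash) in changes["modified"].items():
        (authorized if new_hash in approved else unauthorized).append(path)
    unauthorized.extend(changes["removed"])
    return sorted(authorized), sorted(unauthorized)


# Constructed sample data (not real system files): an approved sshd_config hardening
# and a new login banner, plus an unapproved binary change and an unexplained deletion.
BASELINE_FILES = {"/etc/ssh/sshd_config": b"PermitRootLogin no\n",
                  "/usr/bin/sudo": b"ELF-original-bytes", "/etc/old.conf": b"legacy\n"}
CURRENT_FILES = {"/etc/ssh/sshd_config": b"PermitRootLogin no\nMaxAuthTries 3\n",
                 "/usr/bin/sudo": b"ELF-modified-bytes", "/etc/motd": b"Authorized use only\n"}
APPROVED_HASHES = {hashlib.sha256(CURRENT_FILES[p]).hexdigest()
                   for p in ("/etc/ssh/sshd_config", "/etc/motd")}

def run_demo() -> tuple[list[str], list[str]]:
    # Returns (authorized paths, unauthorized paths); the latter are candidates for roll-back.
    changes = detect_changes(build_baseline(BASELINE_FILES), build_baseline(CURRENT_FILES))
    return reconcile(changes, APPROVED_HASHES)
```

Feeding the unauthorized list into a ticketing workflow, and the approved hashes out of one, is what turns the detection into the reconciliation and roll-back controls listed above.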
To illustrate where CimTrak can provide a control, perform an automated scan, or support a process, procedure, or policy that collects evidence toward the objective of a defined domain, category, control, safeguard, or assessment, the following diagram crosswalks CimTrak functionality to DoD's Zero Trust Capabilities Execution Roadmap (COA 1) and the Zero Trust Overlays.
CimTrak and DoD's Capabilities Execution Roadmap (COA 1)
Of the 152 capabilities, CimTrak provides the following crosswalk statistics:
- 41/152 (27%): CimTrak meets more than 80% of the capability.
- 23/152 (15%): CimTrak enables 50% to 80% of the capability or activity.
- 26/152 (17%): CimTrak provides ancillary support for less than 50% of the capability or activity.
CimTrak and DoD's Zero Trust Overlays
| Control Set | Controls |
| --- | --- |
| NIST 800-53 r5 | 1,189 controls |
| DoD Zero Trust Overlays Controls | 364 controls |
| Cimcor Crosswalk to DoD Controls | 130 controls (36%) |
CimTrak aligns closely with DoD's Zero Trust Overlay requirements, providing comprehensive support for information security controls throughout the lifecycle of information assets. Its robust features and functionalities ensure that those needing to meet DoD control requirements can effectively implement, monitor, and maintain security controls, thereby protecting critical information assets from emerging threats and vulnerabilities.
Incorporating CimTrak into your information security strategy will align with and support DoD's Zero Trust Strategy, helping achieve a higher level of security compliance and resilience against cyber threats.
Tags: Zero Trust
August 20, 2024