Check out the DoD's ZT Strategy and Roadmap, along with their assessment methodology for testing whether the target maturity levels have been achieved.
There's also the CISA ZT Maturity Model and other CISA and OMB guidance for civilian agencies.
Regarding DoD supply chain requirements, check out the latest version of CMMC. The DoD also has a ZT overlay for NIST 800-53 controls that might be of interest.
But keep in mind that Zero Trust is not an information security policy or a control framework, but rather a security strategy that can be implemented in different ways, as the differences between the CISA and DoD approaches demonstrate and as their respective documentation acknowledges.
------------------------------
Erik Johnson CCSK, CCSP, CISSP, PMP
Senior Research Analyst
Cloud Security Alliance
[email protected]
------------------------------
Original Message:
Sent: Nov 27, 2024 06:18:59 AM
From: Peter HJ van Eijk
Subject: Metrics and compliance for ZT
Hi
Partly based on students' inquiries, I have the following topics for discussion.
The Executive Order on Zero Trust (Executive Order on Improving the Nation's Cybersecurity, The White House) sets forth a bunch of policies to be established. How is compliance with these policies measured or demonstrated? As policies extend to suppliers, how are these supposed to demonstrate their adherence to these policies?
Related to that is the question of metrics for ZT adoption. What kind of examples can we find there?
All pointers and ideas are welcomed!
------------------------------
Peter HJ van Eijk
CCSK, CCAK, CCZT instructor
https://www.clubcloudcomputing.com/
------------------------------