Zero Trust Architecture (ZTA) Expert Group

Zero Trust Maturity Model initiative - August 25 meeting notes

  • 1.  Zero Trust Maturity Model initiative - August 25 meeting notes

    Posted Aug 30, 2022 01:29:00 PM

    Hello all – Thanks for joining the most recent Zero Trust Maturity Model working session, on August 25. We continued our discussion and debate about what we believe we can and should create as part of this Zero Trust Maturity Model initiative, and reached a proposed decision summarized below.

    Due to technical challenges and vacation schedules, the meeting recording is not currently available - but we should have it next week, and we'll post it here.

     Meeting Notes
    August 25 - Working Session

    • Recap of state of the ZTMM initiative
    • Deliverables and approach - what can and should we do?
    • How to make the work product actionable and useful?
      • Especially for smaller / medium - less sophisticated / less mature organizations? 
    • Note that even for less mature organizations, any improvement is worthwhile - as long as it's directionally towards zero trust, and aligned with a ZT program (even if loosely defined)
    • Audience for this ZTMM work - need to define
      • Practitioners - who like details and steps
      • Business leaders - who need concepts and business value
    • Need to decide on the audience - business "versus" a technical audience
    • Tie the value to the higher-level message / content, to make it more approachable?
    • NSTAC recommendation is to create an interagency working group to flesh out the ZTMM defined in the NSTAC report
      • we applaud this, but recognize it will take considerable time, and we don't want to wait
    • potential approach : We could create a ZTMM structure and template, and then have a community working area within the CSA?
      • would this be chaos?
      • could we have a reasonable and effective debate?
      • this approach hasn't been done before at CSA

    • For ZTMM and initiative roadmaps - in practice, these end being very specific and custom for each organization. In order to have a deep level of technical or security details – that is, in order to make it concrete - it ends up being very specific to a single organization. 
    • idea: A Zero Trust Maturity Model that ties technical improvements to business value
      • Rather than going into detail on the technical or security steps required, instead create a document that builds on an existing ZTMM, but adds the context and exploration of the business value that is associated with each level, and each pillar. 
    • The group liked this idea, and will be drafting a proposal and abstract as a next step so that we have something to evaluate


    Next meeting - Thursday, September 8 at 8pm EDT - which is Friday August 12 at 00:00 UTC / GMT, and Friday September 9 at 8am China Standard Time, 9am Japan Standard Time 

    We will post the meeting Zoom link within 36 hours of the next meeting

    Topic: Recap of the ZTMM approach proposed, and working session to debate the goals, and  abstract.