In this document we will explore in detail the relationship between Shadow Access and AI. Shadow Access, arising from unmanaged or unmonitored access permissions, poses significant risks to enterprise security. This risk intensifies as AI technologies become increasingly integrated into organizational infrastructures, potentially creating unauthorized pathways to sensitive data.Shadow Access poses significant risks to enterprise security, especially as  AI technologies become increasingly integr

The objective of this document is to provide foundational guidance for Small and Medium-sized Businesses (SMBs) in their journey to evaluate approaches to manage identified risks through the implementation of a Zero Trust strategy to protect their organization.  This guidance is aligned with the five step Zero Trust implementation process described in the NSTAC Report to the President of the United States on Zero Trust and Trusted Identity Management (pg. 7), originally formulated and socialized

The objective of this document is to provide guidance for iteratively executing the first step in the five step Zero Trust implementation process described in the NSTAC Report to the President on Zero Trust and Trusted Identity Management, originally formulated and socialized by John Kindervag. Separate CSA research documents are being developed to elaborate guidance for each of the other five steps in more detail. The first step in implementing Zero trust is defining the protect surface, during

Aggregated CSA Feedback on the draft new version of SP 800-63 (IAM/ICAM) standards. (Focus group is being formed with senior SMEs from the ZT Identity workstream and the CSA IAM working group.) Being leveraged as a foundational standard for Identity Pillar.

Identity, and the ability to consume identity  signals is one of the key pillars of zero trust architecture. ZT aims to reduce cyber attacks and data breaches through risk based access requirements, that is, by requiring authentication and authorization prior to granting access to resources. In order to meet this requirement, it is important to look at existing / new identity and access management solutions from ZT lenses. ZT is a technology agnostic guidance framework  to bring controls closer

Subtitle: Organizational and Architectural Guidance for Achieving Operational Resiliency Resiliency is an increasingly important global business and compliance priority across different jurisdictions and business sectors, particularly those considered to be critical infrastructure, which includes financial services, power and energy, food and water supply, transportation, defense, etc. This document will provide practical organizational and architectural guidance for leveraging Zero Trust securi

Provide an evolving set of guiding principles for other workstreams and ZT stakeholders to remember when planning, implementing and operating ZT. Leverage foundational references and John Kindervag's advice, e.g. "keep it simple," "implement incrementally" (eating the elephant), etc. The purpose of this document is to memorialize the principles underlying Zero Trust implementation and operations across all the pillars and inclusive of cross-pillar foundational capabilities and disciplines (Visib

Guidance for Initiating and Executing an Enterprise Zero Trust Strategy This document will take a holistic view of an organization’s Zero Trust journey and provide recommendations for organizational aspects such as generating executive support, program initiation, oversight and governance, organizational change management, and staffing/cyber workforce development.

This paper recommends an approach for adapting zero-trust (ZT) principles to the Internet of Things (IoT) devices. This includes a recommended device security profile and a recommended set of network services that can be used to enable ZT at the edge. Suggested requirements are identified within this document to support the tailoring of the recommended approach within organizations.

Subtitle: Defining and Implementing the Cross-Cutting Capabilities needed for Zero Trust Abstract: This Zero Trust foundational capabilities overview document identifies the key components, functionality, architecture and operational practices for Automation & Orchestration and Visibility & Analytics - integral sets of cross-cutting Zero Trust capabilities. In Zero Trust architectures, visibility provides the necessary insights, analytics interpret these insights to identify threats and incident

Broad and General; based on the document

This document provides guidance for completing the fourth step defined in the 5-step Zero Trust implementation process, as described in the NSTAC Report to the (US) President on Zero Trust and Trusted Identity Management.

Traditional access decision-making is agnostic of both Zero Trust and context. Historically, access to assets and resources is based on trust. Digital identities are entrusted to a particular entity, entitlements are assigned to that identity or group containing identities, and every access request to a resource is checked only against those entitlements. Later, Role-Based Access Controls (RBAC) enhanced this model by assigning entitlements to roles. This helped because as entities changed profi

Guidance for safe enterprise enablement of AI/ML apps while protecting sensitive organizational information (IP, PII, etc.) using Zero Trust principles Defining policy and guidelines that limit information sharing to only authorized data User security awareness training and formal usage agreements Monitoring and enforcing (DLP)

Focus is on leveraging ZT for securing OT/ICS SCOPE: From a business scope perspective analysis would start with a reference to DHS's 16 CI domains (an any other authoritative references), then indicate a focus on specific types of critical services, including financial services. utilities, oil, gas, power, critical manufacturing, food and water supply, and other CI environments with cyber-physical assets and heightened security requirements. Technology scope would include IoT, OT and SCADA syst

The objective of this document is to provide background, an overview and general guidance for executing the 5 step Zero Trust implementation approach described in the NSTAC Report to the President on Zero Trust and Trusted Identity Management, formulated and socialized by John Kindervag. Separate CSA research documents are being developed for each of the five steps to elaborate the guidance in more detail and supporting SME panel discussions are or will be recorded and made available.

With CISA’s recent release of the second version of the Zero Trust Maturity Model V2, and the publication of the US Department of Defense's Zero Trust Strategy and roadmap, public and private sector organizations on a Zero Trust journey are curious about the similarities, differences, implications, and future plans for both and the impact on implementations. The CSA has assembled a panel of CISA and DoD experts to review their recent publications and provide a summary analysis of the fundamental

CISA recently released version 2 of their Zero Trust Maturity Model. There is a lot of interest across the public and private sectors to understand the differences and motivations behind V2. The CSA has assembled a small panel of CISA and industry experts to provide an assessment of the new version of the document, including a summary and analysis of the changes and a discussion about potential implications thereof for both public and private sector implementers of Zero Trust.

Today’s medical devices often connect to the cloud, which increases the risk by expanding the attack surface. This presents the Healthcare Delivery Organizations (HDOs) with threats and vulnerabilities, technology issues, software risks, and human factors. As a result, security architects are forced to re-examine the concept of identity. Essentially, every connected medical device has an identity and must be under consideration within the Zero Trust Framework.

With increasing digitisation data, including personal data, is stored on networked devices in the form of web applications, shared drives, cloud systems and so on. Whilst digitisation reduces paper footprint, it increases the risk of data exposure when unauthorized entities access the networked devices. Unauthorized access is not limited to external entities. Internal entities may acquire access to such data either via mistakes in access controls or via malicious action. Irrespective of the mann

CISA recently released version 2 of their Zero Trust Maturity Model. There is a lot of interest across the public and private sectors to understand the differences and similarities between the CISA Maturity Model and earlier frameworks published by Forrester as developed by John Kindervag and Chase Cunningham. The CSA is convening the authors to join a panel discussion moderated by Jason Garbis to elaborate the background thinking, illuminate the similarities and distinctions between them.

This document provides guidance for completing the third step defined in the 5-step Zero Trust implementation process, as described in the NSTAC Report to the (US) President on Zero Trust and Trusted Identity Management.

This document provides guidance for completing the fifth step defined in the 5-step Zero Trust implementation process, as described in the NSTAC Report to the (US) President on Zero Trust and Trusted Identity Management.

Zero Trust is a major industry trend that is being adopted and promoted by security teams within many organizations around the globe, and for good reasons; it delivers improved security and can also reduce cost and improve business efficiency and agility. However, Zero Trust is also an industry buzzword that can be confusing and is often misunderstood. Business leaders and non-security professionals are key stakeholders, budget holders, and gatekeepers in any enterprise’s journey to Zero Trust t

Update SDP Arch & Spec docs w/latest ZT

This document will provide detailed guidance for Step 2 of the ZT Implementation Methodology