The NSA Releases Guidance on Achieving Zero Trust Security Maturity

The new guidance focuses on the Application and Workload Pillar of its Zero Trust Security Model.


The National Security Agency (NSA) released a Cybersecurity Information Sheet (CSI) on May 22, Advancing Zero Trust Maturity Throughout the Application and Workload Pillar. The NSA explains that the CSI gives organizations recommendations on application and workload capabilities following the principle of “never trust, always verify.”

In a press statement, Dave Luber, NSA director of cybersecurity, said, “This guidance helps organizations disrupt malicious cyber activity by applying granular access control and visibility to applications and workloads in modern network environments. Implementing a zero trust framework places cybersecurity practitioners in a better position to secure sensitive data, applications, assets, and services.”

The Pillars of Zero Trust Security

The new guidance focuses on the Application and Workload Pillar in the zero trust architecture. It’s one of seven pillars in the zero trust security model, working together with:

      • User: Governing user access and privilege while securing all interactions
      • Device: Monitoring device health, updating patches, and evaluating access requests
      • Data: Ensuring data transparency and visibility and protecting data with encryption and data tagging
      • Network and Environment: Segmenting the network, both physically and logically, with policies and access control
      • Automation and Orchestration: Automating security response and facilitating remediation
      • Visibility and Analytics: Analyzing events and using artificial intelligence (AI) to improve detection and reaction time

The NSA is in the process of releasing guidance on each pillar.

Recommendations on the Application and Workload Pillar

The Application and Workload Pillar takes organizations through the path to maturity in five areas:

Application inventory

The NSA points out that this is the first step in effectively applying zero trust. You need to know what you’re using before you can protect it. When organizations begin to implement zero trust, they will simply inventory applications. As they mature, they’ll require software bills of materials (SBOMs) and then implement automation to maintain their applications. Mature organizations will have identified dependencies and components that lack documentation, identified vulnerabilities, and automated remediation.
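The inventory step above moves from "list the applications" to "analyze the SBOM for undocumented components and dependencies." The following Python is an added example, not code from the NSA guidance or from any product the article mentions: it parses a constructed CycloneDX-style SBOM (the document layout and the field names `bom-ref`, `components`, `dependencies`, `dependsOn` follow the CycloneDX JSON format; the component names, `REQUIRED_FIELDS` and the `find_*` helpers are assumptions of this example) and reports which components lack the metadata a mature inventory needs and which appear nowhere in the dependency graph.

```python
"""Inventory check over a CycloneDX-style SBOM.

Flags components that lack the metadata a mature inventory needs
(version, supplier, license) and components absent from the dependency graph.
"""
import json

# Constructed sample SBOM in a CycloneDX-like layout; not a real project's SBOM.
SAMPLE_SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "library", "bom-ref": "libfoo", "name": "libfoo", "version": "2.1.0",
     "supplier": {"name": "Example Org"},
     "licenses": [{"license": {"id": "MIT"}}]},
    {"type": "library", "bom-ref": "libbar", "name": "libbar", "version": "0.9.3"},
    {"type": "library", "bom-ref": "libbaz", "name": "libbaz",
     "supplier": {"name": "Example Org"},
     "licenses": [{"license": {"id": "Apache-2.0"}}]}
  ],
  "dependencies": [
    {"ref": "libfoo", "dependsOn": ["libbar"]},
    {"ref": "libbar", "dependsOn": []}
  ]
}
"""

# Fields every inventoried component should carry before it counts as documented
# (an assumption of this example; pick the set your own inventory policy requires).
REQUIRED_FIELDS = ("version", "supplier", "licenses")


def load_sbom(text):
    """Parse SBOM JSON text into a dict."""
    return json.loads(text)


def find_undocumented_components(sbom):
    """Return {bom-ref: [missing field names]} for components missing required metadata."""
    gaps = {}
    for comp in sbom.get("components", []):
        missing = [f for f in REQUIRED_FIELDS if not comp.get(f)]
        if missing:
            gaps[comp["bom-ref"]] = missing
    return gaps


def find_unmapped_components(sbom):
    """Return bom-refs that appear nowhere in the dependency graph.

    A component with no recorded relationships is one whose provenance and
    blast radius the inventory cannot explain, so it needs manual follow-up.
    """
    refs = {c["bom-ref"] for c in sbom.get("components", [])}
    mapped = set()
    for dep in sbom.get("dependencies", []):
        mapped.add(dep["ref"])
        mapped.update(dep.get("dependsOn", []))
    return sorted(refs - mapped)


def inventory_report(text=SAMPLE_SBOM_JSON):
    """Run both checks and return a summary dict."""
    sbom = load_sbom(text)
    return {
        "component_count": len(sbom.get("components", [])),
        "undocumented": find_undocumented_components(sbom),
        "unmapped": find_unmapped_components(sbom),
    }


if __name__ == "__main__":
    for key, value in inventory_report().items():
        print(f"{key}: {value}")
```

On the constructed sample, `libbar` is flagged for missing supplier and license data, `libbaz` for a missing version, and `libbaz` is also the one component no dependency entry refers to. Wiring a check like this into CI is the kind of automation the guidance describes for maintaining an inventory rather than producing it once.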

Secure software development and integration

The NSA identifies the steps to maturity in this area. Organizations at the basic level implement DevSecOps, deliver software with an SBOM, and monitor software continuously. At the intermediate level, the organization’s DevSecOps teams integrate static and dynamic testing into the development process and analyze each component in the SBOM. Mature organizations use isolation, microsegmentation, and automated identification and documentation of all software dependencies.

Software risk management

Organizations making progress toward zero trust security maturity in this area begin by developing an active cyber supply chain risk management (C-SCRM) program. They’ll implement tools or partnerships to assess risk before purchasing solutions. The next step is validating all the software they use and adding threat intelligence to their C-SCRM tools. Mature organizations will automate monitoring with integrated threat intelligence to detect supply chain compromise.

Resource authorization

Steps to maturity in this area begin with implementing static access control rules and configurations. As organizations mature their zero trust security policies, they’ll automate access decisions and then advance to real-time, automated risk and behavioral analysis.

Continuous monitoring and authorizations

Organizations with basic continuous monitoring and authorizations collect log data on applications, device health, status, and operability and make authorization decisions manually from a dashboard. As their zero trust initiative matures, they’ll automate those decisions and eventually move to fully automated continuous authorizations and monitoring, basing access decisions on behaviors and threat intelligence.
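The resource authorization and continuous monitoring paths above both describe the same progression: static access rules first, then automated decisions that weigh device health and behavior, and finally re-evaluating the decision as new signals arrive. The following Python is an added example sketching that progression; it is not code from the NSA guidance or from any product named in the article. The roles, applications, risk weights, thresholds and the `AccessRequest`, `decide` and `continuous_authorize` names are all assumptions of this example.

```python
"""Policy decision sketch for the resource-authorization maturity path.

Stage 1: a static role/application/action rule must allow the request.
Stage 2: device health, behavioural signals and threat intelligence feed a
risk score that can downgrade an allow to step-up authentication or deny.
Stage 3: the same decision is re-run as new signals arrive during a session,
so a session that started as "allow" can be revoked mid-flight.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class AccessRequest:
    """One access request plus the signals a policy engine would have about it."""
    user: str
    role: str
    application: str
    action: str
    device_patched: bool = True          # device pillar: patch state
    edr_healthy: bool = True             # device pillar: agent health
    failed_logins_last_hour: int = 0     # behavioural signal from logs
    new_geolocation: bool = False        # behavioural signal from logs
    source_on_threat_list: bool = False  # threat intelligence hit


# Constructed static rules: role -> application -> allowed actions (hypothetical).
STATIC_RULES = {
    "analyst": {"reporting": {"read"}},
    "admin": {"reporting": {"read", "write"}, "payroll": {"read", "write"}},
}

# Constructed thresholds; a real deployment would tune these from its own telemetry.
DENY_THRESHOLD = 5
STEP_UP_THRESHOLD = 2


def static_allowed(req):
    """Stage 1: the static access-control table (the basic maturity level)."""
    return req.action in STATIC_RULES.get(req.role, {}).get(req.application, set())


def risk_score(req):
    """Stage 2: additive risk from device health, behaviour and threat intel."""
    score = 0
    if not req.device_patched:
        score += 2
    if not req.edr_healthy:
        score += 3
    if req.failed_logins_last_hour >= 5:
        score += 2
    if req.new_geolocation:
        score += 2
    if req.source_on_threat_list:
        score += 5
    return score


def decide(req):
    """Return 'allow', 'step_up' or 'deny' for a single request."""
    if not static_allowed(req):
        return "deny"  # static rules are a hard floor, risk scoring never overrides them
    score = risk_score(req)
    if score >= DENY_THRESHOLD:
        return "deny"
    if score >= STEP_UP_THRESHOLD:
        return "step_up"
    return "allow"


def continuous_authorize(req, signal_updates):
    """Stage 3: re-evaluate after each signal update; stop once the session is denied.

    signal_updates is a list of dicts of AccessRequest field changes, in arrival order.
    Returns the decisions: one for the initial request plus one per update applied.
    """
    decisions = [decide(req)]
    current = req
    for update in signal_updates:
        if decisions[-1] == "deny":
            break  # session already revoked; later signals change nothing
        current = replace(current, **update)
        decisions.append(decide(current))
    return decisions


if __name__ == "__main__":
    base = AccessRequest("alice", "admin", "payroll", "write")
    print(decide(base))
    print(continuous_authorize(base, [{"new_geolocation": True},
                                      {"source_on_threat_list": True},
                                      {"edr_healthy": False}]))
```

The ordering matters: the static table is evaluated first and is never overridden by a low risk score, which keeps the automated layer from widening access beyond what the written policy grants. The continuous stage shows why the guidance distinguishes "authorize once" from "continuously authorize": the same admin request that was allowed at login is stepped up when a new geolocation appears and revoked when threat intelligence flags the source, without waiting for the next login.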

Perspective on the Zero Trust Security Model and Recommendations to Achieve Maturity

The guidance from the NSA gives organizations practical steps for implementing zero trust security policies, and the Application and Workload Pillar is a crucial part of a successful plan.

Brian Soby, CTO and co-founder of AppOmni, says, “NSA’s guidance on the Application and Workload Pillar is essentially calling out a major gap in zero trust implementations in many organizations. A zero trust architecture that does not encompass and secure the organization’s applications and workloads does not achieve the goals of zero trust.”

“It’s clear that the NSA is responding to the near-continuous stream of reported data breaches targeting SaaS and other applications that contain the crown jewels of organizations’ data,” he comments. “The NSA correctly calls out the need for granular access controls and continuous authorization applied within these applications and workloads in order to stop this trend of breaches.”

To learn more, download Advancing Zero Trust Maturity Throughout the Application and Workload Pillar and visit the National Security Agency website for more information on zero trust.

Bernadette Wilson

Bernadette Wilson, a DevPro Journal contributor, has 19 years of experience as a journalist, writer, editor, and B2B marketer.