Zero Trust Maturity Applications & Workloads
Introduction
This section covers the capabilities needed for the Zero Trust Maturity Applications and Workloads Pillar. It illustrates how existing TRA Business Rules and Recommended Practices align with these capabilities.
CMS Guidance
Applications and workloads include systems, computer programs, and services that execute in on-premises and cloud environments. In mature zero trust deployments, users strongly authenticate into applications, not into the underlying networks.
The CMS Zero Trust Workgroup is developing guidelines for CMS ADOs. Specific guidance can be found in CMS Cloud documentation: Zero Trust Maturity for AWS for CMS Cloud. This includes:
- Application-specific threat protections
- Application security testing at all stages of development and deployment
- Enabling access to applications based on additional user attributes beyond mere presence on specific networks
Capabilities
The business rules shown beneath each capability aren’t comprehensive; other requirements are defined in the ARS and RMH.
Application Access
| Traditional | Initial | Advanced | Optimal |
|---|---|---|---|
| Agency authorizes access to applications primarily based on local authorization and static attributes. | Agency begins to implement authorizing access capabilities to applications that incorporate contextual information (e.g., identity, device compliance, and/or other attributes) per request with expiration. | Agency automates application access decisions with expanded contextual information and enforced expiration conditions that adhere to least privilege principles. | Agency continuously authorizes application access, incorporating real-time risk analytics and factors such as behavior or usage patterns. |
- BR-P-5: Each Portlet Must Control Access to Content / Functionality Based on User and Role Information via the Portal
- BR-BI-5: Role-Based Authorization Must Be Used to Manage Access to BI Applications, Queries, Reports, Analytic Functions, Tables, Views, and Stored Procedures
- BR-ACID-1: Valid Purpose Required to Access CMS Information Systems
- BR-WAN-S-2: CMS Business Partners Only Access the Presentation Zone
- BR-WAN-S-4: Business Partner Access Restrictions
- BR-F-12: Role-Based Security AAA Must Be Used for Management and User Roles
- BR-URL-3: Logs Must Identify the Users Who Access a CMS File Referenced by a URL from the External Networks or CMSNet
- BR-URL-4: Logs Must Identify the Users Who Upload a File to a CMS Location Referenced by a URL from the External Networks or CMSNet
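An added illustration of the Application Access progression above (example code, not from the TRA or CMS): the Traditional stage decides on a static role alone with no expiry, while the Initial/Advanced stages re-evaluate every request against contextual attributes (device compliance, authentication freshness) and attach an expiry that the application enforces. All names, policy values and the sample request are hypothetical.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import FrozenSet, Optional

@dataclass(frozen=True)
class AccessRequest:
    roles: FrozenSet[str]      # static attribute; the Traditional stage uses only this
    device_compliant: bool     # contextual attribute from a device-posture service
    mfa_age_minutes: int       # minutes since the user's last strong authentication
    application: str
    requested_at: datetime

@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str
    expires_at: Optional[datetime] = None   # None: the grant never expires

APP_POLICY = {  # hypothetical policy: required role, max MFA age (min), grant TTL (min)
    "claims-portal": {"role": "claims-analyst", "max_mfa_age": 60, "ttl_minutes": 15},
}

def authorize_static(req: AccessRequest) -> Decision:
    """Traditional stage: role membership alone, decided once, never expires."""
    policy = APP_POLICY.get(req.application)
    if policy and policy["role"] in req.roles:
        return Decision(True, "role match")
    return Decision(False, "role not permitted")

def authorize_contextual(req: AccessRequest) -> Decision:
    """Initial/Advanced stage: every request re-checks role, device posture and MFA freshness; grants expire."""
    policy = APP_POLICY.get(req.application)
    if policy is None:
        return Decision(False, "unknown application")   # default deny
    if policy["role"] not in req.roles:
        return Decision(False, "role not permitted")
    if not req.device_compliant:
        return Decision(False, "device not compliant")
    if req.mfa_age_minutes > policy["max_mfa_age"]:
        return Decision(False, "re-authentication required")
    ttl = timedelta(minutes=policy["ttl_minutes"])
    return Decision(True, "contextual checks passed", expires_at=req.requested_at + ttl)

def grant_is_valid(decision: Decision, now: datetime) -> bool:
    """Enforced expiration: only an allow decision whose expires_at has not passed is usable."""
    return decision.allowed and decision.expires_at is not None and now < decision.expires_at

# Constructed sample request: correct role, but the device is out of compliance.
T0 = datetime(2025, 1, 15, 9, 0, tzinfo=timezone.utc)
SAMPLE = AccessRequest(frozenset({"claims-analyst"}), False, 10, "claims-portal", T0)
```

Note that the static decision admits the sample request while the contextual one denies it, and a static grant never satisfies `grant_is_valid` because it carries no expiry.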
Application Threat Protections
| Traditional | Initial | Advanced | Optimal |
|---|---|---|---|
| Agency threat protections have minimal integration with application workflows, applying general purpose protections for known threats. | Agency integrates threat protections into mission critical application workflows, applying protections against known threats and some application-specific threats. | Agency integrates threat protections into all application workflows, protecting against some application-specific and targeted threats. | Agency integrates advanced threat protections into all application workflows, offering real-time visibility and content-aware protections against sophisticated attacks tailored to applications. |
- BR-SEC-Gen-21: Malware and Malicious Code Scanning Results Must Be Sent to the Security Zone
- BR-SEC-Gen-15: Logs Must Be Securely Collected, Aggregated, and Analyzed
- BR-SCM-2: All Code Must Be Baselined Prior to Release into Implementation, Validation, and ATO(ed) Production Environments
- BR-SBI-1: All Builds Must Occur in Controlled Environments
- BR-SBI-2: All Production-Deployed Custom Code Must Be Built and Installed from Version-Controlled Source Code
- BR-OSS-5: Use OSS Built from a Controlled Source
- BR-OSS-6: Binary Package Management Is Mandatory
- BR-OSS-10: CMS OSS Code Released as CMS-Managed Code Requires a Governance and Support Model
- RP-CA-10: Validate All Third-Party Containerized Applications before Implementation
- BR-OR-5: Libraries of Containers Must Be Maintained in CMS-Only Stores
- BR-SEC-Gen-17: Software Assurance Measures
- BR-SEC-Gen-18: Malicious Code Protection in CMS Processing Environments
- BR-SAAS-1: SaaS Clouds Are Defined by NIST SP-800-145
Accessible Applications
| Traditional | Initial | Advanced | Optimal |
|---|---|---|---|
| Agency makes some mission critical applications available only over private networks and protected public network connections (e.g., VPN) with monitoring. | Agency makes some of their applicable mission critical applications available over open public networks to authorized users with need via brokered connections. | Agency makes most of their applicable mission critical applications available over open public network connections to authorized users as needed. | Agency makes all applicable applications available over open public networks to authorized users and devices, where appropriate, as needed. |
- BR-SQ-4: All CMS User Interfaces Must Meet Section 508 Accessibility Requirements
- BR-UX-1: Ensure Usability and Accessibility
- BR-UI-7: No Frames
- BR-UI-8: Keyboard and Mouse
- BR-UI-19: Color Contrast Ratio
Secure Application Development and Deployment Workflow
| Traditional | Initial | Advanced | Optimal |
|---|---|---|---|
| Agency has ad hoc development, testing, and production environments with non-robust code deployment mechanisms. | Agency provides infrastructure for development, testing, and production environments (including automation) with formal code deployment mechanisms through CI/CD pipelines and requisite access controls in support of least privilege principles. | Agency uses distinct and coordinated teams for development, security, and operations while removing developer access to production environment for code deployment. | Agency leverages immutable workloads where feasible, only allowing changes to take effect through redeployment, and removes administrator access to deployment environments in favor of automated processes for code deployment. |
- BR-SBI-1: All Builds Must Occur in Controlled Environments
- BR-SBI-2: All Production-Deployed Custom Code Must Be Built and Installed from Version-Controlled Source Code
- BR-SBI-3: Production Builds Must Have Zero Compile Errors
- RP-SBI-4: Use Explicit Library and Build Dependency Management
- RP-SBI-5: Consider Instituting Continuous Integration
- BR-PD-1: Software Must Be Packaged for Deployment
- BR-PD-2: Software Target Packaging Must Be in Either the Operating System or Language Platform Native Form
- BR-OR-3: The Deployment Infrastructure for Containers Must Be Hardened and Monitored
- BR-OR-4: Containers Use Must Respect the Multi-Zone Architecture
- BR-OR-5: Libraries of Containers Must Be Maintained in CMS-Only Stores
- BR-OR-6: Required Orchestration Capabilities
Application Security Testing
| Traditional | Initial | Advanced | Optimal |
|---|---|---|---|
| Agency performs application security testing prior to deployment, primarily via manual testing methods. | Agency begins to use static and dynamic (i.e., application is executing) testing methods to perform security testing, including manual expert analysis, prior to application deployment. | Agency integrates application security testing into the application development and deployment process, including the use of periodic dynamic testing methods. | Agency integrates application security testing throughout the software development lifecycle across the enterprise with routine automated testing of deployed applications. |
- BR-SS-4: Check for Common Security Vulnerabilities
- BR-SS-5: Use Static Analysis Tools to Catch Common Security Weaknesses
- RP-SS-6: Use Profiling to Perform Dynamic Code Analysis
- BR-SS-7: Error Handling Must Not Reveal Information That Could Lead to an Exploit
- BR-SEC-Gen-21: Malware and Malicious Code Scanning Results Must Be Sent to the Security Zone
TRA 2025 Release 1 • General Distribution / Unclassified Information