Zero Trust Maturity Data Pillar
Introduction
This section covers the capabilities needed for the Zero Trust Maturity Data Pillar. It illustrates how existing TRA Business Rules and Recommended Practices align with these capabilities.
CMS Guidance
Data includes all structured and unstructured files and fragments that reside or have resided in federal systems, devices, networks, applications, databases, infrastructure, and backups (including on-premises and virtual environments) as well as the associated metadata.
The CMS Zero Trust Workgroup is developing guidelines for CMS ADOs. Specific guidance can be found in CMS Cloud documentation: Data Pillar. This includes:
- How data should be protected on devices, in applications, and on networks
- How data should be inventoried, categorized, and labeled, as well as protected at rest and in transit
- The advantage of cloud security services for monitoring access to sensitive data, and the preferred practice of implementing enterprise-wide logging and information sharing
Capabilities
The business rules shown beneath each capability aren’t comprehensive; other requirements are defined in the ARS and RMH.
Data Inventory Management
| Traditional | Initial | Advanced | Optimal |
|---|---|---|---|
| Agency manually identifies and inventories some agency data (e.g., mission critical data). | Agency begins to automate data inventory processes for both on-premises and in cloud environments, covering most agency data, and begins to incorporate protections against data loss. | Agency automates data inventory and tracking enterprise-wide, covering all applicable agency data, with data loss prevention strategies based upon static attributes and/or labels. | Agency continuously inventories all applicable agency data and employs robust data loss prevention strategies that dynamically block suspected data exfiltration. |
- BR-DBM-1: Systems Must Meet Federal Record Management Requirements
- BR-DBM-3: Systems Must Meet CMS Data and Database Management Standards
- BR-DM-5: The EDL does not store raw data or unstructured data. All data in the EDL is fully structured and immediately consumable
- BR-DM-4: Shared data assets are registered in the Hive Metastore and a user-facing data catalog
Data Categorization
| Traditional | Initial | Advanced | Optimal |
|---|---|---|---|
| Agency employs limited and ad hoc data categorization capabilities. | Agency begins to implement a data categorization strategy with defined labels and manual enforcement mechanisms. | Agency automates some data categorization and labeling processes in a consistent, tiered, targeted manner with simple, structured formats and regular review. | Agency automates data categorization and labeling enterprise-wide with robust techniques; granular, structured formats; and mechanisms to address all data types. |
- BR-DM-4: Shared data assets are registered in the Hive Metastore and a user-facing data catalog
- BR-DM-5: The EDL does not store raw data or unstructured data. All data in the EDL is fully structured and immediately consumable
- BR-DM-6: Data sets remain within the data owner’s security boundary
Data Availability
| Traditional | Initial | Advanced | Optimal |
|---|---|---|---|
| Agency primarily makes data available from on-premises data stores with some off-site backups. | Agency makes some data available from redundant, highly available data stores (e.g., cloud) and maintains off-site backups for on-premises data. | Agency primarily makes data available from redundant, highly available data stores and ensures access to historical data. | Agency uses dynamic methods to optimize data availability, including historical data, according to user and entity need. |
- BR-F-8: Backup CMS Data
- BR-F-9: Test CMS Backups on a Documented Schedule
- BR-DR-1: Annual Review of Disaster Recovery Plans
- BR-DR-2: Disaster Recovery Tier Selection
- BR-DR-3: All CMS FISMA systems must have a plan for DR
- BR-DR-4: Required Risk Analysis, System BIA, and ISCP
Data Access
| Traditional | Initial | Advanced | Optimal |
|---|---|---|---|
| Agency governs user and entity access (e.g., permissions to read, write, copy, grant others access, etc.) to data through static access controls. | Agency begins to deploy automated data access controls that incorporate elements of least privilege across the enterprise. | Agency automates data access controls that consider various attributes such as identity, device risk, application, data category, etc., and are time limited where applicable. | Agency automates dynamic just-in-time and just-enough data access controls enterprise-wide with continuous review of permissions. |
- BR-DM-6: Data sets remain within the data owner’s security boundary
- BR-DM-9: The data owner determines the users, groups, roles, and policies that govern data access
- BR-AWS-5: Users Must Be Authenticated by AWS S3 Using a CMS-Managed IAM UserID When Accessing Data in CMS S3 Buckets
- RP-AWS-1: Use Amazon AWS Security / Access Features for S3
Data Encryption
| Traditional | Initial | Advanced | Optimal |
|---|---|---|---|
| Agency encrypts minimal agency data at rest and in transit and relies on manual or ad hoc processes to manage and secure encryption keys. | Agency encrypts all data in transit and, where feasible, data at rest (e.g., mission critical data and data stored in external environments) and begins to formalize key management policies and secure encryption keys. | Agency encrypts all data at rest and in transit across the enterprise to the maximum extent possible, begins to incorporate cryptographic agility, and protects encryption keys (i.e., secrets are not hard coded and are rotated on a regular basis). | Agency encrypts data in use where appropriate, enforces least privilege principles for secure key management enterprise-wide, and applies encryption using up-to-date standards and cryptographic agility to the extent possible. |
- BR-EFT-6: File Encryption Is an Application Responsibility
- BR-EFT-7: Secured Transmission Is Required
- BR-EFT-10: Encrypt Files Residing in EFT Mailboxes
- BR-AWS-1: Encrypt Amazon S3 Data at Rest
- BR-SA-6: Network Communications Must Meet the TRA Rules for Encryption
- BR-SS-2: Use NIST SP 800-132-Specified Salted Hashes to Store Passwords
- BR-WS-7: Web Services Must Follow CMS Encryption Policy
- BR-P-7: Each Portlet Must Securely Transport Sensitive Content
- BR-BI-4: All Traffic Must Be Encrypted between a BI User’s Browser, Web Services, or Device and the BI Server
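Added example (not TRA or CMS Cloud code): a compliance check that maps the Data Encryption maturity table and the BR-AWS-1, BR-SA-6 and BR-EFT-7 rules onto the settings of one S3 bucket. The input dicts mirror the shapes of the AWS GetBucketEncryption, GetBucketPolicy and KMS GetKeyRotationStatus responses; the bucket name, account id and key id are constructed samples, and the assignment of findings to maturity stages is this example's own interpretation.

```python
"""Audit one S3 bucket's configuration against the Data Encryption capability."""
import json

# Constructed sample of what an audit job collects per bucket (not a real CMS bucket).
SAMPLE_BUCKET = {
    "encryption": {  # shape of a GetBucketEncryption response
        "ServerSideEncryptionConfiguration": {"Rules": [
            {"ApplyServerSideEncryptionByDefault": {
                "SSEAlgorithm": "aws:kms",
                "KMSMasterKeyID": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"}}]}},
    "policy": json.dumps({  # GetBucketPolicy returns the policy as a JSON string
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
            "Action": "s3:*",
            "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
            "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]}),
    "key_rotation_enabled": True,  # KMS GetKeyRotationStatus().KeyRotationEnabled
}


def denies_insecure_transport(policy_json):
    """BR-SA-6 / BR-EFT-7: the bucket policy must carry a Deny statement for
    all S3 actions when aws:SecureTransport is false (plaintext HTTP)."""
    policy = json.loads(policy_json) if policy_json else {"Statement": []}
    for stmt in policy.get("Statement", []):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        flag = str(stmt.get("Condition", {}).get("Bool", {}).get("aws:SecureTransport", "")).lower()
        if stmt.get("Effect") == "Deny" and flag == "false" and any(a in ("s3:*", "*") for a in actions):
            return True
    return False


def encryption_findings(bucket):
    """Return the list of gaps; an empty list means every check passed."""
    findings = []
    rules = (bucket.get("encryption") or {}).get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    algos = {r.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm") for r in rules}
    if not algos:  # no default encryption at rest at all: the Traditional stage
        findings.append("BR-AWS-1: no default encryption at rest")
    if not denies_insecure_transport(bucket.get("policy")):
        findings.append("BR-SA-6/BR-EFT-7: policy does not deny non-TLS access")
    # Advanced stage: keys the agency controls (KMS) must be rotated on a schedule.
    if "aws:kms" in algos and not bucket.get("key_rotation_enabled"):
        findings.append("Advanced: KMS key rotation not enabled")
    return findings
```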
TRA 2025 Release 1 • General Distribution / Unclassified Information