NSA’s Advancing Zero Trust Maturity Throughout the Data Pillar: A Comprehensive Guide
Federal agencies, including the Department of Defense (DoD), and the DoD’s supply chain (Defense Industrial Base, or DIB) can no longer rely on traditional perimeter-based security models to protect their most valuable asset: data. Recognizing this paradigm shift, the U.S. National Security Agency (NSA) championed the adoption of a zero trust security model in its new “Advancing Zero Trust Maturity Throughout the Data Pillar.” This guidance is primarily intended for National Security System (NSS), DoD, and DIB networks, but may also be useful for owners and operators of other systems that might be targeted by sophisticated malicious actors. The NSA’s zero trust model assumes that breaches are inevitable and that threats exist both inside and outside traditional network boundaries. The zero trust approach requires continuous verification and granular access controls to secure data in this perilous environment, aligning with Kiteworks’ content-defined zero trust embodied in the Kiteworks Private Content Network.
Central to the NSA’s zero trust framework is the data pillar, which focuses on protecting data at rest and in transit through a progression of seven maturity levels. These levels encompass data catalog risk alignment, enterprise data governance, data labeling and tagging, data monitoring and sensing, data encryption and rights management, DLP, and data access controls. By incrementally advancing through these stages, federal agencies like DoD and its DIB contractors can implement increasingly stringent data protection measures to keep pace with evolving threats.
This blog post delves into each of the seven data pillar maturity levels, as defined in NSA’s report. We will explore the key concepts, best practices, and technologies that enable federal agencies, DoD, and DIB organizations to safeguard their data in accordance with zero trust principles. Finally, we will examine how the Kiteworks Private Content Network provides a framework for content-defined zero trust, empowering these organizations to achieve the highest levels of data security and control.
| NSA Data Pillar Area | How Kiteworks Addresses |
|---|---|
| Data Catalog Risk Alignment | Kiteworks provides comprehensive visibility into data transactions and interactions, facilitating informed risk assessment and continuous catalog updates. |
| Enterprise Data Governance | Kiteworks’ policy engine automates workflows and enforces data governance policies across the enterprise, aligning with Zero Trust principles. |
| Data Labeling and Tagging | The platform integrates with data classification tools to apply labels and tags consistently, ensuring data is treated according to its sensitivity. |
| Data Monitoring and Sensing | Kiteworks offers extensive monitoring features, enabling real-time tracking of data movements and user activities, crucial for proactive threat detection. |
| Data Encryption and Rights Management | With Kiteworks, data encryption is applied seamlessly, and DRM controls are enforced to protect against unauthorized access and distribution. |
| Data Loss Prevention | The platform’s DLP capabilities are designed to detect and prevent potential breaches, securing data against unauthorized transmission. |
| Data Access Control | Kiteworks enables granular, attribute-based access controls, dynamically adjusting permissions in response to evolving threats and user contexts. |
NSA Data Pillar Pairings with Kiteworks Capabilities
NSA Data Pillar Level #1: Data Catalog Risk Alignment
Data catalog risk alignment is the foundational step in the zero trust journey within the data pillar for federal agencies, DoD, and DIB organizations. It involves identifying and assessing the risks associated with an organization’s data assets, including the potential impact of data breaches, unauthorized access, and data loss. By aligning data catalogs with risk levels, these organizations can prioritize their data protection efforts and allocate resources effectively.
The NSA defines four maturity levels for data catalog risk alignment and the other levels: preparation, basic, intermediate, and advanced.
NSA Data Catalog Risk Alignment: Preparation Maturity
At the preparation level, federal agencies, DoD, and DIB organizations review their data landscape to identify potential risks related to data loss, breach, or unauthorized alteration. This stage also involves identifying data ownership and cataloging data based on its criticality to the organization.
NSA Data Catalog Risk Alignment: Basic Maturity
As federal agencies, DoD, and DIB organizations progress to the basic maturity level, they begin manually identifying and inventorying their critical data assets. This process establishes a current state baseline and sets the stage for more advanced risk alignment practices.
NSA Data Catalog Risk Alignment: Intermediate Maturity
At the intermediate level, federal agencies, DoD, and DIB organizations implement automated processes to identify and monitor their data landscape within the catalog. These processes ensure that data is automatically detected and included within the catalog, enabling a more comprehensive and up-to-date view of the organization’s data assets. In addition, data usage patterns are established, providing valuable insights into how data is accessed and utilized across the organization.
NSA Data Catalog Risk Alignment: Advanced Maturity
At the advanced maturity level, federal agencies, DoD, and DIB organizations continuously analyze their data to evaluate risk. Data is collected, tagged, and protected according to risk levels and in alignment with a prioritization framework. Advanced tools are employed to discover improperly tagged sensitive data and alert or quarantine the data as necessary. Encryption is also applied to protect data in accordance with its risk profile.
By progressing through these maturity levels, federal agencies, DoD, and DIB organizations can establish a robust data catalog risk alignment process that forms the bedrock of their zero trust data protection strategy. This alignment enables these organizations to identify their most critical data assets, assess the risks associated with those assets, and implement appropriate safeguards to mitigate potential threats. Continuously analyzing and refining this process ensures that data protection remains a top priority and that the organization can adapt to evolving risks in real time.
NSA Data Pillar Level #2: Enterprise Data Governance
Enterprise data governance is a critical component of zero-trust data protection, ensuring that data is consistently managed, accessed, and secured across federal agencies, DoD, and DIB organizations. In the context of zero trust, data governance involves establishing and enforcing policies for data labeling, tagging, encryption, access control, and sharing. By implementing robust data governance practices, these organizations can maintain visibility and control over their data assets, even as they move beyond traditional network perimeters.
NSA Enterprise Data Governance: Preparation Maturity
At the preparation level, federal agencies, DoD, and DIB organizations develop enterprise-wide data labeling, tagging, and access control policies that are enforceable across their systems. This stage also involves defining data tagging and interoperability standards to ensure consistent policy application.
NSA Enterprise Data Governance: Basic Maturity
As federal agencies, DoD, and DIB organizations advance to the basic maturity level, they begin tagging and labeling their data in compliance with the established enterprise policies. Data is also encrypted using published enterprise frameworks, further enhancing its protection.
NSA Enterprise Data Governance: Intermediate Maturity
At the intermediate level, federal agencies, DoD, and DIB organizations assess and refine their data protection policies for interoperability across networks and partner organizations. This stage also involves establishing just–in–time and just–enough access control policies, which grant users the minimum necessary permissions to perform their tasks. Rules and access controls are automated through central policy management, streamlining the enforcement of data governance practices.
NSA Enterprise Data Governance: Advanced Maturity
At the advanced maturity level, federal agencies, DoD, and DIB organizations regularly review their policies and update their solutions to ensure ongoing compliance. Automated policy management systems are fully integrated, allowing for seamless updates and adaptations to changing business requirements and threat landscapes.
By progressing through these maturity levels, federal agencies, DoD, and DIB organizations can establish a robust enterprise data governance framework that underpins their zero trust data protection strategy. Enforceable labeling and tagging policies ensure that data is consistently classified and secured, while encryption and granular access controls protect data from unauthorized access. Automated policy management streamlines the enforcement of these practices, allowing these organizations to maintain a strong security posture even as their data environments grow and evolve.
Effective enterprise data governance is essential for achieving the visibility and control required by the zero trust model. By aligning data governance practices with zero trust principles, federal agencies, DoD, and DIB organizations can safeguard their data assets, maintain compliance with regulatory requirements, and build a strong foundation for secure data sharing and collaboration.
KEY TAKEAWAYS
- The NSA Recommends a Zero Trust Security Model:
The NSA recommends organizations adopt a zero trust security model to protect their data, acknowledging breaches are inevitable and threats exist inside and outside network boundaries. - NSA’s Zero Trust Framework Protects Data Through Seven Maturity Levels:
The NSA Zero Trust Framework’s seven maturity levels include data catalog risk alignment, data governance, data labeling and tagging, data access control, and more. - Visibility and Control Are the Goals:
Effective data catalog risk alignment, governance, labeling, monitoring, encryption, DLP, and access control are critical to achieving the visibility and control required by the zero trust model. - Kiteworks Provides Zero Trust Security:
The Kiteworks Private Content Network enables organizations to implement data-centric zero trust security in alignment with the NSA framework, embedding security at the content level. - A Zero Trust Mindset Is Critical for Data Protection:
As the threat landscape evolves, organizations must adopt a zero trust mindset and data-centric security approach, leveraging platforms like Kiteworks.
NSA Data Pillar Level #3: Data Labeling and Tagging
Data labeling and tagging are essential practices within the zero trust framework, enabling federal agencies, DoD, and DIB organizations to classify and protect their data assets based on sensitivity, criticality, and risk. By applying granular labels and tags to data, these organizations can enforce access controls, monitor data usage, and ensure that data is secured in accordance with its value and sensitivity.
In the zero trust model, data labeling and tagging serve as the foundation for machine–enforceable access controls. By associating data with specific attributes and categories, federal agencies, DoD, and DIB organizations can define and enforce granular access policies that govern who can access, modify, and share data. This approach ensures that data is only accessible to authorized users and systems, reducing the risk of data breaches and unauthorized access.
NSA Data Labeling and Tagging: Preparation Maturity
At the preparation level, federal agencies, DoD, and DIB organizations define their data tagging standards and configure their tools to support enterprise policies. This stage involves establishing a consistent taxonomy for data classification and ensuring that tagging tools align with the organization’s security requirements.
NSA Data Labeling and Tagging: Basic Maturity
As federal agencies, DoD, and DIB organizations progress to the basic maturity level, they implement data tagging and classification tools and begin manually labeling and tagging their data. Data owners play a critical role at this stage, ensuring that data is tagged in compliance with enterprise governance policies.
NSA Data Labeling and Tagging: Intermediate Maturity
At the intermediate level, federal agencies, DoD, and DIB organizations implement machine–enforceable data access controls based on the labels and tags applied to their data. Automated tooling is introduced to meet scaling demands and provide better accuracy, reducing the reliance on manual tagging processes.
NSA Data Labeling and Tagging: Advanced Maturity
At the advanced maturity level, data tagging and labeling are fully automated for federal agencies, DoD, and DIB organizations. Continuous analysis is employed to ensure that data is properly tagged and labeled, with automation procedures remediating any inconsistencies or errors. Advanced machine learning techniques may be employed to intelligently categorize and tag data based on content and context.
By progressing through these maturity levels, federal agencies, DoD, and DIB organizations can establish a robust data labeling and tagging framework that enables zero trust data protection. Consistent data tagging standards ensure that data is classified uniformly across the organization, while manual and automated tagging processes help to scale the classification effort. Machine–enforceable access controls, driven by data labels and tags, provide granular security policies that adapt to the sensitivity and risk associated with each data asset.
Effective data labeling and tagging are critical for achieving the visibility and control required by the zero trust model. By embedding data classification into their security practices, federal agencies, DoD, and DIB organizations can ensure that their data assets are protected in accordance with their value and sensitivity, reducing the risk of data breaches and enabling secure data sharing and collaboration.
NSA Data Pillar Level #4: Data Monitoring and Sensing
Data monitoring and sensing are crucial aspects of zero trust, providing federal agencies, DoD, and DIB organizations with the visibility and insights needed to detect and respond to potential data breaches, unauthorized access, and anomalous activity. By continuously monitoring data access, usage, and movement, these organizations can identify suspicious behavior and take proactive measures to mitigate risks.
In the zero trust model, data monitoring and sensing involve capturing and analyzing metadata associated with data assets. This metadata includes information about who is accessing the data, how it is being used, and where it is being transmitted. By correlating this metadata with other security events and logs, federal agencies, DoD, and DIB organizations can gain a comprehensive view of their data security posture and detect potential threats in real time.
NSA Data Monitoring and Sensing: Preparation Maturity
At the preparation level, federal agencies, DoD, and DIB organizations identify and capture active metadata that provides insights into data access, sharing, transformation, and usage. This stage also involves conducting an analysis to determine where monitoring and logging tools should be deployed.
NSA Data Monitoring and Sensing: Basic Maturity
As federal agencies, DoD, and DIB organizations progress to the basic maturity level, they procure and implement database monitoring solutions across all databases containing regulated data types, such as controlled unclassified information (CUI), personally identifiable and protected health information (PII/PHI), and protected health information (PHI). Data file monitoring tools are also utilized to monitor critical data in applications, services, and repositories. At this stage, analytics from monitoring solutions are fed into security information and event management (SIEM) systems with basic data attributes.
NSA Data Monitoring and Sensing: Intermediate Maturity
At the intermediate level, federal agencies, DoD, and DIB organizations extend their monitoring capabilities to cover all regulatory protected data in applications, services, and repositories. Advanced integration techniques are used to feed monitoring data into DLP, digital rights management (DRM), and user and entity behavior analytics (UEBA) solutions. Data outside the scope of DLP and DRM, such as file shares and databases, is actively monitored for anomalous and malicious activity using alternative tooling.
NSA Data Monitoring and Sensing: Advanced Maturity
At the advanced maturity level, logs and analytics from all data monitoring solutions are fed into SIEM for comprehensive monitoring and response. Analytics are also integrated into cross–pillar activities to inform decision–making and risk assessment. Additional data attributes are incorporated into monitoring solutions to support advanced zero trust functionalities, such as risk–adaptive access controls and automated threat response.
By progressing through these maturity levels, federal agencies, DoD, and DIB organizations can establish a robust data monitoring and sensing framework that enables zero trust data protection. Identifying and capturing relevant metadata, deploying database and file monitoring tools, and integrating analytics into SIEM and other security solutions provide these organizations with the visibility and insights needed to detect and respond to data–related threats in real time. As organizations mature their data monitoring capabilities, they can achieve a more comprehensive and proactive approach to data security, ensuring that their sensitive assets are protected against evolving threats.
NSA Data Pillar Level #5: Data Encryption and Rights Management
Data encryption and digital rights management (DRM) are essential components of a zero trust data protection strategy, ensuring that sensitive information remains secure even if it falls into the wrong hands. Encryption protects data by encoding it into an unreadable format, while DRM technologies control access to and usage of data, preventing unauthorized sharing, printing, or modification.
In the zero trust model, data encryption and DRM are applied based on the sensitivity and risk associated with each data asset. By encrypting data at rest and in transit, and by enforcing granular access controls through DRM, federal agencies, DoD, and DIB organizations can ensure that their sensitive information is protected throughout its life cycle, regardless of where it resides or how it is accessed.
NSA Data Encryption and Rights Management: Preparation Maturity
At the preparation level, federal agencies, DoD, and DIB organizations establish a strategy for encrypting data at rest and in transit, following enterprise standards and requirements. This stage involves identifying the types of data that require encryption and selecting appropriate encryption algorithms and key management solutions.
NSA Data Encryption and Rights Management: Basic Maturity
As federal agencies, DoD, and DIB organizations progress to the basic maturity level, they identify encryption gaps and implement enterprise–managed devices and centralized key management. Encryption tools are procured to support the organization’s data at rest and in transit encryption strategy. Initial DRM implementations are also introduced at this stage, focusing on protecting critical data in high–risk repositories.
NSA Data Encryption and Rights Management: Intermediate Maturity
At the intermediate level, federal agencies, DoD, and DIB organizations expand their encryption and DRM capabilities to cover all sensitive data across the enterprise. Encryption keys are automatically managed, and all data is encrypted across the entire environment. DRM is expanded to all in–scope data repositories, ensuring that sensitive information is protected with granular access controls.
NSA Data Encryption and Rights Management: Advanced Maturity
At the advanced maturity level, data tags are integrated with DRM for federal agencies, DoD, and DIB organizations, enabling automated encryption and access control based on data classification. Additional tags are created to protect extended data repositories, and DRM solutions are enhanced to track and protect data throughout its life cycle. Machine learning models are also employed to detect anomalous data usage and alert security teams to potential threats.
By progressing through these maturity levels, federal agencies, DoD, and DIB organizations can establish a robust data encryption and rights management framework that enables zero trust data protection. Implementing comprehensive encryption strategies, centralized key management, and granular DRM controls ensures that sensitive data remains secure, even if it is accessed by unauthorized parties. Integrating data tags and machine learning technologies further enhances the automation and effectiveness of these controls, enabling these organizations to adapt to evolving threats and maintain a strong security posture.
NSA Data Pillar Level #6: Data Loss Prevention
Data loss prevention (DLP) is a critical component of a zero trust data protection strategy, designed to prevent sensitive information from being accidentally or maliciously exfiltrated from federal agencies, DoD, and DIB organizations. DLP solutions monitor, detect, and block the unauthorized transmission of sensitive data, whether through email, web forms, file sharing, managed file transfer, or other channels.
In the zero trust model, DLP plays a crucial role in ensuring that sensitive data remains within the control of federal agencies, DoD, and DIB organizations, even as users and devices access information from various locations and platforms. By enforcing granular policies based on data classification, user roles, and device attributes, DLP solutions can prevent data breaches and maintain the confidentiality of sensitive assets.
NSA Data Loss Prevention: Preparation Maturity
At the preparation level, federal agencies, DoD, and DIB organizations scope their DLP requirements and identify the enforcement points where DLP solutions will be deployed. This stage also involves establishing techniques for identifying sensitive data, such as keywords, regular expressions, and machine learning algorithms.
NSA Data Loss Prevention: Basic Maturity
As federal agencies, DoD, and DIB organizations progress to the basic maturity level, they deploy DLP solutions to the identified enforcement points and configure them in monitoring or learning mode. This approach allows these organizations to validate their DLP policies and minimize false positives before enforcing data blocking. DLP solution results are analyzed, and policies are fine–tuned to manage risk to an acceptable level.
NSA Data Loss Prevention: Intermediate Maturity
At the intermediate level, federal agencies, DoD, and DIB organizations transition their DLP solutions from monitoring mode to active prevention, blocking the unauthorized transmission of sensitive data. Basic data tags are integrated with the DLP solution, enabling more granular policy enforcement based on data classification. A logging schema is also implemented to track DLP events and support incident response.
NSA Data Loss Prevention: Advanced Maturity
At the advanced maturity level, DLP solutions are fully integrated with automated data tagging capabilities for federal agencies, DoD, and DIB organizations. As data is tagged and classified based on its sensitivity and risk, DLP policies are automatically updated to enforce appropriate controls. DLP monitoring scope is extended to cover a wider range of data repositories and transmission channels. Automated data monitoring also identifies gaps in DLP coverage, prompting the deployment of additional enforcement points.
By progressing through these maturity levels, federal agencies, DoD, and DIB organizations can establish a robust DLP framework that supports zero trust data protection. Identifying sensitive data, deploying DLP solutions at key enforcement points, and tuning policies based on risk and data classification help prevent unauthorized data exfiltration. Integrating DLP with automated data tagging capabilities further enhances the precision and effectiveness of data protection controls, ensuring that sensitive information remains secure throughout its life cycle.
NSA Data Pillar Level #7: Data Access Control
Data access control is the cornerstone of zero trust data protection for federal agencies, DoD, and DIB organizations, ensuring that only authorized users and devices can access sensitive information based on granular policies and real–time risk assessment. By enforcing least–privilege access and continuously validating user and device attributes, data access control prevents unauthorized access and minimizes the potential impact of breaches.
In the zero trust model, data access control is the ultimate goal, bringing together all the other data protection capabilities to enforce fine–grained, context–aware access policies. By leveraging data classification, user roles, device attributes, and environmental factors, data access control ensures that sensitive information is only accessible under the right circumstances, by the right people, and for the right purposes within federal agencies, DoD, and DIB organizations.
NSA Data Access Control: Preparation Maturity
At the preparation level, federal agencies, DoD, and DIB organizations develop access control policies with enterprise–wide central management solutions in mind. This stage involves defining the attributes and conditions that will govern data access, such as user roles, device health, and network location.
NSA Data Access Control: Basic Maturity
As federal agencies, DoD, and DIB organizations progress to the basic maturity level, they implement central management solutions, such as software–defined storage (SDS) and identity and access management (IAM) tools. These solutions are integrated with existing policies and data protection technologies, such as encryption and DRM, to enforce access controls across the enterprise.
NSA Data Access Control: Intermediate Maturity
At the intermediate level, federal agencies, DoD, and DIB organizations implement attribute–based access control (ABAC), which grants or denies access based on the attributes of users, devices, and data itself. ABAC policies are defined and enforced, ensuring that access decisions are made based on the full context of each request. Role–based access control (RBAC) is also implemented, restricting access based on user roles and responsibilities.
NSA Data Access Control: Advanced Maturity
At the advanced maturity level, federal agencies, DoD, and DIB organizations fully integrate their access control solutions with automated policy management and decision–making tools. Access policies are dynamically updated based on real–time risk assessments, user behavior analytics, and threat intelligence feeds. Fine–grained access controls are enforced across all data repositories, applications, and services, ensuring that sensitive information is only accessible under the right circumstances.
By progressing through these maturity levels, federal agencies, DoD, and DIB organizations can establish a robust data access control framework that supports zero trust data protection. Defining granular access policies, implementing ABAC and RBAC, and integrating with automated policy management tools enables these organizations to enforce least–privilege access and maintain tight control over sensitive data. As access control capabilities mature, federal agencies, DoD, and DIB organizations can adapt to changing risks and user behavior, ensuring that data remains secure in the face of evolving threats.
How Kiteworks Enables Zero Trust Data Protection
Kiteworks is a leading provider of zero trust data protection, offering a comprehensive platform for securing sensitive content across its entire life cycle. The Kiteworks Private Content Network is designed to align with zero trust principles, providing granular access controls, continuous risk assessment, and adaptive security policies to safeguard data in today’s complex, distributed environments.
At the heart of the Kiteworks platform is the concept of content–defined zero trust, which extends the zero trust model to the data level. By embedding security policies and access controls directly into the content itself, Kiteworks ensures that data remains protected no matter where it goes, whether inside or outside the organization’s perimeter.
Kiteworks enables and facilitates each of the seven data pillar maturity levels outlined in the NSA’s zero trust framework, making it an ideal solution for federal agencies, DoD, and DIB organizations looking to implement a mature, robust zero trust framework:
For data catalog risk alignment, Kiteworks provides tools for discovering, classifying, and tagging sensitive content, enabling federal agencies, DoD, and DIB organizations to identify and prioritize their most critical data assets.
The platform also supports enterprise data governance by enforcing granular access policies and ensuring that data is managed in accordance with regulatory requirements and industry standards.
For data labeling and tagging, Kiteworks offers automated classification capabilities that can identify sensitive content based on keywords, patterns, and machine learning algorithms. These labels and tags are then used to enforce granular access controls and data protection policies, ensuring that sensitive information is only accessible by authorized users and devices within federal agencies, DoD, and DIB organizations.
Kiteworks also provides robust data monitoring and sensing capabilities, enabling these organizations to track data access, usage, and sharing in real time. The platform integrates with leading SIEM and data analytics tools, providing a comprehensive view of data security and enabling rapid detection and response to potential threats.
For data encryption and rights management, Kiteworks offers built–in encryption for data at rest and in transit, as well as granular digital rights management (DRM) controls. These capabilities ensure that sensitive content remains protected even if it is accessed by unauthorized parties, and that access can be revoked or modified in real time based on changing risk factors.
Kiteworks also provides advanced DLP capabilities, enabling federal agencies, DoD, and DIB organizations to monitor and block the unauthorized exfiltration of sensitive data. The platform’s DLP engine can identify sensitive content based on predefined policies and data tags, and can automatically enforce protective actions such as blocking, quarantining, or encrypting data.
For data access control, Kiteworks offers a range of authentication and authorization options, including multi-factor authentication (MFA), single sign–on (SSO), and attribute–based access control (ABAC). These capabilities enable federal agencies, DoD, and DIB organizations to enforce granular, context–aware access policies based on user roles, device attributes, and environmental factors, ensuring that sensitive data is only accessible under the right circumstances.
By providing a comprehensive, content–defined approach to zero trust data protection, Kiteworks enables federal agencies, DoD, and DIB organizations to achieve the highest levels of data security and compliance. The platform’s advanced capabilities, integration with existing security tools, and granular access controls make it an ideal solution for these organizations looking to implement a mature, robust zero trust framework that aligns with the NSA’s guidance.
Elevating Data Security With Kiteworks
Protecting sensitive data is more challenging and critical than ever before for federal agencies, DoD, and DIB organizations. NSA’s zero trust data pillar maturity model provides a comprehensive framework for these organizations to secure their data assets, from initial risk assessment and classification to granular access controls and continuous monitoring.
| Preparation | Basic | Intermediate | Advanced | |
|---|---|---|---|---|
| Data Catalog Risk Alignment | Acknowledgment of data catalog necessity, team assignment, and scope definition. | Identification and documentation of data assets, establishing baseline for risk assessment. | Detailed risk analysis and linking of data assets to business context. | Dynamic data catalog with real-time risk analysis and automated tools. |
| Enterprise Data Governance | Setting up governance committee and initial governance framework. | Implementing fundamental data governance policies. | Refinement and consistent enforcement of data governance policies. | Dynamic and adaptive governance framework integrated with Zero Trust architecture. |
| Data Labeling and Tagging | Developing initial data labeling and tagging standards. | Enforcement of standardized manual tagging and simple labeling policies. | Introduction of automated labeling tools. | Fully automated labeling and tagging with machine learning. |
| Data Monitoring and Sensing | Defining what needs to be monitored and establishing basic monitoring tools. | Deployment of more defined strategies for data tracking and alerting. | Integration with SIEM tools for proactive threat detection. | Comprehensive monitoring with real-time analytics and advanced sensing technologies. |
| Data Encryption and Rights Management | Encrypting particularly sensitive data and basic key management. | Standardization of encryption and introduction of DRM solutions. | More sophisticated key management systems and nuanced DRM policies. | Dynamic encryption and DRM integrated with real-time data and machine learning. |
| Data Loss Prevention | Identifying sensitive data and developing initial DLP policies. | Deployment of DLP solutions for obvious data loss scenarios. | Refinement of DLP systems with advanced strategies. | Dynamic DLP systems making real-time policy adjustments. |
| Data Access Control | Defining roles and requirements for data access. | Implementation of role-based access control policies. | Introduction of automated labeling tools. | Fully automated labeling and tagging with machine learning. |
NSA Data Pillar Maturity Levels and Definitions
By progressing through the seven maturity levels—data catalog risk alignment, enterprise data governance, data labeling and tagging, data monitoring and sensing, data encryption and rights management, data loss prevention, and data access control—federal agencies, DoD, and DIB organizations can incrementally improve their data security posture and keep pace with evolving threats.
Central to the zero trust model is the concept of data–centric security, which emphasizes the need to protect data throughout its entire life cycle, regardless of where it resides or how it is accessed. By implementing a content–defined zero trust approach, federal agencies, DoD, and DIB organizations can ensure that their sensitive data remains secure even in the face of sophisticated, persistent threats.
Kiteworks provides a powerful, comprehensive platform for achieving zero trust data protection, enabling federal agencies, DoD, and DIB organizations to enforce granular access controls, monitor data usage in real time, and prevent unauthorized exfiltration. By aligning with the NSA’s zero trust framework for data pillars and providing advanced capabilities across all seven data pillar maturity levels, Kiteworks empowers these organizations to safeguard their most critical assets and maintain the highest levels of security and compliance.
As the threat landscape continues to evolve, it is imperative that federal agencies, DoD, and DIB organizations adopt a zero trust mindset and implement robust, data–centric security strategies. By leveraging platforms like Kiteworks and following the NSA’s zero trust data pillar maturity model, these organizations can build a strong foundation for protecting their sensitive data and ensuring the continuity of their mission–critical operations. The guidance provided by the NSA is compatible with the DoD Zero Trust guidance, making Kiteworks an ideal choice for organizations looking to align with both frameworks and enhance their overall data security posture.
Cybersecurity Risk Management FAQs
Zero trust is a comprehensive cybersecurity model that eliminates implicit trust in any element, node, or service within or outside traditional network boundaries. It necessitates continuous verification of all operational activities via real-time information to determine access and system responses. This approach is vital for securing data because it addresses the limitations of traditional perimeter-based defenses, which have been proven inadequate against sophisticated cyberattacks. By enforcing granular access controls and continuous monitoring, zero trust helps prevent unauthorized access and reduces the impact of potential breaches, making it essential for federal agencies, DoD, and DIB organizations.
Secure email and secure email services usually employ encryption, authentication, and access control measures. Encryption makes it difficult for hackers to access the communication by scrambling messages and making them unreadable to unauthorized parties. Authentication verifies the identity of the message sender and access control limits who can view the message.
You can ensure the security of your emails by using a secure email service. This will encrypt your messages and protect them from being intercepted by unauthorized third parties. Additionally, you can use two-factor authentication for added security.
Using a secure email service lets you keep your email communications private and confidential. It also helps you comply with data privacy regulations like HIPAA and GDPR.
You can verify that secure email has been properly implemented by confirming whether or not the email program you are using is compliant with the security industry’s best practices and standards such as the S/MIME or PGP protocols.
Kiteworks enables users to create secure emails by applying secure encryption protocols to content before it is sent. Users can also secure emails sent through Kiteworks by setting expiration rules and controlling who can access the emails. Additionally, emails sent from Kiteworks are automatically scanned for malicious content to ensure that only secure emails are sent.
Additional Resources