Viewpoints

CISA Zero Trust Maturity Model does not prescribe a starting point, and indeed every agency will be developing a roadmap based on its legacy environment and a risk-based assessment of opportunities to rapidly improve cyber posture. In addition, the maturity model does not imply that these pillars should be addressed in a stove-piped manner. Agencies should take advantage of ongoing cyber initiatives where investments have already been made while augmenting that activity with complementary projects that could enhance outcomes. Agencies can integrate cyber improvement initiatives across all the pillars by borrowing from the agile methodology and driving implementation across the domains through the application of use cases or user stories.

When you study the graphic representation of the CISA Zero Trust Maturity Model, you notice that the two pillars that bookend the model are identity and data. In discussions with my government and industry colleagues, a common theme emerges of identity, data, and the intersection of the two elements being key.

The Bottom Line

Zero trust has at its center the concepts of data architecture and identity and access management. The incorporation of the principle of least privilege access requires that agencies understand their data and data flows, and how employees, external partners and customers interact with that data. This fundamental foundation must be established to correctly classify the protection level required for data and to develop appropriate fine-grained permissions for access. This foundation is also necessary to take full advantage of the tools and analytics that can accelerate and augment the implementation of zero trust.

Most importantly, establishing an effective data architecture and identity and access management ruleset is work within the purview of the agency personnel who best understand the mission and data within their portfolios. My observation is that most agencies have not completed this work in its entirety, but must do so to move forward with speed. The good news is that the Foundations for Evidenced-Based Policy Act has already established the imperative for CIOs, CDOs,

Source: This illustration was inspired by Figure 1 of the American Council for Technology (ACT) and Industry Advisory Council (IAC) Zero Trust Cybersecurity Current Trends, (2019). https://www.actiac.org/system/files/ACT-IAC%20Zero%20Trust%20Project%20Report%2004182019.pdf.

www.businessofgovernment.org The Business of Government