CISA Zero Trust Maturity Model for the data pillar
This section has Microsoft guidance and recommendations for the data pillar of the CISA Zero Trust Maturity Model. See Secure data with Zero Trust for more information. The Cybersecurity & Infrastructure Security Agency (CISA) defines data as all structured and unstructured files and fragments that reside in, or resided in, federal systems, devices, networks, applications, databases, infrastructure, and backups, in on-premises and virtual environments, together with the associated metadata.
5 Data
Protect enterprise data on devices, in applications, and on networks in accordance with federal requirements. Maintain an inventory of, categorize, and label data. Protect data at rest, in transit, and in use. Deploy mechanisms to detect and stop data exfiltration. Craft and review data governance policies to ensure data lifecycles are enforced across the enterprise.
5.1 Function: Data inventory management
| CISA ZTMM stage description | Microsoft guidance and recommendations |
|---|---|
| **Initial maturity status.** Enterprise begins to automate data inventory processes for both on-premises and in cloud environments, covering most Enterprise data, and begins to incorporate protections against data loss. | **Microsoft Purview Information Protection.** Classify data based on sensitive information types (see *Sensitive data and Purview*, *Label policies*). Define and apply container sensitivity labels for Microsoft Teams, Microsoft 365 groups, and Microsoft SharePoint sites (see *Sensitivity labels*).<br>**Microsoft Purview data governance.** Use Purview governance solutions for automated scans of on-premises, multicloud, and software as a service (SaaS) data sources (see *Microsoft Purview*).<br>**Microsoft Purview Data Estate Insights.** Governance stakeholders, such as a Chief Data Officer, use this feature for data management, compliance, and data-use roles: insights about the data estate, catalog usage, adoption, and processes (see *Insights reports, inventory, and ownership*).<br>**Microsoft Purview Endpoint data loss prevention.** Monitor actions taken on sensitive items and help prevent unintentional sharing (see *Device list, device status*). |
| **Advanced maturity status.** Enterprise automates data inventory and tracking enterprise-wide, covering all applicable Enterprise data, with data loss prevention strategies based upon static attributes and/or labels. | **Microsoft Purview sensitive information types.** In the Purview compliance portal, review the built-in sensitive information types and define custom ones. Use classifiers trained by machine learning (ML) (see *Custom sensitive info types*, *Trainable classifiers*).<br>**Microsoft Purview content explorer.** In content explorer and/or activity explorer, view identified Microsoft 365 content and the associated user activities (see *Content explorer*, *Activity explorer*).<br>**Microsoft Purview sensitivity labels.** Create and publish sensitivity labels according to your data label standards (see *Sensitivity labels and policy*, *Labels in Microsoft 365*).<br>**Microsoft Purview Data Loss Prevention.** Create and publish DLP policies based on labels; for instance, block external sharing of content labeled Internal Only or Confidential. Combine the label condition with context and with sensitive information types (see *Data loss prevention*).<br>**Microsoft Purview Endpoint data loss prevention.** Monitor actions taken on sensitive items and help prevent unintentional sharing (see *Device list, device status*). |
| **Optimal maturity status.** Enterprise continuously inventories all applicable Enterprise data and employs robust data loss prevention strategies that dynamically block suspected data exfiltration. | **Microsoft Purview content explorer.** Use the content explorer PowerShell cmdlet to export inventory information about your sensitive content, then use a security information and event management (SIEM) app or other analysis tool to report on the data types to protect (see *Content explorer PowerShell*).<br>**Microsoft Purview Information Protection.** Configure client-side autolabeling for files and emails created in Microsoft Office applications (see *Autolabeling for Office apps*) and service-side autolabeling for content stored in Microsoft 365 (see *Autolabeling in SharePoint, OneDrive, and Exchange*). To find documents and emails that contain sensitive data such as employee personally identifiable information (PII), scan for values that match a known data source (see *Exact data match*). Use document fingerprinting to find and label content that matches highly sensitive documents, templates, and forms (see *Document fingerprinting*).<br>**Microsoft Purview data governance.** Register data sources, then scan, ingest, and classify data in the Purview governance portal (see *Data sources*, *Scans and ingestion*, *Data classification*, *Supported sources*, *Apply classification*, *Protection policy for Azure*, *Protection policies in Microsoft Fabric*).<br>**Microsoft Purview Data Loss Prevention.** Control how data is shared and enable actions that prevent misuse. Collect evidence from devices and simulate a policy before deployment (see *Protective actions*, *On-premises repositories*, *Collect evidence in devices*, *Simulate before deployment*).<br>**Microsoft Purview Endpoint data loss prevention.** Monitor actions taken on sensitive items and help prevent unintentional sharing (see *Device list, device status*).<br>**Microsoft Purview Insider Risk Management.** Create data loss prevention (DLP) policies that use Insider Risk Management risky-user detection for Adaptive Protection (see *Adaptive protection*, *Microsoft Entra Conditional Access*).<br>**Microsoft Defender for Cloud Apps.** Enable app governance in Defender for Cloud Apps to monitor app connectivity and access to enterprise data (see *App governance*). Use Conditional Access app control, a reverse proxy, to enforce app access based on defined conditions such as user group, cloud app, and network location; users in scope are routed through Microsoft Defender for Cloud Apps, which applies access and session controls (see *Session controls*, *App control*). |
5.2 Function: Data categorization
| CISA ZTMM stage description | Microsoft guidance and recommendations |
|---|---|
| **Initial maturity status.** Enterprise begins to implement a data categorization strategy with defined labels and manual enforcement mechanisms. | **Microsoft Purview Information Protection.** Categorize data based on sensitive information types (see *Sensitive data*, *Label policy*, *Know your data*).<br>**Microsoft Purview data governance.** Register data sources, then scan, ingest, and classify data in the Purview governance portal. Explore and understand your data (see *Data catalog*, *Data sources*, *Scans and ingestion*, *Data classification*, *Supported data sources*, *Apply data classification*). |
| **Advanced maturity status.** Enterprise automates some data categorization and labeling processes in a consistent, tiered, targeted manner with simple, structured formats and regular review. | **Microsoft Purview Information Protection.** Automate data categorization based on sensitive information types and classifiers trained by machine learning (ML) (see *Sensitive data*, *Label policy*). Configure client-side autolabeling for files and emails created in Microsoft Office applications (see *Autolabeling for Office apps*) and service-side autolabeling for content stored in Microsoft 365 (see *Autolabeling in SharePoint, OneDrive, and Exchange*). Create and publish sensitivity labels in Purview according to enterprise data label standards, and configure a label policy that requires users to apply a sensitivity label to emails and documents (see *Apply labels*).<br>**Microsoft Purview data governance.** Register data sources, then scan, ingest, and classify data in the Purview governance portal. Explore and understand your data (see *Data catalog*, *Data sources*, *Scans and ingestion*, *Data classification*, *Supported data sources*, *Apply data classification*). |
| **Optimal maturity status.** Enterprise automates data categorization and labeling enterprise-wide with robust techniques; granular, structured formats; and mechanisms to address all data types. | **Microsoft Purview Information Protection.** Review the sensitive information types in the Purview compliance portal and define custom ones. To detect values that match a known data source, create exact data match (EDM) sensitive information types (see *Sensitive information types*, *Exact Data Match*). Use trainable classifiers to recognize content with machine learning (ML); create and train them with human-selected, positively matched samples (see *Trainable classifiers*).<br>**Microsoft Purview content explorer.** Use the content explorer PowerShell cmdlets to export a list of sensitive assets, and analyze it with a security information and event management (SIEM) app or other reporting tool. Determine whether protection levels and location access align with the detected sensitive data. Review sensitive information type matches in content explorer for the relevant classifiers, identify false positives and false negatives, and regularly adjust custom sensitive information types and trainable classifier definitions to minimize misclassification (see *Content explorer PowerShell*).<br>**Microsoft Purview data governance.** Register data sources, then scan, ingest, and classify data in the Purview governance portal. Explore and understand your data (see *Data catalog*, *Data sources*, *Scans and ingestion*, *Data classification*, *Supported data sources*, *Apply data classification*). |
5.3 Function: Data availability
| CISA ZTMM stage description | Microsoft guidance and recommendations |
|---|---|
| **Initial maturity status.** Enterprise makes some data available from redundant, highly available data stores (e.g., cloud) and maintains off-site backups for on-premises data. | **Microsoft cloud services.** Microsoft Azure provides high availability and redundancy through storage options such as zone-redundant storage (ZRS) and geo-zone-redundant storage (GZRS), which replicate data across availability zones and regions, and through Azure Site Recovery. Microsoft 365 supports data security and compliance with data residency policies, data retention programs, and vulnerability remediation processes. Together these give reliable, secure data storage that supports business continuity and regulatory compliance (see *Resiliency and continuity*, *Data resiliency in Microsoft 365*).<br>**Microsoft Purview Data Lifecycle Management.** Use Data Lifecycle Management and Purview records management to meet data compliance and regulatory requirements (see *Data Lifecycle Management*).<br>**Microsoft OneDrive, Microsoft SharePoint.** Use these platforms for off-site backup and data sharing (see *Set up OneDrive*).<br>**Azure Backup.** Back up on-premises resources to the cloud, with Azure Blob Storage as redundant, highly available storage; geo-redundancy options replicate backup data across regions (see *Azure Backup*).<br>**Microsoft Purview data governance.** Register data sources, then scan, ingest, and classify data in the Purview governance portal. Explore and understand your data (see *Data catalog*, *Data sources*, *Supported data sources*).<br>**Microsoft Purview Information Protection.** Use content explorer and/or activity explorer to view identified Microsoft 365 content and associated user activities (see *Content explorer*, *Activity explorer*). |
| **Advanced maturity status.** Enterprise primarily makes data available from redundant, highly available data stores and ensures access to historical data. | **Microsoft Purview data governance.** Manage data with an AI-powered, unified approach. Use data cataloging, lineage, and classification to ensure data, including historical data, is organized and accessible (see *Data Lifecycle Management*, *Data catalog*, *Data sources*, *Scans and ingestion*, *Supported data sources*).<br>**Microsoft Purview Information Protection.** Use content explorer and/or activity explorer to view identified Microsoft 365 content and associated user activities (see *Content explorer*, *Activity explorer*).<br>**Microsoft SharePoint Online.** Migrate data to SharePoint Online and make it the default data location, including historical data shared across the enterprise; retention policies extend to SharePoint Online data (see *SharePoint and OneDrive in Microsoft 365*).<br>**Microsoft Purview Data Catalog.** Use Purview data governance and the Data Catalog to inventory sensitive structured data assets and define data governance controls (see *Data governance experience*). |
| **Optimal maturity status.** Enterprise uses dynamic methods to optimize data availability, including historical data, according to user and entity need. | **Microsoft Purview data governance.** Manage data with an AI-powered, unified approach. Use data cataloging, lineage, and classification to ensure data, including historical data, is organized and accessible (see *Data Lifecycle Management*, *Data catalog*, *Data sources*, *Supported data sources*).<br>**Microsoft Purview Information Protection.** Use content explorer and/or activity explorer to view identified Microsoft 365 content and associated user activities (see *Content explorer*, *Activity explorer*).<br>**Azure Files, Azure SQL, Power BI.** Cloud-hosted locations are the default for enterprise data: file shares in Azure Files, databases in Azure SQL, and analytics in the Power BI service and other data tools (see *Azure Files*, *Azure SQL*, *Azure and Power BI*). |
5.4 Function: Data access
| CISA ZTMM stage description | Microsoft guidance and recommendations |
|---|---|
| **Initial maturity status.** Enterprise begins to deploy automated data access controls that incorporate elements of least privilege across the enterprise. | **Microsoft Purview Information Protection.** Define data classification standards and a labeling taxonomy that align with policies. Deploy sensitivity labels and enable users to apply them to documents (see *Sensitive data*, *Label policy*).<br>**Microsoft Purview Data Loss Prevention.** Run a policy in simulation mode and review its effects before enforcement (see *Simulate before deployment*). |
| **Advanced maturity status.** Enterprise automates data access controls that consider various attributes such as identity, device risk, application, data category, etc., and are time limited where applicable. | **Microsoft Purview Information Protection.** Implement access controls for sensitive files. At a minimum, differentiate between material that is and isn't shared with nongovernment workers or foreign individuals, and define categories for content shared outside the enterprise. Consider more granular data classification based on your current confidentiality standards (see *Sensitivity labels and access*). Configure sensitivity label policies that apply labels to files and emails created in Microsoft Office applications (see *Autolabeling for Office apps*) and service-side autolabeling for content stored in Microsoft 365 (see *Autolabeling for SharePoint, OneDrive, and Exchange*).<br>**Microsoft Purview Data Loss Prevention.** Monitor user activity, protect on-premises repositories, and collect evidence from devices. Simulate a policy before deployment (see *Protective actions*, *On-premises repositories*, *Collect evidence from devices*, *Simulate before deployment*). |
| **Optimal maturity status.** Enterprise automates dynamic just-in-time and just-enough data access controls enterprise-wide with continuous review of permissions. | **Microsoft Purview Information Protection.** Labels restrict access to the groups that require it; for example, files with sensitive HR data carry a label whose encryption settings limit access to the HR group (see *Sensitivity labels and access*).<br>**Microsoft Purview Data Loss Prevention.** Monitor user activity, protect on-premises repositories, and collect evidence from devices. Simulate a policy before deployment (see *Protective actions*, *On-premises repositories*, *Collect evidence from devices*, *Simulate before deployment*).<br>**Microsoft Defender for Cloud Apps.** Access policies use Conditional Access app control for real-time monitoring and control of cloud app access (see *Access policy*). Session policies give granular, real-time, session-level visibility into and control over cloud apps (see *Session policy*).<br>**Microsoft Entra ID Governance.** Use entitlement management to bundle resources into access packages and manage user assignments to them, Privileged Identity Management for just-in-time (JIT) activation, and access reviews to keep assignments at just enough access (JEA) (see *Entitlement management scenarios*, *Privileged Identity Management*, *Access reviews*). |
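The label-based DLP policy that 5.1 (Advanced) describes, built in the simulation mode that 5.4 (Initial) recommends, as an added example in Security & Compliance PowerShell; this is editorial example code, not from the original page or from Microsoft. The policy name and label names are hypothetical, the two labels are assumed to already exist, the 7-day review window is an assumption, and the review step reads the audit records that a SharePoint DLP rule match writes to the unified audit log.

```powershell
# Added example (not from the original page): a Purview DLP policy that blocks external
# sharing of content carrying the "Confidential" or "Internal Only" sensitivity label.
# It is created in simulation mode first, reviewed, and only then switched to enforcement.
# Assumptions: the two labels already exist; names below are hypothetical; you hold a
# Compliance Administrator (or equivalent) role. Requires the ExchangeOnlineManagement module.

Import-Module ExchangeOnlineManagement
Connect-IPPSSession    # interactive sign-in to Security & Compliance PowerShell

$policyName = 'Block external sharing of labeled content'   # hypothetical
$labelNames = @('Confidential', 'Internal Only')             # hypothetical label names

# Resolve each label up front so a misspelled name fails here instead of
# producing a rule that silently never matches.
$labelRefs = foreach ($name in $labelNames) {
    $label = Get-Label -Identity $name -ErrorAction Stop
    @{ name = $label.Name; type = 'Sensitivity' }
}

# 1. Policy: scope to Exchange, SharePoint and OneDrive. TestWithNotifications is
#    simulation mode: matches are logged and users see policy tips, nothing is blocked.
if (-not (Get-DlpCompliancePolicy -Identity $policyName -ErrorAction SilentlyContinue)) {
    New-DlpCompliancePolicy -Name $policyName `
        -ExchangeLocation All -SharePointLocation All -OneDriveLocation All `
        -Mode TestWithNotifications `
        -Comment 'CISA ZTMM data pillar, 5.1 Advanced: label-based DLP' | Out-Null
}

# 2. Rule: condition = "item has any of these labels" AND "shared with people outside
#    the organization"; action = block the share and notify the item owner.
$labelCondition = @(
    @{
        operator = 'And'
        groups   = @(
            @{ operator = 'Or'; name = 'LabeledContent'; labels = $labelRefs }
        )
    }
)

New-DlpComplianceRule -Name "$policyName - block external" -Policy $policyName `
    -ContentContainsSensitiveInformation $labelCondition `
    -AccessScope NotInOrganization `
    -BlockAccess $true -BlockAccessScope All `
    -NotifyUser Owner `
    -NotifyPolicyTipCustomText 'This item is labeled for internal use and cannot be shared outside the organization.' | Out-Null

# 3. Review the simulation. Rule matches are written to the unified audit log as
#    DlpRuleMatch operations; summarize the last 7 days (window is an assumption) per
#    user to spot false positives before anything is enforced.
$since = (Get-Date).AddDays(-7)
Search-UnifiedAuditLog -StartDate $since -EndDate (Get-Date) `
    -RecordType ComplianceDLPSharePoint -Operations DlpRuleMatch -ResultSize 5000 |
    Group-Object UserIds |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize

# 4. Once the review is clean, enforce. Until this runs the policy blocks nothing.
# Set-DlpCompliancePolicy -Identity $policyName -Mode Enable
```

The rule matches on the label, not on the content, so an unlabeled copy of the same document is not caught; pair it with the autolabeling in 5.1 (Optimal) or add sensitive information types to the same condition group. Keep the policy in TestWithNotifications until the audit summary shows only expected matches; Set-DlpCompliancePolicy can also be used to return it to test mode if enforcement causes problems.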
5.5 Function: Data encryption
| CISA ZTMM stage description | Microsoft guidance and recommendations |
|---|---|
| **Initial maturity status.** Enterprise encrypts all data in transit and, where feasible, data at rest and data in use (e.g., mission critical data and data stored in external environments) and begins to formalize key management policies and secure encryption keys. | **Microsoft 365 encryption.** Microsoft 365 service storage uses baseline volume-level encryption with the Windows security feature BitLocker, with keys managed by Distributed Key Manager (DKM) (see *Encryption in Microsoft 365*).<br>**Microsoft Purview sensitivity labels.** Use sensitivity label policies to apply persistent encryption at the document or email level for high-risk data in Microsoft 365 (see *Encrypt documents*, *Email encryption*).<br>**Microsoft Purview Data Loss Prevention.** Monitor user activity, protect on-premises repositories, and collect evidence from devices. Simulate a policy before deployment (see *Protective actions*, *On-premises repositories*, *Collect evidence from devices*, *Simulate before deployment*).<br>**Microsoft Defender for Cloud Apps.** Use session policies for granular, real-time, session-level visibility into cloud apps (see *Session policy*). |
| **Advanced maturity status.** Enterprise encrypts all data at rest and in transit across the enterprise to the maximum extent possible, begins to incorporate cryptographic agility, and protects encryption keys (i.e., secrets aren't hard coded and are rotated on a regular basis). | **Microsoft Purview sensitivity labels.** Use label policies whose encryption settings grant rights to Microsoft Entra groups, so that access control covers users, partners, vendors, and external users in the environment (see *Sensitivity labels and access*).<br>**Microsoft Purview Data Loss Prevention.** Monitor user activity, protect on-premises repositories, and collect evidence from devices. Simulate a policy before deployment (see *Protective actions*, *On-premises repositories*, *Collect evidence from devices*, *Simulate before deployment*).<br>**Microsoft Defender for Cloud Apps.** Use session policies for granular, real-time, session-level visibility into cloud apps (see *Session policy*). |
| **Optimal maturity status.** Enterprise encrypts data in use where appropriate, enforces least privilege principles for secure key management enterprise-wide, and applies encryption using up-to-date standards and cryptographic agility to the extent possible. | **Microsoft Purview sensitivity labels.** Deploy label policies with access control for sensitive data, restricting access according to least privilege. Enforce labels and their access controls with content detection (autolabeling) in Microsoft Exchange, Microsoft OneDrive, and Microsoft SharePoint (see *Sensitivity labels and access*, *Sensitivity labels in Microsoft 365*).<br>**Microsoft Purview Data Loss Prevention.** Monitor user activity, protect on-premises repositories, and collect evidence from devices. Simulate a policy before deployment (see *Protective actions*, *On-premises repositories*, *Collect evidence from devices*, *Simulate before deployment*).<br>**Microsoft Defender for Cloud Apps.** Use session policies for granular, real-time, session-level visibility into cloud apps (see *Session policy*). |
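A sensitivity label whose encryption grants rights only to Microsoft Entra groups, the pattern 5.4 (Optimal) gives for HR data and that 5.5 (Advanced and Optimal) relies on, as an added example; this is editorial example code, not from the original page or from Microsoft. The label name, the two group addresses, the offline-access window, and the choice to publish only to the HR group are assumptions.

```powershell
# Added example (not from the original page): a sensitivity label that applies persistent
# Azure Rights Management encryption and grants usage rights only to named Microsoft Entra
# groups, then a label policy that publishes it to the HR group. Label name, group
# addresses and the chosen settings are hypothetical. Requires ExchangeOnlineManagement.

Import-Module ExchangeOnlineManagement
Connect-IPPSSession

$labelName = 'HR-Restricted'              # hypothetical internal name (immutable once created)
$hrStaff   = 'hr-staff@contoso.com'       # hypothetical mail-enabled Entra group
$hrAudit   = 'hr-auditors@contoso.com'    # hypothetical mail-enabled Entra group

# Usage rights per principal, in "identity:RIGHT,RIGHT;identity:RIGHT" form.
# Auditors get view-only rights: without EXTRACT they cannot copy text out, without PRINT
# they cannot print. Anyone outside these two groups cannot open the content at all.
$rights = @(
    "${hrStaff}:VIEW,VIEWRIGHTSDATA,DOCEDIT,EDIT,PRINT,EXTRACT,REPLY,REPLYALL,FORWARD,OBJMODEL",
    "${hrAudit}:VIEW,VIEWRIGHTSDATA"
) -join ';'

if (-not (Get-Label -Identity $labelName -ErrorAction SilentlyContinue)) {
    # EncryptionOfflineAccessDays bounds how long a cached use license is valid, so it is
    # also the longest a removed group member can keep opening already-downloaded files.
    New-Label -Name $labelName -DisplayName 'HR Restricted' `
        -Tooltip 'Sensitive HR data. Encrypted; opens only for HR staff and HR auditors.' `
        -ContentType 'File, Email' `
        -EncryptionEnabled $true `
        -EncryptionProtectionType Template `
        -EncryptionRightsDefinitions $rights `
        -EncryptionOfflineAccessDays 7 `
        -EncryptionContentExpiredOnDateInDaysOrNever Never | Out-Null
}

# Publish to HR only, so the label appears in Office for HR users and nobody else can
# apply it. Assumption: ExchangeLocation accepts the mail-enabled group as the scope.
$policyName = "$labelName policy"
if (-not (Get-LabelPolicy -Identity $policyName -ErrorAction SilentlyContinue)) {
    New-LabelPolicy -Name $policyName -Labels $labelName -ExchangeLocation $hrStaff `
        -Comment 'CISA ZTMM data pillar, 5.5: encrypted label for HR data' | Out-Null
}

# Verify what was stored; the rights string is what Office and the RMS service enforce.
Get-Label -Identity $labelName |
    Select-Object Name, EncryptionEnabled, EncryptionProtectionType,
                  EncryptionOfflineAccessDays, EncryptionRightsDefinitions |
    Format-List
```

Two caveats a practitioner should keep in mind. Access is revoked by removing a user from the group, and takes effect once that user's cached use license expires, which is why the offline-access window is kept short. The content keys are protected by the tenant's Azure Rights Management root key, which is Microsoft-managed by default; if the key management policy in 5.5 (Advanced) requires customer control of that key, that is a separate tenant-key configuration, not a label setting. Encrypted files in SharePoint and OneDrive are only indexed, inspected by DLP, and autolabeled once sensitivity labels for Office files are enabled for those services.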
5.6 Function: Visibility and analytics
| CISA ZTMM stage description | Microsoft guidance and recommendations |
|---|---|
| **Initial maturity status.** Enterprise obtains visibility based on data inventory management, categorization, encryption, and access attempts, with some automated analysis and correlation. | For more information, see section 5.1 Function: Data inventory management.<br>**Microsoft Purview Data Catalog.** For visibility into structured data assets, manage and categorize inventories (see *Data Catalog*).<br>**Microsoft Entra ID.** Monitor Microsoft Entra sign-in logs for visibility into access attempts (see *Monitoring and health*, *Sign-in logs*).<br>**Microsoft Graph activity logs.** Microsoft Graph activity logs record the API requests made to Microsoft Graph, including the calling identity and the resource accessed. Use them to monitor authentication and access events, identify potential security threats, and verify compliance with access policies (see *Access activity logs*).<br>**Microsoft Purview content explorer.** To understand sharing and access patterns and to identify reporting needs, use content explorer and activity explorer to investigate access to, and sharing of, sensitive data (see *Activity explorer*, *Content explorer*).<br>**Microsoft Purview Data Loss Prevention.** Implement DLP policies to monitor and manage sensitive data sharing (see *Data Loss Prevention*). |
| **Advanced maturity status.** Enterprise maintains data visibility in a more comprehensive, enterprise-wide manner with automated analysis and correlation and begins to employ predictive analytics. | **Microsoft Purview Data Map.** Extend enterprise-wide structured data visibility with a data map that integrates metadata and classification (see *Data Map*).<br>**Microsoft Purview insights.** Use advanced analytics for correlation of, and predictive insight into, data security (see *Data Estate Insights*, *Asset insights*).<br>**Microsoft Purview Insider Risk Management.** Create data loss prevention (DLP) policies that use Insider Risk Management risky-user detection for Adaptive Protection (see *Adaptive protection*, *Conditional Access and adaptive protection*).<br>**Microsoft Purview content explorer.** Use the content explorer PowerShell cmdlet to export inventory information about sensitive unstructured content, such as Office files, and create reports about the data types to protect with a security information and event management (SIEM) app or other analysis tool (see *Content explorer PowerShell*, *Advanced monitoring*). |
| **Optimal maturity status.** Enterprise has visibility across the full data lifecycle with robust analytics, including predictive analytics, that support comprehensive views of Enterprise data and continuous security posture assessment. | **Microsoft Purview Data Catalog, data classification.** Achieve lifecycle visibility and data management with continuous classification and cataloging (see *Data classification with Purview*).<br>**Microsoft Entra Conditional Access.** Use the insider risk condition, fed by Purview Adaptive Protection, so that access policies respond to a user's elevated risk level and stay aligned with security policy (see *Elevated insider risk*).<br>**Microsoft Purview Insider Risk Management analytics.** Evaluate potential insider risk in the tenant without configuring insider risk policies, identify users with potentially higher risk, and use the results to decide which policy types and scope to deploy (see *Enable analytics*).<br>**Microsoft Sentinel.** Continuously assess data security by integrating Purview insights into Sentinel for a view of your security posture (see *Data security with Sentinel*).<br>**Microsoft SharePoint, unified audit log, Sentinel.** Monitor sensitive information sharing and access. To analyze access and sharing patterns, integrate the Microsoft 365 unified audit log with a security information and event management (SIEM) app (see *SharePoint sharing schema*, *Data loss prevention schema*, *Microsoft Sentinel*, *SharePoint Advanced Management*).<br>**Microsoft Purview Information Protection.** To understand sharing and access patterns and to identify reporting needs, use content explorer and activity explorer to review access to, and sharing of, sensitive data (see *Content explorer*, *Activity explorer*). |
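The content explorer export that 5.1 (Optimal), 5.2 (Optimal) and 5.6 (Advanced) all point to, as one added example that pages through the cmdlet's results and writes a CSV a SIEM can ingest; this is editorial example code, not from the original page or from Microsoft. The output path and the choice of sensitive information types are hypothetical, and the paging convention (a first object per page carrying RecordCount, MorePagesAvailable and PageCookie, followed by the items) is assumed to match the cmdlet's documented output; check it against your module version.

```powershell
# Added example (not from the original page): export the content explorer inventory for a
# set of sensitive information types to CSV, paging through the cmdlet's results, so the
# file can be shipped to a SIEM. Assumptions: the first object of each page carries the
# paging fields (RecordCount, MorePagesAvailable, PageCookie) and the rest are items, as
# documented for the cmdlet; output path and SIT selection are hypothetical. The account
# needs the Content Explorer List Viewer and Content Explorer Content Viewer roles.

Import-Module ExchangeOnlineManagement
Connect-IPPSSession

function Get-SensitiveInventory {
    param(
        [ValidateSet('SensitiveInformationType', 'Sensitivity', 'Retention', 'TrainableClassifier')]
        [string]$TagType = 'SensitiveInformationType',
        [Parameter(Mandatory)] [string]$TagName,
        [ValidateSet('Exchange', 'SharePoint', 'OneDrive', 'Teams')]
        [string]$Workload = 'SharePoint',
        [int]$PageSize = 1000
    )
    $cookie = $null
    do {
        $query = @{ TagType = $TagType; TagName = $TagName; Workload = $Workload; PageSize = $PageSize }
        if ($cookie) { $query['PageCookie'] = $cookie }
        $page = @(Export-ContentExplorerData @query)
        if ($page.Count -eq 0) { break }
        # First object of each page carries the paging metadata; the rest are the items.
        $meta = $page[0]
        $stamp = (Get-Date).ToUniversalTime().ToString('o')
        $page | Select-Object -Skip 1 | ForEach-Object {
            # Tag each row with the query that produced it so the SIEM can group and dedupe.
            $_ | Add-Member -NotePropertyName TagType   -NotePropertyValue $TagType  -PassThru |
                 Add-Member -NotePropertyName TagName   -NotePropertyValue $TagName  -PassThru |
                 Add-Member -NotePropertyName Workload  -NotePropertyValue $Workload -PassThru |
                 Add-Member -NotePropertyName Collected -NotePropertyValue $stamp    -PassThru
        }
        $cookie = if ($meta.MorePagesAvailable) { $meta.PageCookie } else { $null }
    } while ($cookie)
}

# Two built-in sensitive information type names; add your custom and EDM types here.
$sits    = @('Credit Card Number', 'U.S. Social Security Number (SSN)')
$outFile = Join-Path $env:TEMP ("sensitive-inventory-{0:yyyyMMdd}.csv" -f (Get-Date))   # hypothetical path

$rows = foreach ($sit in $sits) {
    foreach ($workload in 'SharePoint', 'OneDrive', 'Exchange') {
        Get-SensitiveInventory -TagName $sit -Workload $workload
    }
}
$rows | Export-Csv -Path $outFile -NoTypeInformation -Encoding UTF8

# Triage before shipping: item counts per type and workload show where protection is thin.
$rows | Group-Object TagName, Workload | Select-Object Count, Name | Sort-Object Count -Descending
```

Run it on a schedule and ingest each day's file; a row that appears in today's export but not yesterday's is new sensitive content, and comparing its location against the label and DLP coverage in 5.1 and 5.4 is the "protection levels align with detected data" check that 5.2 (Optimal) asks for. The export contains locations and owners of sensitive items, so treat the CSV itself as sensitive.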
5.7 Function: Automation and orchestration
| CISA ZTMM stage description | Microsoft guidance and recommendations |
|---|---|
| **Initial maturity status.** Enterprise uses some automated processes to implement data lifecycle and security policies. | **Microsoft Purview Data Catalog.** To implement lifecycle and security policies, use automated data classification and cataloging (see *Data Catalog*).<br>**Microsoft Defender for Cloud.** Implement automated security policies and monitor data resources (see *Defender for Cloud*).<br>**Microsoft Purview Information Protection.** To understand sharing and access patterns and to identify reporting needs, use content explorer and activity explorer to review access to, and sharing of, sensitive data (see *Content explorer*, *Activity explorer*).<br>**Microsoft Purview data governance.** Manage data with an AI-powered, unified approach. Use data cataloging, lineage, and classification to ensure data, including historical data, is organized and accessible. Explore and understand your data (see *Data Lifecycle Management*, *Data catalog*, *Data sources*, *Supported data sources*). |
| **Advanced maturity status.** Enterprise implements data lifecycle and security policies primarily through automated methods for most Enterprise data in a consistent, tiered, targeted manner across the enterprise. | **Microsoft Purview Data Map, insights.** Implement advanced automation for data classification, retention, and security policies across data tiers and classifications (see *Data Map*).<br>**Microsoft Entra ID Governance.** Use identity governance and automated policy enforcement for a range of data resources (see *Microsoft Entra ID Governance*).<br>**Microsoft Defender for Cloud.** Enable automated security policy enforcement across data resources (see *Data security in Defender for Cloud*).<br>**Microsoft Purview data governance.** Manage data with an AI-powered, unified approach. Use data cataloging, lineage, and classification to ensure data, including historical data, is organized and accessible. Explore and understand your data (see *Data Lifecycle Management*, *Data catalog*, *Data sources*, *Supported data sources*). |
| **Optimal maturity status.** Enterprise automates, to the maximum extent possible, data lifecycles and security policies for all Enterprise data across the enterprise. | **Microsoft Purview.** Automate data lifecycle management, classification, and security policies with integrated features across data assets (see *Data management with Purview*).<br>**Microsoft Defender for Cloud.** Automate data security policies, threat detection, and response across enterprise data (see *Automation with Defender for Cloud*).<br>**Microsoft Sentinel.** Automate the monitoring of, response to, and management of data security policies (see *Advanced monitoring*).<br>**Microsoft 365 connector for Microsoft Sentinel.** To analyze access and sharing patterns, ingest the Microsoft 365 unified audit log into Sentinel or another security information and event management (SIEM) app (see *SharePoint sharing schema*, *Data loss prevention schema*, *Microsoft Sentinel*, *Microsoft 365 connector for Sentinel*).<br>**Microsoft Purview Information Protection.** To understand sharing and access patterns and to identify reporting needs, use content explorer and activity explorer to review access to, and sharing of, sensitive data (see *Content explorer*, *Activity explorer*).<br>**Microsoft Purview data governance.** Manage data with an AI-powered, unified approach. Use data cataloging, lineage, and classification to ensure data, including historical data, is organized and accessible. Explore and understand your data (see *Data Lifecycle Management*, *Data catalog*, *Data sources*, *Supported data sources*). |
5.8 Function: Governance
| CISA ZTMM stage description | Microsoft guidance and recommendations |
|---|---|
| **Initial maturity status.** Enterprise defines high-level data governance policies and relies primarily on manual, segmented implementation. | **Microsoft Purview data governance.** Manage data with an AI-powered, unified approach. Use data cataloging, lineage, and classification to ensure data, including historical data, is organized and accessible (see *Data Lifecycle Management*, *Data catalog*, *Data sources*, *Supported data sources*).<br>**Microsoft Purview Data Lifecycle Management.** Implement retention and deletion policies on documents with retention labels (see *Data Lifecycle Management*). |
| **Advanced maturity status.** Enterprise begins integration of data lifecycle policy enforcement across the enterprise, enabling more unified definitions for data governance policies. | **Microsoft Purview data governance.** Manage data with an AI-powered, unified approach. Use data cataloging, lineage, and classification to ensure data, including historical data, is organized and accessible. Explore and understand your data (see *Data Lifecycle Management*, *Data catalog*, *Data sources*, *Supported data sources*).<br>**Microsoft Purview data owner policies.** Use data owner policies to manage access to data in sources that are registered for data policy enforcement in Purview (see *Data owner policy*).<br>**Microsoft Defender for Cloud.** Implement enterprise-wide data security and lifecycle management policies for automated, integrated enforcement (see *Data security with Defender for Cloud*).<br>**Microsoft Sentinel.** Unify monitoring and data governance policy enforcement (see *Advanced monitoring*). |
| **Optimal maturity status.** Enterprise data lifecycle policies are unified to the maximum extent possible and dynamically enforced across the enterprise. | **Microsoft Purview data governance.** Manage data with an AI-powered, unified approach. Use data cataloging, lineage, and classification to ensure data, including historical data, is organized and accessible (see *Data Lifecycle Management*, *Data catalog*, *Data sources*, *Supported data sources*).<br>**Microsoft Purview Insider Risk Management, Adaptive Protection.** Adaptive Protection uses machine learning to identify users whose activity presents critical risk and applies protection controls in response. Create data loss prevention (DLP) policies that use Insider Risk Management risky-user detection for Adaptive Protection (see *Mitigate risks*, *Adaptive protection in data loss prevention*, *Conditional Access and adaptive protection*).<br>**Microsoft Defender for Cloud.** Automate dynamic data security policy enforcement for your enterprise data (see *Automation with Defender for Cloud*). |
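The retention label and publishing policy that 5.8 (Initial) calls for, as an added example; this is editorial example code, not from the original page or from Microsoft. The label name, policy name, the 7-year period, and the choice of SharePoint and OneDrive as locations are assumptions.

```powershell
# Added example (not from the original page): a retention label that keeps items for
# 7 years from last modification and then deletes them, published by a retention policy
# to SharePoint and OneDrive. Names and the period are hypothetical. Requires
# ExchangeOnlineManagement and a Compliance Administrator or Records Management role.

Import-Module ExchangeOnlineManagement
Connect-IPPSSession

$tagName    = 'Retain-7y-then-delete'   # hypothetical
$policyName = 'Enterprise 7-year retention'   # hypothetical
$days       = 7 * 365                   # duration is expressed in days; leap days ignored

# The label defines the lifecycle: how long, measured from what, and what happens after.
if (-not (Get-ComplianceTag -Identity $tagName -ErrorAction SilentlyContinue)) {
    New-ComplianceTag -Name $tagName `
        -Comment 'Keep 7 years from last modification, then delete' `
        -RetentionAction KeepAndDelete `
        -RetentionType ModificationAgeInDays `
        -RetentionDuration $days | Out-Null
}

# A retention policy publishes the label to locations; the rule inside it names the label.
# Publishing makes the label available to users; it does not apply it to existing content.
if (-not (Get-RetentionCompliancePolicy -Identity $policyName -ErrorAction SilentlyContinue)) {
    New-RetentionCompliancePolicy -Name $policyName `
        -SharePointLocation All -OneDriveLocation All | Out-Null
    New-RetentionComplianceRule -Name "$policyName rule" -Policy $policyName `
        -PublishComplianceTag $tagName | Out-Null
}

# Verify the label settings and that the policy has finished distributing to the locations.
Get-ComplianceTag -Identity $tagName |
    Select-Object Name, RetentionAction, RetentionType, RetentionDuration
Get-RetentionCompliancePolicy -Identity $policyName -DistributionDetail |
    Select-Object Name, Mode, DistributionStatus
```

Published labels depend on users (or an autoapply rule) to apply them; a label published this way covers only items that get it. Where the governance policy says every item must be under retention, the usual pattern is a separate retention policy with its own retention settings applied to the whole location, with this label reserved for the items that need a different lifecycle from the default.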
Next steps
Configure Microsoft Cloud Services for the CISA Zero Trust Maturity Model.