CISA’s Zero Trust Maturity Model: An Important Step Forward in Implementing Zero Trust Security Principles

Written by Sean Connelly, Senior Cybersecurity Architect and John Simms, Security Architect, CISA.

The Cybersecurity and Infrastructure Security Agency (CISA) recently released an updated Zero Trust Maturity Model (ZTMM) to help organizations assess and improve their Zero Trust security posture. Zero Trust is built off the assumption that all users, devices, and network traffic are potentially malicious and requires continuous verification and authentication. CISA’s ZTMM provides an approach to achieve continued modernization efforts related to zero trust within a rapidly evolving environment and technology landscape.

The updated Maturity Model builds upon the original ZTMM draft that federal agencies used to develop their Zero Trust architectural plans, as mandated by the White House's Executive Order 14028 and the Office of Management & Budget's (OMB) "Moving the U.S. Government Toward Zero Trust Cybersecurity Principles" M-22-09. This updated ZTMM reflects discussions and in-depth analysis with numerous federal agencies' chief information officer (CIO) and chief information security officer (CISO) offices as they developed their Zero Trust strategy and objectives, as well as a public request for comments in the fall of 2021, and engaged with the broader information technology (IT) community, including academia and international partners.

At the core of the ZTMM are the five pillars:

• Identity
• Device
• Network
• Application & Workloads
• Data

These pillars are knit together by three cross-cutting capabilities: visibility & analytics, automation & orchestration, and governance. The ZTMM provides guidance for organizations to incrementally advance across these five pillars, progressing from a traditional architecture to an optimized one. To assist organizations as they modernize their architectures, we have introduced a new "initial" stage, as organizations desired more guidance as they move away from traditional IT environments. The updated capabilities include detailed scoping descriptions, pillar-independent paths to maturity, and updated recommendations across each of the five pillars and three cross-cutting capabilities.

Future enhancements to the ZTMM will focus on addressing cybersecurity challenges for organizations as they mature their Zero Trust architecture. This includes additional content in the Application & Workload Pillar on modern approaches to maturing application platforms in the cloud, on-premise, or in a hybrid hosting environment. Additionally, the ZTMM will explore emerging technical areas that can benefit interests within the industrial control system sectors.

While one of many roadmaps, this ZTMM represents an important step forward in implementing Zero Trust security principles. It offers a structured framework to help organizations identify and mitigate security risks and build a more resilient and secure IT environment. By providing guidance on best practices for Zero Trust implementation, this model will help organizations continuously improve their security posture and better protect against modern cyber threats.

CISA provides this content for solely for informational purposes. CISA does not endorse CSA nor should CISA’s participation in this CSA publication imply the endorsement of CSA over similar entities.