Press Release

CISA Releases updated Zero Trust Maturity Model


Second version incorporates key feedback received during 2021 public comment period

WASHINGTON – Today, the Cybersecurity and Infrastructure Security Agency (CISA) published Zero Trust Maturity Model version 2, incorporating recommendations from a public comment period, and furthering the federal government’s continued progress toward a zero trust approach to cybersecurity in support of the National Cybersecurity Strategy. While the Zero Trust Maturity Model is specifically intended for federal agencies, all organizations should review this guidance and take steps to advance their progress toward a zero trust model.

Zero trust is an approach where access to data, networks and infrastructure is kept to what is minimally required and the legitimacy of that access must be continuously verified. Recognizing that organizations begin their journey toward zero trust architectures from different starting points, the update to the Zero Trust Maturity Model includes a new maturity stage called “Initial” that can be used as a guide to identify maturity for each pillar. In all four stages of maturity (Traditional, Initial, Advanced, and Optimal), CISA has also added several new functions and updated existing functions to consider when organizations plan and make decisions for zero trust architecture implementation. 

“CISA has been acutely focused on guiding agencies, who are at various points in their journey, as they implement zero trust architecture,” said Chris Butera, Technical Director for Cybersecurity, CISA. “As one of many roadmaps, the updated model will lead agencies through a methodical process and transition towards greater zero trust maturity. While applicable to federal civilian agencies, all organizations will find this model beneficial to review and use to implement their own architecture.”   

The updated maturity model provides a gradient of implementation across the five distinct pillars to facilitate implementation, allowing agencies to make minor advancements over time toward optimization of zero trust architecture. The five pillars of the Zero Trust Maturity Model are: Identity; Devices; Network, Data, and Applications and Workloads. 

CISA also published the Response to Comments for Zero Trust Maturity Model that summarizes the comments and modifications in response to version 1.0 feedback, during the 2021 public comment period. For more information about CISA’s Zero Trust work, visit Zero Trust Maturity Model.


About CISA 

As the nation’s cyber defense agency and national coordinator for critical infrastructure security, the Cybersecurity and Infrastructure Security Agency leads the national effort to understand, manage, and reduce risk to the digital and physical infrastructure Americans rely on every hour of every day.

Visit for more information and follow us on TwitterFacebookLinkedIn, Instagram