No Trust? No Problem: Maturing Towards Zero Trust Architectures


By: Eric Goldstein, Executive Assistant Director, Cybersecurity and Infrastructure Security Agency

Trust is an essential part of human connection. However, for network connections, trust can cause more harm than good. Executive Order (EO) 14208, “Improving the Nation’s Cybersecurity” is pushing agencies to adopt zero trust cybersecurity principles and adjust their network architectures accordingly. To help this effort, the Cybersecurity and Infrastructure Security Agency (CISA) developed a Zero Trust Maturity Model to assist agencies as they implement zero trust architectures. The maturity model complements the Office of Management and Budget’s (OMB) Zero Trust Strategy, designed to provide agencies with a roadmap and resources to achieve an optimal zero trust environment.

What is Zero Trust?

Zero trust is a security philosophy based on the premise that everyone and everything inside a network is suspect. Zero trust shifts the security focus from being location-centric to data-centric. In other words, instead of focusing on the network perimeter, zero trust directs security measures towards the identity of users, assets, and resources within a given network environment. Not only does the security focus shift with zero trust, but the principles and practices of cybersecurity shift as well. The old process of validating a user within a network was linear: users would provide their credentials, the system would verify the user, and then the user was granted access and considered a trusted entity within the network. The zero trust process is based on a continuous cycle of credentialing, verifying, and authorizing a user’s identity. This shift is incredibly important in a world where network perimeters are constantly changing with the increased use of remote and cloud services.

What is the Zero Trust Maturity Model?

CISA’s Zero Trust Maturity Model is one of many roadmaps for agencies to reference as they transition towards a zero trust architecture. The maturity model, which include five pillars and three cross-cutting capabilities, is based on the foundations of zero trust. Within each pillar, the maturity model provides agencies with specific examples of a traditional, advanced, and optimal zero trust architecture. It also presents ways in which various CISA services can support zero trust solutions across agencies. The framework within the CISA Zero Trust Maturity Model allows agencies to ensure they are progressing towards a comprehensive zero trust architecture. 

What’s Next?

CISA is holding a public comment period on the Zero Trust Maturity Model from Tuesday, September 7th until Friday, October 1st. During that time, reviewers can submit their comments and feedback to CISA hopes that agencies, industry, and academia will participate in the comment period to ensure the maturity model fully addresses all considerations for zero trust.


Editor’s Note: On April 11, 2023, CISA published Zero Trust Maturity Model version 2 along with a Response to Comments that summarizes the comments and modifications in response to version 1.0 feedback.