Zero Trust Maturity Model

Zero trust provides a collection of concepts and ideas designed to minimize uncertainty in enforcing accurate, least privilege per-request access decisions in information systems and services in the face of a network viewed as compromised. The goal is to prevent unauthorized access to data and services and make access control enforcement as granular as possible. Zero trust presents a shift from a location-centric model to a more data-centric approach for fine-grained security controls between users, systems, data and assets that change over time; for these reasons. This provides the visibility needed to support the development, implementation, enforcement, and evolution of security policies. More fundamentally, zero trust may require a change in an organization’s philosophy and culture around cybersecurity.

CISA's Zero Trust Maturity Model

CISA’s Zero Trust Maturity Model is one of many roadmaps for agencies to reference as they transition towards a zero trust architecture. The goal of the maturity model is to assist agencies in the development of their zero trust strategies and implementation plans and present ways in which various CISA services can support zero trust solutions across agencies.

The maturity model, which include five pillars and three cross-cutting capabilities, is based on the foundations of zero trust. Within each pillar, the maturity model provides agencies with specific examples of a traditional, advanced, and optimal zero trust architecture.

CISA drafted the Zero Trust Maturity Model in June to assist agencies in complying with the Executive Order. While the distribution was originally limited to agencies, CISA was excited to release the maturity model for public comment from Tuesday, September 7, 2021 to Friday, October 1, 2021. CISA is working to adjudicate the comments and produce an updated version of the guidance.

Federal Zero Trust Resource Hub

The Office of Management and Budget (OMB) and CISA maintain a central repository on federal zero trust guidance for the Federal Civilian Executive Branch (FCEB) agencies. This website includes the latest information and additional resources on zero trust, including the Federal Zero Trust Strategy.

Applying Zero Trust Principles to Enterprise Mobility

To support federal agencies and other organizations on their journey toward zero trust, CISA has published Applying Zero Trust Principles to Enterprise Mobility. This new publication highlights the need for special consideration for mobile devices and associated enterprise security management capabilities due to their technological evolution and ubiquitous use.  

This guidance is meant to be a complimentary effort to the recently released OMB Zero Trust Implementation Template and CISA Zero Trust Maturity Model.  

CISA drafted the Applying Zero Trust Principles to Enterprise Mobility to inform agencies about how ZT principles can be applied to currently available mobile security technologies that are likely already part of a Federal Enterprise’s Mobility Program. CISA released the document for public comment from March 7, 2022 through April 20, 2022. CISA thanks all respondents for their comments and is working to adjudicate the comments and produce an updated version of the document.


For questions concerning the Zero Trust Maturity Model, please email us at

Was this webpage helpful?  Yes  |  Somewhat  |  No