Zero Trust Maturity Model

Zero trust provides a collection of concepts and ideas designed to minimize uncertainty in enforcing accurate, least privilege per-request access decisions in information systems and services in the face of a network viewed as compromised. The goal is to prevent unauthorized access to data and services and make access control enforcement as granular as possible. Zero trust presents a shift from a location-centric model to a more data-centric approach for fine-grained security controls between users, systems, data and assets that change over time; for these reasons. This provides the visibility needed to support the development, implementation, enforcement, and evolution of security policies. More fundamentally, zero trust may require a change in an organization’s philosophy and culture around cybersecurity.

CISA's Zero Trust Maturity Model Version 2.0

CISA’s Zero Trust Maturity Model is one of many roadmaps that agencies can reference as they transition towards a zero trust architecture. The maturity model aims to assist agencies in the development of zero trust strategies and implementation plans and to present ways in which various CISA services can support zero trust solutions across agencies.

The maturity model, which includes five pillars and three cross-cutting capabilities, is based on the foundations of zero trust. Within each pillar, the maturity model provides specific examples of traditional, initial, advanced, and optimal zero trust architectures.

Version 1.0 of the ZTMM opened for public comment in September 2021. The Response to Comments for Zero Trust Maturity Model summarizes the comments and modifications in response to version 1.0 feedback.

Version 2.0 incorporates alignment to OMB M-22-09, published in January 2022.

Click here for a downloadable version of the Zero Trust Maturity Model V2.0.

Federal Zero Trust Resource Hub

The Office of Management and Budget (OMB) and CISA maintain a central repository on federal zero trust guidance for the Federal Civilian Executive Branch (FCEB) agencies. This website includes the latest information and additional resources on zero trust, including the Federal Zero Trust Strategy.

Click here to check out

Applying Zero Trust Principles to Enterprise Mobility

To support federal agencies and other organizations on their journey toward zero trust, CISA has published Applying Zero Trust Principles to Enterprise Mobility. This new publication highlights the need for special consideration for mobile devices and associated enterprise security management capabilities due to their technological evolution and ubiquitous use.  

This guidance is meant to be a complementary effort to the recently released OMB Zero Trust Implementation Template and CISA Zero Trust Maturity Model.  

CISA drafted the Applying Zero Trust Principles to Enterprise Mobility to inform agencies about how ZT principles can be applied to currently available mobile security technologies that are likely already part of a Federal Enterprise’s Mobility Program. CISA released the document for public comment from March 7, 2022, through April 20, 2022. CISA thanks all respondents for their comments and is working to adjudicate the comments and produce an updated version of the document.

Click here for a downloadable version of the Applying Zero Trust Principles to Enterprise Mobility (pdf, 1.11MB).