The CISA Zero Trust Maturity Model (ZTMM) is a comprehensive framework designed to guide organizations, particularly federal agencies, in transitioning from traditional perimeter-based security to a zero trust architecture, which assumes no implicit trust and requires continuous verification of every user and device. The model is structured around five key pillars—Identity, Devices, Networks, Applications and Workloads, and Data—each representing a critical aspect of enterprise security. It also highlights three cross-cutting capabilities: Visibility and Analytics, Automation and Orchestration, and Governance, which support and enhance the effectiveness of the pillars. For each pillar, the ZTMM defines four stages of maturity: Traditional (manual, siloed controls), Initial (beginning automation and integration), Advanced (coordinated, automated controls and centralized visibility), and Optimal (fully automated, dynamic, and enterprise-wide enforcement of least privilege and security policies). By following the ZTMM, organizations can assess their current security posture, develop actionable plans, and incrementally implement zero trust principles to achieve granular, adaptive, and resilient cybersecurity
Home / Function (NIST CSF 2.0) / PR - Protect / AC - Access Control / Authorization
CISA Zero Trust Maturity Model
This document focuses on:Zero Trust