CISA Zero Trust Maturity Model v2 Released

Posted: Thursday April 20, 2023
Author: Jason Garbis

Last week, the United States' Cybersecurity and Infrastructure Security Agency (CISA) released the long-anticipated version 2 of its Zero Trust Maturity Model. The original version, classified as a Pre-Decisional Draft, was published in June 2021, and the agency accepted public comments on it throughout that fall.

This new version reflects over 370 public comments, as well as lessons and discussions from multiple sources, including the NSTAC report. The authors also updated the document to align with the Federal Zero Trust strategy (OMB M-22-09). You can see their summary of the updates (and the update process) here.

The five pillars are conceptually unchanged, apart from slight renamings: "Network / Environment" is now "Networks", and "Application Workload" has become "Applications & Workloads".

The most important change is the addition of a new maturity level, Initial, sitting between Traditional and Advanced to better capture the first steps an organization takes on its Zero Trust journey. The model now has four levels (Traditional, Initial, Advanced, and Optimal), and the descriptions of each level have been expanded, refined with more detail, and rebalanced across the four.

Overall, this is a welcome and necessary update, given how much progress the public and private sectors have made in the past two years. The document is well worth the time to read and understand, and to use as a reference for mapping your organization's current status and plans for its Zero Trust strategy.

I’ll be posting more in-depth discussions about this revised model in the not-too-distant future, and the Cloud Security Alliance Zero Trust working group is also planning for an update.