Taking the CISA Zero Trust Maturity Model to the Next Level: Introducing ZTMM+
Posted: Sunday January 26, 2025
Author: Numberline Marketing
The CISA Zero Trust Maturity Model (ZTMM) is a valuable resource for organizations looking to implement Zero Trust principles. It provides a clear framework for assessing maturity levels across its five key pillars: Identity, Devices, Networks, Applications and Workloads, and Data. However, while the CISA ZTMM provides a solid foundation, it does have limitations, particularly when applied to the private sector.
Drawing on our extensive experience applying the ZTMM across both the private and public sectors, we recognized the need for a clearer, more comprehensive, more objective, and more broadly applicable model. Our goal is to share the lessons we learned and the improvements we developed through numerous conversations, written reports, and both formal and informal maturity assessments.
We are excited to introduce ZTMM+, our enhanced and extended version of the CISA ZTMM. ZTMM+ provides a more robust and practical framework for private sector organizations to assess and enhance their Zero Trust maturity.
We’ve undertaken the following key improvements:
- Defined Pillar Functions: While the core of the CISA model is its 40 functions across the pillars, surprisingly the baseline CISA model does not actually define these functions. We filled this gap, providing clear definitions so that the framework becomes more broadly understood and approachable.
- Clarified Maturity Levels: We disagreed with the CISA maturity progressions for several of the functions. To address this, we clarified and redefined fifteen of the attributes across their maturity levels. This improves their usefulness and relevance for enterprises.
- Added New Functions: Recognizing the holistic nature of Zero Trust, as well as enterprises’ evolving needs, we introduced eight entirely new functions across the pillars. These additions address critical areas not fully covered in the original ZTMM.
- Developed a Structured Methodology for Maturity Assessments: ZTMM+ includes a detailed methodology for conducting maturity assessments, providing organizations with a repeatable and consistent approach to evaluate their Zero Trust progress.
For specific examples, see the ZTMM+ webpage here.
ZTMM+ represents just one element of our larger reimagining of the Zero Trust approach, stemming from our practical experience. Over the coming months, we’ll be revealing more about our evolving Zero Trust methodology and framework, and the resources we are developing to support organizations in their journey to a more secure future.
Interested in learning more about ZTMM+? Sign up for a complimentary ZTMM+ briefing here.
In this free, 30-minute session, we’ll walk you through our enhancements and changes to the maturity model, and also explain our recommended methodology for applying this maturity model to your organization.
Learn more on our ZTMM+ web page here, and sign up for your free briefing here.
Update: The ZTMM+ Self-Service Assessment kit is now live in our digital store!
