The Zero Trust Maturity Model Resource Center

Because Zero Trust is a journey, organizations need a map to tell them where they’re starting from, and where they’re going. A Zero Trust Maturity Model (ZTMM) provides them with such a map, and performing a maturity self-assessment is an excellent way for organizations to begin their journey.

While there are numerous Zero Trust Maturity Models that have been published, the most prominent such model is from the United States Cybersecurity and Infrastructure Security Agency (CISA). They first published a draft version for public commentary in June 2021, and recently updated this with a revised version in April 2023 (the full CISA Zero Trust Maturity Model site is here).

The CISA model has been widely accepted throughout the industry, and serves as a baseline vocabulary and framework. Of course, security leaders naturally want to know how to best apply this model to their organization. This site, created and maintained by Numberline Security, is intended to provide this guidance.

This page currently contains:

Quick Link: Current version of the Zero Trust Maturity Model spreadsheet: v1.0.0: Google Sheets Link and Excel version

To receive updates from Numberline Security about this site, subscribe here, or follow us on LinkedIn and Mastodon.

The CISA Maturity Model

Note: We highly recommend that you thoroughly read the CISA Zero Trust Maturity Model in order to get the most value from this site.

The CISA Zero Trust Maturity Model introduces five pillars, three cross-cutting capabilities, and four maturity levels, shown in the image below.

Source: CISA Zero Trust Maturity Model, Figure 3

CISA defines each of the terms as follows (all quoted verbatim from the CISA Maturity Model):

The pillars are defined as:

Identity: An identity refers to an attribute or set of attributes that uniquely describes an agency user or entity, including non-person entities.

Devices: A device refers to any asset (including its hardware, software, firmware, etc.) that can connect to a network, including servers, desktop and laptop machines, printers, mobile phones, IoT devices, networking equipment, and more.

Networks: A network refers to an open communications medium including typical channels such as agency internal networks, wireless networks, and the Internet as well as other potential channels such as cellular and application-level channels used to transport messages.

Applications & Workloads: Applications and workloads include agency systems, computer programs, and services that execute on-premises, on mobile devices, and in cloud environments.

Data: Data includes all structured and unstructured files and fragments that reside or have resided in federal systems, devices, networks, applications, databases, infrastructure, and backups (including on-premises and virtual environments) as well as the associated metadata.

The three cross-cutting capabilities are defined as follows:

Visibility and Analytics: Visibility refers to the observable artifacts that result from the characteristics of and events within enterprise-wide environments. The focus on cyber-related data analysis can help inform policy decisions, facilitate response activities, and build a risk profile to develop proactive security measures before an incident occurs.

Automation and Orchestration: Zero trust makes full use of automated tools and workflows that support security response functions across products and services while maintaining oversight, security, and interaction of the development process for such functions, products, and services.

Governance: Governance refers to the definition and associated enforcement of agency cybersecurity policies, procedures, and processes, within and across pillars, to manage an agency’s enterprise and mitigate security risks in support of zero trust principles and fulfillment of federal requirements.

And the maturity levels are defined as:

Traditional: Manually configured lifecycles (i.e., from establishment to decommissioning) and assignments of attributes (security and logging); static security policies and solutions that address one pillar at a time with discrete dependencies on external systems; least privilege established only at provisioning; siloed pillars of policy enforcement; manual response and mitigation deployment; and limited correlation of dependencies, logs, and telemetry.

Initial: Starting automation of attribute assignment and configuration of lifecycles, policy decisions and enforcement, and initial cross-pillar solutions with integration of external systems; some responsive changes to least privilege after provisioning; and aggregated visibility for internal systems.

Advanced: Wherever applicable, automated controls for lifecycle and assignment of configurations and policies with cross-pillar coordination; centralized visibility and identity control; policy enforcement integrated across pillars; response to pre-defined mitigations; changes to least privilege based on risk and posture assessments; and building toward enterprise-wide awareness (including externally hosted resources).

Optimal: Fully automated, just-in-time lifecycles and assignments of attributes to assets and resources that self-report with dynamic policies based on automated/observed triggers; dynamic least privilege access (just-enough and within thresholds) for assets and their respective dependencies enterprise-wide; cross-pillar interoperability with continuous monitoring; and centralized visibility with comprehensive situational awareness.

Assessing Your Maturity

CISA provides two ways for organizations to assess their maturity.

At the highest level, they include a table showing the attributes of each maturity level for each of the five pillars. This is shown below, directly from the CISA Zero Trust Maturity Model report.

While useful as a high-level set of goals, we believe that CISA’s detailed view is more actionable and more valuable for organizations. This view relies on the 40 functions that they’ve defined across the five pillars, and for each of these they’ve provided a description of what the function looks like at each level of maturity.

Identity
  • Authentication
  • Identity Stores
  • Risk Assessments
  • Access Management
  • Visibility and Analytics Capability
  • Automation and Orchestration Capability
  • Governance Capability

Networks
  • Network Segmentation
  • Network Traffic Management
  • Traffic Encryption
  • Network Resilience
  • Visibility and Analytics Capability
  • Automation and Orchestration Capability
  • Governance Capability

Data
  • Data Inventory Management
  • Data Categorization
  • Data Availability
  • Data Access
  • Data Encryption
  • Visibility and Analytics Capability
  • Automation and Orchestration Capability
  • Governance Capability

Devices
  • Policy Enforcement & Compliance Monitoring
  • Asset & Supply Chain Risk Management
  • Resource Access
  • Device Threat Protection
  • Visibility and Analytics Capability
  • Automation and Orchestration Capability
  • Governance Capability

Applications and Workloads
  • Application Access
  • Application Threat Protections
  • Accessible Applications
  • Secure Application Development and Deployment Workflow
  • Application Security Testing
  • Visibility and Analytics Capability
  • Automation and Orchestration Capability
  • Governance Capability

Cross-Cutting Capabilities
  • Visibility and Analytics Capability
  • Automation and Orchestration Capability
  • Governance Capability

For example, the Network Segmentation function maturity levels are defined as follows:

As such, this detailed view represents the best starting point by which organizations can perform a Zero Trust self-assessment, and is the model for which we’ve created an interactive spreadsheet, described below.

Is This Applicable to Enterprises (Non-Federal Agencies)?

Yes, absolutely. While the CISA maturity model is written for a Federal agency audience, and includes language such as “Agencies should…”, the document states in its introduction that “While the ZTMM is specifically tailored for federal agencies…all organizations should review and consider adoption of the approaches outlined in this document.” (emphasis ours).

So enterprises and other organization types can (and should) use this model, by simply replacing the term “agency” with “enterprise” or “organization”.

In future updates to this resource center, we will create enterprise-friendly versions of the assets.

Zero Trust Maturity Model Spreadsheet

We have created a free and open spreadsheet version of the CISA Zero Trust Maturity Model here as a Google Sheets file.

The Microsoft Excel version is here (downloading the Google Sheets file as Microsoft Excel introduces some minor errors).

This Google Sheets version is read-only to preserve its integrity, but freely available to be copied and used by your organization.

This spreadsheet has 4 worksheet tabs:


This worksheet contains an overview, instructions, and details of the formulas used.

CISA Zero Trust Maturity Model:

This worksheet contains the CISA Zero Trust Maturity Model values for each of the 40 functions, in a tabular, plain text format. This worksheet is intended for you to copy, edit, and modify as needed.

Interactive Worksheet:

This worksheet is designed to let you easily self-assess your organization’s maturity level for each of the functions within the pillars.

For each row, select one of the following maturity levels using the dropdown menu in Column F, My Organization’s Maturity:

  • Traditional
  • Initial
  • Advanced
  • Optimal
  • Unknown

Note that in addition to the four levels defined in the CISA ZTMM, we’ve added Unknown for those areas where you don’t have sufficient information to make a reasonable assessment.

The shading in columns G-J will automatically adjust to reflect your selection:

Maturity Model Assessment

We’ve also created a separate Maturity Model Assessment worksheet on which you can easily and compactly view the results of your self-assessment, formatted for simple viewing and sharing. This worksheet automatically adjusts based on your selections on the interactive worksheet.

Each row shows shaded blocks corresponding to the selected level of maturity for that function. Any rows for which Unknown is selected will be shown as unshaded, like in the Visibility and Analytics Capability row within the Identity section in the image above.
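To make the assessment logic concrete outside the spreadsheet, here is an added Python example (not the Numberline spreadsheet’s own formulas, and not CISA’s) that models the same self-assessment: the 40 CISA functions grouped by pillar, one selection per function from the four CISA levels plus Unknown, the per-level shading of columns G-J, and the compact assessment view in which an Unknown row stays unshaded. The function list is transcribed from the CISA ZTMM v2.0; the `assess`, `shading`, `render` and `summary` names and the sample selections are constructed for this example.

```python
"""Added example: a minimal model of a CISA ZTMM self-assessment.

Mirrors the spreadsheet's behaviour: every one of the 40 functions gets one
of the four CISA levels or 'Unknown'; the assessment view shades one block
per level reached, and 'Unknown' stays unshaded.
"""
from collections import Counter

LEVELS = ["Traditional", "Initial", "Advanced", "Optimal"]  # CISA order
UNKNOWN = "Unknown"  # extra value added by the spreadsheet, not by CISA
CROSS_CUTTING = [
    "Visibility and Analytics Capability",
    "Automation and Orchestration Capability",
    "Governance Capability",
]

# Functions per pillar as listed in the CISA ZTMM v2.0 (40 in total).
FUNCTIONS = {
    "Identity": ["Authentication", "Identity Stores", "Risk Assessments",
                 "Access Management"] + CROSS_CUTTING,
    "Devices": ["Policy Enforcement & Compliance Monitoring",
                "Asset & Supply Chain Risk Management", "Resource Access",
                "Device Threat Protection"] + CROSS_CUTTING,
    "Networks": ["Network Segmentation", "Network Traffic Management",
                 "Traffic Encryption", "Network Resilience"] + CROSS_CUTTING,
    "Applications and Workloads": [
        "Application Access", "Application Threat Protections",
        "Accessible Applications",
        "Secure Application Development and Deployment Workflow",
        "Application Security Testing"] + CROSS_CUTTING,
    "Data": ["Data Inventory Management", "Data Categorization",
             "Data Availability", "Data Access", "Data Encryption"] + CROSS_CUTTING,
    "Cross-Cutting Capabilities": list(CROSS_CUTTING),
}


def function_count():
    """Total number of functions across all pillars (40 for CISA v2.0)."""
    return sum(len(funcs) for funcs in FUNCTIONS.values())


def shading(level):
    """Four booleans, one per level column (G-J in the sheet): True = shaded.

    'Unknown' yields no shading. Any other unrecognised value is rejected
    rather than silently scored as Traditional, which would understate risk.
    """
    if level == UNKNOWN:
        return [False] * len(LEVELS)
    if level not in LEVELS:
        raise ValueError(f"not a maturity level: {level!r}")
    reached = LEVELS.index(level)
    return [i <= reached for i in range(len(LEVELS))]


def assess(selections):
    """selections maps (pillar, function) -> level.

    Functions with no selection default to 'Unknown', as an unfilled
    dropdown would. Returns (pillar, function, level, shading) per row.
    """
    rows = []
    for pillar, funcs in FUNCTIONS.items():
        for func in funcs:
            level = selections.get((pillar, func), UNKNOWN)
            rows.append((pillar, func, level, shading(level)))
    return rows


def render(rows):
    """Text version of the assessment view: one line of blocks per function."""
    lines = []
    for pillar, func, level, shade in rows:
        blocks = "".join("\u2588" if s else "\u2591" for s in shade)
        lines.append(f"{pillar:28} {func:54} {blocks} {level}")
    return "\n".join(lines)


def summary(rows):
    """Per-pillar count of functions at each level; a quick way to see which
    pillar is furthest behind or least understood (most 'Unknown')."""
    out = {}
    for pillar, _func, level, _shade in rows:
        out.setdefault(pillar, Counter())[level] += 1
    return out


if __name__ == "__main__":
    # Constructed sample selections for illustration only.
    sample = {
        ("Identity", "Authentication"): "Advanced",
        ("Identity", "Identity Stores"): "Initial",
        ("Identity", "Visibility and Analytics Capability"): "Unknown",
        ("Networks", "Network Segmentation"): "Traditional",
        ("Networks", "Traffic Encryption"): "Optimal",
    }
    result = assess(sample)
    print(render(result))
    for pillar, counts in summary(result).items():
        print(pillar, dict(counts))
```

Defaulting an unselected function to Unknown rather than Traditional is deliberate: an unshaded row flags a gap in knowledge to go and close, whereas a silently assigned Traditional would be read as a known, assessed baseline.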

Other Zero Trust Maturity models

While the CISA maturity model has taken root as the most visible, vendor-neutral model, there are of course others worth considering, including:

  • United States Department of Defense

The DoD’s Zero Trust documents include the Zero Trust Reference Architecture (with a maturity model), and the DoD Zero Trust Strategy document, which includes the DoD’s pillars.

Several vendors have also published their Zero Trust maturity models, which while useful, have not achieved widespread adoption in the industry.

Questions, Feedback, or Commentary?

We’d like to see how you’re using this document, and hear suggestions for changes and improvements. Contact us via email at