ZTMM+

Numberline’s enhanced, extended, and more effective version of the CISA Zero Trust Maturity Model

The United States Cybersecurity and Infrastructure Security Agency (CISA) has provided a free, public domain Zero Trust Maturity Model (ZTMM), which has been widely adopted across both public and private sector organizations worldwide. The CISA ZTMM is a valuable resource for organizations implementing Zero Trust principles: it provides a clear framework for assessing maturity across its five pillars, Identity, Devices, Networks, Applications and Workloads, and Data.

While the ZTMM provides a solid foundation, it does have a number of flaws and limitations, particularly when applied to the private sector. Drawing on Numberline’s extensive experience applying the ZTMM across both the private and public sectors, we developed an enhanced, extended, more comprehensive, and more broadly applicable model: ZTMM+.

ZTMM+ is a more robust and practical framework, with the following key improvements:

  • Defined CISA’s Pillar Functions: While the core of the CISA model is its 40 functions across the pillars, the baseline CISA model does not actually define these functions. ZTMM+ fills this gap, providing clear definitions and making the framework more broadly understood and approachable.

For example, within ZTMM+ we define the Identity Risk Assessment function as: Evaluation and detection of risk based on factors such as stolen credentials, password reset abuse, impossible travel, geolocation, anomalous activity, behavioral analytics, spearphishing, and Identity Threat Detection and Response (ITDR), as indications of identity compromise.

This definition provides proper scope and context, with which enterprises can more easily and objectively assess their maturity. 

  • Clarified Maturity Levels: Several of the functions’ maturity progressions were off-target for private-sector enterprise environments. ZTMM+ clarifies and redefines fifteen of the functions’ maturity levels, improving their usefulness and relevance for enterprises.

For example, let’s look at the Access Management function within the Identity Pillar. The original maturity progression from CISA is as follows:

Traditional: Agency authorizes permanent access with periodic review for both privileged and unprivileged accounts.

Initial: Agency authorizes access, including for privileged access requests, that expires with automated review.

Advanced: Agency authorizes need-based and session-based access, including for privileged access requests, that is tailored to actions and resources.

Optimal: Agency uses automation to authorize just-in-time and just-enough access tailored to individual actions and individual resource needs.

This progression does not call out the access review process clearly enough, and it does not say how access policies should use session and identity context when making decisions.

Our enhanced and clarified version of the Access Management function is as follows:

Traditional: Enterprise authorizes permanent access for both privileged and unprivileged accounts. Access reviews are basic, periodic, and manual.

Initial: Enterprise authorizes access, including privileged access, via access request and approval processes. Access reviews can result in access removal. Privileged access may be temporarily granted.

Advanced: Enterprise authorizes request-based and session-based access, including privileged access, that is tailored to actions and resources. Access policies use session and identity attributes (including roles) to make access decisions.

Optimal: Enterprise uses automation to authorize just-in-time and just-enough access tailored to individual actions and individual resource needs. Access policies use session and identity attributes to make access decisions, with minimal access granted.
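To make the difference between the two ends of this progression concrete, here is an added example (not code from Numberline, CISA, or the ZTMM+ kit) contrasting a Traditional-level decision, where a standing entitlement to a resource permits any action indefinitely and ignores session context, with an Optimal-level decision, where automation issues a time-bounded grant scoped to the requested actions on one resource and only when session and identity attributes (MFA, device compliance, roles) satisfy policy. The attribute names, the role policy table, and the sample users and resources are hypothetical constructions for illustration.

```python
"""Added example (not Numberline's or CISA's code): a toy policy engine
contrasting the Traditional and Optimal maturity levels of the Access
Management function.  All identifiers, attributes and sample data are
hypothetical constructions for illustration."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional, Set


@dataclass(frozen=True)
class Session:
    """Identity and session attributes visible to the policy (assumed names)."""
    user: str
    roles: frozenset
    mfa: bool
    device_compliant: bool
    now: datetime


@dataclass(frozen=True)
class Grant:
    """A scoped, time-bounded grant: the just-in-time / just-enough model."""
    user: str
    resource: str
    actions: frozenset
    expires_at: datetime


# Constructed role policy: which actions a role may ever request, and on
# which resource prefix.  Real deployments would load this from a policy store.
ROLE_POLICY = {
    "db-operator": ("db/", {"read", "restart"}),
    "db-admin": ("db/", {"read", "restart", "schema-change"}),
    "analyst": ("reports/", {"read"}),
}


def traditional_decision(standing_access: Dict[str, Set[str]],
                         user: str, resource: str, action: str) -> bool:
    """Traditional level: permanent entitlements and no session context.
    Holding the resource permits every action on it, forever."""
    return resource in standing_access.get(user, set())


def request_jit_grant(session: Session, resource: str, actions: Set[str],
                      ttl: timedelta,
                      max_ttl: timedelta = timedelta(hours=1)) -> Optional[Grant]:
    """Optimal level: automation issues a grant only for the requested actions
    on a single resource, capped in time, and only if the session qualifies."""
    if not session.mfa or not session.device_compliant:
        return None  # session attributes gate the request itself
    allowed: Set[str] = set()
    for role in session.roles:
        prefix, acts = ROLE_POLICY.get(role, ("", set()))
        if prefix and resource.startswith(prefix):
            allowed |= acts
    if not actions <= allowed:
        return None  # just-enough: never grant beyond what the roles permit
    return Grant(session.user, resource, frozenset(actions),
                 session.now + min(ttl, max_ttl))


def optimal_decision(grant: Optional[Grant], session: Session,
                     resource: str, action: str) -> bool:
    """Every request is re-evaluated against the scoped grant and current session."""
    if grant is None or grant.user != session.user:
        return False
    if session.now >= grant.expires_at:
        return False  # just-in-time: access lapses without a review cycle
    return resource == grant.resource and action in grant.actions


def demo() -> Dict[str, bool]:
    """Run a constructed scenario and return the decisions as a dict."""
    t0 = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    alice = Session("alice", frozenset({"db-operator"}), True, True, t0)
    alice_later = Session("alice", alice.roles, True, True, t0 + timedelta(minutes=31))
    alice_no_mfa = Session("alice", alice.roles, False, True, t0)
    standing = {"alice": {"db/orders"}}  # Traditional-level entitlement table
    grant = request_jit_grant(alice, "db/orders", {"read"}, timedelta(minutes=30))
    return {
        # Traditional: the standing entitlement allows a destructive action too.
        "traditional_allows_schema_change": traditional_decision(standing, "alice", "db/orders", "schema-change"),
        "jit_read_granted": grant is not None,
        "jit_read_allowed": optimal_decision(grant, alice, "db/orders", "read"),
        "jit_schema_change_denied": not optimal_decision(grant, alice, "db/orders", "schema-change"),
        "jit_other_resource_denied": not optimal_decision(grant, alice, "db/inventory", "read"),
        "jit_expired_denied": not optimal_decision(grant, alice_later, "db/orders", "read"),
        "jit_over_role_refused": request_jit_grant(alice, "db/orders", {"schema-change"}, timedelta(minutes=30)) is None,
        "jit_without_mfa_refused": request_jit_grant(alice_no_mfa, "db/orders", {"read"}, timedelta(minutes=30)) is None,
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The point of the contrast is the assessment question behind the Advanced and Optimal levels: not whether a role model exists, but whether each decision consumes session attributes, whether grants are bounded to specific actions and resources, and whether access expires on its own rather than waiting for a periodic review.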
  • Added New Functions: ZTMM+ introduces several entirely new functions across the pillars, addressing critical areas not fully covered in the original ZTMM. These new functions better support the holistic nature of Zero Trust, as well as enterprises’ evolving needs.

For example, our model adds Device Lifecycle Management within the Devices pillar, and Secure Internet Access within the Networks pillar, among other new functions.

  • Created Function Attributes – in order to properly and objectively evaluate an enterprise, each of CISA’s functions must be further decomposed into its specific attributes. Within ZTMM+, we’ve defined over 80 characteristics across functions, which are captured in specific prompt questions to be evaluated during a maturity assessment.

For example, the Network Segmentation function within the Networks pillar has four associated questions:

  • What network segmentation capabilities does the enterprise have?
  • How is User-to-Service (North-South) network traffic segmented?
  • How is Service-to-Service (East-West) network traffic segmented?
  • How dynamic or static are the network access control policies?

Each question has four pre-written answers that map directly to maturity levels. This structure enables enterprises to obtain a clearer and more objective assessment of their Zero Trust maturity, and of how to improve it. To give one example, the question How is User-to-Service (North-South) network traffic segmented? has the following four levels defined:

Traditional: Traditional flat and wide open enterprise network for user access to resources.

Initial: Basic coarse-grained network segmentation of user access by production state, business function, department, etc. (e.g. by VLAN). May have some initial pockets or pilot projects for fine-grained segmentation by resource or service.

Advanced: Some areas of the network have fine-grained user access controls, with a plan and roadmap for enforcing this more broadly across the network.

Optimal: All (or nearly all) network resources have fine-grained user access controls in place protecting them.
  • Developed a Structured Methodology for Maturity Assessments: ZTMM+ includes a detailed methodology for conducting maturity assessments, providing organizations with a repeatable and consistent approach to evaluate their Zero Trust progress.

Service Offerings

Numberline offers multiple options for how your enterprise can apply ZTMM+, based on your team’s experience, breadth, availability, and familiarity with Zero Trust concepts.

The three service tiers are the Self-Service ZTMM+ Assessment, the Guided ZTMM+ Assessment, and the Full-Service ZTMM+ Assessment. The features and services that make up the tiers are:

  • Full ZTMM+ maturity model
  • Interactive spreadsheet for documenting and scoring your enterprise
  • Video training guide to ensure readiness to perform an effective assessment
  • Numberline security expert consultation
  • Expert-led kick-off session and deep-dive on one pillar of your choosing
  • Expert progress review in a checkpoint session, and feedback on draft self-assessment
  • ZTMM+ Assessment led by Numberline’s Zero Trust experts
  • Numberline experts to lead, write, and deliver a complete assessment of your enterprise’s maturity
  • Numberline to provide detailed documentation and a presentation for stakeholders

Interested in learning more about ZTMM+? Sign up for a complimentary ZTMM+ briefing here. In this free, 30-minute session, we walk you through our enhancements and changes to the maturity model, and explain our recommended methodology for applying it to your organization.

For additional information, download the ZTMM+ datasheet here.

Update: The ZTMM+ Self-Service Assessment kit is now live in our digital store!