The Cybersecurity and Infrastructure Security Agency (CISA) leads the nation's effort to understand, manage, and reduce cybersecurity risk, including by supporting Federal Civilian Executive Branch (FCEB) agencies in evolving and operationalizing cybersecurity programs and capabilities. CISA's Zero Trust Maturity Model (ZTMM) provides an approach to continued modernization efforts related to zero trust within a rapidly evolving environment and technology landscape. The ZTMM is one of many paths an organization can take in designing and implementing its transition plan to a zero trust architecture in accordance with Executive Order (EO) 14028, "Improving the Nation's Cybersecurity," § 3(b)(ii) [1], which requires that agencies develop a plan to implement a Zero Trust Architecture (ZTA). While the ZTMM is specifically tailored for federal agencies as required by EO 14028, all organizations should review and consider adopting the approaches outlined in this document.
- Current Environment
Recent cyber incidents [2, 3] have highlighted the broad challenges of ensuring effective cybersecurity across the federal government, as with many large enterprises, and demonstrate that "business as usual" approaches are no longer sufficient to defend the nation from cyber threats. In leading the national effort to understand, manage, and reduce cyber risk, CISA must meet new challenges to safeguard the federal civilian executive branch using a clear, actionable, and risk-informed approach. Adequate cyber defense against emerging threats requires increased speed and agility to outpace adversaries: substantially raising the cost to threat actors while improving durability and resiliency so that full operational capability can be recovered quickly.
CISA’s cybersecurity mission is to defend and secure cyberspace by leading national efforts to drive and enable effective national cyber defense, enhance resilience of national critical functions, and advance a robust technology ecosystem. CISA plays a critical role in maintaining cyber situational awareness across FCEB agencies; securing the .gov domain; and aiding federal civilian agencies, critical infrastructure owners and operators, as well as industry partners in managing major cyber incidents. While CISA maintains capabilities to defend against and mitigate known or suspected cyber threats, an evolving threat landscape and the adoption of new and emerging technologies pose challenges.
EO 14028 marked a renewed commitment to and prioritization of federal cybersecurity modernization. Among other policy mandates, EO 14028 embraced zero trust as the desired security model for the federal government and called for FCEB agencies to develop plans to implement ZTAs. A typical plan assesses an agency's current cybersecurity state and charts the path to a fully implemented ZTA. As the lead agency for federal cybersecurity and risk reduction, CISA offers the ZTMM to assist agencies in developing their zero trust strategies and continuing to evolve their implementation plans, and to present ways in which various CISA services can support zero trust solutions across agencies.