CISA releases Zero Trust Maturity Model v2.0
CISA's Zero Trust Maturity Model v2.0, released in April 2023, refined the framework for federal agencies. It defines identity, devices, networks, applications, and data pillars, each with maturity levels. Use it as a benchmark for your zero trust journey.
Verified for technical accuracy — Kodi C.
In April 2023 the Cybersecurity and Infrastructure Security Agency (CISA) released Zero Trust Maturity Model v2.0, refining the maturity stages (Traditional, Initial, Advanced, Optimal) across identity, devices, networks, applications/workloads, and data. The update adds an automation and orchestration theme and maps capabilities to Executive Order 14028 and OMB Memorandum M-22-09 requirements.
Five pillars of zero trust
- Identity: Continuous validation of users and entities through MFA, risk-based authentication, and identity governance. Progress from traditional password-based to phishing-resistant authentication.
- Devices: Real-time compliance verification, endpoint detection and response, and asset inventory management. Move toward continuous device health assessment.
- Networks: Micro-segmentation, encrypted traffic inspection, and dynamic policy enforcement. Shift from perimeter-based to identity-aware network controls.
- Applications and Workloads: Application-level segmentation, continuous integration/deployment security, and workload isolation. Implement least-privilege access controls.
- Data: Data classification, loss prevention, and encryption at rest and in transit. Enable data-centric security policies.
Automation and orchestration
Version 2.0 introduces automation as a cross-cutting theme, emphasizing policy automation, security orchestration, and AI/ML-driven threat response. If you are affected, assess your automation maturity and incorporate orchestration objectives into your implementation roadmap.
Guidance for teams
Federal agencies and the vendors supporting them should realign zero trust roadmaps, assess gaps against the revised capability sets (for example, continuous authorization and dynamic segmentation), and incorporate automation objectives into FY2024 budget and acquisition plans. The model provides a roadmap for progressive implementation from the Traditional to the Optimal maturity level.
Framework Overview
The CISA Zero Trust Maturity Model Version 2.0 provides federal agencies and other organizations with a comprehensive roadmap for implementing zero trust architecture. The updated model expands on the original 2021 release by incorporating lessons learned from early adopters and aligning with OMB Memorandum M-22-09 requirements for implementing the federal zero trust strategy.
The model defines five pillars of zero trust: Identity, Devices, Networks, Applications and Workloads, and Data. Each pillar progresses through four maturity stages—Traditional, Initial, Advanced, and Optimal—enabling organizations to assess their current state and plan incremental improvements toward full zero trust implementation.
Identity Pillar Requirements
Identity management forms the foundation of zero trust architecture. The model requires organizations to implement phishing-resistant multi-factor authentication, continuous identity verification, and risk-based access decisions. At the Advanced and Optimal maturity levels, organizations must integrate identity signals with device health and behavioral analytics to inform real-time access decisions.
Federal agencies must focus on identity consolidation, eliminating disparate identity stores and establishing enterprise-wide identity governance. Integration with existing PIV/CAC credentials for federal users while extending zero trust principles to contractors and partners requires careful architectural planning.
Device and Network Security
Device security requirements mandate full asset inventory, continuous compliance monitoring, and automated response capabilities for non-compliant devices. Organizations must implement endpoint detection and response (EDR) solutions and integrate device health signals into access control decisions.
Network security shifts from perimeter-based controls to micro-segmentation and encrypted communications. The model emphasizes software-defined networking capabilities enabling dynamic policy enforcement and east-west traffic inspection. Organizations must reduce implicit trust zones and implement network access based on authenticated identity and device posture.
Application and Data Protection
Application security requires organizations to implement secure development practices, continuous security testing, and runtime protection mechanisms. Applications must authenticate and authorize all requests, implementing the principle of least privilege for service accounts and API access.
Data protection includes classification, encryption, data loss prevention, and access logging. Organizations must implement attribute-based access control for sensitive data and maintain full audit trails supporting forensic investigation and compliance requirements.
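The Identity, Device and Data pillar requirements above all converge on a single point: a policy decision that checks identity assurance, device posture and data attributes on every request. The following is an added illustration written for this page, not CISA's code or tooling. The attribute names, the 15-minute posture window, the risk-score scale, the classification labels and the sample requests are assumptions chosen for the demo.

```python
"""Illustrative zero trust policy decision point (PDP).

Added example: combines identity assurance, device posture and
data-classification attributes into one access decision, in the spirit of the
ZTMM identity, device and data pillars. Attribute names, thresholds and the
sample requests are assumptions for this demo, not CISA's definitions.
"""
from dataclasses import dataclass, field
from enum import Enum

PHISHING_RESISTANT = {"fido2", "piv"}   # assumption: authenticators counted as phishing-resistant
POSTURE_MAX_AGE_MIN = 15                 # assumption: device health must be re-checked every 15 min
CLASSIFICATION_RANK = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}


class Decision(Enum):
    ALLOW = "allow"
    STEP_UP = "step_up"   # continue only after stronger authentication or fresh attestation
    DENY = "deny"


@dataclass
class Identity:
    user: str
    auth_method: str      # "password", "otp", "fido2", "piv"
    clearance: str        # highest classification this subject may access
    risk_score: int       # 0-100 from the identity provider / UEBA (assumed scale)


@dataclass
class Device:
    device_id: str
    managed: bool
    edr_healthy: bool
    posture_age_min: int  # minutes since the last compliance check


@dataclass
class Resource:
    name: str
    classification: str


@dataclass
class Verdict:
    decision: Decision
    reasons: list = field(default_factory=list)


def evaluate(identity: Identity, device: Device, resource: Resource) -> Verdict:
    """Evaluate one request. Every signal is checked on every request; network
    location grants no implicit trust."""
    rank = CLASSIFICATION_RANK[resource.classification]

    # Data pillar: attribute-based check of subject clearance against the resource label.
    if CLASSIFICATION_RANK[identity.clearance] < rank:
        return Verdict(Decision.DENY, ["clearance below resource classification"])

    # Device pillar: unmanaged or unhealthy endpoints never reach non-public data.
    if rank > 0 and not device.managed:
        return Verdict(Decision.DENY, ["unmanaged device"])
    if rank > 0 and not device.edr_healthy:
        return Verdict(Decision.DENY, ["EDR reports non-compliant device"])

    # Continuous verification: stale posture forces a fresh attestation first.
    if rank > 0 and device.posture_age_min > POSTURE_MAX_AGE_MIN:
        return Verdict(Decision.STEP_UP, ["device posture stale; re-attest"])

    # Identity pillar: confidential and above require phishing-resistant MFA.
    if rank >= CLASSIFICATION_RANK["confidential"] and identity.auth_method not in PHISHING_RESISTANT:
        return Verdict(Decision.STEP_UP, ["phishing-resistant MFA required"])

    # Risk-based decision: high identity risk denies, elevated risk steps up.
    if identity.risk_score >= 80:
        return Verdict(Decision.DENY, ["identity risk score too high"])
    if identity.risk_score >= 50:
        return Verdict(Decision.STEP_UP, ["elevated identity risk"])

    return Verdict(Decision.ALLOW, ["all pillars satisfied"])


if __name__ == "__main__":
    # Constructed sample requests showing each branch of the policy.
    samples = [
        (Identity("alice", "piv", "restricted", 10), Device("LT-01", True, True, 5), Resource("hr-db", "restricted")),
        (Identity("bob", "otp", "confidential", 10), Device("LT-02", True, True, 5), Resource("plans", "confidential")),
        (Identity("carol", "piv", "restricted", 10), Device("LT-03", False, True, 1), Resource("hr-db", "restricted")),
        (Identity("dave", "password", "internal", 10), Device("LT-04", False, False, 999), Resource("wiki", "public")),
    ]
    for ident, dev, res in samples:
        v = evaluate(ident, dev, res)
        print(f"{ident.user:6} -> {res.name:6} {v.decision.value:8} {'; '.join(v.reasons)}")
```

The ordering of checks is deliberate: a deny on clearance or device health short-circuits before any step-up is offered, so a non-compliant endpoint cannot talk its way into a sensitive resource by re-authenticating. Moving these checks into the policy engine rather than the application is what lets the same rule apply to users, service accounts and API clients alike.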
Guidance for teams
Successful zero trust implementation requires cross-functional coordination between security, IT operations, and business units. If you are affected, focus on high-value assets and critical business processes in the initial phases, expanding coverage based on risk assessment and resource availability.
Technology investments should focus on integration capabilities enabling security orchestration across pillars. Vendor selection should consider interoperability with existing infrastructure and alignment with federal government procurement requirements. Regular assessment against the maturity model helps track progress and identify gaps requiring additional investment.
Wrapping up
CISA's Zero Trust Maturity Model Version 2.0 provides essential guidance for organizations modernizing their security architecture. Federal agencies face mandatory implementation timelines under OMB M-22-09, while private sector organizations can use the model as a best-practice framework for reducing cyber risk and improving security posture.
Maturity Assessment Process
If you are affected, conduct formal maturity assessments against each pillar using CISA's self-assessment tools and guidance documents. Assessment results should inform strategic roadmaps with clear milestones, resource requirements, and success metrics. Executive sponsorship and governance structures ensure sustained commitment to the zero trust transformation.
Regular reassessment enables organizations to track progress, identify emerging gaps, and adjust priorities based on evolving threat landscapes and business requirements. Integration with existing risk management frameworks helps contextualize zero trust investments within broader enterprise risk management programs.
Documentation of architectural decisions, implementation progress, and lessons learned supports knowledge transfer and continuous improvement. Engagement with industry peers and government working groups provides insight into common challenges and effective implementation approaches.
Federal Implementation Timeline
OMB Memorandum M-22-09 establishes specific deadlines for federal agencies to achieve zero trust milestones. Agencies must complete enterprise-wide identity management capabilities, including phishing-resistant MFA deployment, by fiscal year 2024. Network segmentation, encrypted DNS, and application security requirements follow in subsequent phases.
Agency Chief Information Officers bear responsibility for zero trust implementation progress, with quarterly reporting requirements to OMB and CISA. Budget submissions must align with zero trust architecture requirements, and procurement decisions should favor solutions that support zero trust principles. Coordination with CISA provides technical assistance and validates implementation approaches against the maturity model framework.
Private sector organizations, while not subject to federal mandates, can use the maturity model as a voluntary framework for security modernization. Insurance providers and business partners now recognize zero trust maturity as an indicator of security posture, creating market incentives for adoption beyond regulatory requirements. Consistent application of the model's principles across public and private sectors strengthens overall cybersecurity resilience and reduces systemic risk from interconnected technology dependencies.
Ongoing engagement with CISA resources, working groups, and implementation communities helps organizations stay current with evolving guidance and share lessons learned. Investment in staff training and skill development supports sustainable zero trust operations and continuous improvement over time. Preventive planning ensures a successful transformation, and thorough documentation supports audit requirements.
Security Operations Integration
Zero trust implementation requires fundamental changes to security operations center (SOC) processes. Alert triage must account for identity-centric signals rather than relying solely on network perimeter alerts. Security analysts need training on evaluating access decisions across the five pillars and correlating events across identity, endpoint, and network data sources to identify sophisticated attacks.
Incident response playbooks need updates to reflect zero trust architecture assumptions. Response procedures should assume breach of individual systems or credentials rather than perimeter compromise, focusing on containment through identity revocation, device isolation, and microsegmentation enforcement. Integration with security orchestration platforms enables automated response actions based on predefined policies.
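To make the SOC guidance above concrete, here is an added example (written for this page, not CISA's code or any vendor's) of identity-centric triage: it correlates sign-in, EDR and microsegmentation events for the same device within a window and derives the containment steps the text describes (session revocation, device isolation). The event sources, field names, 30-minute window, severity thresholds and the JSON sample lines are all constructed for the demo.

```python
"""Identity-centric SOC correlation across identity, endpoint and network events.

Added example, not CISA's code: anchors on each successful sign-in and rates what
the endpoint (EDR) and network (microsegmentation) pillars report for the same
device shortly afterwards. Event sources, field names, thresholds and the sample
events are constructed for this demo.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=30)            # assumption: correlate events within 30 min of sign-in
PHISHING_RESISTANT = {"fido2", "piv"}     # assumption: authenticators counted as phishing-resistant

# Constructed sample events (JSON lines) from an identity provider ("idp"), an EDR
# agent ("edr") and a microsegmentation enforcement point ("segmentation").
SAMPLE_EVENTS = """\
{"ts": "2024-05-01T09:00:00Z", "source": "idp", "user": "alice", "device": "LT-0142", "auth": "password", "result": "success"}
{"ts": "2024-05-01T09:04:00Z", "source": "edr", "device": "LT-0142", "event": "compliance_failed", "detail": "agent tampering"}
{"ts": "2024-05-01T09:07:00Z", "source": "segmentation", "device": "LT-0142", "dst_segment": "hr-db", "action": "deny"}
{"ts": "2024-05-01T09:08:00Z", "source": "segmentation", "device": "LT-0142", "dst_segment": "finance", "action": "deny"}
{"ts": "2024-05-01T09:30:00Z", "source": "idp", "user": "bob", "device": "LT-0200", "auth": "piv", "result": "success"}
{"ts": "2024-05-01T09:35:00Z", "source": "segmentation", "device": "LT-0200", "dst_segment": "hr-db", "action": "deny"}
"""


def parse_events(jsonl: str) -> list:
    """Parse JSON lines into dicts with a datetime timestamp, oldest first."""
    events = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def correlate(jsonl: str) -> list:
    """Group events by device, anchor on each successful sign-in, and derive a
    severity plus containment actions from the endpoint and network signals."""
    by_device = defaultdict(list)
    for ev in parse_events(jsonl):
        by_device[ev["device"]].append(ev)

    incidents = []
    for device, evs in sorted(by_device.items()):
        signins = [e for e in evs if e["source"] == "idp" and e["result"] == "success"]
        for s in signins:
            end = s["ts"] + WINDOW
            in_window = [e for e in evs if s["ts"] <= e["ts"] <= end]
            failures = [e for e in in_window if e["source"] == "edr" and e["event"] == "compliance_failed"]
            denies = [e for e in in_window if e["source"] == "segmentation" and e["action"] == "deny"]

            severity, actions = "low", []
            if failures:
                # Assume the endpoint is compromised: contain the identity and the device,
                # not the perimeter.
                severity = "high"
                actions += [f"revoke sessions for {s['user']}", f"isolate device {device}"]
                if len(denies) >= 2:
                    # A non-compliant device being denied into several segments: escalate and hunt.
                    severity = "critical"
                    actions.append(f"hunt for lateral movement from {device}")
            elif len(denies) >= 2:
                severity = "medium"
                actions.append(f"review segmentation denials from {device}")
            if severity != "low" and s["auth"] not in PHISHING_RESISTANT:
                actions.append(f"require phishing-resistant re-authentication for {s['user']}")

            incidents.append({
                "device": device, "user": s["user"], "severity": severity,
                "compliance_failures": len(failures), "segment_denies": len(denies),
                "actions": actions,
            })
    return incidents


if __name__ == "__main__":
    for inc in correlate(SAMPLE_EVENTS):
        print(json.dumps(inc))
```

In a real deployment the `actions` list is what an orchestration platform would execute from a predefined playbook; keeping the decision logic separate from the execution step lets analysts review the correlation rule on its own and tune the window and thresholds without touching the automation.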
Continuous Improvement Framework
Zero trust is not a destination but a continuous journey requiring ongoing assessment and refinement. Organizations should establish regular review cycles to evaluate maturity progression, identify emerging gaps, and adjust priorities based on evolving threats and business requirements. Metrics and key performance indicators help quantify progress and demonstrate value to executive stakeholders.
Cited sources
- CISA Zero Trust Maturity Model v2.0 — cisa.gov
- OMB Memorandum M-22-09: Moving the U.S. Government Toward Zero Trust Cybersecurity Principles — whitehouse.gov
- NIST SP 800-207: Zero Trust Architecture — csrc.nist.gov