The Cybersecurity & Infrastructure Security Agency (CISA) has released its Zero Trust Maturity Model Version 2.0 to assist agencies in developing zero trust strategies and implementation plans. The model presents ways in which CISA services can support zero trust solutions across agencies.
Zero Trust: A Data-Centric Approach
Zero trust is a collection of concepts and ideas designed to minimize uncertainty in enforcing accurate, least privilege per-request access decisions in information systems and services. The goal is to prevent unauthorized access to data and services and make access control enforcement as granular as possible. This shift from a location-centric model to a data-centric approach provides the visibility needed to support the development, implementation, enforcement, and evolution of security policies.
CISA’s Zero Trust Maturity Model Version 2.0
CISA’s Zero Trust Maturity Model (ZTMM) is one of many roadmaps that agencies can reference as they transition towards a zero trust architecture. The maturity model, which includes five pillars and three cross-cutting capabilities, is based on the foundations of zero trust. Within each pillar, the model provides specific examples of traditional, initial, advanced, and optimal zero trust architectures.
Version 1.0 of the ZTMM opened for public comment in September 2021. The Response to Comments for Zero Trust Maturity Model summarizes the comments and modifications in response to version 1.0 feedback. Version 2.0 incorporates alignment to OMB M-22-09, published in January 2022.
Federal Zero Trust Resource Hub
The Office of Management and Budget (OMB) and CISA maintain a central repository on federal zero trust guidance for the Federal Civilian Executive Branch (FCEB) agencies. This website includes the latest information and additional resources on zero trust, including the Federal Zero Trust Strategy. Visit zerotrust.cyber.gov for more information.
Applying Zero Trust Principles to Enterprise Mobility
CISA has published Applying Zero Trust Principles to Enterprise Mobility to support federal agencies and other organizations on their journey toward zero trust. This new publication highlights the need for special consideration for mobile devices and associated enterprise security management capabilities due to their technological evolution and ubiquitous use. The guidance is meant to be a complementary effort to the recently released OMB Zero Trust Implementation Template and CISA Zero Trust Maturity Model.
CISA released the document for public comment from March 7, 2022, through April 20, 2022, and is currently working to adjudicate the comments and produce an updated version of the document.
- Zero Trust Maturity Model V2.0 (pdf)
- Applying Zero Trust Principles to Enterprise Mobility (pdf, 1.11MB)
- Federal Zero Trust Resource Hub