
CISA Zero Trust Maturity Model (TL;DR Version)


In the 1990s, the TV series “The X-Files” made the phrase “Trust No One” popular. Now, with cybercrime increasing at an alarming rate, “trust no one” – or Zero Trust – is a phrase echoing through enterprises. In 2021, the average number of cyberattacks and data breaches increased by 15.1%. That same year, the U.S. government spent $8.64 billion of its $92.17 billion IT budget to combat cybercrime. It also released the CISA Zero Trust Maturity Model.

What Is the CISA Zero Trust Maturity Model?

The CISA Zero Trust Maturity Model, released by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), was drafted in June 2021 to help government agencies comply with Executive Order 14028, “Improving the Nation’s Cybersecurity.” EO 14028 specifically recommends Zero Trust Architecture to protect government infrastructure.

Right on the heels of EO 14028, CISA began working on the CISA Zero Trust Maturity Model. It provides a framework for agencies as they transition to Zero Trust Architecture, strengthening their cybersecurity posture and preventing unauthorized access to infrastructure and resources by requiring constant authentication. The CISA Zero Trust Maturity Model is meant to serve as a set of guidelines, not as a complete plan.

CISA built the Zero Trust Maturity Model on the seven Zero Trust tenets outlined by the National Institute of Standards and Technology (NIST). They are:

  • All data sources and computing services are infrastructure.
  • All communication is secured, regardless of location.
  • Access to individual enterprise resources is granted per session.
  • Access to resources is determined by dynamic policy.
  • The enterprise monitors and measures the integrity and security posture of all owned and associated assets.
  • All resource authentication and authorization are dynamic and strictly enforced before access is allowed.
  • The enterprise collects as much information as possible about the current state of assets, network infrastructure, and communications and uses it to improve its security posture.

Importance of the Zero Trust Maturity Model

The federal government recognizes the importance of Zero Trust in its efforts to secure infrastructure and resources. In addition to the seven tenets outlined by NIST in Special Publication 800-207, which describes Zero Trust for enterprise security architects, federal agencies have released other publications to explain the concept and provide guidance.

The Department of Defense (DoD) released the DoD Zero Trust Reference Architecture specifically for the DoD Information Network, and the National Security Agency has embraced a Zero Trust security model.

But the challenges lie in legacy systems that may conflict with Zero Trust principles and the lack of consensus on what a Zero Trust Maturity Model looks like. The CISA Zero Trust Maturity Model aims to address these challenges and operationalize protections through its programs, including Continuous Diagnostics and Mitigation (CDM) and National Cybersecurity Protection System (NCPS).

Zero Trust Maturity Model Implementation

The Zero Trust Maturity Model relies on the Foundation of Zero Trust. This is represented by five pillars: identity, device, network/environment, application workload, and data. The five pillars sit on top of visibility and analytics, automation and orchestration, and governance.

Zero Trust maturity stages

The Zero Trust maturity stages are used to identify maturity for each Zero Trust technology pillar and provide consistency across the maturity model. Briefly, the stages are:

  • Traditional: Manual configurations are still widely used for attributes, along with static security policies and coarse dependencies on external systems.
  • Advanced: Some cross-pillar coordination and centralized visibility and identity control are complete.
  • Optimal: Attributes are automatically assigned to assets and resources, and dynamic policies based on automated or observed triggers are in place.

The pillars of Zero Trust are:

Pillar 1: Identity

This refers to an attribute or set of attributes that describes a user or identity. In an optimal maturity model, the identity is continuously authenticated.

Pillar 2: Device

A device is any hardware asset that can connect to a network. An optimal model includes constant device security monitoring and validation, and data access depends on real-time risk analytics.

Pillar 3: Network/Environment

The CISA Zero Trust Maturity Model defines network/environment as any open communications medium, including agency internal networks, wireless networks, and the Internet. In an optimal model, it uses fully distributed ingress/egress micro-perimeters, machine learning-based threat detection, and encryption for all traffic.

Pillar 4: Application Workload

Applications and workloads include agency systems, computer programs, and services that execute on-premises and in the cloud. Optimal models continuously authorize access and are strongly integrated into the application workflow.

Pillar 5: Data

Data needs to be protected on all devices, in applications, and on networks, according to the CISA Zero Trust Maturity Model. An optimal model uses dynamic support and encrypts all data.

How StrongDM Simplifies Zero Trust Implementation

Zero Trust implementation can seem daunting, particularly for organizations that are taking a reactive approach to data loss prevention. StrongDM simplifies Zero Trust at optimal levels for network/environment, application workload, and data by detecting suspicious behavior in real time and providing a full audit trail that logs every permission change and employee query.

This checks the boxes for optimal threat protection, visibility and analytics, automation and orchestration, governance, access authorization, and access determination, all key components of Zero Trust.

IT administrators already have enough to do without manually configuring access and implementing Zero Trust from scratch. StrongDM makes it easy with a Zero Trust PAM Platform that provides access to resources based on what’s actually needed and enforces a Zero Trust model that keeps infrastructure and resources safe.

Want to see how StrongDM can help your organization move toward Zero Trust? Book a demo today.


About the Author

, Chairman of the Board, began working with startups as one of the first employees at Cross Commerce Media. Since then, he has worked at the venture capital firms DFJ Gotham and High Peaks Venture Partners. He is also the host of Founders@Fail and author of Inc.com's "Failing Forward" column, where he interviews veteran entrepreneurs about the bumps, bruises, and reality of life in the startup trenches. His leadership philosophy: be humble enough to realize you don’t know everything and curious enough to want to learn more. He holds a B.A. and M.B.A. from Columbia University. To contact Schuyler, visit him on LinkedIn.
