When Congress passed the Federal Information Security Management Act in 2002, most agencies treated it as a paperwork exercise. Policy documents were written. Controls were documented. Certification and accreditation packages were assembled. Then the Office of Inspector General reviews started arriving, and agencies discovered the gap between documented compliance and operational security was wider than anyone had admitted. It took more than a decade of enforcement, audits, and high-profile breaches before FISMA compliance became a genuine operating discipline rather than an annual report.
The federal zero trust mandate is following the same arc, compressed into a shorter timeline. Executive Order 14028 arrived in May 2021. Office of Management and Budget (OMB) Memorandum M-22-09, issued in January 2022, set specific milestones to be met by the end of FY2024. The Cybersecurity and Infrastructure Security Agency (CISA) released the Zero Trust Maturity Model (ZTMM) version 2.0 in April 2023 as the implementation reference. The FY2024 deadline passed. Most agencies met some milestones; few, if any, met all of them. The agencies that treated zero trust as a checkbox exercise are now in the position their FISMA predecessors occupied in 2008: technically compliant on paper, operationally exposed in practice.
The CISA ZTMM v2.0 framework gives federal agencies a structured path from where most currently sit, in the Initial maturity tier, toward Optimal. The five pillars and four maturity levels are not abstract aspirations. They are a self-assessment instrument that reveals exactly where an agency’s security architecture holds and where it does not. The maturation path is not linear, and Identity, the most mature pillar, is not where the largest gaps sit.
Assess your agency’s zero trust posture by scoring each of the five CISA ZTMM pillars (Identity, Devices, Networks, Applications and Workloads, Data) against four maturity levels: Traditional, Initial, Advanced, and Optimal. Identity is the most mature pillar across federal agencies. Data is the least mature and requires the most investment. Three cross-cutting capabilities span all pillars: Visibility and Analytics, Automation and Orchestration, and Governance.
Understanding the CISA Zero Trust Maturity Model Framework
The CISA Zero Trust Maturity Model v2.0 organizes federal zero trust implementation across two dimensions: five technology pillars and four maturity levels. Three cross-cutting capabilities run through all five pillars: Visibility and Analytics, Automation and Orchestration, and Governance. Understanding how these dimensions interact is the starting point for any honest agency self-assessment.
The Four Maturity Levels
The ZTMM defines maturity through four progressive levels, each representing a distinct operating posture rather than a score on a checklist.
Traditional describes the baseline: static security policies, limited integration between security tools, manual processes, and implicit trust extended to internal network traffic. Most pre-mandate agency environments fell here. Some still do.
Initial represents the first meaningful move toward zero trust principles. Agencies at Initial have deployed enterprise identity providers with multi-factor authentication (MFA), begun segmenting network traffic, and started applying policy-based access controls to some systems. M-22-09 milestones were designed to move agencies from Traditional to Initial.
Advanced describes integration maturity. Security decisions across pillars inform each other. Identity signals feed network policy decisions. Device health status affects application access permissions. Automation handles routine policy enforcement. This is the target most agencies should set for the 2025-2027 window.
Optimal represents fully dynamic, attribute-based policy enforcement across all pillars, with automated responses to anomalies and continuous validation of every access request. No federal agency has achieved Optimal across all five pillars.
The Three Cross-Cutting Capabilities
Visibility and Analytics, Automation and Orchestration, and Governance operate horizontally across all five pillars. An agency can advance Identity to Advanced maturity while Visibility and Analytics remain at Traditional, which means the Identity controls are not producing the telemetry needed to detect anomalous access patterns. The cross-cutting capabilities are not separate workstreams. They are the connective tissue that makes pillar-level investments operational.
The audit fix. Score each of the five pillars and each of the three cross-cutting capabilities at Traditional, Initial, Advanced, or Optimal, for eight scores in all. Within each pillar, score the ZTMM’s individual functions (under Identity, for example: Authentication, Identity Stores, Risk Assessments, and Access Management) so that the pillar score is backed by function-level evidence rather than a single impression. Identify the three lowest-scored functions. Those are your next three investments. Do not attempt to advance all pillars simultaneously. Concentrated investment that moves one pillar to Advanced produces more measurable security value than marginal progress across five pillars at once.
The Five Zero Trust Pillars: Where Federal Agencies Stand
The five ZTMM pillars are not equal in implementation difficulty, agency maturity, or security impact. Understanding the current distribution of federal progress across pillars shapes a realistic implementation roadmap.
Identity: The Most Mature Pillar
Identity is the most mature pillar across the federal enterprise, and the reason is straightforward: M-22-09 required enterprise identity with phishing-resistant MFA for all federal staff and contractors. The mandate created accountability. Agencies with compliance offices and Inspector General oversight moved. By the FY2024 deadline, most civilian agencies had deployed enterprise identity providers and met the baseline MFA requirement.
Being the most mature pillar does not mean the Identity pillar is complete. Most agencies remain at Initial: MFA is deployed, but identity governance, privileged access management, and cross-agency federation are inconsistent. The gap between Initial and Advanced in Identity involves implementing continuous validation of identity claims throughout a session, not just at authentication. An employee who authenticates with phishing-resistant MFA at 8 AM and then accesses a sensitive system at 11 PM from a new IP should trigger a re-validation challenge. Most agencies do not have the orchestration in place to enforce this.
Devices: Endpoint Visibility Gaps
The Devices pillar requires agencies to verify device health as a condition of access, integrate device signals into policy decisions, and maintain an accurate inventory of all endpoints including unmanaged devices. Most agencies have deployed endpoint detection and response tools on managed devices. The inventory and health-signal integration work is substantially incomplete.
The gap that matters most: agency systems that accept connections from contractor-owned, personally owned, and partner-managed devices without any device posture verification. NIST SP 800-207 identifies device trustworthiness as a core input to zero trust policy decisions. An agency that enforces phishing-resistant MFA for user identity but allows connections from unverified devices has verified the user and not the device, and the device is the other half of the access decision.
Networks: Encryption Progress, Micro-Segmentation Lag
M-22-09 required agencies to encrypt all DNS requests and HTTP traffic and deploy application-layer protections consistent with zero trust architecture. The encryption mandate was achievable and most agencies met it. Micro-segmentation is a different story.
Network micro-segmentation means dividing the network into isolated segments so that a compromised system cannot reach other systems without explicit policy authorization. Moving from a flat network with perimeter controls to a segmented network with granular east-west traffic policies requires touching every network segment, every application dependency map, and every firewall ruleset. This is multi-year work in large agency environments, and it requires a level of network documentation that most agencies do not have at the start of the project.
Applications and Workloads: API Security and Access Controls
M-22-09 required agencies to treat all internet-accessible applications as if they were on an untrusted network, applying zero trust access controls regardless of user location. The Applications and Workloads pillar extends this to all applications, including internal systems, cloud workloads, and legacy applications.
The implementation challenge in this pillar is legacy application inventory. Agencies operate applications developed over decades, many without API layers that would allow integration with modern access control systems. Applying zero trust controls to a 20-year-old database application requires either a gateway proxy approach or a modernization investment. Both are technically feasible. Neither is fast.
The Applications and Workloads pillar is where the ZTMM intersects most directly with agency modernization strategy. Agencies that have invested in cloud migration have a structural advantage: cloud-native applications are far more compatible with zero trust access controls than on-premises legacy systems. The ZTMM implementation roadmap and the modernization roadmap are not separate plans. They should be the same document.
Data: The Least Mature Pillar
The Data pillar is the least mature across the federal enterprise, and the gap is significant. Zero trust data security requires agencies to classify all data assets, apply protections based on classification, enforce data access policies that follow the data rather than the perimeter, and monitor data access for anomalies.
The foundational requirement is data discovery and classification. Agencies with unclassified data stores distributed across on-premises systems, cloud environments, and shared services cannot apply consistent data protection policies without first knowing what data exists and where. Most federal agencies do not have a current, complete data asset inventory. Starting the Data pillar means starting with discovery, not policy enforcement.
The audit fix. Begin Data pillar work with a bounded discovery exercise rather than an enterprise-wide effort. Select one high-value data environment: a financial system, a personnel records database, or a cloud storage account that holds sensitive data. Run automated data classification tools against it. Document what you find. Apply protection policies to that environment first. Use the first environment as a template for the second. Agencies that wait until they have a complete enterprise inventory before starting never start.
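The bounded discovery exercise above comes down to running detectors over one data store and counting what they find. The script below is an added example written for this article, not a tool from CISA or any agency: regex detectors for SSNs, primary account numbers (PANs), and e-mail addresses, with a Luhn checksum to discard digit runs that merely look like card numbers. The file paths and record contents are constructed for the example, and the detector set is a starting point, not a complete classifier.

```python
"""Added example: bounded data-discovery scan for one environment.

Regex detectors find candidate SSNs, primary account numbers (PANs) and
e-mail addresses in text records; a Luhn check filters PAN false positives.
The records below are constructed; paths and contents are invented for the
example and the detector set is a starting point, not a complete classifier.
"""
import re
from collections import Counter
from typing import Iterable

# SSN: excludes area 000, 666 and 900-999 (never issued), group 00 and serial 0000.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Candidate card number: 13-16 digits, optionally separated by spaces or hyphens.
PAN_CANDIDATE_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")
EMAIL_RE = re.compile(r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; real PANs pass, most arbitrary digit runs do not."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify_record(text: str) -> set[str]:
    """Return the set of sensitivity labels found in one record."""
    labels: set[str] = set()
    if SSN_RE.search(text):
        labels.add("SSN")
    for match in PAN_CANDIDATE_RE.finditer(text):
        digits = re.sub(r"\D", "", match.group())
        if 13 <= len(digits) <= 16 and luhn_ok(digits):
            labels.add("PAN")
            break
    if EMAIL_RE.search(text):
        labels.add("EMAIL")
    return labels


def scan_records(records: Iterable[tuple[str, str]]) -> dict:
    """Classify each (record_id, text) pair and summarize what the store holds."""
    counts: Counter = Counter()
    flagged: list[tuple[str, list[str]]] = []
    total = 0
    for record_id, text in records:
        total += 1
        labels = classify_record(text)
        counts.update(labels)
        if labels:
            flagged.append((record_id, sorted(labels)))
    return {"total": total, "counts": dict(counts), "flagged": flagged}


# Constructed records standing in for one bounded data store (not real data).
SAMPLE_RECORDS = [
    ("hr/emp_001.txt", "Employee J. Doe, SSN 123-45-6789, contact jdoe@agency.example"),
    ("fin/tx_9001.txt", "Card 4111 1111 1111 1111 exp 09/27 amount 42.10"),
    # Looks like a card number and an SSN, but fails Luhn and uses a 9xx area: not flagged.
    ("ops/runbook.md", "Ticket 1234 5678 9012 3456 reopened; see ref 987-65-4321"),
    ("pub/notice.txt", "Public notice: office closed Monday."),
]


def run_constructed_example() -> dict:
    return scan_records(SAMPLE_RECORDS)


if __name__ == "__main__":
    summary = run_constructed_example()
    print(f"{summary['total']} records scanned, label counts: {summary['counts']}")
    for record_id, labels in summary["flagged"]:
        print(f"  {record_id}: {', '.join(labels)}")
```

Replace SAMPLE_RECORDS with a generator that walks the chosen environment (files, table rows, object storage listings) and the summary becomes the first draft of that environment’s classified inventory; the protection policy is written against the labels, not against the store.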
CISA Zero Trust Maturity Model Self-Assessment Methodology
The ZTMM v2.0 includes a self-assessment methodology that agencies use to establish current state and define a maturation roadmap. The methodology works when agencies apply it honestly. It produces misleading results when scoring reflects aspiration rather than operational reality.
Conducting an Honest Current-State Assessment
Score each pillar at the maturity level that describes your operating state, not your documented policy. A policy stating that all access requires MFA does not earn Initial maturity in the Identity pillar if the MFA deployment has exceptions for legacy systems, service accounts, or contractor access paths. Auditors verify operating state. The documentation follows from operating state, not the reverse.
For each pillar, test the control rather than reviewing the policy. For Identity: attempt to access a sensitive application from a new device without MFA. For Devices: verify whether device health status is actually evaluated before access is granted, or whether the device inventory system and the access control system operate independently. For Networks: run an authorized port scan from a host inside the network to verify that east-west traffic is actually restricted rather than merely documented as restricted. The gap between documented policy and operational reality is the gap the ZTMM assessment is designed to find.
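The Networks test described above is a comparison, not just a scan: what is actually reachable from a segment against what the segmentation policy says should be reachable. The script below is an added example for this article, not an agency or CISA tool. It separates the finding that matters (reachable but not allowed) from the operational gap (allowed but unreachable). The segment name, addresses and ports are assumptions, and the constructed probe results stand in for a live run so the script executes offline; `tcp_probe` is the real prober to pass in from a host inside the source segment, with authorization.

```python
"""Added example: verify east-west segmentation by probing, not by reading the ruleset.

Run find_violations() with tcp_probe from a host inside the source segment being
assessed. The constructed data at the bottom stands in for real probe results so
the script runs offline; segment names, hosts and ports are assumptions.
"""
import socket
from dataclasses import dataclass
from typing import Callable, Iterable


@dataclass(frozen=True)
class Flow:
    src_segment: str
    dst_host: str
    dst_port: int


def tcp_probe(host: str, port: int, timeout: float = 1.0) -> bool:
    """Real prober: True if a TCP connect to host:port completes.
    Only run against systems you are authorized to scan."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def find_violations(
    src_segment: str,
    targets: Iterable[tuple[str, int]],
    allowed: set[Flow],
    probe: Callable[[str, int], bool],
) -> dict[str, list[Flow]]:
    """Probe every target from src_segment and compare with the allow-list.

    'reachable_not_allowed' is the security finding: traffic the policy says
    is blocked but that actually gets through. 'allowed_not_reachable' is an
    operational gap: a documented dependency that is currently broken.
    """
    reachable_not_allowed: list[Flow] = []
    allowed_not_reachable: list[Flow] = []
    for host, port in targets:
        flow = Flow(src_segment, host, port)
        if probe(host, port):
            if flow not in allowed:
                reachable_not_allowed.append(flow)
        elif flow in allowed:
            allowed_not_reachable.append(flow)
    return {
        "reachable_not_allowed": reachable_not_allowed,
        "allowed_not_reachable": allowed_not_reachable,
    }


# --- Constructed sample (assumed addresses, not any real agency network) ---
SRC_SEGMENT = "workstations"
ALLOWED = {
    Flow(SRC_SEGMENT, "10.10.20.5", 443),   # web front end
    Flow(SRC_SEGMENT, "10.10.30.9", 53),    # internal resolver
}
TARGETS = [
    ("10.10.20.5", 443),
    ("10.10.20.5", 22),     # SSH on the web tier must not be open to workstations
    ("10.10.40.12", 1433),  # database tier must never be reachable directly
    ("10.10.30.9", 53),
]
# What the constructed probe "observes": the resolver is down, SSH and the DB are open.
CONSTRUCTED_REACHABLE = {("10.10.20.5", 443), ("10.10.20.5", 22), ("10.10.40.12", 1433)}


def constructed_probe(host: str, port: int) -> bool:
    """Stand-in for tcp_probe so the example runs offline."""
    return (host, port) in CONSTRUCTED_REACHABLE


def run_constructed_example() -> dict[str, list[Flow]]:
    return find_violations(SRC_SEGMENT, TARGETS, ALLOWED, constructed_probe)


if __name__ == "__main__":
    result = run_constructed_example()
    for f in result["reachable_not_allowed"]:
        print(f"VIOLATION  {f.src_segment} -> {f.dst_host}:{f.dst_port} reachable but not allowed")
    for f in result["allowed_not_reachable"]:
        print(f"GAP        {f.src_segment} -> {f.dst_host}:{f.dst_port} allowed but unreachable")
```

The allow-list is the segmentation policy expressed as data; building it forces the application dependency mapping the text describes, and re-running the probe after every firewall change turns the ZTMM Networks score into something measured rather than asserted.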
Aligning ZTMM Assessment to OMB Reporting
Agencies report zero trust progress to OMB through the M-22-09 implementation plans submitted to OMB and CISA and through the annual FISMA CIO metrics. The ZTMM self-assessment provides the underlying evidence for those reports. Agencies that conduct rigorous self-assessments produce reports that reflect reality. Agencies that inflate self-assessment scores produce reports that overstate progress, which creates a different kind of audit finding when the actual operating state becomes visible during an Inspector General review or an incident.
CISA provides facilitated assessments for agencies that request them. For agencies with limited zero trust expertise in-house, a CISA facilitated assessment provides an independent baseline before the agency builds its maturation roadmap.
The audit fix. Structure the self-assessment as a three-step process. First, score current state for each pillar based on operational testing, not policy documentation. Second, define a target state for each pillar 18 months out, anchored to specific technical implementations rather than maturity level labels. Third, identify the three highest-priority gaps where maturation investment produces the greatest risk reduction. Document the assessment in a format that directly maps to OMB M-22-09 reporting categories. The output is a living document, not a one-time report.
Post-FY2024 Roadmap: Continuous Maturation Under M-24-14
The FY2024 deadline defined in M-22-09 passed in September 2024. Agencies that met all milestones advanced their baseline. Agencies that partially met milestones carry forward open items. OMB Memorandum M-24-14, the FY2026 cybersecurity budget priorities memorandum issued in July 2024, directed agencies to submit updated zero trust implementation plans covering FY2025 through FY2027, moving the program from deadline-driven compliance toward sustained architectural improvement.
What M-22-09 Required by FY2024
The specific FY2024 milestones in M-22-09 covered four areas:
Enterprise identity with phishing-resistant MFA for all federal employees and contractors. Encrypted DNS and HTTP traffic for all agency systems. Internet-accessible applications protected with application-layer security controls consistent with applicable CISA Binding Operational Directives. Automated security access rules replacing manually maintained access control lists.
Agencies that met these four requirements achieved Initial maturity in Identity, partial Initial in Networks, and the foundation for Applications and Workloads maturation. They did not achieve Initial maturity in Devices or Data through M-22-09 milestones alone.
The 2025-2027 Maturation Priorities
Post-FY2024, the maturation sequence that produces the highest security return follows a specific logic rooted in the NIST SP 800-207 zero trust architecture model.
Identity to Advanced is achievable in 12-18 months for agencies that completed the Initial milestones. The primary work involves deploying privileged access management, implementing continuous session validation, and integrating identity signals into cross-pillar policy decisions.
Devices to Initial requires completing endpoint inventory for all device categories, deploying device health verification for managed endpoints, and beginning posture assessment for unmanaged devices. Agencies should complete this concurrently with Identity Advanced work rather than sequentially.
Networks micro-segmentation is a 24-36 month effort for most large agencies. Starting with a bounded environment, a single data center or a specific cloud environment, produces demonstrable results while the broader segmentation work proceeds.
Data pillar maturation requires a data discovery and classification foundation. Agencies without a current data inventory should begin discovery work in FY2025 regardless of other pillar priorities. The Data pillar will remain at Traditional until discovery work produces a classified inventory to build policy on.
The audit fix. Build a zero trust maturation roadmap with three horizons. Horizon 1 (0-12 months): complete any open M-22-09 milestones, advance Identity to Advanced, begin Device inventory and health verification. Horizon 2 (12-24 months): achieve Devices Initial, begin network micro-segmentation in a bounded environment, complete data discovery for the top three high-value data assets. Horizon 3 (24-36 months): advance Networks toward Advanced, apply data protection policies to classified assets, begin Applications and Workloads Advanced integration. Report progress against this roadmap in every FISMA CIO metrics submission and in the updated zero trust implementation plan OMB has requested.
| Pillar | Traditional | Initial | Advanced | Optimal |
|---|---|---|---|---|
| Identity | Password-only auth, shared accounts | Enterprise Identity Provider (IdP), phishing-resistant MFA | Continuous session validation, PAM integrated | Risk-adaptive, real-time attribute evaluation |
| Devices | No device inventory, no health checks | Managed device inventory, basic health signals | Health verification gates access, unmanaged devices assessed | Real-time posture drives dynamic policy |
| Networks | Flat network, perimeter trust | Encrypted DNS/HTTP, application-layer controls | Micro-segmentation in bounded environments | Software-defined perimeter, all traffic validated |
| Applications & Workloads | Implicit internal trust, static access | Internet apps treated as untrusted, ICAM integration begins | All apps policy-gated, API security enforced | Automated threat response, workload identity enforced |
| Data | No classification, perimeter-dependent protection | Discovery initiated, classification policy defined | Classification applied, access policies follow data | Automated classification, real-time data access governance |
NIST SP 800-207 Technical Architecture Reference
The CISA ZTMM defines maturity levels and pillar structure. NIST SP 800-207 defines the underlying technical architecture that makes zero trust operationally real. Understanding the relationship between these two documents prevents implementation errors that satisfy ZTMM scoring criteria while missing the security intent.
The Policy Decision Point and Policy Enforcement Point Model
NIST SP 800-207 organizes zero trust architecture around two logical components: the Policy Decision Point (PDP) and the Policy Enforcement Point (PEP). The PDP evaluates access requests against policy, using signals from identity, device, network, and data sources; SP 800-207 further splits it into a Policy Engine, which makes the decision, and a Policy Administrator, which configures the PEP to carry it out. The PEP enforces the PDP’s decision, allowing or denying the access attempt, and does not interpret the signals itself.
This architecture is what separates operational zero trust from perimeter security with better logging. In a perimeter model, traffic that passes the firewall is trusted. In a zero trust architecture, every access request goes through a PDP evaluation regardless of where the request originates. An employee on the agency network requesting access to a sensitive application goes through the same PDP as a contractor working remotely. Network location does not grant trust.
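The PDP/PEP split above, and the session re-validation case from the Identity section (phishing-resistant MFA at 8 AM, a sensitive system at 11 PM from a new IP), can be shown in a few dozen lines. The following is an added example written for this article, not code from NIST, CISA, or any agency: `decide` is a minimal PDP that combines identity, session, device and resource signals and returns allow, step-up or deny; `pep_enforce` is a PEP that only acts on that decision. The request carries its source network solely to show that the PDP never consults it. The field names, the eight-hour session limit, and the scenario values are assumptions, not any agency’s real policy.

```python
"""Added example: a minimal Policy Decision Point / Policy Enforcement Point pair.

decide() is the PDP: it combines identity, session, device and resource signals
and returns allow, step_up or deny. pep_enforce() is the PEP: it carries out the
decision and nothing more. source_network is present on the request only to show
that the PDP never reads it. Thresholds, field names and scenario values are
assumptions for the example, not any agency's real policy.
"""
from dataclasses import dataclass, replace
from datetime import datetime, timedelta, timezone
from typing import Callable


@dataclass(frozen=True)
class AccessRequest:
    subject: str
    mfa_method: str            # "piv", "fido2", "totp", "sms", "password"
    authenticated_at: datetime
    auth_ip: str
    request_time: datetime
    request_ip: str
    device_managed: bool
    device_compliant: bool     # health signal from the device inventory / EDR
    source_network: str        # deliberately ignored by the PDP
    resource_sensitivity: str  # "low", "moderate", "high"


PHISHING_RESISTANT = {"piv", "fido2"}
MAX_SESSION_AGE = timedelta(hours=8)   # assumed policy value


def decide(req: AccessRequest) -> tuple[str, list[str]]:
    """PDP: evaluate one request against policy. Returns (decision, reasons)."""
    # Hard denies: conditions that re-authenticating the user cannot cure.
    if req.resource_sensitivity == "high" and not req.device_managed:
        return "deny", ["high-sensitivity resource requires a managed device"]
    if req.device_managed and not req.device_compliant:
        return "deny", ["managed device failed its health check"]

    # Conditions that require re-validating the identity claim mid-session.
    reasons: list[str] = []
    if req.mfa_method not in PHISHING_RESISTANT:
        reasons.append("authenticator is not phishing-resistant")
    if req.request_time - req.authenticated_at > MAX_SESSION_AGE:
        reasons.append("session exceeds maximum age")
    if req.request_ip != req.auth_ip:
        reasons.append("request IP differs from authentication IP")
    if reasons:
        return "step_up", reasons
    return "allow", ["all signals within policy"]


def pep_enforce(req: AccessRequest, serve: Callable[[], str]) -> tuple[int, str]:
    """PEP: act on the PDP decision; it never re-interprets the signals itself."""
    decision, reasons = decide(req)
    if decision == "allow":
        return 200, serve()
    if decision == "step_up":
        return 401, "re-authenticate: " + "; ".join(reasons)
    return 403, "; ".join(reasons)


def build_scenarios() -> dict[str, AccessRequest]:
    """Constructed requests, including the 8 AM / 11 PM case from the text."""
    t0 = datetime(2025, 3, 3, 8, 0, tzinfo=timezone.utc)
    morning = AccessRequest(
        subject="jdoe", mfa_method="piv", authenticated_at=t0, auth_ip="10.10.1.15",
        request_time=t0 + timedelta(minutes=5), request_ip="10.10.1.15",
        device_managed=True, device_compliant=True,
        source_network="agency-lan", resource_sensitivity="high",
    )
    # Same session 15 hours later from a new address: the identity claim is re-validated.
    late_new_ip = replace(morning, request_time=t0 + timedelta(hours=15),
                          request_ip="203.0.113.7", source_network="internet")
    # On the agency LAN but from an unmanaged device: location earns no trust.
    lan_unmanaged = replace(morning, device_managed=False)
    # Remote with every signal healthy: location costs no trust either.
    remote_healthy = replace(morning, auth_ip="198.51.100.4",
                             request_ip="198.51.100.4", source_network="internet")
    return {"morning": morning, "late_new_ip": late_new_ip,
            "lan_unmanaged": lan_unmanaged, "remote_healthy": remote_healthy}


def example_decisions() -> dict[str, tuple[str, list[str]]]:
    return {name: decide(req) for name, req in build_scenarios().items()}


def example_pep_status_codes() -> dict[str, int]:
    return {name: pep_enforce(req, lambda: "resource body")[0]
            for name, req in build_scenarios().items()}


if __name__ == "__main__":
    for name, (decision, reasons) in example_decisions().items():
        print(f"{name:15s} {decision:8s} {'; '.join(reasons)}")
```

The on-LAN unmanaged device is denied and the healthy remote session is allowed, which is the whole point of the model: the PEP in front of the application makes the same call to `decide` regardless of where the request came from, and the orchestration gap the Identity section describes is exactly the absence of the `request_time` and `request_ip` signals at decision time.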
Deployment Models and Agency Architecture Choices
SP 800-207 describes four deployment variations, and agencies choose among them based on their existing infrastructure. Device agent/gateway-based deployment places an agent on each endpoint and a gateway in front of each resource, which works where endpoints are predominantly managed. Enclave-based deployment puts one gateway in front of a group of resources, which suits legacy applications and network segments that cannot carry their own enforcement point. Resource portal-based deployment places the PEP at a portal the subject connects to, so no agent is required on the device, which is how contractor-owned and personally owned devices are usually accommodated. Device application sandboxing runs approved applications in an isolated compartment on the endpoint and treats the rest of the device as untrusted.
Most large federal agencies deploy a hybrid model because their application and infrastructure footprint does not fit a single deployment pattern. The ZTMM assessment should identify which deployment model applies to each major system environment rather than treating the entire agency as a single zero trust implementation.
The audit fix. Map every major system environment in your agency to one of the SP 800-207 deployment models. For each environment, identify the current PDP and PEP components in place, even if they are partial implementations. Document the integration gaps: where device health signals do not reach the PDP, where identity signals are not evaluated at the PEP, where access decisions rely on network location rather than policy evaluation. This mapping exercise produces the technical requirements for your ZTMM maturation roadmap.
Federal agencies that treat the CISA ZTMM as a compliance checklist will replicate the FISMA adoption pattern: documented controls, incomplete operations, and findings that accumulate until a visible incident forces genuine remediation. The agencies that will reach Advanced maturity across the five pillars by 2028 are the ones that began their self-assessment with operational testing rather than policy review, prioritized the Data pillar despite its difficulty, and built the ZTMM roadmap into their capital planning process rather than treating it as a cybersecurity initiative separate from IT modernization. The framework is sound. The implementation discipline determines whether it produces security or just reports.
Frequently Asked Questions
What is the CISA Zero Trust Maturity Model implementation framework?
The CISA Zero Trust Maturity Model is a federal implementation guide that organizes zero trust architecture across five pillars: Identity, Devices, Networks, Applications and Workloads, and Data. Four maturity levels progress from Traditional through Initial, Advanced, and Optimal. Agencies use the ZTMM v2.0, released April 2023, to assess current state, define target states, and build maturation roadmaps aligned to OMB M-22-09 requirements.
What did OMB M-22-09 require by the FY2024 deadline?
M-22-09 required agencies to deploy enterprise identity systems with phishing-resistant MFA for all federal employees and contractors, encrypt all DNS and HTTP traffic, apply zero trust access controls to all internet-accessible applications, and replace manually maintained access control lists with automated security access rules by the end of FY2024. The deadline passed in September 2024. Agencies that did not complete all milestones continue maturation under M-24-14.
Which zero trust pillar is most mature across federal agencies?
Identity is the most mature pillar across the federal enterprise. The M-22-09 mandate for phishing-resistant MFA and enterprise identity providers created specific, enforceable milestones that most civilian agencies met by the FY2024 deadline. The Data pillar is the least mature, as it requires data discovery and classification work that most agencies have not completed.
How does NIST SP 800-207 relate to the CISA ZTMM?
NIST SP 800-207 provides the technical architecture reference for federal zero trust implementation, defining the Policy Decision Point and Policy Enforcement Point model that underpins zero trust access control. The CISA ZTMM provides the maturity framework that agencies use to assess progress and plan investments. The ZTMM describes what maturity looks like; SP 800-207 describes how to build the architecture that achieves it.
What are the three cross-cutting capabilities in the CISA ZTMM?
The three cross-cutting capabilities are Visibility and Analytics, Automation and Orchestration, and Governance. These capabilities run horizontally across all five pillars and represent the integration layer that makes pillar-level investments operationally effective. An agency can advance Identity to Advanced maturity while Visibility and Analytics remain at Traditional, which means Identity controls produce insufficient telemetry to detect anomalous access patterns.
How should agencies prioritize zero trust pillar investments after the FY2024 deadline?
Post-FY2024 maturation should follow a sequenced approach: advance Identity to Advanced maturity first, as it is the most mature starting point and produces the most direct risk reduction. Concurrently begin Device pillar work to complete endpoint inventory and health verification. Start Data pillar discovery in parallel, as it requires the longest lead time before protective controls apply. Network micro-segmentation should begin in bounded environments while broader architectural work proceeds.
Does the CISA ZTMM apply to defense agencies and DoD components?
The CISA ZTMM applies to civilian federal agencies. The Department of Defense operates under a separate zero trust strategy and reference architecture aligned to DoD policy. However, defense contractors and government contractors supporting both civilian and defense agencies benefit from understanding the CISA ZTMM because its five-pillar structure reflects the same underlying NIST SP 800-207 architecture that DoD zero trust programs reference.
What is the difference between Initial and Advanced maturity in the CISA ZTMM?
Initial maturity means an agency has deployed the foundational components of zero trust in a pillar: enterprise identity with MFA, device inventory, encrypted traffic, or application access controls. Advanced maturity means those components are integrated with each other and produce cross-pillar signals that inform automated policy decisions. The distinction is integration and automation, not just deployment. An Advanced agency uses device health signals to dynamically adjust network access policy. An Initial agency manages device inventory and network access policy independently.
Subscribe to The Authority Brief for next week’s analysis.