The Office of Management and Budget Memorandum M-22-09 deadlines closed at the end of fiscal year 2024. The work after the deadline is harder than the work before it. Inspectors General, Government Accountability Office reviewers, and Congressional staff are no longer asking whether agencies implemented zero trust. They are asking what stage the agency reached on the Cybersecurity and Infrastructure Security Agency (CISA) Zero Trust Maturity Model (ZTMM), and what evidence supports that claim.
Most agency self-assessments still answer the wrong question. They list five pillars. They list tools deployed. They claim Advanced or Optimal at the pillar level. An auditor reads the document in 90 seconds, asks for the artifact behind a single function-level claim, and the score collapses. The Federal Chief Information Officer reported in fall 2024 that federal agencies moved from 81 percent to 87 percent overall completion of M-22-09 actions. That figure measures action completion, not maturity stage. The two are different measurements, and only one is what the IG is actually grading.
A defensible self-assessment scores every function inside every pillar, attaches a specific artifact to every claim, and accepts the lowest cross-cutting capability score as the honest answer. The rest is marketing.
A defensible zero trust maturity self-assessment scores against CISA Zero Trust Maturity Model version 2.0 at the function level, not the pillar level. Five pillars, three cross-cutting capabilities, four maturity stages, and roughly 37 distinct functions produce the actual scoring grid. Each claimed maturity stage requires a specific evidence artifact: configuration exports, telemetry samples, policy-as-code repositories, and exception registers. Inspector General audits under the Federal Information Security Modernization Act now map findings to these functions.
The Architecture of CISA ZTMM Version 2.0
The CISA Zero Trust Maturity Model version 2.0, published April 11, 2023, remains the current version as of April 2026. No version 3.0 has been released. The structure is a three-dimensional grid: five pillars, multiple functions inside each pillar, and four maturity stages.
The five pillars in CISA’s order are Identity, Devices, Networks, Applications and Workloads, and Data. Identity holds seven functions. Devices holds seven. Networks holds seven. Applications and Workloads holds eight. Data holds eight. The total is roughly 37 functions across the model, each with its own four-stage maturity description. Five pillars times four stages produces a 20-cell summary. The actual scoring grid is closer to 150 cells. An assessment that has one row per pillar has been built against the wrong document.
The Three Cross-Cutting Capabilities
The three cross-cutting capabilities are Visibility and Analytics, Automation and Orchestration, and Governance. The structural change from version 1.0 to version 2.0 was that these three capabilities are no longer standalone columns. Each one appears as a function inside each pillar. Visibility and Analytics shows up five times across the model, once per pillar. Same for Automation and Orchestration. Same for Governance. The honest cross-cutting score is the lowest of the five pillar-level scores for that capability, not the average and certainly not the highest.
The Four Maturity Stages
Traditional means manual, static, and siloed. Initial means starting automation with aggregated visibility. Advanced means cross-pillar coordination and centralized policy. Optimal means just-in-time, dynamic, continuous, and behavior-based. The criteria language matters. “Optimal” requires “continuous” and “automated” and “behavior-based” simultaneously. Most federal agencies are not Optimal on any pillar today, and that is the correct answer.
Why the Self-Assessment Matters in Fiscal Year 2026
Four developments make a defensible score load-bearing right now.
The M-22-09 deadlines have passed. The end-of-fiscal-year-2024 due dates for centralized identity, encrypted Domain Name System (DNS) and Hypertext Transfer Protocol Secure (HTTPS) traffic, Endpoint Detection and Response (EDR) deployment, and application inventory closed September 30, 2024. The audience after the deadline is different. The program manager wrote the strategy. The Inspector General writes the finding.
The fiscal year 2026 budget cycle is using zero trust maturity as a justification anchor. The President’s request includes approximately $11.7 billion for civilian cybersecurity and $9.1 billion for Defense cybersecurity, with zero trust as a named priority. Treasury’s Cybersecurity Enhancement Account increased from $36.5 million in fiscal year 2025 to $99 million in fiscal year 2026, explicitly tagged for zero trust architecture. An agency that cannot defensibly state its current ZTMM stage cannot defensibly justify next year’s increment.
FISMA reporting now references CISA ZTMM. OMB Memorandum M-25-04 directs reporting against zero trust progress. Inspector General audits under FISMA increasingly map findings to ZTMM functions. An IG who finds the agency’s claimed maturity stage is unsupported by artifacts will write a finding with the function reference attached.
The Federal Risk and Authorization Management Program (FedRAMP) is integrating zero trust principles into authorization baselines and continuous monitoring expectations. An agency operating a FedRAMP High system that scores itself Advanced on Identity but issues passwords without phishing-resistant multi-factor authentication has a defensibility problem with both its IG and its authorizing official.
Identity: The Pillar Where Federal Has Moved Furthest
Identity is the pillar where the federal civilian executive branch has actually moved, where most agencies will claim their best score, and where Inspector General scrutiny is heaviest. The seven Identity functions in CISA ZTMM v2.0 are Authentication, Identity Stores, Risk Assessments, Access Management, Visibility and Analytics, Automation and Orchestration, and Governance.
| Identity Function | Initial | Advanced | Optimal | Evidence That Justifies the Claim |
|---|---|---|---|---|
| 1.1 Authentication | Multi-factor authentication, may include password as one factor | Phishing-resistant multi-factor authentication begins | Continuous validation with phishing-resistant multi-factor authentication | Conditional access export, MFA enrollment by user population, FIDO2 and PIV inventory, sign-in logs showing MFA strength |
| 1.2 Identity Stores | Mix of self-managed and hosted, minimal integration | Beginning consolidation | Integrated across all partners and environments | Identity provider inventory, application-to-IdP mapping, federation trust list |
| 1.3 Risk Assessments | Manual review, static rules | Some automated analysis, dynamic rules | Real-time, continuous, behavior-based | Identity protection policy, risk-based conditional access logs |
| 1.4 Access Management | Authorization expires with automated review | Need-based, session-based, tailored to actions | Automated just-in-time and just-enough access | Privileged Identity Management configuration, access review records, JIT activation logs |
| 1.5 Visibility and Analytics | Manual plus some automated, limited correlation | Automated across some log types | Comprehensive enterprise visibility, behavior-based analytics | SIEM ingestion list, retention policy, User and Entity Behavior Analytics rules |
| 1.6 Automation and Orchestration | Manual for privileged and external | Manual privileged, automated for non-privileged | Fully automated, integrated, behavior-driven | Provisioning workflows, joiner-mover-leaver runbook, lifecycle automation logs |
| 1.7 Governance | Defined and beginning enforcement | Implemented enterprise-wide with automation | Continuous enforcement and dynamic updates | Policy library, version control, exception register, change log |
The trap is overclaiming Advanced because phishing-resistant multi-factor authentication is in production. Advanced requires it across all identities, including non-person entities. Service accounts and workload identities are where the score collapses. The auditor will ask for an inventory of service accounts authenticated by anything other than phishing-resistant multi-factor authentication. The honest answer for most agencies is that the inventory is incomplete and the population is non-trivial. That answer scores Initial, not Advanced. Build the phishing-resistant multi-factor authentication implementation before claiming the stage.
The audit fix. Build the Identity evidence archive before any other pillar. Export conditional access policies as configuration files. Run a privileged access review against the last 90 days. Inventory all service accounts and document their authentication mechanism. Map every application to its identity provider via Security Assertion Markup Language or OpenID Connect. The single most-asked-for Identity artifact is the privileged access review record dated within the last fiscal year.
Devices, Networks, Applications, and Data: The Rubric Continues
The remaining four pillars use the same scoring discipline. Functions, not pillars. Artifacts, not assertions.
Devices
Seven functions covering Policy Enforcement, Asset and Supply Chain Risk Management, Resource Access, Device Threat Detection, Visibility and Analytics, Automation and Orchestration, and Governance. The single most-requested artifact in IG reviews is Endpoint Detection and Response coverage by operating system, expressed as a percentage of managed devices. Device inventory completeness, compliance posture telemetry, patch service-level agreement performance for critical vulnerabilities within 30 days, Software Bill of Materials artifacts, and Continuous Diagnostics and Mitigation program integration round out the evidence inventory. The trap on Devices: Advanced requires automated vulnerability remediation. Endpoint Detection and Response alone does not auto-remediate. The score is Initial until automation is in place.
Networks
Seven functions covering Network Segmentation, Traffic Management, Encryption, Resilience, Visibility and Analytics, Automation and Orchestration, and Governance. Evidence: network segmentation maps at the data center, cloud subscription, and Zero Trust Network Access broker layer; encrypted DNS deployment under M-22-09; HTTPS-only enforcement on .gov domains; network telemetry coverage by segment. The trap: a next-generation firewall is not a micro-perimeter. An agency with three trust zones (DMZ, internal, sensitive) scores Initial regardless of firewall vendor. Advanced requires ingress and egress micro-perimeters and dynamic risk-aware traffic rules.
Applications and Workloads
Eight functions covering Application Access, Threat Protections, Accessible Applications, Secure Software Development Life Cycle, Security Testing, Visibility and Analytics, Automation and Orchestration, and Governance. Evidence: secure pipeline configurations, runtime protection through Web Application Firewalls and Runtime Application Self-Protection, secrets management with rotation logs, and software composition analysis aligned to OMB Memorandum M-22-18 for software acquisitions. The trap: agencies score using their flagship modernized application as the example. The portfolio average is the score. Legacy systems on the mainframe count.
Data
Eight functions covering Inventory Management, Categorization, Availability, Access, Encryption, Visibility and Analytics, Automation and Orchestration, and Governance. This is the lowest-scoring pillar across federal, and the honest answer for most agencies is that Data sits between Traditional and Initial. Evidence: data classification scheme covering Controlled Unclassified Information and personally identifiable information categories; Data Loss Prevention coverage by environment; encryption at rest with documented key management; data lineage for sensitive flows; insider risk signals integrated into access decisions. The trap: encrypting the database covers one function of eight. Inventory, categorization, availability, access, and the three cross-cutting functions still need their own scores and their own artifacts.
The cross-cutting score is the lowest of the five pillar-level scores for that capability, not the highest. Agencies that average their Visibility and Analytics scores across pillars are inflating. Auditors do not average; they ask which pillar is the weakest and how that weakness blocks enterprise-wide visibility.
Governance: The Cross-Cutting Capability Most Self-Assessments Skip
CISA defines Governance as the enforcement of enterprise cybersecurity policies, procedures, and processes in and across pillars. A signed policy document is not Advanced Governance. Advanced is implemented enterprise-wide with automation and periodic updates. Optimal is continuous enforcement with dynamic policy updates.
The auditor will request specific Governance artifacts by pillar:
- A documented zero trust policy library under version control with assigned owners.
- A policy review cadence with quarterly or annual sign-offs.
- An exception register where every policy exception has a business justification, a compensating control, an expiration date, and a designated approver above the requester’s grade.
- Policy enforcement instrumentation where every policy is paired with a tool that enforces it and an artifact that proves enforcement. A screenshot is not an artifact. A tenant configuration export is.
- Policy automation through Infrastructure as Code, which is the structural requirement: Conditional Access policies committed to a repository, network policies as code, data lifecycle policies as code.
Continuous Access Evaluation across the access plane is an Optimal Governance expectation.
An agency with a Governance policy document signed by the CIO but no policy-as-code repository, no exception register, and no enforcement instrumentation scores Initial on Governance. The pillar-level Identity score cannot exceed the Identity Governance function score. That structural constraint is what makes the average a misleading measurement.
Producing a Defensible Score: The Artifact Archive
The artifact archive is the difference between a score that survives an Inspector General review and one that gets re-scored downward by the IG. A defensible archive structures evidence by function, not by pillar.
- Build a directory structure with one folder per function inside each pillar (1.1, 1.2 through 1.7; 2.1 through 2.7; 3.1 through 3.7; 4.1 through 4.8; 5.1 through 5.8).
- For each function, store the configuration export, telemetry sample, policy document, or log extract that justifies the claimed stage.
- Date every artifact. Inspectors discount artifacts older than the last fiscal year unless the control is annual by design.
- Write a one-page scoring narrative per function: claimed stage, evidence pointer, identified gap, planned remediation.
- Build an executive summary with pillar-by-pillar stages, the top five gaps, and the fiscal year 2026 funding rationale.
- Create a function-by-function cross-walk to FISMA metrics and recent IG findings.
- Have a peer reviewer at a sister agency or a contracted assessor stress-test the score before the IG sees it.
Three habits make a self-assessment defensible. Score every function, not every pillar. If an artifact for a function does not exist, the function score is Traditional. No exceptions. Date every artifact and discount stale ones. Have a peer review the score before the IG does. The first time someone challenges a score should not be in an entrance conference. The deeper architectural choices are covered in the federal implementation roadmap for CISA’s Zero Trust Maturity Model.
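The scoring rules above, as an added worked example that is not part of the original article: a function scores only as high as a current artifact supports (no artifact, or a stale one, is Traditional), a pillar is no better than its weakest function, and each cross-cutting capability takes the lowest of its per-pillar function scores rather than the average. The assessment date, the two-pillar sample claims, and the reading of "within the last fiscal year" as the current or immediately preceding federal fiscal year are my assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

STAGES = ["Traditional", "Initial", "Advanced", "Optimal"]
CROSS_CUTTING = ("Visibility and Analytics", "Automation and Orchestration", "Governance")

@dataclass
class Artifact:
    description: str
    dated: date
    annual_by_design: bool = False  # an annual control's artifact is not discounted for age

@dataclass
class FunctionClaim:
    func_id: str                    # CISA function number, e.g. "1.7"
    name: str
    claimed: str                    # stage the program office asserts
    artifact: Optional[Artifact] = None

def fiscal_year(d: date) -> int:
    """US federal FY starts 1 Oct and is named for the calendar year in which it ends."""
    return d.year + 1 if d.month >= 10 else d.year

def artifact_is_current(a: Artifact, as_of: date) -> bool:
    """Assumption: 'within the last fiscal year' means the current FY or the one before it."""
    return a.annual_by_design or fiscal_year(a.dated) >= fiscal_year(as_of) - 1

def score_function(claim: FunctionClaim, as_of: date) -> str:
    """The claimed stage stands only if a current artifact backs it; otherwise Traditional."""
    if claim.claimed not in STAGES:
        raise ValueError(f"unknown stage {claim.claimed!r} on function {claim.func_id}")
    if claim.artifact is None or not artifact_is_current(claim.artifact, as_of):
        return "Traditional"
    return claim.claimed

def pillar_stage(claims, as_of: date) -> str:
    """A pillar is no better than its weakest function, so never above its Governance score."""
    return min((score_function(c, as_of) for c in claims), key=STAGES.index)

def cross_cutting_stages(pillars: dict, as_of: date) -> dict:
    """Each capability is the minimum of its per-pillar function scores, never the average."""
    return {cap: min((score_function(c, as_of) for claims in pillars.values()
                      for c in claims if c.name == cap), key=STAGES.index)
            for cap in CROSS_CUTTING}

AS_OF = date(2026, 4, 15)  # assumed assessment date: FY2026, so anything before 1 Oct 2024 is stale
SAMPLE = {"Identity": [  # constructed two-pillar excerpt; a real archive covers all five pillars
    FunctionClaim("1.4", "Access Management", "Advanced",
                  Artifact("Privileged access review record", date(2024, 6, 30))),  # stale
    FunctionClaim("1.5", "Visibility and Analytics", "Advanced",
                  Artifact("SIEM ingestion list", date(2025, 11, 3))),
    FunctionClaim("1.6", "Automation and Orchestration", "Initial",
                  Artifact("Joiner-mover-leaver runbook", date(2025, 9, 20))),
    FunctionClaim("1.7", "Governance", "Advanced"),  # policy signed by the CIO, no artifact
], "Devices": [
    FunctionClaim("2.5", "Visibility and Analytics", "Initial",
                  Artifact("EDR coverage by operating system", date(2026, 2, 1))),
    FunctionClaim("2.6", "Automation and Orchestration", "Advanced",
                  Artifact("Vulnerability auto-remediation job logs", date(2026, 3, 9))),
    FunctionClaim("2.7", "Governance", "Initial",
                  Artifact("Device policy repository export", date(2025, 12, 10))),
]}
```

On this sample, Identity scores Traditional (its Governance function has no artifact and its access review is stale), Devices scores Initial, and cross-cutting Governance is Traditional, the lowest of the two pillars.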
Common Scoring Pitfalls
Five pitfalls account for most overclaimed scores in federal self-assessments.
Overclaiming Optimal. Optimal requires continuous, automated, behavior-based, and dynamic operation simultaneously. Almost no federal agency is Optimal on any pillar today. Claiming Optimal on Identity because phishing-resistant multi-factor authentication is enforced ignores the requirement for continuous validation with risk-based access decisions across all identities including service accounts.
Ignoring cross-cutting capabilities. A self-assessment with five pillar scores and no Visibility, Automation, or Governance scores is incomplete. The cross-cutting scores often pull the maturity narrative down. That is the point. Hiding them does not raise the actual maturity.
Mixing tools with maturity. Owning Microsoft Sentinel, CrowdStrike, Zscaler, or Palo Alto Prisma does not produce a maturity stage. Configuring them, integrating them with policy, and operationalizing them with playbooks does. Tool inventory does not equal maturity. A Security Orchestration, Automation, and Response platform with no playbooks in production scores Traditional with a procurement, not Initial.
Citing vendor scorecards as the agency’s score. A Microsoft, Zscaler, Palo Alto, or Okta self-assessment tool is a useful reference for implementation. It is not the agency’s score against CISA ZTMM. The score must be against CISA’s published model, produced by the agency, signed by the Chief Information Officer.
Conflating NIST Special Publication 800-207 with CISA ZTMM. NIST SP 800-207 defines what zero trust architecture is. CISA ZTMM v2.0 measures federal agency progress toward it. Both are authoritative. They are not interchangeable.
The auditor will not ask whether the agency has zero trust. The auditor will ask which stage the agency is in, which function the score is anchored to, and where the evidence lives. A defensible self-assessment scores at the function level, dates every artifact, and accepts the lowest cross-cutting capability as the honest answer. Run the score the way the IG will read it, and the FISMA finding becomes a budget request.
Frequently Asked Questions
What is a zero trust maturity self-assessment under CISA ZTMM?
A zero trust maturity self-assessment is a federal agency’s documented score against CISA Zero Trust Maturity Model v2.0, structured by function rather than pillar. The agency assigns each function a stage of Traditional, Initial, Advanced, or Optimal, and attaches an evidence artifact to each claim. The output is an Inspector General-defensible package showing stage, function, evidence, and identified gaps.
Is CISA ZTMM v2.0 still the current version?
Yes. Version 2.0 was published April 11, 2023, and remains the current published version as of April 2026. No version 3.0 has been released. Agencies should score against v2.0 and document the version in the scoring narrative.
How many functions are in the CISA ZTMM v2.0 model?
Approximately 37 functions across the five pillars. Identity has seven, Devices has seven, Networks has seven, Applications and Workloads has eight, and Data has eight. Each function has its own four-stage maturity description, producing roughly 150 stage descriptions total.
Does scoring at the pillar level satisfy a FISMA Inspector General review?
No. Pillar-level scoring averages function-level claims and obscures weak functions that drive the cross-cutting capability scores. Inspectors General now map findings to specific functions, and a pillar score without function-level evidence is the structural pattern the IG flags.
What is the difference between OMB M-22-09 action completion and ZTMM maturity stage?
OMB M-22-09 action completion measures whether an agency has executed specific tasks like deploying centralized identity, encrypting DNS traffic, or rolling out Endpoint Detection and Response. ZTMM maturity stage measures the operational maturity of the resulting capability. Federal CIO Clare Martorana’s fall 2024 figure of 81 percent to 87 percent action completion is not a ZTMM stage claim. The two measurements are not interchangeable.
Can a vendor maturity assessment substitute for a CISA ZTMM self-assessment?
No. Vendor maturity assessments from Microsoft, Zscaler, Palo Alto, Okta, or others are useful as implementation references for the technology stack the agency operates. They are not authoritative for scoring against CISA’s model. The agency’s score must be produced by the agency, anchored to CISA’s published criteria, and signed by the Chief Information Officer.
How does Governance fit into the ZTMM scoring?
Governance is one of three cross-cutting capabilities that appear as a function inside each pillar. The honest cross-cutting Governance score is the lowest of the five pillar-level Governance function scores. A signed policy document scores Initial; Advanced requires enterprise-wide implementation with automation; Optimal requires continuous enforcement with dynamic policy updates and policy-as-code.
When should an agency engage a third-party assessor for the score?
Engage a peer reviewer or contracted assessor before the Inspector General sees the score, not after. The first time someone challenges a function-level claim should be during a peer review, not during an entrance conference. The cost of an external pre-review is a fraction of the cost of an IG finding that re-scores the agency downward.