implementing-cisa-zero-trust-maturity-model
Implement the CISA Zero Trust Maturity Model v2.0 across the five pillars of identity, devices, networks, applications, and data to achieve progressive organizational zero trust maturity.
Best use case
implementing-cisa-zero-trust-maturity-model is best used when you need a repeatable AI agent workflow instead of a one-off prompt.
Implement the CISA Zero Trust Maturity Model v2.0 across the five pillars of identity, devices, networks, applications, and data to achieve progressive organizational zero trust maturity.
Teams using implementing-cisa-zero-trust-maturity-model should expect a more consistent output, faster repeated execution, less prompt rewriting.
When to use this skill
- You want a reusable workflow that can be run more than once with consistent structure.
When not to use this skill
- You only need a quick one-off answer and do not need a reusable workflow.
- You cannot install or maintain the underlying files, dependencies, or repository context.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it in
.claude/skills/implementing-cisa-zero-trust-maturity-model/SKILL.mdinside your project - Restart your AI agent — it will auto-discover the skill
How implementing-cisa-zero-trust-maturity-model Compares
| Feature / Agent | implementing-cisa-zero-trust-maturity-model | Standard Approach |
|---|---|---|
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |
Frequently Asked Questions
What does this skill do?
Implement the CISA Zero Trust Maturity Model v2.0 across the five pillars of identity, devices, networks, applications, and data to achieve progressive organizational zero trust maturity.
Where can I find the source code?
You can find the source code on GitHub using the link provided at the top of the page.
Related Guides
AI Agents for Coding
Browse AI agent skills for coding, debugging, testing, refactoring, code review, and developer workflows across Claude, Cursor, and Codex.
Cursor vs Codex for AI Workflows
Compare Cursor and Codex for AI coding workflows, repository assistance, debugging, refactoring, and reusable developer skills.
AI Agents for Marketing
Discover AI agents for marketing workflows, from SEO and content production to campaign research, outreach, and analytics.
SKILL.md Source
# Implementing CISA Zero Trust Maturity Model
## Overview
The CISA Zero Trust Maturity Model (ZTMM) Version 2.0, released in April 2023, provides federal agencies and organizations with a structured roadmap for adopting zero trust architecture. The model defines five core pillars -- Identity, Devices, Networks, Applications & Workloads, and Data -- each progressing through four maturity stages: Traditional, Initial, Advanced, and Optimal. Three cross-cutting capabilities (Visibility and Analytics, Automation and Orchestration, and Governance) span all pillars. This skill covers assessment, gap analysis, and progressive implementation across all pillars and maturity levels.
## When to Use
- When deploying or configuring implementing cisa zero trust maturity model capabilities in your environment
- When establishing security controls aligned to compliance requirements
- When building or improving security architecture for this domain
- When conducting security assessments that require this implementation
## Prerequisites
- Familiarity with NIST SP 800-207 Zero Trust Architecture
- Understanding of federal cybersecurity mandates (EO 14028, OMB M-22-09)
- Access to organizational IT asset inventory and network architecture documentation
- Knowledge of identity and access management (IAM) fundamentals
- Understanding of network segmentation and microsegmentation concepts
## CISA ZTMM Five Pillars
### Pillar 1: Identity
Identity refers to attributes that uniquely describe an agency user or entity, including non-person entities (NPEs) such as service accounts and machine identities.
**Traditional Stage:**
- Password-based authentication
- Limited identity validation
- Manual provisioning and deprovisioning
**Initial Stage:**
- MFA deployed for privileged users
- Identity governance initiated
- Basic identity lifecycle management
**Advanced Stage:**
- Phishing-resistant MFA for all users (FIDO2/WebAuthn)
- Continuous identity validation
- Automated provisioning tied to HR systems
- Identity threat detection and response (ITDR)
**Optimal Stage:**
- Continuous, real-time identity verification
- Passwordless authentication across all systems
- AI-driven anomaly detection for identity behaviors
- Full integration of identity signals into access decisions
### Pillar 2: Devices
Devices include any hardware, software, or firmware asset that connects to a network -- servers, laptops, mobile phones, IoT devices, and network equipment.
**Traditional Stage:**
- Limited device inventory
- Basic endpoint protection (antivirus)
- No device compliance checks
**Initial Stage:**
- Comprehensive device inventory
- Endpoint Detection and Response (EDR) deployment
- Basic device health checks before network access
**Advanced Stage:**
- Real-time device posture assessment
- Automated compliance enforcement
- Device certificates for machine identity
- Vulnerability scanning integrated into access decisions
**Optimal Stage:**
- Continuous device trust scoring
- Automated remediation of non-compliant devices
- Full device lifecycle management integrated with zero trust policies
- Firmware integrity verification
### Pillar 3: Networks
Networks encompass all communications media including internal networks, wireless, and the internet.
**Traditional Stage:**
- Perimeter-based security (firewalls, VPNs)
- Flat internal networks
- Minimal east-west traffic inspection
**Initial Stage:**
- Initial network segmentation
- Encrypted DNS and internal traffic
- Basic network monitoring and logging
**Advanced Stage:**
- Microsegmentation of critical assets
- Software-defined networking (SDN) for dynamic policy enforcement
- Full TLS encryption for all internal communications
- Network Detection and Response (NDR)
**Optimal Stage:**
- Fully software-defined, policy-driven network
- Zero implicit trust zones
- AI-driven network anomaly detection
- Automated threat response integrated with network controls
### Pillar 4: Applications and Workloads
Applications and workloads include agency systems, programs, and services running on-premises, on mobile devices, and in cloud environments.
**Traditional Stage:**
- Perimeter-protected applications
- Manual vulnerability patching
- Limited application-level logging
**Initial Stage:**
- Application-level access controls
- Web Application Firewalls (WAF)
- Regular vulnerability scanning
- Application inventory established
**Advanced Stage:**
- Continuous integration of security testing (SAST/DAST)
- Application-aware microsegmentation
- API security gateways
- Immutable infrastructure patterns
**Optimal Stage:**
- Runtime application self-protection (RASP)
- Automated application security orchestration
- Full DevSecOps pipeline integration
- Zero-standing privileges for application access
### Pillar 5: Data
Data encompasses all structured and unstructured information, at rest, in transit, and in use.
**Traditional Stage:**
- Basic encryption for data at rest
- Limited data classification
- No data loss prevention
**Initial Stage:**
- Data classification scheme implemented
- DLP policies for sensitive data
- Encryption for data in transit (TLS 1.2+)
- Basic data inventory
**Advanced Stage:**
- Automated data classification
- Fine-grained data access controls
- Data activity monitoring
- Rights management for sensitive documents
**Optimal Stage:**
- Real-time data flow analytics
- AI-driven data classification and protection
- Automated response to data exfiltration attempts
- Full data lifecycle governance with zero trust principles
## Cross-Cutting Capabilities
### Visibility and Analytics
```
Maturity Progression:
Traditional -> Manual log review, limited SIEM
Initial -> Centralized logging, basic SIEM correlation
Advanced -> UEBA, automated threat detection, data lake analytics
Optimal -> AI/ML-driven continuous monitoring, predictive analytics
```
### Automation and Orchestration
```
Maturity Progression:
Traditional -> Manual incident response, ad-hoc scripts
Initial -> Basic SOAR playbooks, automated alerting
Advanced -> Integrated SOAR with multi-pillar orchestration
Optimal -> Fully autonomous response, self-healing infrastructure
```
### Governance
```
Maturity Progression:
Traditional -> Ad-hoc policies, manual compliance checks
Initial -> Documented zero trust strategy, basic policy framework
Advanced -> Policy-as-code, continuous compliance monitoring
Optimal -> Dynamic policy engine, real-time governance decisions
```
## Implementation Process
### Phase 1: Assessment and Baseline
1. **Inventory all assets** across the five pillars
2. **Map current capabilities** to ZTMM maturity stages
3. **Conduct gap analysis** between current and target states
4. **Identify quick wins** that move from Traditional to Initial stage
5. **Document dependencies** between pillars
```python
# Example: CISA ZTMM Maturity Assessment Scoring
class ZTMMAssessment:
PILLARS = ['Identity', 'Devices', 'Networks', 'Applications', 'Data']
STAGES = ['Traditional', 'Initial', 'Advanced', 'Optimal']
CROSS_CUTTING = ['Visibility_Analytics', 'Automation_Orchestration', 'Governance']
def __init__(self):
self.scores = {}
def assess_pillar(self, pillar, capabilities):
"""
Assess a pillar against ZTMM criteria.
capabilities: dict of capability_name -> maturity_stage
"""
stage_values = {stage: i for i, stage in enumerate(self.STAGES)}
scores = [stage_values.get(stage, 0) for stage in capabilities.values()]
avg_score = sum(scores) / len(scores) if scores else 0
overall_stage = self.STAGES[int(avg_score)]
self.scores[pillar] = {
'capabilities': capabilities,
'average_score': avg_score,
'overall_stage': overall_stage
}
return self.scores[pillar]
def generate_roadmap(self):
"""Generate prioritized improvement roadmap."""
roadmap = []
for pillar, data in self.scores.items():
for capability, stage in data['capabilities'].items():
stage_idx = self.STAGES.index(stage)
if stage_idx < 3: # Not yet Optimal
next_stage = self.STAGES[stage_idx + 1]
roadmap.append({
'pillar': pillar,
'capability': capability,
'current': stage,
'target': next_stage,
'priority': 3 - stage_idx # Higher priority for lower maturity
})
return sorted(roadmap, key=lambda x: x['priority'], reverse=True)
```
### Phase 2: Identity Foundation
1. Deploy phishing-resistant MFA (FIDO2/WebAuthn)
2. Implement identity governance and administration (IGA)
3. Establish continuous identity verification
4. Integrate identity providers with all applications
5. Deploy identity threat detection and response
### Phase 3: Device Trust
1. Complete asset inventory with automated discovery
2. Deploy EDR across all endpoints
3. Implement device compliance checking
4. Establish device certificate infrastructure
5. Create device trust scoring mechanism
### Phase 4: Network Transformation
1. Implement network segmentation strategy
2. Deploy microsegmentation for critical assets
3. Enable encrypted DNS (DoH/DoT)
4. Enforce TLS 1.3 for all internal communications
5. Deploy NDR capabilities
### Phase 5: Application Security
1. Implement application-level access controls
2. Deploy WAF and API security gateways
3. Integrate security testing into CI/CD pipelines
4. Establish application inventory and classification
5. Implement runtime protection
### Phase 6: Data Protection
1. Implement data classification framework
2. Deploy DLP across endpoints and network
3. Enable data activity monitoring
4. Implement rights management
5. Establish data lifecycle governance
## Compliance Mapping
| CISA ZTMM Pillar | OMB M-22-09 Requirement | NIST 800-207 Section |
|---|---|---|
| Identity | MFA for agency staff | 3.1.1 |
| Devices | EDR for federal endpoints | 3.1.2 |
| Networks | Encrypt DNS traffic | 3.1.3 |
| Applications | Application security testing | 3.1.4 |
| Data | Data categorization | 3.1.5 |
## Metrics and KPIs
- **Identity Pillar**: Percentage of users with phishing-resistant MFA
- **Device Pillar**: Percentage of devices with real-time posture assessment
- **Network Pillar**: Percentage of network segments microsegmented
- **Application Pillar**: Percentage of applications with zero trust access controls
- **Data Pillar**: Percentage of sensitive data classified and protected
- **Overall**: ZTMM stage achieved per pillar (target: Advanced minimum)
## References
- [CISA Zero Trust Maturity Model v2.0](https://www.cisa.gov/zero-trust-maturity-model)
- [CISA ZTMM v2.0 PDF](https://www.cisa.gov/sites/default/files/2023-04/zero_trust_maturity_model_v2_508.pdf)
- [NIST SP 800-207 Zero Trust Architecture](https://csrc.nist.gov/publications/detail/sp/800-207/final)
- [OMB Memorandum M-22-09](https://www.whitehouse.gov/wp-content/uploads/2022/01/M-22-09.pdf)
- [NSA Zero Trust Pillars Guidance](https://media.defense.gov/2024/Apr/09/2003434442/-1/-1/0/CSI_DATA_PILLAR_ZT.PDF)
- [Microsoft Guidance for CISA ZTMM](https://www.microsoft.com/en-us/security/blog/2024/12/19/new-microsoft-guidance-for-the-cisa-zero-trust-maturity-model/)Related Skills
performing-threat-modeling-with-owasp-threat-dragon
Use OWASP Threat Dragon to create data flow diagrams, identify threats using STRIDE and LINDDUN methodologies, and generate threat model reports for secure design review.
performing-nist-csf-maturity-assessment
The NIST Cybersecurity Framework (CSF) 2.0, released in February 2024, provides a comprehensive taxonomy for managing cybersecurity risk through six core Functions - Govern, Identify, Protect, Detect, Respond, and Recover. This skill covers conducting a maturity assessment against the CSF using Implementation Tiers to measure organizational cybersecurity posture and create improvement roadmaps.
performing-active-directory-forest-trust-attack
Enumerate and audit Active Directory forest trust relationships using impacket for SID filtering analysis, trust key extraction, cross-forest SID history abuse detection, and inter-realm Kerberos ticket assessment.
implementing-zero-trust-with-hashicorp-boundary
Implement HashiCorp Boundary for identity-aware zero trust infrastructure access management with dynamic credential brokering, session recording, and Vault integration.
implementing-zero-trust-with-beyondcorp
Deploy Google BeyondCorp Enterprise zero trust access controls using Identity-Aware Proxy (IAP), context-aware access policies, device trust validation, and Access Context Manager to enforce identity and posture-based access to GCP resources and internal applications.
implementing-zero-trust-network-access
Implementing Zero Trust Network Access (ZTNA) in cloud environments by configuring identity-aware proxies, micro-segmentation, continuous verification with conditional access policies, and replacing traditional VPN-based access with BeyondCorp-style architectures across AWS, Azure, and GCP.
implementing-zero-trust-network-access-with-zscaler
Implement Zero Trust Network Access using Zscaler Private Access (ZPA) to replace traditional VPN with identity-based, context-aware access to private applications through the Zscaler Zero Trust Exchange.
implementing-zero-trust-in-cloud
This skill guides organizations through implementing zero trust architecture in cloud environments following NIST SP 800-207 and Google BeyondCorp principles. It covers identity-centric access controls, micro-segmentation, continuous verification, device trust assessment, and deploying Identity-Aware Proxy to eliminate implicit network trust in AWS, Azure, and GCP environments.
implementing-zero-trust-for-saas-applications
Implementing zero trust access controls for SaaS applications using CASB, SSPM, conditional access policies, OAuth app governance, and session controls to enforce identity verification, device compliance, and data protection for cloud-hosted services.
implementing-zero-trust-dns-with-nextdns
Implement NextDNS as a zero trust DNS filtering layer with encrypted resolution, threat intelligence blocking, privacy protection, and organizational policy enforcement across all endpoints.
implementing-zero-standing-privilege-with-cyberark
Deploy CyberArk Secure Cloud Access to eliminate standing privileges in hybrid and multi-cloud environments using just-in-time access with time, entitlement, and approval controls.
implementing-zero-knowledge-proof-for-authentication
Zero-Knowledge Proofs (ZKPs) allow a prover to demonstrate knowledge of a secret (such as a password or private key) without revealing the secret itself. This skill implements the Schnorr identificati