Zero Trust Maturity Assessor
Evaluate zero-trust architecture maturity using CISA ZTMM with identity verification, device trust, micro-segmentation, and continuous monitoring.
Best use case
Zero Trust Maturity Assessor is best used when you need a repeatable AI agent workflow instead of a one-off prompt.
Evaluate zero-trust architecture maturity using CISA ZTMM with identity verification, device trust, micro-segmentation, and continuous monitoring.
Teams using Zero Trust Maturity Assessor should expect a more consistent output, faster repeated execution, less prompt rewriting.
When to use this skill
- You want a reusable workflow that can be run more than once with consistent structure.
When not to use this skill
- You only need a quick one-off answer and do not need a reusable workflow.
- You cannot install or maintain the underlying files, dependencies, or repository context.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it in
.claude/skills/security-zerotrust-assessor/SKILL.mdinside your project - Restart your AI agent — it will auto-discover the skill
How Zero Trust Maturity Assessor Compares
| Feature / Agent | Zero Trust Maturity Assessor | Standard Approach |
|---|---|---|
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |
Frequently Asked Questions
What does this skill do?
Evaluate zero-trust architecture maturity using CISA ZTMM with identity verification, device trust, micro-segmentation, and continuous monitoring.
Where can I find the source code?
You can find the source code on GitHub using the link provided at the top of the page.
SKILL.md Source
## Purpose & When-To-Use
**Trigger conditions:**
- Zero-trust architecture maturity assessment
- CISA ZTMM compliance requirement
- Zero-trust migration planning
- Security architecture modernization initiative
- Third-party zero-trust readiness questionnaire
**Not for:**
- Zero-trust implementation (provides assessment only)
- Real-time access policy enforcement (use zero-trust products)
- Traditional perimeter security assessment (use security-network-validator)
- Application security (use security-appsec-validator)
---
## Pre-Checks
**Time normalization:**
- Compute `NOW_ET` using NIST/time.gov semantics (America/New_York, ISO-8601): 2025-10-26T01:33:55-04:00
- Use `NOW_ET` for all citation access dates
**Input validation:**
- `organization_identifier` must be non-empty string
- `ztmm_pillars` must be subset of: [identity, device, network, application, data]
- `target_maturity` must be one of: [initial, advanced, optimal] or omitted
**Source freshness:**
- CISA Zero Trust Maturity Model (accessed 2025-10-26T01:33:55-04:00): https://www.cisa.gov/zero-trust-maturity-model
- NIST SP 800-207 Zero Trust Architecture (accessed 2025-10-26T01:33:55-04:00): https://csrc.nist.gov/publications/detail/sp/800-207/final
---
## Procedure
### Step 1: CISA ZTMM Pillar Assessment
**Identity Pillar (CISA ZTMM 2.0, accessed 2025-10-26T01:33:55-04:00):**
- **Traditional:** Basic directory service, passwords
- **Initial:** Centralized identity management, some MFA
- **Advanced:** Enterprise-wide SSO, MFA everywhere, risk-based auth
- **Optimal:** Continuous authentication, behavior analytics, FIDO2
**Device Pillar:**
- **Traditional:** Manual device tracking
- **Initial:** Device inventory exists, basic compliance
- **Advanced:** Automated compliance checking, device health attestation
- **Optimal:** Real-time device risk scoring, zero-touch provisioning
**Network Pillar:**
- **Traditional:** Perimeter-based security, VLANs
- **Initial:** Some micro-segmentation, encrypted traffic
- **Advanced:** Comprehensive micro-segmentation, application-layer routing
- **Optimal:** Dynamic micro-perimeters, software-defined perimeter (SDP)
**Application Pillar:**
- **Traditional:** Network-based access control
- **Initial:** Application-aware proxies, some authorization
- **Advanced:** Fine-grained authorization, API gateways
- **Optimal:** Continuous authorization, context-aware access
**Data Pillar:**
- **Traditional:** File-system permissions
- **Initial:** Data classification, basic encryption
- **Advanced:** Data-centric security, DLP, rights management
- **Optimal:** Data-level access control, automated data tagging
### Step 2: Maturity Gaps and Roadmap
For each pillar:
1. Identify current maturity level
2. Calculate gap to target maturity (if specified)
3. Prioritize initiatives by impact and effort
4. Generate phased roadmap (90-day, 180-day, 1-year milestones)
**Token budgets:**
- **T1:** ≤2k tokens (current maturity assessment only)
- **T2:** ≤6k tokens (full maturity assessment with roadmap and initiatives)
- **T3:** Not applicable for this skill (use security-auditor agent for comprehensive assessments)
---
## Decision Rules
**Ambiguity thresholds:**
- If pillar data incomplete → assess based on available information and flag gaps
- If technology stack unclear → request architecture documentation
**Abort conditions:**
- No organization identifier → cannot proceed
- Zero pillars selected → default to all 5 pillars
**Maturity scoring:**
- Assign lowest maturity level if any critical gap exists
- Partial compliance = lower maturity level (no partial credit)
---
## Output Contract
**Required fields:**
```json
{
"organization_identifier": "string",
"ztmm_pillars": ["identity", "device", "network", "application", "data"],
"target_maturity": "initial|advanced|optimal or null",
"timestamp": "ISO-8601 with timezone",
"maturity_assessment": {
"identity": {
"current_level": "traditional|initial|advanced|optimal",
"target_level": "initial|advanced|optimal or null",
"gaps": ["list of capability gaps"],
"initiatives": ["prioritized initiatives to progress"]
},
"device": { "..." },
"network": { "..." },
"application": { "..." },
"data": { "..." }
},
"overall_maturity": "traditional|initial|advanced|optimal",
"roadmap": {
"90_day_milestones": ["list of quick wins"],
"180_day_milestones": ["list of medium-term initiatives"],
"1_year_milestones": ["list of strategic initiatives"]
},
"cisa_ztmm_alignment": {
"version": "CISA ZTMM 2.0",
"compliant_pillars": ["list"],
"non_compliant_pillars": ["list"]
}
}
```
---
## Examples
**Example: Identity Pillar Assessment**
```yaml
# Input
organization_identifier: "enterprise-corp"
ztmm_pillars: ["identity"]
target_maturity: "advanced"
# Output (abbreviated)
{
"organization_identifier": "enterprise-corp",
"maturity_assessment": {
"identity": {
"current_level": "initial",
"target_level": "advanced",
"gaps": [
"MFA not enforced organization-wide",
"No risk-based authentication"
],
"initiatives": [
"Deploy enterprise-wide SSO",
"Enable MFA on all accounts",
"Implement risk-based authentication"
]
}
},
"overall_maturity": "initial",
"roadmap": {
"90_day_milestones": ["Enable MFA for privileged accounts"],
"180_day_milestones": ["Deploy SSO across applications"]
}
}
```
---
## Quality Gates
**Token budgets:**
- T1 ≤2k tokens (current maturity assessment only)
- T2 ≤6k tokens (full maturity assessment with roadmap)
**Safety:**
- No organizational details in public examples
- No technology vendor lock-in in recommendations
**Auditability:**
- Assessments cite CISA ZTMM and NIST SP 800-207
- Maturity levels align with CISA definitions
**Determinism:**
- Same capabilities + inputs = consistent maturity level
---
## Resources
**Zero Trust Standards:**
- CISA Zero Trust Maturity Model v2.0: https://www.cisa.gov/zero-trust-maturity-model (accessed 2025-10-26T01:33:55-04:00)
- NIST SP 800-207 (Zero Trust Architecture): https://csrc.nist.gov/publications/detail/sp/800-207/final (accessed 2025-10-26T01:33:55-04:00)
**Zero Trust Implementation:**
- Google BeyondCorp: https://cloud.google.com/beyondcorp (accessed 2025-10-26T01:33:55-04:00)
- Microsoft Zero Trust: https://www.microsoft.com/en-us/security/business/zero-trust (accessed 2025-10-26T01:33:55-04:00)
**Policy and Guidance:**
- OMB M-22-09 (Federal Zero Trust Strategy): https://www.whitehouse.gov/omb/briefing-room/2022/01/26/m-22-09-federal-zero-trust-strategy/ (accessed 2025-10-26T01:33:55-04:00)Related Skills
Zero Trust Architecture Designer
Design zero-trust architectures with identity-centric security, micro-segmentation, continuous verification, and CISA ZTMM maturity assessment.
UX Wireframe Designer
Design user experience wireframes, user flows, and interactive mockups for web and mobile applications using industry-standard notation
TypeScript Tooling Specialist
Generate TypeScript/JavaScript project scaffolding with npm/pnpm/yarn, Jest/Vitest, ESLint/Prettier, and bundling (Vite/Rollup/esbuild).
Python Tooling Specialist
Generate Python project scaffolding with Poetry/pipenv, pytest configuration, type hints (mypy), linting (ruff/black), and packaging (setuptools/flit).
Java Tooling Specialist
Generate Java project scaffolding with Maven/Gradle, JUnit 5, Mockito, Checkstyle/SpotBugs, and packaging (JAR/WAR/native-image).
C# .NET Tooling Specialist
Generate C# .NET project scaffolding with dotnet CLI, xUnit/NUnit, StyleCop analyzers, and packaging (NuGet/Docker).
Unit Testing Framework Generator
Generate unit test scaffolding and test suites for Jest, PyTest, Go testing, JUnit, RSpec with mocking, assertions, and coverage configuration
Testing Strategy Composer
Compose comprehensive testing strategies spanning unit, integration, e2e, and performance tests with optimal coverage.
Load Testing Scenario Designer
Design load testing scenarios using k6, JMeter, Gatling, or Locust with ramp-up patterns, think time modeling, and performance SLI validation.
Integration Testing Designer
Design integration test scenarios with database fixtures, external service mocks, contract testing, and test environment setup for microservices and APIs.
Chaos Engineering Experiment Designer
Design chaos engineering experiments to test system resilience with controlled failure injection, hypothesis formulation, and blast radius control.
Terraform Module Best Practices
Design reusable Terraform modules with variable validation, output schemas, module composition, and testing (Terratest).