Zero Trust Maturity Assessor

Evaluate zero-trust architecture maturity using CISA ZTMM with identity verification, device trust, micro-segmentation, and continuous monitoring.

Best use case

Zero Trust Maturity Assessor is best used when you need a repeatable AI agent workflow instead of a one-off prompt.

Evaluate zero-trust architecture maturity using CISA ZTMM with identity verification, device trust, micro-segmentation, and continuous monitoring.

Teams using Zero Trust Maturity Assessor should expect a more consistent output, faster repeated execution, less prompt rewriting.

When to use this skill

  • You want a reusable workflow that can be run more than once with consistent structure.

When not to use this skill

  • You only need a quick one-off answer and do not need a reusable workflow.
  • You cannot install or maintain the underlying files, dependencies, or repository context.

Installation

Claude Code / Cursor / Codex

$curl -o ~/.claude/skills/security-zerotrust-assessor/SKILL.md --create-dirs "https://raw.githubusercontent.com/williamzujkowski/cognitive-toolworks/main/skills/security-zerotrust-assessor/SKILL.md"

Manual Installation

  1. Download SKILL.md from GitHub
  2. Place it in .claude/skills/security-zerotrust-assessor/SKILL.md inside your project
  3. Restart your AI agent — it will auto-discover the skill

How Zero Trust Maturity Assessor Compares

Feature / AgentZero Trust Maturity AssessorStandard Approach
Platform SupportNot specifiedLimited / Varies
Context Awareness High Baseline
Installation ComplexityUnknownN/A

Frequently Asked Questions

What does this skill do?

Evaluate zero-trust architecture maturity using CISA ZTMM with identity verification, device trust, micro-segmentation, and continuous monitoring.

Where can I find the source code?

You can find the source code on GitHub using the link provided at the top of the page.

SKILL.md Source

## Purpose & When-To-Use

**Trigger conditions:**
- Zero-trust architecture maturity assessment
- CISA ZTMM compliance requirement
- Zero-trust migration planning
- Security architecture modernization initiative
- Third-party zero-trust readiness questionnaire

**Not for:**
- Zero-trust implementation (provides assessment only)
- Real-time access policy enforcement (use zero-trust products)
- Traditional perimeter security assessment (use security-network-validator)
- Application security (use security-appsec-validator)

---

## Pre-Checks

**Time normalization:**
- Compute `NOW_ET` using NIST/time.gov semantics (America/New_York, ISO-8601): 2025-10-26T01:33:55-04:00
- Use `NOW_ET` for all citation access dates

**Input validation:**
- `organization_identifier` must be non-empty string
- `ztmm_pillars` must be subset of: [identity, device, network, application, data]
- `target_maturity` must be one of: [initial, advanced, optimal] or omitted

**Source freshness:**
- CISA Zero Trust Maturity Model (accessed 2025-10-26T01:33:55-04:00): https://www.cisa.gov/zero-trust-maturity-model
- NIST SP 800-207 Zero Trust Architecture (accessed 2025-10-26T01:33:55-04:00): https://csrc.nist.gov/publications/detail/sp/800-207/final

---

## Procedure

### Step 1: CISA ZTMM Pillar Assessment

**Identity Pillar (CISA ZTMM 2.0, accessed 2025-10-26T01:33:55-04:00):**
- **Traditional:** Basic directory service, passwords
- **Initial:** Centralized identity management, some MFA
- **Advanced:** Enterprise-wide SSO, MFA everywhere, risk-based auth
- **Optimal:** Continuous authentication, behavior analytics, FIDO2

**Device Pillar:**
- **Traditional:** Manual device tracking
- **Initial:** Device inventory exists, basic compliance
- **Advanced:** Automated compliance checking, device health attestation
- **Optimal:** Real-time device risk scoring, zero-touch provisioning

**Network Pillar:**
- **Traditional:** Perimeter-based security, VLANs
- **Initial:** Some micro-segmentation, encrypted traffic
- **Advanced:** Comprehensive micro-segmentation, application-layer routing
- **Optimal:** Dynamic micro-perimeters, software-defined perimeter (SDP)

**Application Pillar:**
- **Traditional:** Network-based access control
- **Initial:** Application-aware proxies, some authorization
- **Advanced:** Fine-grained authorization, API gateways
- **Optimal:** Continuous authorization, context-aware access

**Data Pillar:**
- **Traditional:** File-system permissions
- **Initial:** Data classification, basic encryption
- **Advanced:** Data-centric security, DLP, rights management
- **Optimal:** Data-level access control, automated data tagging

### Step 2: Maturity Gaps and Roadmap

For each pillar:
1. Identify current maturity level
2. Calculate gap to target maturity (if specified)
3. Prioritize initiatives by impact and effort
4. Generate phased roadmap (90-day, 180-day, 1-year milestones)

**Token budgets:**
- **T1:** ≤2k tokens (current maturity assessment only)
- **T2:** ≤6k tokens (full maturity assessment with roadmap and initiatives)
- **T3:** Not applicable for this skill (use security-auditor agent for comprehensive assessments)

---

## Decision Rules

**Ambiguity thresholds:**
- If pillar data incomplete → assess based on available information and flag gaps
- If technology stack unclear → request architecture documentation

**Abort conditions:**
- No organization identifier → cannot proceed
- Zero pillars selected → default to all 5 pillars

**Maturity scoring:**
- Assign lowest maturity level if any critical gap exists
- Partial compliance = lower maturity level (no partial credit)

---

## Output Contract

**Required fields:**
```json
{
  "organization_identifier": "string",
  "ztmm_pillars": ["identity", "device", "network", "application", "data"],
  "target_maturity": "initial|advanced|optimal or null",
  "timestamp": "ISO-8601 with timezone",
  "maturity_assessment": {
    "identity": {
      "current_level": "traditional|initial|advanced|optimal",
      "target_level": "initial|advanced|optimal or null",
      "gaps": ["list of capability gaps"],
      "initiatives": ["prioritized initiatives to progress"]
    },
    "device": { "..." },
    "network": { "..." },
    "application": { "..." },
    "data": { "..." }
  },
  "overall_maturity": "traditional|initial|advanced|optimal",
  "roadmap": {
    "90_day_milestones": ["list of quick wins"],
    "180_day_milestones": ["list of medium-term initiatives"],
    "1_year_milestones": ["list of strategic initiatives"]
  },
  "cisa_ztmm_alignment": {
    "version": "CISA ZTMM 2.0",
    "compliant_pillars": ["list"],
    "non_compliant_pillars": ["list"]
  }
}
```

---

## Examples

**Example: Identity Pillar Assessment**

```yaml
# Input
organization_identifier: "enterprise-corp"
ztmm_pillars: ["identity"]
target_maturity: "advanced"

# Output (abbreviated)
{
  "organization_identifier": "enterprise-corp",
  "maturity_assessment": {
    "identity": {
      "current_level": "initial",
      "target_level": "advanced",
      "gaps": [
        "MFA not enforced organization-wide",
        "No risk-based authentication"
      ],
      "initiatives": [
        "Deploy enterprise-wide SSO",
        "Enable MFA on all accounts",
        "Implement risk-based authentication"
      ]
    }
  },
  "overall_maturity": "initial",
  "roadmap": {
    "90_day_milestones": ["Enable MFA for privileged accounts"],
    "180_day_milestones": ["Deploy SSO across applications"]
  }
}
```

---

## Quality Gates

**Token budgets:**
- T1 ≤2k tokens (current maturity assessment only)
- T2 ≤6k tokens (full maturity assessment with roadmap)

**Safety:**
- No organizational details in public examples
- No technology vendor lock-in in recommendations

**Auditability:**
- Assessments cite CISA ZTMM and NIST SP 800-207
- Maturity levels align with CISA definitions

**Determinism:**
- Same capabilities + inputs = consistent maturity level

---

## Resources

**Zero Trust Standards:**
- CISA Zero Trust Maturity Model v2.0: https://www.cisa.gov/zero-trust-maturity-model (accessed 2025-10-26T01:33:55-04:00)
- NIST SP 800-207 (Zero Trust Architecture): https://csrc.nist.gov/publications/detail/sp/800-207/final (accessed 2025-10-26T01:33:55-04:00)

**Zero Trust Implementation:**
- Google BeyondCorp: https://cloud.google.com/beyondcorp (accessed 2025-10-26T01:33:55-04:00)
- Microsoft Zero Trust: https://www.microsoft.com/en-us/security/business/zero-trust (accessed 2025-10-26T01:33:55-04:00)

**Policy and Guidance:**
- OMB M-22-09 (Federal Zero Trust Strategy): https://www.whitehouse.gov/omb/briefing-room/2022/01/26/m-22-09-federal-zero-trust-strategy/ (accessed 2025-10-26T01:33:55-04:00)

Related Skills

Zero Trust Architecture Designer

5
from williamzujkowski/cognitive-toolworks

Design zero-trust architectures with identity-centric security, micro-segmentation, continuous verification, and CISA ZTMM maturity assessment.

UX Wireframe Designer

5
from williamzujkowski/cognitive-toolworks

Design user experience wireframes, user flows, and interactive mockups for web and mobile applications using industry-standard notation

TypeScript Tooling Specialist

5
from williamzujkowski/cognitive-toolworks

Generate TypeScript/JavaScript project scaffolding with npm/pnpm/yarn, Jest/Vitest, ESLint/Prettier, and bundling (Vite/Rollup/esbuild).

Python Tooling Specialist

5
from williamzujkowski/cognitive-toolworks

Generate Python project scaffolding with Poetry/pipenv, pytest configuration, type hints (mypy), linting (ruff/black), and packaging (setuptools/flit).

Java Tooling Specialist

5
from williamzujkowski/cognitive-toolworks

Generate Java project scaffolding with Maven/Gradle, JUnit 5, Mockito, Checkstyle/SpotBugs, and packaging (JAR/WAR/native-image).

C# .NET Tooling Specialist

5
from williamzujkowski/cognitive-toolworks

Generate C# .NET project scaffolding with dotnet CLI, xUnit/NUnit, StyleCop analyzers, and packaging (NuGet/Docker).

Unit Testing Framework Generator

5
from williamzujkowski/cognitive-toolworks

Generate unit test scaffolding and test suites for Jest, PyTest, Go testing, JUnit, RSpec with mocking, assertions, and coverage configuration

Testing Strategy Composer

5
from williamzujkowski/cognitive-toolworks

Compose comprehensive testing strategies spanning unit, integration, e2e, and performance tests with optimal coverage.

Load Testing Scenario Designer

5
from williamzujkowski/cognitive-toolworks

Design load testing scenarios using k6, JMeter, Gatling, or Locust with ramp-up patterns, think time modeling, and performance SLI validation.

Integration Testing Designer

5
from williamzujkowski/cognitive-toolworks

Design integration test scenarios with database fixtures, external service mocks, contract testing, and test environment setup for microservices and APIs.

Chaos Engineering Experiment Designer

5
from williamzujkowski/cognitive-toolworks

Design chaos engineering experiments to test system resilience with controlled failure injection, hypothesis formulation, and blast radius control.

Terraform Module Best Practices

5
from williamzujkowski/cognitive-toolworks

Design reusable Terraform modules with variable validation, output schemas, module composition, and testing (Terratest).