CISA Zero Trust Maturity Model
CISA Zero Trust Maturity Model for federal agencies
Framework summaries on this platform are AI-assisted interpretations for educational and compliance planning purposes. They do not reproduce or replace the official standards. Refer to the authoritative source for the definitive text. Framework names and trademarks belong to their respective organisations.
Framework Domains (13)
Applications and Workloads Pillar
| Code | Title |
|---|---|
| ZTMM-APP-1 | Application Access |
| ZTMM-APP-2 | Application Threat Protection |
| ZTMM-APP-3 | Secure Application Development and Deployment |
| ZTMM-APP-4 | Application Visibility and Analytics |
CISA Zero Trust Maturity Model: Access Control & Identity
Managing access to information systems (CISA Zero Trust Maturity Model)
| Code | Title |
|---|---|
| ZTMM-ID-AO | Identity Pillar: Automation and Orchestration |
| ZTMM-ID-VA | Identity Pillar: Visibility and Analytics |
| ZTMM-STAGE-ADV | Maturity Stage: Advanced |
| ZTMM-STAGE-INIT | Maturity Stage: Initial |
| ZTMM-STAGE-OPT | Maturity Stage: Optimal |
| ZTMM-STAGE-TRAD | Maturity Stage: Traditional |
CISA Zero Trust Maturity Model: Audit & Accountability
Audit logging and accountability measures (CISA Zero Trust Maturity Model)
CISA Zero Trust Maturity Model: Configuration Management
Managing system configurations securely (CISA Zero Trust Maturity Model)
| Code | Title |
|---|---|
| ZTMM-DAT-AVAIL | Data Pillar: Data Availability |
| ZTMM-DAT-CAT | Data Pillar: Data Categorization |
CISA Zero Trust Maturity Model: Incident Response
Detecting and responding to security incidents (CISA Zero Trust Maturity Model)
| Code | Title |
|---|---|
| ZTMM-APP-GOV | Applications Pillar: Governance |
| ZTMM-APP-TEST | Applications Pillar: Application Security Testing |
| ZTMM-DAT-AO | Data Pillar: Automation and Orchestration |
| ZTMM-DAT-GOV | Data Pillar: Governance |
| ZTMM-DAT-VA | Data Pillar: Visibility and Analytics |
CISA Zero Trust Maturity Model: Risk Assessment & Management
Identifying and managing cybersecurity risks (CISA Zero Trust Maturity Model)
| Code | Title |
|---|---|
| ZTMM-APP-AO | Applications Pillar: Automation and Orchestration |
| ZTMM-APP-VA | Applications Pillar: Visibility and Analytics |
| ZTMM-NET-AO | Networks Pillar: Automation and Orchestration |
| ZTMM-NET-ENC | Networks Pillar: Traffic Encryption |
| ZTMM-NET-GOV | Networks Pillar: Governance |
CISA Zero Trust Maturity Model: System & Communications Protection
Protecting systems and communications (CISA Zero Trust Maturity Model)
| Code | Title |
|---|---|
| ZTMM-DEV-AO | Devices Pillar: Automation and Orchestration |
| ZTMM-DEV-GOV | Devices Pillar: Governance |
| ZTMM-DEV-SCRM | Devices Pillar: Asset and Supply Chain Risk Management |
| ZTMM-DEV-VA | Devices Pillar: Visibility and Analytics |
| ZTMM-ID-GOV | Identity Pillar: Governance |
| ZTMM-NET-VA | Networks Pillar: Visibility and Analytics |
Cross-Cutting Capability
| Code | Title |
|---|---|
| ZTMM-CROSS-1 | Visibility and Analytics |
| ZTMM-CROSS-2 | Automation and Orchestration |
| ZTMM-CROSS-3 | Governance for Zero Trust |
Data Pillar
| Code | Title |
|---|---|
| ZTMM-DAT-1 | Data Inventory and Classification |
| ZTMM-DAT-2 | Data Access Control |
| ZTMM-DAT-3 | Data Encryption |
| ZTMM-DAT-4 | Data Loss Prevention |
Devices Pillar
| Code | Title |
|---|---|
| ZTMM-DEV-1 | Device Inventory |
| ZTMM-DEV-2 | Device Compliance and Posture |
| ZTMM-DEV-3 | Device Threat Protection |
Identity Pillar
| Code | Title |
|---|---|
| ZTMM-ID-1 | Identity Authentication |
| ZTMM-ID-2 | Identity Stores |
| ZTMM-ID-3 | Risk Assessments for Identity |
| ZTMM-ID-4 | Access Management |
Maturity
| Code | Title |
|---|---|
| ZTMM-MAT-1 | Maturity Stage Self-Assessment |
Networks Pillar
| Code | Title |
|---|---|
| ZTMM-NET-1 | Network Segmentation |
| ZTMM-NET-2 | Network Traffic Management |
| ZTMM-NET-3 | Resilience and Availability |
Maps to 1 other framework
Frequently Asked Questions
What is CISA Zero Trust Maturity Model?
CISA Zero Trust Maturity Model is a compliance framework from United States with 13 domains and 46 controls. CISA Zero Trust Maturity Model for federal agencies It is used by organisations to establish and maintain compliance with industry standards and regulatory requirements.
How many controls does CISA Zero Trust Maturity Model have?
CISA Zero Trust Maturity Model has 46 controls organised across 13 domains. The largest domains are CISA Zero Trust Maturity Model: Access Control & Identity (6 controls), CISA Zero Trust Maturity Model: System & Communications Protection (6 controls), CISA Zero Trust Maturity Model: Incident Response (5 controls). Each control defines specific requirements that organisations must implement to achieve compliance.
What frameworks does CISA Zero Trust Maturity Model map to?
CISA Zero Trust Maturity Model maps to 1 other compliance frameworks. The top mapping partners are NIST SP 800-53 Rev 5 (52% coverage). Use our comparison tool to explore control-level mappings between frameworks.
How do I get started with CISA Zero Trust Maturity Model compliance?
Start your CISA Zero Trust Maturity Model compliance journey by running a self-assessment on our platform to identify your current compliance posture. Our AI advisory can answer specific questions about CISA Zero Trust Maturity Model requirements, and cross-framework mapping helps you leverage existing controls from other frameworks you may already comply with. Create a free account to access all 46 controls and track your progress.
Start Your Compliance Journey
Create a free account to run self-assessments, get AI advisory, and track your compliance progress across 700 frameworks.
Get Started Free →Free forever — no credit card required