# CISA Zero Trust Maturity Model

The CISA Zero Trust Maturity Model (ZTMM) is a framework for measuring the maturity of a Zero Trust strategy. Version 2.0 of the model is organized into five pillars (Identity, Devices, Networks, Applications and Workloads, Data) plus three cross-cutting capabilities (Visibility and Analytics, Automation and Orchestration, Governance), and each function within a pillar is assessed at one of four maturity stages: Traditional, Initial, Advanced, and Optimal. A Zero Trust strategy aims to make [[cybersecurity]] an intentional part of technology design and implementation, building policy enforcement into technology flows so that every access request is verified rather than trusted by location, reducing the opportunity for adversary abuse.

## Capability Scope

The table below maps each ZTMM function to the capabilities that implement it. Functions marked "New Function" or "Formerly ..." were added or renamed between ZTMM version 1.0 and version 2.0.

| **CISA ZTMM Function** | **Capability Scope** |
| --- | --- |
| **Identity** | |
| Authentication | [[Identity and Access Management]] |
| Identity Stores | [[Identity and Access Management]]<br>[[Data Management]] |
| Risk Assessments | [[Identity and Access Management]] |
| Access Management<br>(New Function) | [[Identity and Access Management]] |
| Visibility and Analytics Capability | [[Identity and Access Management]]<br>[[Incident Containment]]<br>[[Log Management]] |
| Automation and Orchestration Capability | [[Identity and Access Management]]<br>[[Policy Automation]] |
| Governance Capability | [[Identity and Access Management]]<br>[[Asset Management]] |
| **Devices** | |
| Policy Enforcement & Compliance Monitoring<br>(New Function) | [[Device Management]]<br>[[Compliance]] |
| Asset & Supply Chain Risk Management<br>(New Function) | [[Device Management]]<br>[[Asset Management]] |
| Resource Access<br>(Formerly Data Access) | [[Device Management]]<br>[[Identity and Access Management]] |
| Device Threat Protection<br>(New Function) | [[Device Management]]<br>[[Allow Listing]]<br>[[Deny Listing]]<br>[[Deception Management]] |
| Visibility and Analytics Capability | [[Device Management]]<br>[[Incident Containment]]<br>[[Log Management]] |
| Automation and Orchestration Capability | [[Device Management]]<br>[[Policy Automation]] |
| Governance Capability | [[Device Management]]<br>[[Asset Management]] |
| **Networks** | |
| Network Segmentation | [[Network Management]] |
| Network Traffic Management<br>(New Function) | [[Network Management]] |
| Traffic Encryption<br>(Formerly Encryption) | [[Network Management]] |
| Visibility and Analytics Capability | [[Network Management]]<br>[[Incident Containment]]<br>[[Log Management]] |
| Automation and Orchestration Capability | [[Network Management]]<br>[[Policy Automation]] |
| Governance Capability | [[Network Management]]<br>[[Asset Management]] |
| **Applications and Workloads** | |
| Application Access<br>(Formerly Access Authorization) | [[Application Management]]<br>[[Identity and Access Management]] |
| Application Threat Protections<br>(Formerly Threat Protections) | [[Application Management]]<br>[[Identity and Access Management]]<br>[[Allow Listing]]<br>[[Deny Listing]]<br>[[Deception Management]] |
| Accessible Applications<br>(Formerly Accessibility) | [[Application Management]]<br>[[Identity and Access Management]]<br>[[Adversary Intelligence]]<br>[[Allow Listing]]<br>[[Deny Listing]] |
| Secure Application Development and Deployment Workflow<br>(New Function) | [[Application Management]]<br>[[Code Management]] |
| Application Security Testing<br>(New Function) | [[Application Management]]<br>[[Code Management]]<br>[[Control Verification]] |
| Visibility and Analytics Capability | [[Application Management]]<br>[[Incident Containment]]<br>[[Log Management]]<br>[[Stream Processing]]<br>[[Control Verification]]<br>[[Alert Correlation]] |
| Automation and Orchestration Capability | [[Policy Automation]]<br>[[Code Management]] |
| Governance Capability | [[Application Management]]<br>[[Asset Management]]<br>[[Code Management]]<br>[[Policy Automation]]<br>[[Compliance]]<br>[[Control Development]] |
| **Data** | |
| Data Inventory Management | [[Data Management]] |
| Data Categorization<br>(New Function) | [[Data Management]] |
| Data Availability | [[Data Management]] |
| Data Access | [[Identity and Access Management]] |
| Data Encryption | [[Data Management]]<br>[[Identity and Access Management]] |
| Visibility and Analytics Capability | [[Data Management]]<br>[[Log Management]]<br>[[Stream Processing]]<br>[[Control Verification]]<br>[[Alert Correlation]] |
| Automation and Orchestration Capability | [[Data Management]]<br>[[Policy Automation]] |
| Governance Capability | [[Data Management]]<br>[[Asset Management]]<br>[[Policy Automation]]<br>[[Compliance]]<br>Privacy<br>[[Control Development]] |
| **Cross-Cutting Capabilities** | |
| Visibility and Analytics Capability | [[Log Management]]<br>[[Stream Processing]]<br>[[Control Verification]]<br>[[Alert Correlation]] |
| Automation and Orchestration Capability | [[Policy Automation]]<br>[[Incident Management]] |
| Governance Capability | [[Asset Management]]<br>[[Policy Automation]]<br>[[Compliance]]<br>[[Control Development]] |

## Inspiration & Resources

+ [Zero Trust Maturity Model Version 2.0 (cisa.gov)](https://www.cisa.gov/sites/default/files/2023-04/CISA_Zero_Trust_Maturity_Model_Version_2_508c.pdf)
+ [SP 800-207, Zero Trust Architecture | CSRC (nist.gov)](https://csrc.nist.gov/pubs/sp/800/207/final)

## Release Notes

+ [[WIP - Q3 2024 Release#Map CISA Zero Trust Maturity Model to Cybersecurity Capabilities]]

## [Cyber City Map](https://cybercitymap.com/) © 2023-2024 by [ThirdScore, Inc.](https://thirdscore.com/) All Rights Reserved.