CISA Zero Trust Maturity Model 2.0 expected in coming days

The latest guidance will update key definitions and metrics for the governmentwide adoption of zero-trust security architectures.
Sean Connelly speaks Jan. 28, 2020, at the Zero Trust Security Summit presented by Duo Security and produced by FedScoop and CyberScoop. (Scoop News Group)

The Cybersecurity and Infrastructure Security Agency will publish the second version of its Zero Trust Maturity Model in the coming days, a top agency official said Thursday.

The latest version of the guidance is expected to update key definitions and metrics for the governmentwide adoption of zero-trust security architectures.

It comes more than a year after the release of CISA’s Zero Trust Maturity Model, which set out how U.S. government departments could deploy its Continuous Diagnostics and Mitigation (CDM) program to improve network visibility.

“So just to get everyone prepared in the next week or so we should have the second version of the Maturity Model. It’s not on the website yet today as we’d expected, but it should be next week,” said CISA Senior Cybersecurity Architect Sean Connelly. Connelly was speaking during the 2023 ATARC Zero Trust Summit in Washington on Thursday.

The Zero Trust Maturity Model’s five pillars — identity, devices, networks, applications and workloads, and data — are meant to be a guide for federal agencies’ zero trust strategy implementations, and most agencies have started off focusing on identity and data questions.

Federal agencies have been pushed to submit their zero-trust architecture implementation plans as required by the White House’s Office of Management and Budget (OMB).

“Last year agencies part of the zero trust strategy were responsible for sending in a direct implementation plan, to hold themselves accountable — we’re reviewing each of those plans and matching them up with our new maturity model,” Connelly added.

CISA describes its maturity model as “one of many roadmaps” for federal agencies shifting to zero trust architectures, which are intended to prevent unauthorized or dangerous access to government data and services by consistently verifying user credentials across network checkpoints.
