The Cybersecurity and Infrastructure Security Agency (CISA) is an agency within the Department of Homeland Security. Its mission is to strengthen, coordinate, and improve cybersecurity at all levels of government. CISA officially became an agency in 2018. It is a successor agency to the NPPD, which was formed in 2007.

Executive Order 14028, "Improving the Nation's Cybersecurity," pushes agencies to redesign their network architectures in accordance with zero trust cybersecurity principles. CISA and the Office of Management and Budget (OMB) are working together to move the US government towards a zero trust architecture. To this end, they maintain a central repository on zero trust guidance for civilian federal agencies.

Zero Trust Maturity Model

Chief among the publications released by CISA to help with this effort is its Zero Trust Maturity Model. The model is a roadmap - one of many roadmaps - for agencies to reference as they transition towards a zero trust architecture.

CISA's maturity model is based on the foundation of zero trust. It is organized around five pillars - identity, device, network/environment, application workload, and data - as well as three cross-cutting capabilities - visibility and analytics, automation and orchestration, and governance.

CISA provides a maturity grade - traditional, advanced, or optimal - for each zero trust technology pillar, as seen in this high-level illustration.

The publication also takes a more granular look at each technology pillar, considering how specific functions related to each domain should be evaluated for their maturity against zero trust principles.

Pillar 1: Identity

Pillar 2: Device

Pillar 3: Network/environment

Pillar 4: Application workload

Pillar 5: Data