By NHI Mgmt Group Editorial Team | Published 2025-09-16 | Domain: Governance & Risk | Source: Axiad

TL;DR: CISA’s zero-trust maturity model remains a useful planning lens, but, according to Axiad’s analysis, the White House OMB memo makes clear that hybrid and cloud-heavy environments need stronger authentication, authorization, and governance discipline. The practical issue is not whether zero trust is desirable, but whether identity programmes can prove control across increasingly distributed access paths.


At a glance

What this is: This is an analysis of how the White House OMB memo and CISA’s zero-trust maturity model change identity governance expectations for government and contractor environments.

Why it matters: It matters because IAM teams must align human, NHI, and machine-access controls to zero-trust assumptions that no longer tolerate implicit trust in hybrid estates.

👉 Read Axiad's analysis of the CISA zero-trust maturity model and OMB memo takeaways


Context

Zero trust is an identity governance model that assumes no user, device, or workload should be trusted by default. The article argues that the White House OMB memo and CISA’s maturity model push public sector and contractor environments toward stronger verification, especially where cloud and hybrid systems make control boundaries harder to define.

For IAM teams, the real issue is not a slogan about zero trust but whether authentication, authorization, and policy enforcement remain consistent across perimeter, cloud, and on-premises systems. That makes the conversation relevant to human identity, workload access, and any non-human identity that can traverse those environments.


Key questions

Q: How should security teams implement zero trust in hybrid environments?

A: Start by standardising identity verification and access policy across cloud, on-premises, and contractor-managed systems. Zero trust fails when access decisions differ by location or hosting model. The practical goal is consistent enforcement, strong authentication, and repeated validation of who or what is requesting access.

Q: Why do hybrid environments make zero trust harder to govern?

A: Hybrid estates spread identity decisions across multiple control planes, which makes inherited trust harder to spot and remove. When the organisation does not fully control every environment, access rules can drift. That creates uneven enforcement, especially for third parties, workloads, and legacy systems.

Q: What breaks when perimeter security is treated as the main trust control?

A: Access governance becomes location-dependent instead of identity-dependent. That means users or systems can appear trusted because they are inside the boundary, even when authentication quality, privilege scope, or review cadence is weak. In practice, this creates blind spots that zero trust is meant to remove.

Q: Who is accountable for zero-trust adoption in public sector contractor ecosystems?

A: Accountability sits with the organisation that grants access and the teams that define policy enforcement, even when delivery is distributed across contractors and managed service providers. Zero trust is not just a technical architecture issue. It is a governance obligation that must be owned, measured, and audited.


Technical breakdown

How CISA’s zero-trust maturity model structures adoption

The CISA zero-trust maturity model is a staged framework for measuring how far an organisation has progressed from awareness to advanced implementation. In practice, it helps security teams assess whether identity, device, application, and data controls are still operating as separate checkpoints or are being coordinated into continuous verification. The model matters because most environments do not become zero trust in one move. They move unevenly, often with stronger controls around some resources and legacy trust assumptions elsewhere.

Practical implication: use the maturity model to identify where identity controls still depend on implicit trust rather than verified access.

Zero trust and perimeter security are complementary, not interchangeable

Perimeter security protects the network edge with firewalls, segmentation, and boundary controls. Zero trust shifts the decision point inward, requiring authentication and authorization before access is granted, regardless of location. The article’s core technical point is that the two models can coexist, but perimeter security alone no longer defines trust in cloud and hybrid environments. That distinction matters because identity is now the control plane for access decisions, not just a layer behind the network boundary.

Practical implication: keep perimeter controls, but anchor access decisions in identity and policy enforcement.

Hybrid and cloud systems create identity control gaps

Hybrid estates complicate zero trust because the organisation does not always control every execution environment, data path, or delegated access relationship. That makes authentication quality, authorization scope, and lifecycle governance harder to standardise across domains. The article points to a common failure pattern: organisations try to modernise trust architecture while still relying on legacy processes built for static network boundaries. The result is fragmented enforcement, where some identities are governed tightly and others retain inherited access assumptions.

Practical implication: inventory where identity enforcement differs across cloud, on-premises, and contractor-managed systems.


Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Zero trust only works as an identity programme when control is consistent across every access path. The article correctly frames the shift from perimeter trust to continuous verification, but the real governance test is whether human, workload, and contractor access all obey the same decision logic. If one environment still relies on legacy trust, the programme is not zero trust in practice. Practitioner conclusion: assess enforcement consistency before claiming maturity.

Hybrid architecture is a governance problem before it is a network problem. The article’s strongest point is that cloud and on-premises coexistence makes control boundaries harder to define and easier to bypass through inherited access. That means identity teams need a shared policy model for authentication, authorization, and review across environments, not separate security islands. Practitioner conclusion: treat hybrid sprawl as a governance gap, not just an infrastructure one.

Perimeter security has not disappeared, but it no longer answers the trust question on its own. The article is right that perimeter controls still matter as a first line of defence, yet zero trust changes the burden of proof for every access request. This is especially relevant where contractors, managed services, and machine identities operate across trust zones. Practitioner conclusion: keep the perimeter, but stop using it as a proxy for trust.

Identity maturity now depends on whether organisations can govern delegated access without assuming stable network context. The memo and maturity model point toward a future where access must be justified continuously, not merely granted at the boundary. That changes how IAM, PAM, and workload governance teams define readiness. Practitioner conclusion: build maturity around verified identity behaviour, not around network location alone.

From our research:

  • 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, according to The 2024 ESG Report: Managing Non-Human Identities.
  • 46% of organisations confirmed a non-human identity breach, which shows the problem is already operational rather than theoretical.
  • For the broader NHI control baseline, see Top 10 NHI Issues for the most common governance failures teams need to address.

What this signals

Zero trust programmes will keep failing if IAM teams treat cloud migration as an infrastructure project instead of a control-design problem. The operating question is whether every access path, including contractor and managed-service paths, is bound to the same verification standard.

Identity boundary drift: when policy changes faster than enforcement across hybrid systems, organisations lose sight of where trust actually exists. That is the gap practitioners need to monitor, especially where identity, network, and platform ownership are split.

For teams modernising their programme, the practical next step is to connect zero-trust governance to lifecycle controls, access reviews, and workload identity standards such as NIST SP 800-207 Zero Trust Architecture.


For practitioners

  • Map identity controls to the CISA maturity model: Assess where authentication, authorization, and access review sit today across awareness, basic, intermediate, and advanced practices. Use the model to expose control areas that are still dependent on legacy perimeter assumptions rather than policy enforcement.
  • Unify policy enforcement across hybrid environments: Compare cloud, on-premises, and contractor-managed access paths to identify inconsistent trust decisions. Prioritise environments where access is granted differently depending on location, network segment, or hosting model.
  • Review contractor and third-party access assumptions: Check whether external access is still being governed as if the network boundary itself were trustworthy. Align contractor onboarding, authentication strength, and periodic review to the same identity standards used for internal users and workloads.
  • Keep perimeter controls but remove implicit trust: Retain firewalls, segmentation, and boundary monitoring, but require identity verification before access to sensitive systems. The objective is layered control, not a false choice between perimeter security and zero trust.
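
As an added illustration of the "unify policy enforcement" and "remove implicit trust" checks above (example code, not from the Axiad article or the NHI Mgmt Group), the following Python sketch encodes each environment's access rule as a predicate, tests whether any decision hinges on network position alone, and compares environments against a baseline to surface enforcement drift. The environment names, request attributes, and policy rules are constructed for the example.

```python
# Added example (not from the Axiad article or NHI Mgmt Group): audit
# constructed per-environment access rules for location-based trust and drift.
from dataclasses import dataclass
from itertools import product

@dataclass(frozen=True)
class Request:
    subject: str            # human, workload or contractor identity
    mfa: bool               # strong authentication satisfied
    device_healthy: bool    # device posture check passed
    on_corp_network: bool   # network position; must not decide trust

# Constructed rules: one decision function per environment.
POLICIES = {
    "cloud": lambda r: r.mfa and r.device_healthy,
    # legacy on-prem rule: anyone inside the perimeter is trusted
    "on_prem": lambda r: r.on_corp_network or (r.mfa and r.device_healthy),
    # contractor path skips device posture entirely
    "contractor": lambda r: r.mfa,
}

IDENTITY_STATES = list(product((False, True), repeat=2))  # (mfa, device_healthy)

def location_dependent(policy):
    """True if changing only network position ever flips the decision."""
    return any(policy(Request("s", mfa, dev, True)) != policy(Request("s", mfa, dev, False))
               for mfa, dev in IDENTITY_STATES)

def enforcement_drift(policies, baseline="cloud"):
    """Identity states where an environment decides differently from the
    baseline, evaluated off-network so location cannot mask the gap."""
    drift = {}
    for env, policy in policies.items():
        diffs = [(mfa, dev) for mfa, dev in IDENTITY_STATES
                 if policy(Request("s", mfa, dev, False))
                 != policies[baseline](Request("s", mfa, dev, False))]
        if diffs:
            drift[env] = diffs
    return drift

def audit(policies):
    """Findings per environment: implicit perimeter trust and/or drift."""
    findings = {env: [] for env in policies}
    for env, policy in policies.items():
        if location_dependent(policy):
            findings[env].append("decision depends on network position")
    for env, states in enforcement_drift(policies).items():
        findings[env].append(f"differs from baseline at (mfa, device)={states}")
    return {env: f for env, f in findings.items() if f}
```

Running `audit(POLICIES)` flags the on-prem rule for inherited perimeter trust and the contractor path for granting access without device posture, which is exactly the kind of per-environment inconsistency the checklist asks teams to inventory.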

Key takeaways

  • Zero trust is an identity governance discipline, not just a network redesign, and it depends on consistent verification across every access path.
  • Hybrid and contractor-heavy environments expose the weakest point in most programmes: trust decisions that still vary by system, location, or ownership model.
  • Practitioners should measure maturity by enforcement consistency, because perimeter controls alone cannot prove that access is genuinely justified.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
NIST CSF 2.0 | PR.AC-1 | The article is about identity-based access verification under zero trust.
NIST Zero Trust (SP 800-207) | | Zero trust architecture is the article's central policy and design model.
NIST CSF 2.0 | GV.RM-01 | The memo and maturity model are governance and risk management guidance.

Tie zero-trust adoption to governance metrics, ownership, and risk acceptance decisions.


Key terms

  • Zero Trust: A security model that does not treat location or network position as proof of trust. Access is continuously verified through identity, policy, and context, which makes it a governance discipline as much as an architecture pattern.
  • Zero-Trust Maturity Model: A staged framework used to measure how far an organisation has progressed in adopting zero-trust practices. It helps teams identify whether controls are still fragmented or whether identity, device, application, and data decisions are being enforced consistently.
  • Perimeter Security: Controls that protect the outer boundary of a network, such as firewalls, segmentation, and boundary monitoring. It remains useful, but it cannot by itself prove that a user, workload, or third party should be trusted once inside the environment.

Deepen your knowledge

Zero trust maturity, identity verification, and hybrid access governance are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are aligning an existing programme to these controls, it is worth exploring.

This post draws on content published by Axiad: CISA zero-trust maturity model takeaways from the White House OMB memo. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2025-09-16.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org