TL;DR: CISA’s Zero Trust Maturity Model translates Zero Trust Architecture into five operational pillars and three maturity stages, with identity, device, network, application workload, and data controls moving from manual to dynamic enforcement. StrongDM’s summary also cites a 15.1% rise in the average number of cyberattacks and data breaches in 2021.
NHIMG editorial — based on content published by StrongDM: CISA Zero Trust Maturity Model (TL;DR Version)
By the numbers:
- In 2021, the average number of cyberattacks and data breaches increased by 15.1%.
Questions worth separating out
Q: How should organisations implement Zero Trust without breaking existing access workflows?
A: Start by mapping where access is still static, then introduce per-session policy at the highest-risk boundaries first.
Q: Why do service accounts and workloads complicate Zero Trust programmes?
A: Because they often authenticate successfully but are governed like infrastructure, not identities.
Q: How do teams know if Zero Trust is actually improving access control?
A: Look for runtime evidence, not policy statements.
Practitioner guidance
- Map current controls to Zero Trust maturity stages: inventory identity, device, network, workload, and data controls separately, then classify each as Traditional, Advanced, or Optimal based on whether policy is static, partially coordinated, or dynamically enforced.
- Tie session policy to current risk signals: require access decisions to consider device posture, observed behaviour, and resource sensitivity instead of relying only on initial authentication.
- Review workload access as an identity problem: treat application workloads and service access as governed identities, not just infrastructure dependencies.
What's in the full article
StrongDM's full blog covers the operational detail this post intentionally leaves for the source:
- How StrongDM maps access across databases, servers, clusters, and other resources in a Zero Trust operating model
- The article's own explanation of the five CISA pillars and how they relate to access enforcement
- The vendor's walkthrough of how suspicious behaviour is detected and logged in its access flow
- The implementation framing for teams that are trying to move from manual controls to a more automated access posture
👉 Read StrongDM's TL;DR version of the CISA Zero Trust Maturity Model →
CISA zero trust maturity model: are your access controls keeping up?
Explore further
Zero Trust fails when organisations treat authentication as a one-time event. The CISA model is explicit that access should be granted per session and enforced dynamically, which exposes the weakness of programmes that still think in terms of durable trust after login. That assumption is especially fragile in environments with shared infrastructure, service accounts, and cloud workloads. The practitioner conclusion is simple: identity governance has to move from login-centric control to continuous authorisation.
A few things that frame the scale:
- The average estimated time to remediate a leaked secret is 27 days, despite 75% of organisations expressing strong confidence in their secrets management capabilities, according to The State of Secrets in AppSec.
- Only 44% of developers are reported to follow security best practices for secrets management, exposing a significant developer behaviour gap.
A question worth separating out:
Q: What is the difference between static access control and dynamic policy in Zero Trust?
A: Static control grants access based on a fixed rule or pre-approved entitlement, while dynamic policy evaluates current conditions before and during access. In practice, dynamic policy is what lets a Zero Trust programme react to risk, posture, and resource state instead of depending on trust established at login.
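The contrast above, and the three practitioner points earlier on this page (classify controls by whether policy is static or dynamic, tie session policy to device posture, behaviour and resource sensitivity, and govern workloads as identities), can be made concrete with a small policy evaluator. The code below is an added example written for this editorial; it is not StrongDM's or CISA's code. The signal names, the authentication-freshness thresholds per sensitivity tier, and the sample principals, resources and session timeline are all constructed for illustration.

```python
"""Static entitlement check beside a per-session dynamic policy evaluator.

Added example, not from StrongDM or CISA. Signal names, thresholds and the
sample principals, resources and timeline are constructed for illustration.
"""
from dataclasses import dataclass, field
from enum import Enum


class Sensitivity(Enum):
    LOW = 1
    MEDIUM = 2
    HIGH = 3


@dataclass(frozen=True)
class Principal:
    name: str
    kind: str                # "user" or "workload" (service account, job, pod)
    entitlements: frozenset  # resource names pre-approved for this principal


@dataclass(frozen=True)
class Resource:
    name: str
    sensitivity: Sensitivity


@dataclass(frozen=True)
class Signals:
    """Risk signals observed at one point in a session (constructed field set)."""
    device_compliant: bool          # endpoint posture: managed, patched, encrypted
    minutes_since_auth: int         # freshness of the last strong authentication
    anomalous_behaviour: bool       # detection engine flagged this session
    workload_attested: bool = True  # workload identity proven (cert/token); users: True


@dataclass
class Decision:
    allow: bool
    reasons: list = field(default_factory=list)


def static_decision(principal: Principal, resource: Resource) -> Decision:
    """'Traditional' stage: a fixed entitlement decides once; nothing is re-checked."""
    if resource.name in principal.entitlements:
        return Decision(True, ["entitled"])
    return Decision(False, ["not entitled"])


# Constructed policy knobs: how fresh authentication must be per sensitivity tier.
MAX_AUTH_AGE_MINUTES = {Sensitivity.LOW: 8 * 60, Sensitivity.MEDIUM: 60, Sensitivity.HIGH: 15}


def dynamic_decision(principal: Principal, resource: Resource, signals: Signals) -> Decision:
    """'Optimal' stage: entitlement is necessary but not sufficient. Posture,
    behaviour and resource sensitivity are evaluated on every call."""
    reasons = []
    if resource.name not in principal.entitlements:
        reasons.append("not entitled")
    if signals.anomalous_behaviour:
        reasons.append("anomalous behaviour observed")
    if resource.sensitivity is not Sensitivity.LOW and not signals.device_compliant:
        reasons.append(f"device posture not compliant for {resource.sensitivity.name} resource")
    if signals.minutes_since_auth > MAX_AUTH_AGE_MINUTES[resource.sensitivity]:
        reasons.append(f"authentication too old for {resource.sensitivity.name} resource")
    # Workloads are governed as identities, not infrastructure: require attestation.
    if principal.kind == "workload" and not signals.workload_attested:
        reasons.append("workload identity not attested")
    return Decision(not reasons, reasons or ["all checks passed"])


def run_session(principal: Principal, resource: Resource, timeline):
    """Continuous authorisation: re-evaluate at every observation during the
    session. Returns the index of the first denial, or None if never denied."""
    for i, signals in enumerate(timeline):
        if not dynamic_decision(principal, resource, signals).allow:
            return i
    return None


# Constructed sample data.
PROD_DB = Resource("prod-db", Sensitivity.HIGH)
WIKI = Resource("team-wiki", Sensitivity.LOW)
ANALYST = Principal("alice", "user", frozenset({"prod-db", "team-wiki"}))
CI_RUNNER = Principal("ci-runner", "workload", frozenset({"prod-db"}))

# A session that starts clean and is later flagged by the detection engine.
SESSION_TIMELINE = [
    Signals(device_compliant=True, minutes_since_auth=2, anomalous_behaviour=False),
    Signals(device_compliant=True, minutes_since_auth=10, anomalous_behaviour=False),
    Signals(device_compliant=True, minutes_since_auth=12, anomalous_behaviour=True),
]

if __name__ == "__main__":
    print("static :", static_decision(ANALYST, PROD_DB))
    print("revoked at observation:", run_session(ANALYST, PROD_DB, SESSION_TIMELINE))
    print("unattested workload:", dynamic_decision(
        CI_RUNNER, PROD_DB, Signals(True, 5, False, workload_attested=False)))
```

The static check answers "allow" for the analyst and never changes its mind, which is exactly the login-centric trust this page warns about. The dynamic evaluator grants the same entitled access at the start of the session, then revokes it at the third observation once behaviour is flagged, and it refuses the CI workload when its identity is not attested even though its entitlement is identical. The reasons list is the runtime evidence a programme can audit, as opposed to a policy statement.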
👉 Read our full editorial: CISA zero trust maturity model and what it means for access governance