CISA zero trust maturity model: are your access controls keeping up?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 2827
Topic starter  

TL;DR: CISA’s Zero Trust Maturity Model translates Zero Trust Architecture into five operational pillars and three maturity stages, with identity, device, network, application and workload, and data controls moving from manual to dynamic enforcement. StrongDM’s summary also cites a 15.1% rise in cyberattacks and data breaches in 2021.

NHIMG editorial — based on content published by StrongDM: CISA Zero Trust Maturity Model (TL;DR Version)

By the numbers:

  • In 2021, the average number of cyberattacks and data breaches increased by 15.1%.

Questions worth separating out

Q: How should organisations implement Zero Trust without breaking existing access workflows?

A: Start by mapping where access is still static, then introduce per-session policy at the highest-risk boundaries first.

Q: Why do service accounts and workloads complicate Zero Trust programmes?

A: Because they often authenticate successfully but are governed like infrastructure, not identities.

Q: How do teams know if Zero Trust is actually improving access control?

A: Look for runtime evidence, not policy statements.

Practitioner guidance

  • Map current controls to Zero Trust maturity stages: inventory identity, device, network, workload, and data controls separately, then classify each as Traditional, Advanced, or Optimal based on whether policy is static, partially coordinated, or dynamically enforced.
  • Tie session policy to current risk signals: require access decisions to consider device posture, observed behaviour, and resource sensitivity instead of relying only on initial authentication.
  • Review workload access as an identity problem: treat application workloads and service access as governed identities, not just infrastructure dependencies.
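As an added illustration (not StrongDM's or CISA's code, and not part of the original post), a small Python policy evaluator that contrasts a Traditional-stage decision, where a successful login is enough, with an Optimal-stage one that re-checks posture, behaviour and resource sensitivity on every access, and then lists the sessions where the two disagree; the signal names and the sample sessions are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import List, Tuple

@dataclass(frozen=True)
class Session:
    """Signals available at decision time (field names are this example's own)."""
    principal: str
    kind: str            # "user" or "workload" (service account, app workload)
    authenticated: bool  # initial authentication succeeded
    posture_ok: bool     # device posture (users) or host/runtime posture (workloads)
    anomalous: bool      # observed behaviour flagged by monitoring
    sensitivity: str     # resource sensitivity: "low", "medium" or "high"

def traditional_policy(s: Session) -> str:
    """Traditional stage: one successful login grants access for the whole session."""
    return "allow" if s.authenticated else "deny"

def optimal_policy(s: Session) -> str:
    """Optimal stage: every access re-evaluates posture, behaviour and sensitivity."""
    if not s.authenticated:
        return "deny"
    if s.anomalous:
        return "deny"  # observed behaviour outweighs a still-valid credential
    if not s.posture_ok:
        # sensitive resources require a healthy endpoint; medium ones need step-up
        if s.sensitivity == "high":
            return "deny"
        if s.sensitivity == "medium":
            return "step-up"
    return "allow"

def divergences(sessions: List[Session]) -> List[Tuple[str, str]]:
    """Runtime evidence: sessions the static policy admits but the dynamic one does not."""
    return [(s.principal, optimal_policy(s)) for s in sessions
            if traditional_policy(s) == "allow" and optimal_policy(s) != "allow"]

# Constructed sample sessions (not real data); workloads are governed like users here
SAMPLE_SESSIONS = [
    Session("alice", "user", True, True, False, "high"),
    Session("bob", "user", True, False, False, "high"),            # unhealthy laptop, sensitive DB
    Session("carol", "user", True, False, False, "medium"),        # unhealthy laptop, medium resource
    Session("svc-billing", "workload", True, True, True, "high"),  # service account behaving oddly
    Session("svc-report", "workload", True, True, False, "low"),
]

if __name__ == "__main__":
    for principal, decision in divergences(SAMPLE_SESSIONS):
        print(f"{principal}: static policy allows, dynamic policy says {decision}")
```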

What's in the full article

StrongDM's full blog covers the operational detail this post intentionally leaves for the source:

  • How StrongDM maps access across databases, servers, clusters, and other resources in a Zero Trust operating model
  • The article's own explanation of the five CISA pillars and how they relate to access enforcement
  • The vendor's walkthrough of how suspicious behaviour is detected and logged in its access flow
  • The implementation framing for teams that are trying to move from manual controls to a more automated access posture

👉 Read StrongDM's TL;DR version of the CISA Zero Trust Maturity Model →


