Initial commit - 611 cybersecurity skills across all subdomains

This commit is contained in:
mukul975
2026-02-25 10:47:44 +01:00
commit 22a7ab1462
1765 changed files with 280648 additions and 0 deletions
@@ -0,0 +1,313 @@
---
name: implementing-cisa-zero-trust-maturity-model
description: Implement the CISA Zero Trust Maturity Model v2.0 across the five pillars of identity, devices, networks, applications, and data to achieve progressive organizational zero trust maturity.
domain: cybersecurity
subdomain: zero-trust-architecture
tags: [zero-trust, cisa, maturity-model, federal-compliance, governance, nist-800-207, identity, devices, networks, applications, data-security]
version: "1.0"
author: mahipal
license: MIT
---
# Implementing CISA Zero Trust Maturity Model
## Overview
The CISA Zero Trust Maturity Model (ZTMM) Version 2.0, released in April 2023, provides federal agencies and organizations with a structured roadmap for adopting zero trust architecture. The model defines five core pillars -- Identity, Devices, Networks, Applications & Workloads, and Data -- each progressing through four maturity stages: Traditional, Initial, Advanced, and Optimal. Three cross-cutting capabilities (Visibility and Analytics, Automation and Orchestration, and Governance) span all pillars. This skill covers assessment, gap analysis, and progressive implementation across all pillars and maturity levels.
## Prerequisites
- Familiarity with NIST SP 800-207 Zero Trust Architecture
- Understanding of federal cybersecurity mandates (EO 14028, OMB M-22-09)
- Access to organizational IT asset inventory and network architecture documentation
- Knowledge of identity and access management (IAM) fundamentals
- Understanding of network segmentation and microsegmentation concepts
## CISA ZTMM Five Pillars
### Pillar 1: Identity
Identity refers to attributes that uniquely describe an agency user or entity, including non-person entities (NPEs) such as service accounts and machine identities.
**Traditional Stage:**
- Password-based authentication
- Limited identity validation
- Manual provisioning and deprovisioning
**Initial Stage:**
- MFA deployed for privileged users
- Identity governance initiated
- Basic identity lifecycle management
**Advanced Stage:**
- Phishing-resistant MFA for all users (FIDO2/WebAuthn)
- Continuous identity validation
- Automated provisioning tied to HR systems
- Identity threat detection and response (ITDR)
**Optimal Stage:**
- Continuous, real-time identity verification
- Passwordless authentication across all systems
- AI-driven anomaly detection for identity behaviors
- Full integration of identity signals into access decisions
### Pillar 2: Devices
Devices include any hardware, software, or firmware asset that connects to a network -- servers, laptops, mobile phones, IoT devices, and network equipment.
**Traditional Stage:**
- Limited device inventory
- Basic endpoint protection (antivirus)
- No device compliance checks
**Initial Stage:**
- Comprehensive device inventory
- Endpoint Detection and Response (EDR) deployment
- Basic device health checks before network access
**Advanced Stage:**
- Real-time device posture assessment
- Automated compliance enforcement
- Device certificates for machine identity
- Vulnerability scanning integrated into access decisions
**Optimal Stage:**
- Continuous device trust scoring
- Automated remediation of non-compliant devices
- Full device lifecycle management integrated with zero trust policies
- Firmware integrity verification
### Pillar 3: Networks
Networks encompass all communications media including internal networks, wireless, and the internet.
**Traditional Stage:**
- Perimeter-based security (firewalls, VPNs)
- Flat internal networks
- Minimal east-west traffic inspection
**Initial Stage:**
- Initial network segmentation
- Encrypted DNS and internal traffic
- Basic network monitoring and logging
**Advanced Stage:**
- Microsegmentation of critical assets
- Software-defined networking (SDN) for dynamic policy enforcement
- Full TLS encryption for all internal communications
- Network Detection and Response (NDR)
**Optimal Stage:**
- Fully software-defined, policy-driven network
- Zero implicit trust zones
- AI-driven network anomaly detection
- Automated threat response integrated with network controls
### Pillar 4: Applications and Workloads
Applications and workloads include agency systems, programs, and services running on-premises, on mobile devices, and in cloud environments.
**Traditional Stage:**
- Perimeter-protected applications
- Manual vulnerability patching
- Limited application-level logging
**Initial Stage:**
- Application-level access controls
- Web Application Firewalls (WAF)
- Regular vulnerability scanning
- Application inventory established
**Advanced Stage:**
- Continuous integration of security testing (SAST/DAST)
- Application-aware microsegmentation
- API security gateways
- Immutable infrastructure patterns
**Optimal Stage:**
- Runtime application self-protection (RASP)
- Automated application security orchestration
- Full DevSecOps pipeline integration
- Zero-standing privileges for application access
### Pillar 5: Data
Data encompasses all structured and unstructured information, at rest, in transit, and in use.
**Traditional Stage:**
- Basic encryption for data at rest
- Limited data classification
- No data loss prevention
**Initial Stage:**
- Data classification scheme implemented
- DLP policies for sensitive data
- Encryption for data in transit (TLS 1.2+)
- Basic data inventory
**Advanced Stage:**
- Automated data classification
- Fine-grained data access controls
- Data activity monitoring
- Rights management for sensitive documents
**Optimal Stage:**
- Real-time data flow analytics
- AI-driven data classification and protection
- Automated response to data exfiltration attempts
- Full data lifecycle governance with zero trust principles
## Cross-Cutting Capabilities
### Visibility and Analytics
```
Maturity Progression:
Traditional -> Manual log review, limited SIEM
Initial -> Centralized logging, basic SIEM correlation
Advanced -> UEBA, automated threat detection, data lake analytics
Optimal -> AI/ML-driven continuous monitoring, predictive analytics
```
### Automation and Orchestration
```
Maturity Progression:
Traditional -> Manual incident response, ad-hoc scripts
Initial -> Basic SOAR playbooks, automated alerting
Advanced -> Integrated SOAR with multi-pillar orchestration
Optimal -> Fully autonomous response, self-healing infrastructure
```
### Governance
```
Maturity Progression:
Traditional -> Ad-hoc policies, manual compliance checks
Initial -> Documented zero trust strategy, basic policy framework
Advanced -> Policy-as-code, continuous compliance monitoring
Optimal -> Dynamic policy engine, real-time governance decisions
```
## Implementation Process
### Phase 1: Assessment and Baseline
1. **Inventory all assets** across the five pillars
2. **Map current capabilities** to ZTMM maturity stages
3. **Conduct gap analysis** between current and target states
4. **Identify quick wins** that move from Traditional to Initial stage
5. **Document dependencies** between pillars
```python
# Example: CISA ZTMM Maturity Assessment Scoring
class ZTMMAssessment:
PILLARS = ['Identity', 'Devices', 'Networks', 'Applications', 'Data']
STAGES = ['Traditional', 'Initial', 'Advanced', 'Optimal']
CROSS_CUTTING = ['Visibility_Analytics', 'Automation_Orchestration', 'Governance']
def __init__(self):
self.scores = {}
def assess_pillar(self, pillar, capabilities):
"""
Assess a pillar against ZTMM criteria.
capabilities: dict of capability_name -> maturity_stage
"""
stage_values = {stage: i for i, stage in enumerate(self.STAGES)}
scores = [stage_values.get(stage, 0) for stage in capabilities.values()]
avg_score = sum(scores) / len(scores) if scores else 0
overall_stage = self.STAGES[int(avg_score)]
self.scores[pillar] = {
'capabilities': capabilities,
'average_score': avg_score,
'overall_stage': overall_stage
}
return self.scores[pillar]
def generate_roadmap(self):
"""Generate prioritized improvement roadmap."""
roadmap = []
for pillar, data in self.scores.items():
for capability, stage in data['capabilities'].items():
stage_idx = self.STAGES.index(stage)
if stage_idx < 3: # Not yet Optimal
next_stage = self.STAGES[stage_idx + 1]
roadmap.append({
'pillar': pillar,
'capability': capability,
'current': stage,
'target': next_stage,
'priority': 3 - stage_idx # Higher priority for lower maturity
})
return sorted(roadmap, key=lambda x: x['priority'], reverse=True)
```
### Phase 2: Identity Foundation
1. Deploy phishing-resistant MFA (FIDO2/WebAuthn)
2. Implement identity governance and administration (IGA)
3. Establish continuous identity verification
4. Integrate identity providers with all applications
5. Deploy identity threat detection and response
### Phase 3: Device Trust
1. Complete asset inventory with automated discovery
2. Deploy EDR across all endpoints
3. Implement device compliance checking
4. Establish device certificate infrastructure
5. Create device trust scoring mechanism
### Phase 4: Network Transformation
1. Implement network segmentation strategy
2. Deploy microsegmentation for critical assets
3. Enable encrypted DNS (DoH/DoT)
4. Enforce TLS 1.3 for all internal communications
5. Deploy NDR capabilities
### Phase 5: Application Security
1. Implement application-level access controls
2. Deploy WAF and API security gateways
3. Integrate security testing into CI/CD pipelines
4. Establish application inventory and classification
5. Implement runtime protection
### Phase 6: Data Protection
1. Implement data classification framework
2. Deploy DLP across endpoints and network
3. Enable data activity monitoring
4. Implement rights management
5. Establish data lifecycle governance
## Compliance Mapping
| CISA ZTMM Pillar | OMB M-22-09 Requirement | NIST 800-207 Section |
|---|---|---|
| Identity | MFA for agency staff | 3.1.1 |
| Devices | EDR for federal endpoints | 3.1.2 |
| Networks | Encrypt DNS traffic | 3.1.3 |
| Applications | Application security testing | 3.1.4 |
| Data | Data categorization | 3.1.5 |
## Metrics and KPIs
- **Identity Pillar**: Percentage of users with phishing-resistant MFA
- **Device Pillar**: Percentage of devices with real-time posture assessment
- **Network Pillar**: Percentage of network segments microsegmented
- **Application Pillar**: Percentage of applications with zero trust access controls
- **Data Pillar**: Percentage of sensitive data classified and protected
- **Overall**: ZTMM stage achieved per pillar (target: Advanced minimum)
## References
- [CISA Zero Trust Maturity Model v2.0](https://www.cisa.gov/zero-trust-maturity-model)
- [CISA ZTMM v2.0 PDF](https://www.cisa.gov/sites/default/files/2023-04/zero_trust_maturity_model_v2_508.pdf)
- [NIST SP 800-207 Zero Trust Architecture](https://csrc.nist.gov/publications/detail/sp/800-207/final)
- [OMB Memorandum M-22-09](https://www.whitehouse.gov/wp-content/uploads/2022/01/M-22-09.pdf)
- [NSA Zero Trust Pillars Guidance](https://media.defense.gov/2024/Apr/09/2003434442/-1/-1/0/CSI_DATA_PILLAR_ZT.PDF)
- [Microsoft Guidance for CISA ZTMM](https://www.microsoft.com/en-us/security/blog/2024/12/19/new-microsoft-guidance-for-the-cisa-zero-trust-maturity-model/)
@@ -0,0 +1,116 @@
# CISA ZTMM Assessment Template
## Organization Information
- **Organization Name**: _______________
- **Assessment Date**: _______________
- **Assessment Lead**: _______________
- **Pillar Owners**:
- Identity: _______________
- Devices: _______________
- Networks: _______________
- Applications: _______________
- Data: _______________
## Pillar Assessment Worksheet
### Identity Pillar
| Function | Traditional | Initial | Advanced | Optimal | Current | Evidence |
|---|---|---|---|---|---|---|
| Authentication | [ ] | [ ] | [ ] | [ ] | ___ | |
| Identity Stores | [ ] | [ ] | [ ] | [ ] | ___ | |
| Risk Assessment | [ ] | [ ] | [ ] | [ ] | ___ | |
| Access Management | [ ] | [ ] | [ ] | [ ] | ___ | |
| Identity Lifecycle | [ ] | [ ] | [ ] | [ ] | ___ | |
| Visibility & Analytics | [ ] | [ ] | [ ] | [ ] | ___ | |
| Automation & Orchestration | [ ] | [ ] | [ ] | [ ] | ___ | |
| Governance | [ ] | [ ] | [ ] | [ ] | ___ | |
### Devices Pillar
| Function | Traditional | Initial | Advanced | Optimal | Current | Evidence |
|---|---|---|---|---|---|---|
| Policy Enforcement | [ ] | [ ] | [ ] | [ ] | ___ | |
| Asset Management | [ ] | [ ] | [ ] | [ ] | ___ | |
| Device Compliance | [ ] | [ ] | [ ] | [ ] | ___ | |
| Device Threat Protection | [ ] | [ ] | [ ] | [ ] | ___ | |
| Visibility & Analytics | [ ] | [ ] | [ ] | [ ] | ___ | |
| Automation & Orchestration | [ ] | [ ] | [ ] | [ ] | ___ | |
| Governance | [ ] | [ ] | [ ] | [ ] | ___ | |
### Networks Pillar
| Function | Traditional | Initial | Advanced | Optimal | Current | Evidence |
|---|---|---|---|---|---|---|
| Network Segmentation | [ ] | [ ] | [ ] | [ ] | ___ | |
| Threat Protection | [ ] | [ ] | [ ] | [ ] | ___ | |
| Encryption | [ ] | [ ] | [ ] | [ ] | ___ | |
| Network Resilience | [ ] | [ ] | [ ] | [ ] | ___ | |
| Visibility & Analytics | [ ] | [ ] | [ ] | [ ] | ___ | |
| Automation & Orchestration | [ ] | [ ] | [ ] | [ ] | ___ | |
| Governance | [ ] | [ ] | [ ] | [ ] | ___ | |
### Applications & Workloads Pillar
| Function | Traditional | Initial | Advanced | Optimal | Current | Evidence |
|---|---|---|---|---|---|---|
| Access Authorization | [ ] | [ ] | [ ] | [ ] | ___ | |
| Threat Protection | [ ] | [ ] | [ ] | [ ] | ___ | |
| Accessibility | [ ] | [ ] | [ ] | [ ] | ___ | |
| Application Security | [ ] | [ ] | [ ] | [ ] | ___ | |
| Visibility & Analytics | [ ] | [ ] | [ ] | [ ] | ___ | |
| Automation & Orchestration | [ ] | [ ] | [ ] | [ ] | ___ | |
| Governance | [ ] | [ ] | [ ] | [ ] | ___ | |
### Data Pillar
| Function | Traditional | Initial | Advanced | Optimal | Current | Evidence |
|---|---|---|---|---|---|---|
| Data Inventory | [ ] | [ ] | [ ] | [ ] | ___ | |
| Data Categorization | [ ] | [ ] | [ ] | [ ] | ___ | |
| Data Availability | [ ] | [ ] | [ ] | [ ] | ___ | |
| Data Access | [ ] | [ ] | [ ] | [ ] | ___ | |
| Data Encryption | [ ] | [ ] | [ ] | [ ] | ___ | |
| Visibility & Analytics | [ ] | [ ] | [ ] | [ ] | ___ | |
| Automation & Orchestration | [ ] | [ ] | [ ] | [ ] | ___ | |
| Governance | [ ] | [ ] | [ ] | [ ] | ___ | |
## Gap Analysis Summary
| Pillar | Current Stage | Target Stage | Gap | Priority |
|---|---|---|---|---|
| Identity | ___ | Advanced | ___ | ___ |
| Devices | ___ | Advanced | ___ | ___ |
| Networks | ___ | Advanced | ___ | ___ |
| Applications | ___ | Advanced | ___ | ___ |
| Data | ___ | Advanced | ___ | ___ |
## OMB M-22-09 Compliance Checklist
- [ ] Phishing-resistant MFA deployed for all agency staff
- [ ] Complete device inventory with EDR coverage
- [ ] DNS and HTTP traffic encrypted
- [ ] Applications treated as internet-connected with regular testing
- [ ] Data categorization and automated discovery implemented
## Roadmap Priorities
### Quick Wins (0-3 months)
1. _______________
2. _______________
3. _______________
### Short-term (3-6 months)
1. _______________
2. _______________
3. _______________
### Medium-term (6-12 months)
1. _______________
2. _______________
3. _______________
### Long-term (12-24 months)
1. _______________
2. _______________
3. _______________
@@ -0,0 +1,51 @@
# Standards Reference: CISA Zero Trust Maturity Model
## Primary Standards
### CISA Zero Trust Maturity Model v2.0 (April 2023)
- **Source**: Cybersecurity and Infrastructure Security Agency
- **Scope**: Federal agencies and organizations implementing zero trust
- **Five Pillars**: Identity, Devices, Networks, Applications & Workloads, Data
- **Four Maturity Stages**: Traditional, Initial, Advanced, Optimal
- **Cross-Cutting**: Visibility & Analytics, Automation & Orchestration, Governance
### NIST SP 800-207: Zero Trust Architecture
- **Published**: August 2020
- **Tenets**: Never trust, always verify; assume breach; least privilege access
- **Deployment Models**: Device agent/gateway, enclave, resource portal
- **Key Requirement**: Policy decision point (PDP) and policy enforcement point (PEP)
### Executive Order 14028: Improving the Nation's Cybersecurity
- **Signed**: May 12, 2021
- **Mandate**: Federal agencies must adopt zero trust architecture
- **Timeline**: Agencies required to develop zero trust implementation plans
### OMB Memorandum M-22-09: Federal Zero Trust Strategy
- **Published**: January 2022
- **Requirements per pillar**:
- Identity: Phishing-resistant MFA for all staff
- Devices: EDR deployed across federal endpoints
- Networks: DNS traffic encrypted, HTTP traffic encrypted
- Applications: Application security testing in CI/CD
- Data: Data categorization and automated classification
## Supporting Standards
### NSA Zero Trust Pillar Guidance Series (2024)
- User Pillar (February 2024)
- Device Pillar (March 2024)
- Data Pillar (April 2024)
- Application & Workload Pillar (April 2024)
- Network & Environment Pillar (May 2024)
- Visibility & Analytics Pillar (May 2024)
- Automation & Orchestration Pillar (June 2024)
### DISA Zero Trust Reference Architecture
- Department of Defense specific implementation
- Aligns with NIST 800-207 and CISA ZTMM
- Covers DoD-specific compliance requirements
### FedRAMP Zero Trust Requirements
- Cloud service providers must support zero trust
- Continuous monitoring requirements
- Identity federation standards
@@ -0,0 +1,102 @@
# Workflows: CISA Zero Trust Maturity Model Implementation
## Workflow 1: Initial Maturity Assessment
```
Step 1: Establish Assessment Team
- Identify stakeholders from IT, security, compliance, and business units
- Assign pillar owners for each of the five ZTMM pillars
- Define assessment timeline and reporting cadence
Step 2: Inventory Current Capabilities
- Identity: Catalog authentication methods, identity providers, MFA coverage
- Devices: Enumerate all endpoints, document endpoint security tools
- Networks: Map network architecture, segmentation, encryption status
- Applications: List all applications, classify access controls
- Data: Identify data repositories, classification, DLP status
Step 3: Map to ZTMM Stages
- For each pillar, evaluate each function against the four maturity stages
- Document evidence for current stage determination
- Identify gaps between current and target maturity
- Rate cross-cutting capabilities (visibility, automation, governance)
Step 4: Produce Assessment Report
- Pillar-by-pillar maturity scores
- Gap analysis with prioritized recommendations
- Quick wins vs. long-term transformation items
- Resource requirements and estimated timelines
```
## Workflow 2: Identity Pillar Advancement (Traditional to Advanced)
```
Phase A: MFA Deployment
1. Inventory all user accounts (privileged, standard, service)
2. Select phishing-resistant MFA solution (FIDO2/WebAuthn)
3. Deploy MFA for privileged accounts first
4. Extend MFA to all user accounts
5. Implement MFA for service accounts and APIs
6. Configure conditional access policies
Phase B: Identity Governance
1. Implement identity lifecycle management
2. Connect IAM to HR system for automated provisioning
3. Establish access certification reviews
4. Deploy identity threat detection
5. Implement just-in-time access for elevated privileges
Phase C: Continuous Verification
1. Integrate identity signals into access decisions
2. Deploy risk-based authentication
3. Implement session-level re-authentication for sensitive actions
4. Enable behavioral analytics for identity anomalies
```
## Workflow 3: Cross-Pillar Integration
```
Step 1: Establish Unified Policy Engine
- Define access policies that incorporate all five pillars
- Implement Policy Decision Point (PDP) per NIST 800-207
- Deploy Policy Enforcement Points (PEP) at all access boundaries
Step 2: Integrate Signal Sources
- Identity signals -> trust score component
- Device posture -> trust score component
- Network context -> trust score component
- Application risk -> trust score component
- Data sensitivity -> access control component
Step 3: Implement Continuous Evaluation
- Real-time trust scoring engine
- Dynamic policy adjustment based on risk
- Automated access revocation on policy violation
- Audit logging for all access decisions
Step 4: Measure and Report
- Track maturity progression per pillar quarterly
- Report to leadership with ZTMM scorecard
- Adjust roadmap based on threat landscape changes
- Document lessons learned for continuous improvement
```
## Workflow 4: Governance and Compliance Reporting
```
Step 1: Establish Zero Trust Governance Board
- Executive sponsor, CISO, pillar owners, compliance
- Monthly review of zero trust maturity progress
- Annual strategic review and roadmap adjustment
Step 2: Continuous Compliance Monitoring
- Map ZTMM controls to OMB M-22-09 requirements
- Automate evidence collection for each pillar
- Generate compliance dashboards
- Prepare for FISMA and other audit requirements
Step 3: Reporting to CISA
- Submit agency zero trust implementation plan
- Provide quarterly progress updates
- Document deviations and remediation plans
```
@@ -0,0 +1,415 @@
#!/usr/bin/env python3
"""
CISA Zero Trust Maturity Model Assessment and Roadmap Generator.
Evaluates organizational zero trust maturity across the five CISA ZTMM pillars
(Identity, Devices, Networks, Applications, Data) and three cross-cutting
capabilities (Visibility & Analytics, Automation & Orchestration, Governance).
Generates gap analysis, prioritized roadmap, and compliance mapping.
"""
import json
import csv
import datetime
from dataclasses import dataclass, field
from enum import IntEnum
from typing import Optional
from pathlib import Path
class MaturityStage(IntEnum):
TRADITIONAL = 0
INITIAL = 1
ADVANCED = 2
OPTIMAL = 3
PILLAR_FUNCTIONS = {
"Identity": [
"authentication",
"identity_stores",
"risk_assessment",
"access_management",
"identity_lifecycle",
"visibility_analytics",
"automation_orchestration",
"governance",
],
"Devices": [
"policy_enforcement",
"asset_management",
"device_compliance",
"device_threat_protection",
"visibility_analytics",
"automation_orchestration",
"governance",
],
"Networks": [
"network_segmentation",
"threat_protection",
"encryption",
"network_resilience",
"visibility_analytics",
"automation_orchestration",
"governance",
],
"Applications": [
"access_authorization",
"threat_protection",
"accessibility",
"application_security",
"visibility_analytics",
"automation_orchestration",
"governance",
],
"Data": [
"data_inventory",
"data_categorization",
"data_availability",
"data_access",
"data_encryption",
"visibility_analytics",
"automation_orchestration",
"governance",
],
}
OMB_M2209_REQUIREMENTS = {
"Identity": {
"requirement": "Agency staff use enterprise-managed identities with phishing-resistant MFA",
"target_stage": MaturityStage.ADVANCED,
"key_actions": [
"Deploy FIDO2/WebAuthn for all users",
"Integrate identity provider with all applications",
"Implement authorization based on user attributes",
],
},
"Devices": {
"requirement": "Federal government has a complete inventory of authorized devices and can prevent/detect/respond to incidents",
"target_stage": MaturityStage.ADVANCED,
"key_actions": [
"Deploy EDR on all endpoints",
"Maintain real-time asset inventory",
"Enforce device compliance before access",
],
},
"Networks": {
"requirement": "Agencies encrypt all DNS and HTTP traffic within their environment",
"target_stage": MaturityStage.ADVANCED,
"key_actions": [
"Encrypt all DNS traffic (DoH/DoT)",
"Enforce HTTPS for all web traffic",
"Implement network microsegmentation",
],
},
"Applications": {
"requirement": "Agencies treat all applications as internet-connected and routinely test them",
"target_stage": MaturityStage.ADVANCED,
"key_actions": [
"Integrate SAST/DAST into CI/CD",
"Remove application access from VPN dependencies",
"Implement application-level access policies",
],
},
"Data": {
"requirement": "Agencies have thorough data categorization and employ automated tools",
"target_stage": MaturityStage.ADVANCED,
"key_actions": [
"Implement data classification scheme",
"Deploy automated data tagging",
"Enable DLP across all data channels",
],
},
}
@dataclass
class FunctionAssessment:
function_name: str
current_stage: MaturityStage
target_stage: MaturityStage
evidence: str = ""
gaps: list = field(default_factory=list)
recommendations: list = field(default_factory=list)
@dataclass
class PillarAssessment:
pillar_name: str
functions: list = field(default_factory=list)
overall_stage: MaturityStage = MaturityStage.TRADITIONAL
compliance_gap: bool = False
def calculate_overall(self):
if not self.functions:
return
scores = [f.current_stage.value for f in self.functions]
avg = sum(scores) / len(scores)
self.overall_stage = MaturityStage(int(avg))
def check_compliance(self):
req = OMB_M2209_REQUIREMENTS.get(self.pillar_name)
if req:
self.compliance_gap = self.overall_stage < req["target_stage"]
@dataclass
class RoadmapItem:
pillar: str
function_name: str
current_stage: str
target_stage: str
priority: int # 1=highest, 4=lowest
effort: str # low, medium, high
recommendations: list = field(default_factory=list)
dependencies: list = field(default_factory=list)
class ZTMMAssessment:
"""Full CISA Zero Trust Maturity Model assessment engine."""
def __init__(self, organization_name: str):
self.organization = organization_name
self.assessment_date = datetime.datetime.now().isoformat()
self.pillar_assessments: dict[str, PillarAssessment] = {}
self.roadmap: list[RoadmapItem] = []
def assess_function(
self,
pillar: str,
function_name: str,
current_stage: int,
target_stage: int = 3,
evidence: str = "",
gaps: Optional[list] = None,
) -> FunctionAssessment:
current = MaturityStage(current_stage)
target = MaturityStage(target_stage)
fa = FunctionAssessment(
function_name=function_name,
current_stage=current,
target_stage=target,
evidence=evidence,
gaps=gaps or [],
)
if pillar not in self.pillar_assessments:
self.pillar_assessments[pillar] = PillarAssessment(pillar_name=pillar)
self.pillar_assessments[pillar].functions.append(fa)
return fa
def calculate_maturity(self):
for pa in self.pillar_assessments.values():
pa.calculate_overall()
pa.check_compliance()
def generate_roadmap(self) -> list[RoadmapItem]:
self.roadmap = []
effort_map = {0: "high", 1: "medium", 2: "low", 3: "low"}
for pillar_name, pa in self.pillar_assessments.items():
for func in pa.functions:
if func.current_stage < func.target_stage:
gap = func.target_stage.value - func.current_stage.value
next_stage = MaturityStage(func.current_stage.value + 1)
item = RoadmapItem(
pillar=pillar_name,
function_name=func.function_name,
current_stage=func.current_stage.name,
target_stage=next_stage.name,
priority=max(1, 4 - gap),
effort=effort_map.get(func.current_stage.value, "high"),
recommendations=func.recommendations,
)
self.roadmap.append(item)
self.roadmap.sort(key=lambda x: (x.priority, x.effort != "low"))
return self.roadmap
def get_compliance_status(self) -> dict:
status = {}
for pillar_name, pa in self.pillar_assessments.items():
req = OMB_M2209_REQUIREMENTS.get(pillar_name, {})
status[pillar_name] = {
"current_stage": pa.overall_stage.name,
"required_stage": req.get("target_stage", MaturityStage.ADVANCED).name,
"compliant": not pa.compliance_gap,
"requirement": req.get("requirement", "N/A"),
"key_actions": req.get("key_actions", []),
}
return status
def get_summary(self) -> dict:
summary = {
"organization": self.organization,
"assessment_date": self.assessment_date,
"pillars": {},
"overall_maturity": "TRADITIONAL",
}
stages = []
for name, pa in self.pillar_assessments.items():
summary["pillars"][name] = {
"stage": pa.overall_stage.name,
"score": pa.overall_stage.value,
"functions_assessed": len(pa.functions),
"compliance_gap": pa.compliance_gap,
}
stages.append(pa.overall_stage.value)
if stages:
avg = sum(stages) / len(stages)
summary["overall_maturity"] = MaturityStage(int(avg)).name
summary["overall_score"] = round(avg, 2)
return summary
def export_report(self, output_path: str):
report = {
"summary": self.get_summary(),
"compliance_status": self.get_compliance_status(),
"roadmap": [
{
"pillar": r.pillar,
"function": r.function_name,
"current": r.current_stage,
"target": r.target_stage,
"priority": r.priority,
"effort": r.effort,
}
for r in self.roadmap
],
"detailed_assessments": {},
}
for name, pa in self.pillar_assessments.items():
report["detailed_assessments"][name] = {
"overall_stage": pa.overall_stage.name,
"functions": [
{
"name": f.function_name,
"current": f.current_stage.name,
"target": f.target_stage.name,
"evidence": f.evidence,
"gaps": f.gaps,
}
for f in pa.functions
],
}
path = Path(output_path)
path.parent.mkdir(parents=True, exist_ok=True)
with open(path, "w") as f:
json.dump(report, f, indent=2)
return report
def export_csv(self, output_path: str):
path = Path(output_path)
path.parent.mkdir(parents=True, exist_ok=True)
with open(path, "w", newline="") as f:
writer = csv.writer(f)
writer.writerow([
"Pillar", "Function", "Current Stage", "Target Stage",
"Gap", "Priority", "Effort", "Evidence"
])
for name, pa in self.pillar_assessments.items():
for func in pa.functions:
gap = func.target_stage.value - func.current_stage.value
writer.writerow([
name, func.function_name,
func.current_stage.name, func.target_stage.name,
gap, max(1, 4 - gap),
"high" if func.current_stage == MaturityStage.TRADITIONAL else "medium",
func.evidence,
])
def run_sample_assessment():
"""Run a sample assessment demonstrating the ZTMM assessment process."""
assessment = ZTMMAssessment("Example Federal Agency")
# Identity Pillar Assessment
assessment.assess_function("Identity", "authentication", 1, 3,
evidence="MFA deployed for 60% of users, not phishing-resistant",
gaps=["No FIDO2/WebAuthn deployment", "Service accounts lack MFA"])
assessment.assess_function("Identity", "identity_stores", 1, 3,
evidence="Centralized AD, partial cloud identity integration")
assessment.assess_function("Identity", "risk_assessment", 0, 3,
evidence="No risk-based authentication in place")
assessment.assess_function("Identity", "access_management", 1, 3,
evidence="Basic RBAC, no attribute-based access control")
assessment.assess_function("Identity", "identity_lifecycle", 1, 3,
evidence="Manual provisioning, no HR integration")
# Devices Pillar Assessment
assessment.assess_function("Devices", "policy_enforcement", 1, 3,
evidence="MDM deployed, basic compliance checks")
assessment.assess_function("Devices", "asset_management", 1, 3,
evidence="Partial inventory, no IoT coverage")
assessment.assess_function("Devices", "device_compliance", 0, 3,
evidence="No real-time compliance checking")
assessment.assess_function("Devices", "device_threat_protection", 1, 3,
evidence="EDR on 70% of endpoints")
# Networks Pillar Assessment
assessment.assess_function("Networks", "network_segmentation", 0, 3,
evidence="Flat network, basic VLAN segmentation only")
assessment.assess_function("Networks", "threat_protection", 1, 3,
evidence="Perimeter firewall, no NDR")
assessment.assess_function("Networks", "encryption", 1, 3,
evidence="TLS for external, plaintext internal")
assessment.assess_function("Networks", "network_resilience", 1, 3,
evidence="Basic redundancy, no SD-WAN")
# Applications Pillar Assessment
assessment.assess_function("Applications", "access_authorization", 1, 3,
evidence="VPN-based access for internal apps")
assessment.assess_function("Applications", "threat_protection", 1, 3,
evidence="WAF for public apps only")
assessment.assess_function("Applications", "application_security", 0, 3,
evidence="Annual pen tests, no CI/CD security integration")
# Data Pillar Assessment
assessment.assess_function("Data", "data_inventory", 0, 3,
evidence="No comprehensive data inventory")
assessment.assess_function("Data", "data_categorization", 1, 3,
evidence="Basic classification, manual process")
assessment.assess_function("Data", "data_access", 1, 3,
evidence="Role-based access, no fine-grained controls")
assessment.assess_function("Data", "data_encryption", 1, 3,
evidence="Encryption at rest for databases, not all storage")
# Calculate and report
assessment.calculate_maturity()
roadmap = assessment.generate_roadmap()
print("=" * 70)
print(f"CISA ZTMM Assessment: {assessment.organization}")
print(f"Date: {assessment.assessment_date}")
print("=" * 70)
summary = assessment.get_summary()
print(f"\nOverall Maturity: {summary['overall_maturity']} (Score: {summary.get('overall_score', 'N/A')})")
print("\nPillar Maturity Scores:")
for pillar, data in summary["pillars"].items():
compliance = " [COMPLIANCE GAP]" if data["compliance_gap"] else " [COMPLIANT]"
print(f" {pillar:20s}: {data['stage']:12s} (Score: {data['score']}){compliance}")
print("\nOMB M-22-09 Compliance Status:")
compliance = assessment.get_compliance_status()
for pillar, status in compliance.items():
icon = "PASS" if status["compliant"] else "FAIL"
print(f" [{icon}] {pillar}: {status['current_stage']} / Required: {status['required_stage']}")
print(f"\nPrioritized Roadmap ({len(roadmap)} items):")
for i, item in enumerate(roadmap[:10], 1):
print(f" {i}. [{item.pillar}] {item.function_name}: "
f"{item.current_stage} -> {item.target_stage} "
f"(Priority: {item.priority}, Effort: {item.effort})")
# Export reports
assessment.export_report("ztmm_assessment_report.json")
assessment.export_csv("ztmm_assessment_report.csv")
print("\nReports exported: ztmm_assessment_report.json, ztmm_assessment_report.csv")
if __name__ == "__main__":
run_sample_assessment()