# Standards Reference: CISA Zero Trust Maturity Model

## Primary Standards

### CISA Zero Trust Maturity Model v2.0 (April 2023)

- **Source**: Cybersecurity and Infrastructure Security Agency
- **Scope**: Federal agencies and organizations implementing zero trust
- **Five Pillars**: Identity, Devices, Networks, Applications & Workloads, Data
- **Four Maturity Stages**: Traditional, Initial, Advanced, Optimal
- **Cross-Cutting**: Visibility & Analytics, Automation & Orchestration, Governance

### NIST SP 800-207: Zero Trust Architecture

- **Published**: August 2020
- **Tenets**: Never trust, always verify; assume breach; least privilege access
- **Deployment Models**: Device agent/gateway, enclave, resource portal
- **Key Requirement**: Policy decision point (PDP) and policy enforcement point (PEP)

### Executive Order 14028: Improving the Nation's Cybersecurity

- **Signed**: May 12, 2021
- **Mandate**: Federal agencies must adopt zero trust architecture
- **Timeline**: Agencies required to develop zero trust implementation plans

### OMB Memorandum M-22-09: Federal Zero Trust Strategy

- **Published**: January 2022
- **Requirements per pillar**:
  - Identity: Phishing-resistant MFA for all staff
  - Devices: EDR deployed across federal endpoints
  - Networks: DNS traffic encrypted, HTTP traffic encrypted
  - Applications: Application security testing in CI/CD
  - Data: Data categorization and automated classification

## Supporting Standards

### NSA Zero Trust Pillar Guidance Series (2024)

- User Pillar (February 2024)
- Device Pillar (March 2024)
- Data Pillar (April 2024)
- Application & Workload Pillar (April 2024)
- Network & Environment Pillar (May 2024)
- Visibility & Analytics Pillar (May 2024)
- Automation & Orchestration Pillar (June 2024)

### DISA Zero Trust Reference Architecture

- Department of Defense specific implementation
- Aligns with NIST 800-207 and CISA ZTMM
- Covers DoD-specific compliance requirements

### FedRAMP Zero Trust Requirements

- Cloud service providers must support zero trust
- Continuous monitoring requirements
- Identity federation standards