Anthropic-Cybersecurity-Skills/skills/implementing-cisa-zero-trust-maturity-model/references/workflows.md

# Workflows: CISA Zero Trust Maturity Model Implementation

## Workflow 1: Initial Maturity Assessment

```
Step 1: Establish Assessment Team
  - Identify stakeholders from IT, security, compliance, and business units
  - Assign pillar owners for each of the five ZTMM pillars
  - Define assessment timeline and reporting cadence

Step 2: Inventory Current Capabilities
  - Identity: Catalog authentication methods, identity providers, MFA coverage
  - Devices: Enumerate all endpoints, document endpoint security tools
  - Networks: Map network architecture, segmentation, encryption status
  - Applications: List all applications, classify access controls
  - Data: Identify data repositories, classification, DLP status

Step 3: Map to ZTMM Stages
  - For each pillar, evaluate each function against the four maturity stages
  - Document evidence for current stage determination
  - Identify gaps between current and target maturity
  - Rate cross-cutting capabilities (visibility, automation, governance)

Step 4: Produce Assessment Report
  - Pillar-by-pillar maturity scores
  - Gap analysis with prioritized recommendations
  - Quick wins vs. long-term transformation items
  - Resource requirements and estimated timelines
```

## Workflow 2: Identity Pillar Advancement (Traditional to Advanced)

```
Phase A: MFA Deployment
  1. Inventory all user accounts (privileged, standard, service)
  2. Select phishing-resistant MFA solution (FIDO2/WebAuthn)
  3. Deploy MFA for privileged accounts first
  4. Extend MFA to all user accounts
  5. Implement MFA for service accounts and APIs
  6. Configure conditional access policies

Phase B: Identity Governance
  1. Implement identity lifecycle management
  2. Connect IAM to HR system for automated provisioning
  3. Establish access certification reviews
  4. Deploy identity threat detection
  5. Implement just-in-time access for elevated privileges

Phase C: Continuous Verification
  1. Integrate identity signals into access decisions
  2. Deploy risk-based authentication
  3. Implement session-level re-authentication for sensitive actions
  4. Enable behavioral analytics for identity anomalies
```

## Workflow 3: Cross-Pillar Integration

```
Step 1: Establish Unified Policy Engine
  - Define access policies that incorporate all five pillars
  - Implement Policy Decision Point (PDP) per NIST 800-207
  - Deploy Policy Enforcement Points (PEP) at all access boundaries

Step 2: Integrate Signal Sources
  - Identity signals -> trust score component
  - Device posture -> trust score component
  - Network context -> trust score component
  - Application risk -> trust score component
  - Data sensitivity -> access control component

Step 3: Implement Continuous Evaluation
  - Real-time trust scoring engine
  - Dynamic policy adjustment based on risk
  - Automated access revocation on policy violation
  - Audit logging for all access decisions

Step 4: Measure and Report
  - Track maturity progression per pillar quarterly
  - Report to leadership with ZTMM scorecard
  - Adjust roadmap based on threat landscape changes
  - Document lessons learned for continuous improvement
```

## Workflow 4: Governance and Compliance Reporting

```
Step 1: Establish Zero Trust Governance Board
  - Executive sponsor, CISO, pillar owners, compliance
  - Monthly review of zero trust maturity progress
  - Annual strategic review and roadmap adjustment

Step 2: Continuous Compliance Monitoring
  - Map ZTMM controls to OMB M-22-09 requirements
  - Automate evidence collection for each pillar
  - Generate compliance dashboards
  - Prepare for FISMA and other audit requirements

Step 3: Reporting to CISA
  - Submit agency zero trust implementation plan
  - Provide quarterly progress updates
  - Document deviations and remediation plans
```