Framework

CISA Zero Trust Maturity Model
the five pillars, four stages, and three capabilities of ZTMM v2.0

The CISA Zero Trust Maturity Model (ZTMM) is the maturity inventory the Cybersecurity and Infrastructure Security Agency publishes for federal civilian agencies and any organisation that wants a published, scorecard-shaped read on Zero Trust progress. ZTMM v2.0, released April 2023, organises Zero Trust across five pillars (Identity, Devices, Networks, Applications and Workloads, Data) plus three cross-cutting capabilities (Visibility and Analytics, Automation and Orchestration, Governance), with four maturity stages per pillar (Traditional, Initial, Advanced, Optimal). It pairs with NIST SP 800-207 as the architectural reference; ZTMM tracks where the programme is, SP 800-207 describes what the architecture is.

Get Started Free

No credit card required. Free plan available forever.

CISA Zero Trust Maturity Model explained

The CISA Zero Trust Maturity Model (ZTMM) is the maturity inventory the Cybersecurity and Infrastructure Security Agency publishes for federal civilian agencies and any organisation that wants a published, scorecard-shaped read on Zero Trust progress. ZTMM v2.0, released in April 2023, organises Zero Trust across five pillars (Identity, Devices, Networks, Applications and Workloads, Data) plus three cross-cutting capabilities (Visibility and Analytics, Automation and Orchestration, Governance), with four maturity stages per pillar and per capability (Traditional, Initial, Advanced, Optimal).

ZTMM is the maturity inventory, not the architectural reference. The reference architecture is NIST SP 800-207, which names the seven tenets, the Policy Engine and Policy Administrator and Policy Enforcement Point components, the trust algorithm input categories, and the deployment approaches. ZTMM tracks where the programme is on the journey; SP 800-207 describes what the architecture is at the end of it. A serious Zero Trust programme reads both together.

For internal security teams, AppSec teams, product security teams, vulnerability management functions, GRC owners, security engineering teams, security architects, security operations leaders, and CISOs, ZTMM is the most frequently asked-after Zero Trust scorecard. The published per-pillar criteria turn a Zero Trust report from narrative into structured evidence, which is why ZTMM has become the default Zero Trust reporting frame across the federal civilian community, the critical infrastructure community, public-company registrants under the SEC disclosure rules, and any enterprise that wants its Zero Trust progress to be readable by an external audience without bespoke explanation.

The five ZTMM pillars

ZTMM organises the Zero Trust progression across five pillars, each with its own subcategories, its own evidence expectations, and its own maturity-stage criteria. The pillars are not independent; the Identity pillar feeds the access decisions every other pillar enforces, and the Visibility and Analytics, Automation and Orchestration, and Governance capabilities apply inside each pillar rather than next to them. The five-pillar structure makes the per-pillar gap analysis tractable.

Identity pillar

Carries the identity-side maturity inventory. Subcategories under the Identity pillar cover authentication strength, identity stores, identity risk assessments, access management, and identity-side visibility and analytics. The maturity progression moves from password-only authentication and manual identity governance at Traditional, through MFA on most accounts at Initial, to phishing-resistant MFA and dynamic risk-based access decisions at Advanced, to continuous identity validation and real-time risk-based access at Optimal.

Devices pillar

Carries the device-side maturity inventory. Subcategories cover policy enforcement and compliance monitoring, asset and supply chain risk, resource access, device threat protection, and device-side visibility and analytics. The progression moves from manual asset inventory and limited posture awareness at Traditional, to partial automated inventory with basic posture checks at Initial, to continuous posture verification feeding access decisions at Advanced, to real-time posture telemetry driving the trust algorithm at Optimal.

Networks pillar

Carries the network-side maturity inventory. Subcategories cover network segmentation, network traffic management, traffic encryption, and network resilience. The progression moves from a flat network with VLAN macro-segmentation at Traditional, to defined segmentation with some micro-segmentation at Initial, to dynamic identity-aware segmentation with encrypted east-west traffic at Advanced, to fully software-defined segmentation with application-aware traffic management at Optimal.

Applications and Workloads pillar

Carries the application-side maturity inventory. Subcategories cover application access, application threat protections, accessible applications, secure application development and deployment, and application security testing. The progression moves from perimeter-protected applications and ad hoc testing at Traditional, to MFA-protected applications and defined SAST/DAST cadence at Initial, to identity- and context-aware application access with continuous testing in CI at Advanced, to application-level policy enforcement and blocking gates at Optimal.

Data pillar

Carries the data-side maturity inventory. Subcategories cover data inventory management, data categorisation, data availability, data access, and data encryption. The progression moves from manual data inventory and broad role-based access at Traditional, to defined data categorisation with basic data-loss telemetry at Initial, to dynamic data-aware access with continuous DLP at Advanced, to fully automated data inventory and end-to-end lifecycle protection at Optimal.

The three cross-cutting capabilities

The three cross-cutting capabilities sit inside every pillar rather than next to the pillars. ZTMM expects each pillar to have its own visibility and analytics maturity, its own automation and orchestration maturity, and its own governance maturity, on top of the pillar-side functional maturity. The structure forces the scorecard to surface gaps in the cross-cutting dimensions independently of the underlying functional gaps.

Visibility and Analytics

The telemetry collection, correlation, and analytical posture every pillar reads against. ZTMM expects visibility across identity events, device posture changes, network traffic decisions, application access decisions, and data access decisions, with correlated analytics that surface anomalies the trust algorithm can read against. The capability matures from limited siloed logging at Traditional to enterprise-wide correlated analytics with anomaly detection at Optimal.

Automation and Orchestration

The workflow automation, response orchestration, and policy refresh discipline that compounds across the pillars. ZTMM expects automated joiner-mover-leaver in Identity, automated remediation of device drift in Devices, automated policy refresh against the asset catalogue in Networks, automated CI security testing in Applications, and automated data classification in Data. The capability matures from manual workflows at Traditional to fully automated orchestrated response at Optimal.

Governance

The strategy ownership, policy hierarchy, exception handling, and reporting cadence the maturity model expects at every stage. ZTMM expects a documented Zero Trust strategy, named pillar owners, an exception register, a policy refresh cadence, and an executive-level reporting rhythm tied to the scorecard. The capability matures from ad hoc governance at Traditional to centralised policy with dynamic enforcement and continuous improvement at Optimal.

The four maturity stages

ZTMM names four maturity stages per pillar and per cross-cutting capability. The stages are operating postures backed by evidence, not aspirational labels. The progression compounds: Optimal on a pillar requires the Advanced criteria to be in place, which requires the Initial criteria to be in place. Maturity is per pillar; the scorecard records a per-pillar and per-capability stage rather than an aggregate Zero Trust score.

Traditional

The starting posture. Manual processes, siloed tooling, perimeter-based trust, password-only authentication, broad role-based access, and limited telemetry. The Traditional stage is the honest baseline a programme needs to record before claiming progress; programmes that skip the Traditional read overstate the Initial-stage gap.

Initial

Foundational automation and named controls. MFA on most accounts, partial automated identity provisioning, defined network segmentation, MFA-protected applications, defined data categorisation, and basic telemetry across pillars. The Initial stage is where most non-federal programmes sit when they begin ZTMM tracking; it is also the stage where the gap to Advanced becomes specific enough to plan against.

Advanced

Continuous, integrated, identity- and context-aware operations across pillars. Phishing-resistant MFA, continuous device-posture verification feeding access decisions, dynamic identity-aware network segmentation, continuous application security testing in CI, dynamic data-aware access decisions, and correlated cross-pillar analytics. The Advanced stage is where the cross-pillar inputs to the trust algorithm start carrying meaningful weight together.

Optimal

Fully automated, machine-readable policy, and real-time enforcement with continuous improvement. Continuous identity validation, real-time device-posture telemetry, software-defined network segmentation, application-level policy enforcement with blocking gates, fully automated data classification, and enterprise-wide correlated analytics with anomaly detection. Optimal is the published end state; few programmes reach Optimal across every pillar simultaneously and the maturity is honest about that.

How the ZTMM scorecard reads

The ZTMM scorecard is what makes the maturity model operable. The reading mechanics below are the ones a programme has to settle before the scorecard becomes useful as a planning, reporting, and audit input.

Maturity is per pillar and per capability, not aggregate. A programme can sit at Advanced on Identity, Initial on Devices, and Traditional on Data without contradiction; the scorecard records each pillar and each capability individually, and the maturity gap on the lagging pillar is the planning input.
Subcategories under each pillar carry the published criteria. The CISA publication lists subcategories per pillar (for example Identity covers Authentication, Identity Stores, Risk Assessments, Access Management, plus Visibility and Analytics, Automation and Orchestration, and Governance dimensions) and a per-subcategory description of the Traditional, Initial, Advanced, and Optimal states. The scorecard read therefore happens at the subcategory level, then rolls up to the pillar.
Cross-cutting capabilities apply per pillar. The Visibility and Analytics, Automation and Orchestration, and Governance dimensions appear inside each pillar rather than as a separate independent inventory. The scorecard records the cross-cutting maturity per pillar as well, so the programme has a per-pillar visibility maturity, a per-pillar automation maturity, and a per-pillar governance maturity, plus the underlying functional maturity.
Stages are operating postures, not labels. A claim that a programme is at Advanced on the Identity pillar is the assertion that the operating evidence supports the Advanced criteria for every subcategory under Identity; missing evidence on one subcategory caps the pillar maturity at the lower stage. The published criteria are the constraint, not the convenience.
Movement is bidirectional. A programme that loses MFA coverage on a critical identity segment, or whose device posture telemetry breaks, can move backwards on the scorecard. ZTMM names continuous improvement as the governance discipline, which means the scorecard refresh cadence is what keeps the read honest rather than the most recent maximum.

ZTMM in the federal and non-federal context

ZTMM was published for federal civilian agencies operating under OMB Memorandum M-22-09, and it has become the de-facto Zero Trust scorecard format outside that community as well. The context below explains the audiences that read against ZTMM and the surrounding mandates and reference structures.

Federal civilian agencies are the named primary audience under OMB Memorandum M-22-09, which directs agencies to adopt the Zero Trust strategy and meet specific outcomes by named milestones across identity, devices, networks, applications and workloads, and data. ZTMM is the maturity inventory the OMB strategy reads against; the strategy memo names the outcome targets, and ZTMM names the operating posture the targets describe.
The DoD Zero Trust Reference Architecture is the defence-side companion to the federal-civilian ZTMM, with seven pillars (Identity, Devices, Network and Environment, Applications and Workloads, Data, Visibility and Analytics, Automation and Orchestration) and explicit overlap with the CISA maturity model. A defence programme reads against the DoD reference and the CISA ZTMM together; the operating evidence overlaps substantially even though the pillar count differs.
Non-federal organisations use ZTMM as a published scorecard structure rather than as a regulatory obligation. Critical infrastructure operators, enterprises that sell to the federal market, organisations that operate under the State and Local Cybersecurity Grant Program, and any programme that wants a published Zero Trust reporting structure adopt ZTMM as the scorecard format and SP 800-207 as the architectural reference.
The maturity model is voluntary outside the federal civilian space. There is no certification, no audit attestation, and no third-party body that issues a ZTMM rating; the scorecard is the programme self-assessment against the published criteria, with the evidence pack as the supporting record. Many programmes nonetheless commission third-party reads against ZTMM as part of broader audit, board-reporting, or customer-evidence cycles.

Evidence the maturity model expects

A ZTMM scorecard reads well when the evidence is produced as a side effect of the operating work rather than reconstructed at scorecard refresh time. The minimum set below maps to the artefacts examiners, federal customers, audit committees, and customer security reviewers most often ask against, and the same artefacts feed parallel reads under NIST SP 800-207, NIST CSF 2.0, NIST SP 800-53, ISO 27001, SOC 2, FedRAMP, CIS Controls, DORA, and NIS2 when the underlying record is structured.

Documented Zero Trust strategy with the in-scope pillars, the target maturity per pillar, the timeline, the named pillar owners, and the executive sponsor
ZTMM scorecard per pillar (Identity, Devices, Networks, Applications and Workloads, Data) and per cross-cutting capability (Visibility and Analytics, Automation and Orchestration, Governance), with the maturity stage and the supporting evidence per subcategory
Subject and resource inventory with the criticality classification, the assigned pillar policy, and the named owner per resource class
Identity governance evidence covering account lifecycle, joiner-mover-leaver records, privilege review cadence, MFA enforcement strength per identity class, and phishing-resistant MFA coverage where applicable
Device posture evidence covering asset inventory completeness, configuration baseline, patch level, security agent presence, and the posture telemetry feeding access decisions where applicable
Network segmentation and encryption evidence covering segmentation policy, east-west traffic encryption coverage, identity-aware network policy where applicable, and the resilience posture
Application access and security testing evidence covering identity-aware application access, SAST/DAST/SCA coverage and cadence, blocking gate configuration where applicable, and the workload runtime posture
Data inventory and protection evidence covering data inventory completeness, categorisation, access policy per classification, encryption coverage per classification, and data-loss telemetry
Cross-cutting telemetry evidence covering the correlated analytics surface per pillar, the automation and orchestration coverage per pillar, and the governance cadence (strategy reviews, policy refresh, exception decisions, leadership reporting)
Scorecard refresh record with named refresh cadence, the evidence reviewed per refresh, the maturity-stage changes per pillar, and the improvement actions queued for the next cycle

Failure modes the maturity model is designed to surface

ZTMM is forgiving on the choice of identity provider, the choice of device management platform, the choice of network segmentation product, the choice of application-level access broker, and the choice of data classification toolchain. It is unforgiving about a small number of patterns that turn the scorecard cosmetic rather than operational. The patterns below recur across early and mid-stage ZTMM adoptions.

Treating ZTMM as the architecture rather than the scorecard. ZTMM is the maturity inventory; it does not specify a design. Programmes that adopt ZTMM as the architectural blueprint discover under operating pressure that the scorecard does not describe how the trust algorithm consumes the asset posture, how the Policy Decision Point holds policy, or how the Policy Enforcement Points fail. NIST SP 800-207 is the architectural reference that ZTMM tracks progress against.
Aggregating the scorecard. A single Zero Trust maturity number across the whole programme is the wrong read; it averages out the Identity-pillar Advanced posture with the Data-pillar Traditional posture and conceals the planning input. The scorecard is per pillar and per capability for a reason.
Claiming a maturity stage without the evidence pack. ZTMM stages are operating postures backed by evidence. A claim of Advanced on Identity that cannot produce the phishing-resistant MFA coverage record, the privileged-account separation record, and the identity-side analytics evidence does not survive an external read. The evidence pack is the maturity, not the assertion.
Confusing pillar progress with cross-cutting progress. The cross-cutting capabilities (Visibility and Analytics, Automation and Orchestration, Governance) apply per pillar; a programme that builds strong Identity visibility but leaves Data with no analytics has a per-pillar gap that the scorecard surfaces. Programmes that treat the cross-cutting capabilities as separate from the pillars miss the integration the maturity model is structured around.
Skipping the Traditional baseline. The starting Traditional read is the honest record the rest of the scorecard reads against. Programmes that begin recording at Initial overstate the gap they have closed and understate the work that remains; the Traditional baseline is the diff anchor the maturity progression is measured against.
One-shot scorecard refresh. ZTMM names continuous improvement as the governance discipline. A scorecard refreshed once at programme kickoff and not again until the next audit is a stale read; the maturity claim has to be supported by current evidence. The scorecard refresh cadence (often quarterly or semi-annually) is what keeps the model operational rather than ceremonial.
Mixing the CISA ZTMM with the DoD Zero Trust Reference Architecture without recording which read is which. The two are related but the pillar count and the subcategory breakdown differ. Programmes that produce one scorecard and label it as both confuse readers, especially when the evidence pack maps cleanly to one of the two reference structures and partially to the other.

How ZTMM relates to adjacent frameworks

ZTMM sits in a busy Zero Trust and broader cybersecurity neighbourhood. The relationships below are the ones programmes encounter most often when they read ZTMM against the rest of their framework footprint. The relationships matter because programmes that try to operate each framework in isolation rebuild the same evidence multiple times.

ZTMM vs NIST SP 800-207

NIST SP 800-207 is the architectural reference; ZTMM is the maturity inventory. SP 800-207 names the seven tenets, the Policy Engine, Policy Administrator, and Policy Enforcement Point components, and the trust algorithm inputs. ZTMM names the five pillars, four stages, and three cross-cutting capabilities. A Zero Trust programme reads both together: SP 800-207 describes what the architecture is, ZTMM tracks where the programme is on the maturity progression.

ZTMM vs NIST CSF 2.0

NIST CSF 2.0 is the comprehensive cybersecurity outcome framework across GOVERN, IDENTIFY, PROTECT, DETECT, RESPOND, and RECOVER. ZTMM is the Zero-Trust-specific maturity model within the broader cybersecurity programme. Programmes operating CSF 2.0 as the long-term framework adopt ZTMM as the Zero-Trust scorecard, with the GOVERN function carrying the strategy ownership ZTMM expects and the PROTECT function carrying most of the pillar-side control evidence.

ZTMM vs CIS Controls

CIS Controls v8.1 are prioritised defensive actions organised into 18 controls with three implementation groups (IG1, IG2, IG3). ZTMM is a Zero-Trust-specific maturity model. CIS Controls IG2 covers most of the pillar-side practices ZTMM expects at the Initial-to-Advanced range, so programmes operating CIS Controls already produce most of the underlying evidence ZTMM reads against. Where CIS Controls is the prescriptive practice set, ZTMM is the maturity overlay.

ZTMM vs FedRAMP

FedRAMP is the security authorisation programme for cloud service providers serving the federal government, with control baselines (Low, Moderate, High) drawn from NIST SP 800-53. ZTMM is the federal-civilian Zero-Trust maturity model. FedRAMP authorisations carry most of the access-control, identity, audit, and continuous monitoring evidence that the ZTMM Identity, Networks, and cross-cutting capabilities also expect. Programmes serving the federal market operate FedRAMP as the authorisation and ZTMM as the maturity scorecard.

ZTMM vs CISA CPGs

The CISA Cybersecurity Performance Goals (CPGs) are the voluntary, prioritised baseline CISA recommends for critical infrastructure operators. ZTMM is the Zero-Trust-specific maturity model. CPGs cover the broad cybersecurity baseline; ZTMM covers the Zero-Trust-specific progression. Programmes operating both adopt CPGs as the prioritised first-wave baseline and ZTMM as the Zero-Trust scorecard once the CPG foundations are in place.

ZTMM vs SEC cybersecurity disclosure rules

The SEC cybersecurity disclosure rules apply to public-company registrants and require Item 1.05 incident disclosures and Item 106 risk-management and governance disclosures. ZTMM is a voluntary maturity model. Public-company registrants frequently adopt ZTMM because the Item 106 governance and risk-management disclosure benefits from a published maturity scorecard, and the Item 1.05 incident pack benefits from the cross-pillar telemetry the ZTMM Visibility and Analytics capability expects.

Who reads against ZTMM

ZTMM has more than one audience inside an organisation, and each one reads the scorecard from a different angle. The audience lens below is the one we see most often when ZTMM is the Zero Trust reporting frame.

CISOs and security leaders

Hold the Zero Trust strategy, the scorecard refresh cadence, the leadership reporting rhythm, and the executive sponsor narrative. The CISO read on ZTMM is the per-pillar maturity, the cross-cutting capability maturity, the gap to the next stage per pillar, and the budget implications per pillar. The scorecard is the artefact the board and audit committee read against; the per-pillar evidence pack is the artefact the auditors read against.

Federal civilian CISOs and federal programme owners

Operate ZTMM against the OMB M-22-09 strategy memo, the agency-specific Zero Trust implementation plan, and the CISA reporting cadence. The federal read on ZTMM is the published scorecard format, the OMB milestone alignment, and the cross-agency comparability the ZTMM structure enables. The DoD Zero Trust Reference Architecture sits next to ZTMM for defence-side reads.

Security architects and Zero Trust programme owners

Own the architecture mapping between SP 800-207 (what the architecture is) and ZTMM (where the programme is). The architect read is the per-pillar deployment approach, the trust algorithm input coverage per pillar, the PEP placement against the resource catalogue, and the gap between the architectural design and the current maturity stage.

GRC and compliance teams

Hold the evidence pack across ZTMM, NIST SP 800-207, NIST CSF 2.0, NIST SP 800-53, ISO 27001, SOC 2, FedRAMP, CIS Controls, DORA, and NIS2 reads. The GRC read on ZTMM is the per-pillar evidence completeness, the audit-trail integrity per evidence item, the cross-framework footprint reconciliation, and the scorecard refresh record that supports the maturity claim.

Internal security teams, AppSec teams, security engineering teams, and vulnerability management teams

Produce the pillar-side operating evidence the scorecard reads against. AppSec carries Applications and Workloads pillar evidence (SAST/DAST/SCA cadence, blocking gate configuration); security engineering carries Networks and Devices pillar evidence (segmentation, posture telemetry); vulnerability management carries the cross-pillar finding intake, prioritisation, and remediation evidence that feeds the asset posture the trust algorithm reads against.

Security operations leaders and detection engineering teams

Own the cross-cutting Visibility and Analytics capability per pillar. The SecOps read on ZTMM is the per-pillar telemetry coverage, the correlated analytics surface, the anomaly detection coverage, and the integration of the analytics output into the Policy Decision Point. Detection engineering owns the rule catalogue mapped to the ATT&CK techniques the cross-pillar telemetry surfaces.

Where SecPortal fits in a ZTMM programme

SecPortal is the operating record layer for the ZTMM scorecard cycle, not a replacement for CISA, OMB, NIST, or the underlying identity, device, network, application, and data control planes a Zero Trust programme needs. The platform handles the ZTMM-side workstreams (engagement structure per pillar, finding intake, scorecard refresh cadence, evidence-pack assembly, leadership reporting, framework crosswalks) so the inputs the scorecard refresh reads against are produced as structured records rather than reconstructed at the maturity-review meeting.

Engagement management dedicated to the Zero Trust programme, with workstreams per pillar (Identity, Devices, Networks, Applications and Workloads, Data) and per cross-cutting capability (Visibility and Analytics, Automation and Orchestration, Governance) tracked as recurring engagements rather than one-off projects stitched together at scorecard refresh time
Findings management with CVSS 3.1 scoring, CWE tagging, and structured fields so the asset posture issues (unpatched devices, missing security agents, configuration drift, vulnerable dependencies, exposed services) that feed the trust algorithm have named owners, target dates, severity bands, and verification evidence
Compliance tracking that maps the same evidence pack across CISA ZTMM, NIST SP 800-207, NIST CSF 2.0, NIST SP 800-53, ISO 27001, SOC 2, FedRAMP, CIS Controls, DORA, and NIS2, so the cross-framework footprint reads from a single source rather than being reconciled per audit cycle
External, authenticated, and code scanning across the resource catalogue the ZTMM Identity, Devices, Applications and Workloads, and Data pillars depend on, with continuous monitoring schedules establishing the cadence the scorecard refresh reads against
Encrypted credential storage (AES-256-GCM) for authenticated-scan credentials, supporting the Identity-pillar credential-handling discipline at the platform layer
MFA enforcement on the SecPortal workspace itself and team management with role-based access (owner, admin, member, viewer, billing), so the Identity-pillar discipline applies at the platform that holds the evidence
Activity log that captures every state change to a finding, an asset record, a credential, a policy review item, or a scorecard refresh with timestamp and named user, supporting the cross-cutting Visibility and Analytics capability at the operating-record layer
Document management for the strategy document, the per-pillar policy hierarchy, the exception register, the per-pillar scorecard refresh record, and the leadership reporting pack, so the Governance capability has a single source of truth
AI report generation that turns the engagement evidence and the scorecard refresh output into a ZTMM-shaped leadership report, an executive sponsor narrative, and a board-ready summary without manual rewriting per audience
Retesting workflows so the closed-loop validation per remediated finding feeds the maturity-stage evidence base for the Devices, Networks, Applications and Workloads, and Data pillars

Honest scope: what SecPortal is and is not

ZTMM expects the underlying identity, device, network, application, and data control planes to do the enforcement work. SecPortal sits next to those control planes as the operating record. The scope statements below clarify the line.

SecPortal is not a Policy Engine, Policy Administrator, or Policy Enforcement Point. The platform does not host the trust algorithm, evaluate access decisions in real time, or sit in the data path between subjects and resources. ZTA implementations need dedicated identity, device, network, application, and data control planes; SecPortal sits next to them as the operating record.
SecPortal does not ship packaged push connectors into identity providers, EDR consoles, network policy engines, application gateways, data loss prevention platforms, SIEM, SOAR, GRC platforms, CMDB, ticket systems, or Slack/Teams/PagerDuty channels. The platform exposes the evidence; the integration into adjacent control planes is the customer-side responsibility.
SecPortal does not certify, attest, or audit ZTMM maturity claims. The scorecard refresh is the programme self-assessment; SecPortal holds the structure, the supporting evidence, the change history, and the leadership reporting artefacts. Third-party reads against ZTMM remain the customer-side or examiner-side process.
SecPortal does not auto-classify findings into ZTMM pillars. The mapping between a finding and the pillar it informs is a programme decision recorded on the engagement, with the maturity claim that the finding evidence supports recorded on the scorecard refresh artefact.
SecPortal is not the federal authorisation boundary. FedRAMP authorisation and federal continuous monitoring sit with the agency or the cloud service provider; SecPortal holds the engagement evidence the programme produces against ZTMM in parallel.

The asset posture inputs the Devices, Networks, Applications and Workloads, and Data pillars depend on are produced through the day-to-day vulnerability management work the same workspace already runs. The vulnerability prioritisation workflow keeps the highest-risk asset posture findings at the top of the queue feeding the pillar evidence. The asset criticality scoring workflow carries the resource classification the ZTMM Data pillar expects to underpin per-class access policy. The control-mapping cross-framework crosswalk workflow carries the same evidence pack across ZTMM, NIST CSF 2.0, NIST SP 800-53, ISO 27001, SOC 2, and the broader audit footprint. The audit fieldwork evidence request fulfillment workflow carries the evidence-pack assembly cadence the maturity review and the audit cycle both read against. The security leadership reporting workflow rolls the scorecard refresh and the per-pillar evidence into the leadership cadence the Governance capability expects.

For internal security teams running the programme, the internal security teams workspace bundles the platform with the engagement structure the scorecard refresh cadence reads against. For the AppSec function carrying Applications and Workloads pillar evidence, the AppSec teams workspace covers the development-adjacent angle. For the vulnerability management function feeding cross-pillar asset posture evidence, the vulnerability management teams workspace covers the operating cadence that produces the underlying findings. For the security engineering function owning Networks and Devices pillar evidence, the security engineering teams workspace covers the build-side mechanics. For the security architecture function holding the SP 800-207-to-ZTMM mapping, the security architects workspace carries the design-side angle. For the GRC function holding the cross-framework evidence pack, the GRC and compliance teams workspace covers the audit footprint. For security leaders carrying the scorecard cadence and the executive reporting rhythm, the CISOs and security leaders workspace covers the programme-level reporting model.

For deeper reading on the disciplines this scorecard reads against, the Zero Trust Architecture implementation guide covers the practitioner-side rollout against SP 800-207. The NIST CSF 2.0 framework page covers the broader cybersecurity outcome framework the Zero Trust programme sits inside. The NIST SP 800-53 framework page covers the control catalogue the pillar-side evidence reads against. The FedRAMP framework page covers the cloud authorisation programme that pairs with ZTMM in the federal context. The CIS Controls framework page covers the prioritised practice set that produces most of the pillar-side evidence ZTMM reads against.

For analytical context on how the maturity model evolves across cycles, the continuous control monitoring cadence research covers the operating discipline that pairs with the scorecard refresh, and the security control drift research covers the erosion patterns the maturity model is designed to surface between scorecard refreshes when the review cadence relaxes.

Key control areas

SecPortal helps you track and manage compliance across these domains.

Identity pillar (authentication, identity stores, risk assessments, access management, visibility)

Carries the identity-side maturity inventory. Traditional means password-based authentication with manual identity governance. Initial means MFA on most accounts and partially automated joiner-mover-leaver. Advanced means phishing-resistant MFA, dynamic risk-based access decisions, and centralised identity governance. Optimal means continuous identity validation, real-time risk-based access, and automated joiner-mover-leaver across the identity catalogue.

Devices pillar (policy enforcement, asset and supply chain risk, resource access, device threat protection, visibility)

Carries the device-side maturity inventory. Traditional means manual asset inventory and limited device-posture awareness. Initial means partial automated inventory, basic device-posture checks at access time, and selective resource-access gating on device state. Advanced means continuous device-posture verification feeding access decisions and integrated device threat protection. Optimal means real-time device-posture telemetry feeding the trust algorithm and automated remediation of device drift.

Networks pillar (network segmentation, network traffic management, traffic encryption, network resilience)

Carries the network-side maturity inventory. Traditional means a flat network with VLAN-based macro-segmentation. Initial means defined network segmentation with some micro-segmentation in critical zones. Advanced means dynamic, identity-aware network segmentation with encrypted east-west traffic. Optimal means fully software-defined segmentation, application-aware traffic management, and machine-readable network policies refreshed against the asset catalogue.

Applications and Workloads pillar (application access, application threat protections, accessible applications, secure application development and deployment, application security testing)

Carries the application-side maturity inventory. Traditional means perimeter-protected applications and ad hoc security testing. Initial means MFA-protected applications, defined SAST and DAST cadence, and named accessible-application list. Advanced means identity- and context-aware application access, continuous application security testing in CI, and protected workload runtime. Optimal means application-level policy enforcement, fully automated CI security testing with blocking gates, and continuous workload posture verification.

Data pillar (data inventory management, data categorization, data availability, data access, data encryption)

Carries the data-side maturity inventory. Traditional means manual data inventory and broad role-based access. Initial means defined data categorisation, basic data-loss telemetry, and per-classification access policy. Advanced means dynamic data-aware access decisions, continuous data-loss prevention, and encryption tied to data classification. Optimal means fully automated data inventory and categorisation, real-time data-aware access decisions, and end-to-end data lifecycle protection.

Cross-cutting capabilities: Visibility and Analytics, Automation and Orchestration, Governance

The three capabilities ZTMM names as pillars-spanning rather than pillar-specific. Visibility and Analytics covers the telemetry collection, correlation, and analytical posture every pillar reads against. Automation and Orchestration covers the workflow automation, response orchestration, and policy refresh discipline that compounds across the pillars. Governance covers the strategy ownership, policy hierarchy, exception handling, and reporting cadence the maturity model expects at every stage.

Four maturity stages per pillar and per capability: Traditional, Initial, Advanced, Optimal

The maturity stages are not aspirational labels; they describe the operating posture, the evidence the programme produces, and the integration depth across pillars. Traditional means siloed manual processes. Initial means foundational automation and named controls. Advanced means continuous, integrated, identity- and context-aware operations across pillars. Optimal means fully automated, machine-readable policy, and real-time enforcement with continuous improvement. Maturity is per pillar; a programme can sit at Advanced on Identity and Initial on Data without contradiction.

Related features

Orchestrate every security engagement from start to finish

Vulnerability management software that tracks every finding

Compliance tracking without a full GRC platform

AI-powered reports in seconds, not days

Vulnerability scanning tools that map your attack surface

Test web apps behind the login

Find vulnerabilities before they ship

Monitor continuously catch regressions early

Every action recorded across the workspace

Document management for every security engagement

Multi-factor authentication on every workspace

Collaborate across your entire team

Finding overrides that survive every scan cycle

Verify fixes and track reopens on the same finding record

Run the ZTMM scorecard cadence on one workspace

Hold the ZTMM scorecard per pillar and per cross-cutting capability, the supporting evidence per maturity stage, the asset posture findings from scanning, the policy review record, and the leadership reporting cadence as one engagement record. Carry the same evidence pack across NIST SP 800-207, NIST CSF 2.0, NIST SP 800-53, ISO 27001, SOC 2, FedRAMP, CIS Controls, DORA, and NIS2 without rebuilding it per audit. Start free.