
C2 Corner: From Mandate to Maturity

From Mandate to Maturity: How CISA’s Zero Trust Maturity Model 2.0 and CSA Methodologies Advance Enterprise Cyber Resilience

Joe Kim
C2 Corner
September 10, 2025

More Than a Federal Compliance Exercise

Zero Trust has evolved well past the buzzword stage. For U.S. federal civilian agencies, it’s a legal requirement: Executive Order 14028 (2021) directed agencies to adopt Zero Trust by 2024 as a way to harden defenses against nation-state and criminal actors. The Cybersecurity and Infrastructure Security Agency (CISA) translated this mandate into its Zero Trust Maturity Model (ZTMM)—a practical framework for agencies to follow.

For commercial enterprises, there’s no such mandate, but there is pressure. Regulators, partners, and boards are increasingly expecting Zero Trust maturity as a baseline, not just a “nice to have.” For those organizations, adopting CISA’s ZTMM as a strategic benchmark and pairing it with the Cloud Security Alliance (CSA)’s Certificate of Competence in Zero Trust (CCZT) methodologies offers both the measurement system and the playbook needed to turn Zero Trust into a driver of resilience and trust.

This edition of C2 Corner features Joe Kim, CTO at Squadra Solutions. Joe supports federal and large enterprises and holds multi-vendor certifications, including the Cloud Security Alliance Certificate of Competence in Zero Trust (CSA CCZT) and certifications in Zero Trust solutions such as Palo Alto Networks, Zscaler, and Netskope. His focus is on translating frameworks into results.

CISA’s ZTMM 2.0 — The Federal Blueprint

CISA’s updated model (released in April 2023) breaks Zero Trust into five foundational pillars:

  • Identity – verifying that every user is who they claim to be (e.g., phishing-resistant MFA).
  • Devices – ensuring endpoints meet security posture requirements before connecting.
  • Networks – segmenting and monitoring traffic to minimize lateral movement.
  • Applications & Workloads – securing code, APIs, and cloud-native workloads.
  • Data – protecting sensitive information wherever it resides or moves.

These are reinforced by three cross-cutting capabilities:

  • Visibility & Analytics – making threats and anomalies observable.
  • Automation & Orchestration – responding quickly and consistently at scale.
  • Governance – aligning policies, compliance, and accountability.

Each pillar moves through four maturity stages:

  • Traditional (legacy, perimeter-based trust)
  • Initial (basic Zero Trust controls in place)
  • Advanced (integrated, risk-informed controls)
  • Optimal (dynamic, adaptive, continuous Zero Trust)

This tiered approach acknowledges that no agency (or enterprise) can achieve “Optimal” overnight. Instead, progress comes through incremental adoption, policy refinement, and cultural alignment.

For federal agencies, ZTMM 2.0 is the north star. For enterprises, it’s a market signal: regulatory expectations are converging, and customers, partners, and boards increasingly expect ZT maturity as table stakes.

Why Enterprises Should Pay Attention

Even without federal mandates, enterprises face parallel challenges:

  • Hybrid complexity: Identities, devices, and workloads span on-prem, multi-cloud, and SaaS.
  • Escalating threats: Lateral movement and supply chain exploits thrive in environments with implicit trust.
  • Board-level pressure: Cybersecurity is now a fiduciary priority; resilience and continuity drive investment.

By adopting ZTMM 2.0, enterprises can measure where they stand, prioritize investments, and demonstrate tangible progress to stakeholders. But ZTMM explains what maturity looks like—not how to get there. That’s where CSA’s methodology adds depth.

CSA’s CCZT Methodologies — Turning Maturity Into Execution

While CISA’s ZTMM provides a blueprint for what maturity looks like, it stops short of prescribing how to get there. That’s where the Cloud Security Alliance (CSA) steps in. Through its Certificate of Competence in Zero Trust (CCZT) program and companion methodologies, CSA offers organizations a repeatable, actionable framework for operationalizing Zero Trust.

Zero Trust as a Business Strategy

One of CSA’s most important messages is that Zero Trust isn’t an IT project but rather an organizational strategy. To succeed, it must align with business priorities and risk appetite. That means:

  • Start with risk management: Protect the most critical assets first (your “High Value Assets” or HVAs).
  • Secure executive buy-in: Link Zero Trust initiatives directly to outcomes the C-suite cares about—reduced breach impact, compliance wins, and stronger customer trust.
  • Avoid silos: Make sure ZTMM’s pillars (identity, devices, networks, etc.) are tied back to overarching business goals, not treated as isolated technical efforts.

Planning: Five-Step Discipline

CSA’s methodology emphasizes disciplined, repeatable planning:

  1. Define the protect surface – Narrow scope to what matters most (DAAS: Data, Applications, Assets, Services).
     Example: Begin with your crown-jewel application containing sensitive customer records.
  2. Map transaction flows – Understand how identities, devices, and workloads interact with that protect surface.
     Example: Who accesses the app, from where, and under what conditions?
  3. Build a target Zero Trust architecture – Design controls tailored to those flows, not a generic “one-size-fits-all” model.
  4. Create enforceable policies – Use the Kipling Method (who, what, when, where, why, how) to make policies precise.
     Example: Who: finance admins; What: payroll app; Where: corporate network only; When: business hours; How: phishing-resistant MFA.
  5. Monitor and maintain continuously – Visibility and analytics ensure policies adapt to changes in users, devices, and threats.

This cycle neatly aligns with ZTMM’s maturity stages: start at “Traditional,” iterate with each protect surface, and climb toward “Optimal” with measurable milestones.
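The five steps above end in a policy written as Kipling questions and a monitoring loop that watches how it is enforced. The following is an added example, not code from the article, CISA, or CSA: it encodes the payroll policy from step 4 as a structured record with one field per Kipling question, evaluates access requests against it with default deny, adds the device posture gate from the Devices pillar, and emits a structured decision record for the monitor-and-maintain step. The role names, the 10.0.0.0/8 corporate range, and the "fido2"/"piv" method labels are constructed placeholders.

```python
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class KiplingPolicy:
    """One enforceable policy for one protect surface, one field per Kipling question."""
    who: frozenset          # roles allowed to act
    what: str               # the protect-surface resource this policy covers
    where: tuple            # source networks (CIDR strings) the access may come from
    when: tuple             # (start, end) window of permitted local time
    why: str                # business justification, kept for audit and policy review
    how: frozenset          # authentication methods accepted
    require_compliant_device: bool = True   # device posture gate (Devices pillar)


@dataclass(frozen=True)
class AccessRequest:
    """Context the policy engine receives for one access attempt."""
    subject: str
    roles: frozenset
    resource: str
    source_ip: str
    at: datetime
    auth_method: str
    device_compliant: bool


# The payroll policy from the planning section, encoded. The network range and the
# "fido2"/"piv" method labels are constructed placeholders for this example.
PAYROLL_POLICY = KiplingPolicy(
    who=frozenset({"finance-admin"}),
    what="payroll-app",
    where=("10.0.0.0/8",),
    when=(time(8, 0), time(18, 0)),
    why="Finance administrators operate payroll during business hours",
    how=frozenset({"fido2", "piv"}),
)


def evaluate(policy, request):
    """Check every Kipling condition; return (allowed, list of failed conditions)."""
    failures = []
    if request.resource != policy.what:
        failures.append("what: policy does not cover this resource")
    if not (request.roles & policy.who):
        failures.append("who: subject holds no permitted role")
    src = ip_address(request.source_ip)
    if not any(src in ip_network(net) for net in policy.where):
        failures.append("where: source address not on an approved network")
    start, end = policy.when
    if not (start <= request.at.time() < end):
        failures.append("when: request outside permitted hours")
    if request.auth_method not in policy.how:
        failures.append("how: authentication method is not phishing-resistant")
    if policy.require_compliant_device and not request.device_compliant:
        failures.append("device: endpoint failed posture check")
    return (not failures, failures)


def authorize(policies, request):
    """Default deny: access is granted only if some policy for this resource allows it."""
    applicable = [p for p in policies if p.what == request.resource]
    if not applicable:
        return False, ["no policy covers this resource (default deny)"]
    outcomes = [evaluate(p, request) for p in applicable]
    for allowed, _ in outcomes:
        if allowed:
            return True, []
    return False, outcomes[0][1]


def decision_record(policies, request):
    """Structured log entry for the monitor-and-maintain step (Visibility & Analytics)."""
    allowed, failures = authorize(policies, request)
    return {
        "subject": request.subject,
        "resource": request.resource,
        "source_ip": request.source_ip,
        "at": request.at.isoformat(),
        "auth_method": request.auth_method,
        "device_compliant": request.device_compliant,
        "decision": "allow" if allowed else "deny",
        "failures": failures,
    }


# Constructed sample requests: an in-policy access, an off-network password login,
# and a request for a resource no policy covers.
SAMPLE_OK = AccessRequest("alice", frozenset({"finance-admin"}), "payroll-app",
                          "10.20.30.40", datetime(2025, 9, 10, 10, 0), "fido2", True)
SAMPLE_OFFNET = AccessRequest("alice", frozenset({"finance-admin"}), "payroll-app",
                              "203.0.113.5", datetime(2025, 9, 10, 10, 0), "password", True)
SAMPLE_OTHER_APP = AccessRequest("alice", frozenset({"finance-admin"}), "hr-app",
                                 "10.20.30.40", datetime(2025, 9, 10, 10, 0), "fido2", True)

if __name__ == "__main__":
    for req in (SAMPLE_OK, SAMPLE_OFFNET, SAMPLE_OTHER_APP):
        print(decision_record([PAYROLL_POLICY], req))
```

Every failed condition is reported rather than just the first, which is what makes the decision records useful in step 5: a run of "where" failures from one subject points to a stale network map, while "how" failures show where legacy authentication still lingers before it is cut over.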

Implementation: Incremental and Iterative

CSA also provides a practical playbook for execution:

  • Run a gap analysis against ZTMM pillars.
  • Update policies to reflect Zero Trust principles (e.g., phishing-resistant MFA, device health checks, continuous monitoring).
  • Pilot one protect surface at a time—such as privileged identity management or your most sensitive cloud workload.
  • Maintain a living checklist across governance, compliance, analytics, and disaster recovery to track progress.

This approach makes Zero Trust fundable, measurable, and resilient—avoiding the trap of a “big bang” project that stalls out under complexity or cost.
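The first item in the playbook is a gap analysis against the ZTMM pillars, and the last is a living checklist that tracks progress. As an added example, not from the article, CISA, or CSA, the script below turns a per-pillar self-assessment (current stage and target stage, using the four ZTMM 2.0 stage names) into a ranked gap list with the next milestone for each area, and rolls the result up to a single stage. The assessment values are constructed, and rating the enterprise at its least mature pillar is this example's own conservative choice, not a ZTMM rule.

```python
# ZTMM 2.0 stage names and the five pillars plus three cross-cutting capabilities.
STAGES = ("Traditional", "Initial", "Advanced", "Optimal")
PILLARS = ("Identity", "Devices", "Networks", "Applications & Workloads", "Data")
CROSS_CUTTING = ("Visibility & Analytics", "Automation & Orchestration", "Governance")


def stage_index(name):
    """Ordinal position of a ZTMM stage; rejects anything not in the model."""
    if name not in STAGES:
        raise ValueError(f"unknown ZTMM stage: {name!r}")
    return STAGES.index(name)


def gap_analysis(assessment, default_target="Advanced"):
    """assessment maps every pillar and cross-cutting capability to
    (current_stage, target_stage); a target of None uses default_target.
    Returns one row per area, largest gap first (ties by name), each with
    the next milestone stage the roadmap should plan for."""
    rows = []
    for area in PILLARS + CROSS_CUTTING:
        if area not in assessment:
            raise ValueError(f"assessment is missing {area!r}")
        current, target = assessment[area]
        target = target or default_target
        cur, tgt = stage_index(current), stage_index(target)
        gap = max(tgt - cur, 0)     # already at or beyond target counts as no gap
        rows.append({
            "area": area, "current": current, "target": target, "gap": gap,
            "next_milestone": STAGES[cur + 1] if gap else current,
        })
    rows.sort(key=lambda r: (-r["gap"], r["area"]))
    return rows


def overall_stage(assessment):
    """Conservative roll-up (an assumption of this example, not a ZTMM rule):
    the enterprise is rated at its least mature pillar."""
    return min((assessment[p][0] for p in PILLARS), key=stage_index)


# Constructed self-assessment for a mid-sized enterprise; None means "use the default target".
SAMPLE_ASSESSMENT = {
    "Identity": ("Initial", "Advanced"),
    "Devices": ("Traditional", "Initial"),
    "Networks": ("Advanced", "Advanced"),
    "Applications & Workloads": ("Initial", "Advanced"),
    "Data": ("Advanced", "Optimal"),
    "Visibility & Analytics": ("Initial", None),
    "Automation & Orchestration": ("Traditional", None),
    "Governance": ("Advanced", None),
}

if __name__ == "__main__":
    print(f"overall stage: {overall_stage(SAMPLE_ASSESSMENT)}")
    for row in gap_analysis(SAMPLE_ASSESSMENT):
        print(f"{row['area']:<28} {row['current']:<12} -> {row['target']:<10} "
              f"gap={row['gap']} next={row['next_milestone']}")
```

Re-running the script after each pilot gives the checklist a number that moves, and the ranking makes the funding conversation concrete: the area with the largest gap is the next protect surface to pilot.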

ZTMM vs. CSA: From Benchmark to Playbook

| ZTMM Pillar / Stage | What Maturity Means (CISA) | How to Execute (CSA) |
|---|---|---|
| Identity (Initial → Advanced) | Stronger identity verification (e.g., MFA, role-based access) | Define protect surface (e.g., privileged accounts), then enforce phishing-resistant MFA and session-based access policies. |
| Devices (Traditional → Initial) | Device posture awareness; only “known” devices can connect | Map transaction flows: track which devices interact with sensitive data. Require endpoint health checks before granting access. |
| Networks (Advanced) | Segmented networks, minimized lateral movement | Build a target ZT architecture with microsegmentation around HVAs. Pilot by isolating one critical workload or application. |
| Applications & Workloads (Initial → Advanced) | Applications verified, workloads protected across cloud/on-prem | Apply Kipling Method policies: e.g., “Finance admins (who) access payroll app (what) via corporate network (where) during work hours (when).” |
| Data (Advanced → Optimal) | Continuous monitoring of sensitive data, encryption everywhere | Prioritize data as protect surface. Monitor flows, enforce encryption at rest/in motion, and log access continuously. |
| Cross-Cutting (Visibility & Analytics, Automation, Governance) | Continuous feedback, orchestration, policy enforcement | Monitor and maintain: use automation to enforce policies, track metrics for board reporting, and adjust governance as maturity grows. |

Key Takeaway

  • ZTMM defines the destination and the maturity levels along the way.
  • CSA provides the roadmap and the actionable steps to get there.
  • Together, they make Zero Trust measurable, fundable, and achievable.

Reducing Attack Surface Through Integration

By integrating CISA’s maturity model with CSA’s methodologies, enterprises gain both a benchmark and a playbook:

  • Attack surface reduction: Micro-segmentation, least privilege, and continuous validation minimize lateral movement.
  • Measurable maturity: ZTMM tiers provide a yardstick for executives and auditors.
  • Operational sustainability: Strategy, planning, and implementation practices ensure Zero Trust isn’t a one-time project but a culture shift.

From Vision to Practice

Zero Trust adoption is an enterprise-wide cultural and technical shift. Federal agencies may be mandated to comply, but enterprises that unify these frameworks gain strategic advantage:

  • Faster board approval for cybersecurity investments.
  • Stronger credibility with regulators, auditors, and partners.
  • A sustainable architecture that scales across cloud, on-prem, and hybrid environments.

Conclusion: Start Small, Scale Smart

Zero Trust isn’t achieved in a single sprint; it matures through disciplined, incremental steps.

  • Use CISA’s ZTMM 2.0 to baseline and measure your current state.
  • Apply CSA’s five-step methodology to plan and execute with precision.
  • Reduce your attack surface—starting with the assets that matter most.

By integrating ZTMM’s benchmark with CSA’s playbook, enterprises not only reduce risk but also build a culture of resilience, operational discipline, and measurable cybersecurity maturity. This combination transforms Zero Trust from a compliance exercise into a strategic advantage—winning faster board approval, strengthening credibility with partners and regulators, and ensuring security scales alongside the business.

Beyond CISA and CSA

For organizations operating in high-assurance environments—such as defense, finance, or critical infrastructure—the Department of Defense Zero Trust Reference Architecture provides even deeper technical guidance. Its focus on mission threads, segmentation, and real-time risk assessment can help enterprises design controls that stand up to the most demanding adversaries.

Abstract’s Perspective: Zero Trust as a Measurable Journey

By Chris Camacho, Co-Founder and COO, Abstract Security

Joe is right: Zero Trust maturity takes more than good intentions. You need a benchmark to measure progress and a playbook to drive execution. That’s where CISA’s ZTMM 2.0 and CSA’s methodology complement each other so well—one defines what maturity looks like, the other provides how to get there.

Where most organizations stumble is in execution at scale. Policies may be well-designed, but in practice the signals are noisy, context is fragmented, and security teams drown in data. That’s why Zero Trust is as much about operational discipline as it is about architecture.

From my perspective, the lesson is clear:

  • Start small by protecting your crown-jewel assets.
  • Measure consistently against recognized models like ZTMM.
  • Iterate quickly by embedding Zero Trust into day-to-day processes, not just strategy documents.

At Abstract, we think a lot about how execution really happens—inside the data pipeline where policies meet signals. When context and control are applied there, organizations can make Zero Trust not just aspirational, but operational.

When enterprises treat Zero Trust as a living, measurable journey, not a one-off compliance project, they build resilience that scales with the business. That’s the maturity curve we should all be aiming for.
