Key takeaways
Zero trust is a posture you build over time. The CISA Zero Trust Maturity Model gives you a structured way to measure where you stand and decide what to do next.
The CISA model organizes zero trust implementation into five pillars—identity, devices, networks, applications and workloads, and data—each assessed independently across four maturity stages: Traditional, Initial, Advanced, and Optimal.
Identity is the highest-priority pillar for most organizations: it's where attackers focus, where quick wins are most available, and where improvements strengthen every other pillar.
Maturity advances pillar by pillar. You don't need to overhaul the entire enterprise at once. Instead, you prioritize based on risk, build incrementally, and use each stage's criteria to prove progress to leadership.
The model isn't a finish line. Even organizations at Optimal maturity continue adapting as their environments, threats, and teams change.
What is the CISA zero trust maturity model?
The zero trust maturity model structures security practices in progressive, measurable steps. Your security team knows they need zero trust principles to secure their systems. But where do you start? How do you measure whether your MFA rollout, your network segmentation project, and your device compliance policies add up to progress? And how do you explain to leadership what all of that work means in a way they'll understand? Use the maturity model to assess your security posture, spot gaps, and implement zero trust principles to address them.
The concept behind zero trust is “never trust, always verify.” Every user, device, and connection must be verified before gaining access, regardless of network location. The maturity model defines specific stages organizations move through as they strengthen security controls. The most widely recognized version is the CISA Zero Trust Maturity Model, published by the Cybersecurity and Infrastructure Security Agency (CISA).
So, you may have a laundry list of potential security risks, like sales reps logging in from personal devices, legacy applications that still accept passwords only, or a flat network where a compromised laptop can reach the finance database. You know that zero trust practices can address them.
Where to start? Use the model. It offers:
Step-by-step progression: Organizations advance through defined stages rather than attempting everything at once.
Systems-level clarity: The model addresses identity, devices, networks, applications and workloads, and data as interconnected areas, each assessed independently.
Zero trust architecture (ZTA) is the technical blueprint for implementing these principles. The maturity model is the roadmap that tells you how far along the blueprint you are and what to build next.
What are the five CISA zero trust pillars?
The CISA zero trust maturity model organizes implementation into five interconnected pillars. Version 2.0 includes more granular guidance and four maturity stages. Organizations assess their maturity separately for each pillar, which means you can target improvements where they matter most rather than trying to advance everything at once.
Identity
The identity pillar verifies users and manages who can access what. Core elements include multi-factor authentication (MFA), identity governance, and least-privilege access—granting users only the minimum permissions they need.
Identity is the most common starting point for zero trust maturity. In its 2024 review, Cisco Talos reported that 60% of Incident Response cases involved identity.
Devices
The devices pillar ensures only healthy, authorized devices access resources. It covers device inventory, health assessments, endpoint security, and compliance checks.
Device posture—whether patches are current and configurations meet standards—directly influences access decisions at higher maturity stages.
Networks and environment
The networks pillar focuses on segmentation and limiting lateral movement—preventing an attacker who compromises one system from moving freely to others. Core elements include microsegmentation (dividing the network into small, isolated zones), encrypted traffic, and network visibility. The goal is to stop treating everything inside the firewall as trusted.
Applications and workloads
The applications pillar secures how users access applications and how applications communicate with each other. It covers application-level access controls, API security (the interfaces applications use to exchange data), and workload isolation. This applies to both the tools users interact with directly and the backend services processing data behind the scenes.
Data
The data pillar protects information regardless of where it lives—cloud, on-premises, or hybrid. Core elements include data classification (categorizing data by sensitivity), encryption, and data loss prevention (DLP) tools that block unauthorized transfers. Data security must work consistently across every environment your organization uses.
Organizations typically do not advance all five pillars at the same pace. You prioritize based on risk and business needs. For a deeper look at how the pillars work together, including an expanded seven-pillar model from the National Institute of Standards and Technology (NIST) and Department of Defense (DoD), see our guide to the pillars of zero trust.
What are the zero trust maturity stages?
Within each pillar, organizations progress through four maturity stages. Advancement is incremental—you do not jump from Traditional to Optimal overnight. Each stage builds on the previous one with greater automation and cross-pillar coordination.
Traditional
The starting point for most organizations. Security relies on perimeter defenses and implicit trust—once inside the network, users and devices have broad access. Policies are static, enforcement is manual, and visibility is limited.
What Traditional looks like across pillars:
Identity: Passwords or basic MFA. Permanent access permissions reviewed infrequently.
Devices: Manual inventory tracking. Limited visibility into device health.
Networks: Broad firewall perimeters. Minimal internal encryption.
Applications: Apps only accessible behind the corporate network. Security testing is manual.
Data: Little or no classification. Static access controls. Minimal encryption.
Initial
Automation enters. Organizations begin building processes that adjust over time rather than treating security as a one-time setup. MFA expands, access permissions start expiring, and early cross-pillar coordination begins.
What Initial looks like across pillars:
Identity: MFA required for more systems. Access permissions start expiring. Risk assessments begin with manual methods.
Devices: Digital identifiers replace manual inventories. Basic compliance checks before access.
Networks: Critical workloads isolated from the broader network. Encryption expands internally.
Applications: Some apps open to authorized users outside the network. Code deployment becomes automated.
Data: Teams begin classifying and labeling sensitive data. Encryption covers data in transit.
Advanced
Security policies work across pillars, and automation handles decisions that used to require manual review. The system evaluates identity, device health, and behavior together rather than checking one factor at a time.
What Advanced looks like across pillars:
Identity: Phishing-resistant MFA enforced. Access decisions factor in context automatically.
Devices: Device health verified before every access request. Patching and updates automated.
Networks: Microsegmentation replaces broad perimeter zones. Traffic rules adapt based on risk.
Applications: Access controls check the user, the device, and what they are trying to do. Development and security teams work from shared processes.
Data: Automated categorization and labeling across the organization. DLP tools actively block unauthorized transfers.
Optimal
Everything is automated and continuously adapting. Security controls share context across pillars and respond together in real time.
What Optimal looks like across pillars:
Identity: Continuous session validation. Permissions granted only for the specific action being performed, then revoked.
Devices: Real-time analytics across all devices. Non-compliant devices lose access automatically.
Networks: Fully distributed microsegmentation. Connectivity adjusts dynamically in real time.
Applications: Every access request authorized continuously. Behavior analytics flag anomalies as they happen.
Data: Fully automated inventory and access controls. Unauthorized transfers blocked dynamically.
At the Optimal stage, a suspicious identity signal can automatically restrict device access, tighten network segmentation, and lock down data permissions at the same moment. The pillars operate as one system.
How do IGA policies align with zero trust maturity?
Identity Governance and Administration (IGA) is the practice of managing access. It matters for zero trust because the identity pillar cannot advance without it. IGA covers creating accounts, giving users permission to use certain tools, and making sure those permission levels are appropriate. It also addresses removing access, whether someone leaves or simply changes roles.
The maturity model requires that users have access only to what they need. Mature organizations review access regularly and revoke it promptly. Does yours handle this manually? That ranks at Traditional. Adding automation to reviews and revocation is what moves you toward Advanced and Optimal.
Four IGA practices support zero trust maturity:
Automated access reviews: Confirm that each person’s permissions still match their role. When someone moves from engineering to sales, their access to the code repository should not follow them.
Least-privilege access: Give every user only the access they need to do their current job. This is one of the core zero trust principles and a requirement for advancing beyond Traditional.
Lifecycle management: Automate the processes that create accounts when someone joins, adjust permissions when they change roles, and remove access the day they leave.
Separation of duties: Prevent one person from holding conflicting permissions. For example, the same person should not be able to both approve and process a financial transaction.
Your organization can deploy every security tool on the market and still fail the identity pillar without IGA. This policy layer makes the technology work.
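The four IGA practices above (access reviews, least privilege, lifecycle management, and separation of duties) can be checked mechanically once you have a role baseline. The following is an added example, not code from the article or from any vendor product; the roles, entitlements, SoD rule, and users are constructed sample data.

```python
# Added example (not from the article or any vendor product): an automated access
# review that enforces least privilege and separation of duties against a role
# baseline. All roles, entitlements and users below are constructed sample data.
from dataclasses import dataclass

# Constructed baseline: the entitlements each job role is allowed to hold.
ROLE_BASELINE = {
    "engineering": {"code-repo:write", "ci:run", "email"},
    "sales": {"crm:write", "email"},
    "finance": {"payments:approve", "payments:process", "email"},
}

# Constructed separation-of-duties rules: pairs no single person may hold together.
SOD_CONFLICTS = [("payments:approve", "payments:process")]

@dataclass
class User:
    name: str
    role: str             # current role from the HR system of record
    entitlements: set     # what the access systems actually grant today
    active: bool = True   # False once HR marks the person as departed

def review_access(users):
    """Return (user, kind, detail) findings; kind is 'orphan', 'excess' or 'sod'.

    An empty list means every active user is within their role baseline and no
    one holds a conflicting pair. Findings are what a reviewer or an automated
    revocation job would act on.
    """
    findings = []
    for u in users:
        if not u.active:
            # Lifecycle failure: a departed user still holds access.
            findings += [(u.name, "orphan", e) for e in sorted(u.entitlements)]
            continue
        allowed = ROLE_BASELINE.get(u.role, set())
        # Least privilege: anything beyond the role baseline is excess.
        findings += [(u.name, "excess", e) for e in sorted(u.entitlements - allowed)]
        # Separation of duties: one person holding both halves of a workflow.
        for a, b in SOD_CONFLICTS:
            if {a, b} <= u.entitlements:
                findings.append((u.name, "sod", f"{a}+{b}"))
    return findings

# Constructed sample: ana moved from engineering to sales but kept repo access,
# bo can both approve and process payments, cy left but was never deprovisioned.
SAMPLE_USERS = [
    User("ana", "sales", {"crm:write", "email", "code-repo:write"}),
    User("bo", "finance", {"payments:approve", "payments:process", "email"}),
    User("cy", "engineering", {"code-repo:write"}, active=False),
]

if __name__ == "__main__":
    for user, kind, detail in review_access(SAMPLE_USERS):
        print(f"{kind:6} {user}: {detail}")
```

Running the review on the sample data produces one finding per user: an excess entitlement for ana, an SoD conflict for bo, and orphaned access for cy.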
What capabilities enable zero trust maturity across pillars?
Beyond the five pillars, CISA identifies three capabilities that span the entire framework. These are not separate pillars, but functions that make maturity advancement possible across all five.
Visibility and analytics
You cannot secure what you cannot see. Visibility means collecting data across all pillars.
For each user session, you should be able to track:
Who they are
Their device
The network of origin
Which applications they access
Data they can see
Analytics turn that raw data into patterns: detecting anomalies, identifying trends, and surfacing the signals that matter. Duo’s identity intelligence capabilities provide visibility into authentication patterns and access anomalies, connecting identity signals to broader security context.
Automation and orchestration
Humans simply cannot review the thousands of access requests flowing through their platforms each day. Mature organizations use automation to handle routine decisions and grant access for low-risk requests. Their systems step up authentication for elevated risk and block high-risk attempts. Orchestration coordinates multiple security tools so they respond together to control the constant flow of access.
Governance
Who owns zero trust for each pillar? What standards will these people hold themselves to? How will they measure and report on buy-in and compliance? Governance assigns these responsibilities, relieving you of finger-pointing and confusion around what your team should focus on.
How do you implement zero trust maturity?
When establishing zero trust, embrace progress over perfection. You’ll find yourself on a multi-year journey, with visible improvements at every stage.
Follow these steps to get started:
1. Assess your current security posture
Review the CISA model outlined above and evaluate where you stand for each of the five pillars. Which stage best describes your current state for identity? For devices? For networks? Document your existing controls, like the type of MFA deployed, how devices are monitored, what segmentation exists, and where data is classified.
See any quick wins? Sometimes, relatively easy-to-implement changes yield significant maturity improvements. If your company lacks MFA, your Identity pillar could advance from Traditional to Initial in weeks by deploying it across your highest-risk applications.
2. Prioritize identity and access controls
Identity should be your first priority. Strong identity controls provide immediate security value and support every other pillar. Attackers used valid credentials for initial access in nearly 70% of ransomware cases (Cisco Talos Year in Review, 2025). Identity is where most breaches begin, and it is where most organizations can improve fastest.
Something as simple as Cisco Duo’s phishing-resistant authentication deploys quickly, helping organizations advance identity maturity in weeks rather than months. Add single sign-on (SSO) alongside MFA to improve both security and user experience. Then establish least-privilege access policies and regular access reviews.
3. Strengthen device security and visibility
How well do you know the devices that access your resources? Are they patched and current? Do users switch to personal devices? Would you recognize a breached one? Implement device inventory and health assessment capabilities so the system can verify that a device meets your security standards before granting access. Duo’s device trust features check device health as part of authentication, connecting the identity and device pillars in one step.
Start with managed corporate devices before expanding to BYOD (Bring Your Own Device) environments.
4. Implement network segmentation and monitoring
When someone accesses your network, can they access every part of it? Not in a zero trust environment. Move from flat networks, where all internal traffic is trusted, to segmented architecture that isolates high-value assets.
Start with microsegmentation for your most critical systems and expand from there. Encrypt internal communications and monitor traffic with the same scrutiny you apply to external traffic.
As you can see, the Networks pillar often requires more infrastructure changes than Identity, making for slower progress. That’s by design, and the groundwork you lay pays off at Advanced and Optimal stages.
5. Review progress, set new goals, and press on
Steps one through four set your zero trust program in motion. Now, make sure it doesn’t stall out by setting meetings at regular, predictable times. As apps come and go, threats evolve, and team members change, these checkpoints help you know where you stand and where to prioritize.
We will look more closely at measuring progress next.
How do you measure zero trust maturity progress?
To see where you stand, and where to prioritize security next, use CISA’s maturity criteria. Each stage, in each pillar, gives you a clear benchmark to assess advancement and score your progress over time.
CISA’s model works so well because it reveals practical actions you can plan and take. No need to overhaul the entire enterprise. You can piece robust security together, pillar by pillar, by creating your own roadmap.
How to create a zero trust maturity roadmap
Once you know where you stand, look for risk. What high-value assets, platforms, or workflows demand the highest levels of security? Is it R&D data or proprietary product designs living on a shared drive? A wire transfer portal secured by simple MFA?
Score security in these areas and aggregate the results to understand where maturity should advance first. Then work backwards to the next risk tier and identify which maturity steps would help there.
This is the start of your roadmap. For more advice on this process, watch our video led by two senior advisors. We’ve introduced strategies for creating and managing this process throughout this article. Here is a brief digest:
Score each pillar against CISA's stages: Map your current controls to Traditional, Initial, Advanced, or Optimal for each of the five pillars. The stages section above gives you the criteria for each level.
Focus on your highest-value assets first: Score the areas that matter most, like your customer database or R&D environment, before attempting an enterprise-wide assessment.
Re-evaluate every six to 12 months: Your environment changes. New applications, new team members, new threats. Reassess each pillar regularly and adjust the roadmap based on what you find.
Communicate progress to leadership: When your team advances a pillar from Traditional to Initial or Initial to Advanced, that is a measurable improvement. Use it to justify the next phase of funding.
Expect your priorities to shift: The roadmap you build today will change as you learn what works, what takes longer than expected, and where new risks emerge. That is normal.
Even organizations at Optimal maturity must continue adapting. Use the maturity model as your compass as you maintain a zero trust environment.
How does Duo help advance zero trust maturity?
If you have read this far, you know that zero trust maturity starts with identity security. Attackers target this pillar most, it lends itself to quick improvements, and it forms the foundation that every other pillar builds on.
Cisco Duo helps you move through the maturity stages in that pillar — and several others — without ripping out what you already have.
Phishing-resistant MFA: The single biggest step most organizations can take to advance from Traditional toward Advanced. Duo's MFA uses cryptographic methods that cannot be intercepted through phishing, satisfying CISA's framework at higher maturity stages.
Device trust: When a user authenticates, Duo checks whether their device meets your security standards. It evaluates factors like current patches, approved configurations, and compliance status, connecting the identity and device pillars in one step. Nice work, advancing two pillars with one control.
Adaptive access policies: Not every login carries the same risk. Duo evaluates context signals like device, location, and behavior, adjusting what it requires. A familiar laptop on the corporate network passes through quickly. An unrecognized device from an unusual location gets stepped up. This is the kind of context-aware verification that CISA describes at the Advanced and Optimal stages.
Rapid deployment: You do not need a six-month implementation plan to see results. Organizations deploy Duo and begin advancing identity maturity in weeks.
Works with what you have: Duo integrates with your existing systems with the Cisco Duo Marketplace. You do not need to replace your identity infrastructure to start making progress.
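The Advanced-stage description above (identity, device health, and behavior evaluated together) and the adaptive access policy bullet (familiar laptop passes, unrecognized device from an unusual location gets stepped up) both describe the same kind of decision. Here is an added example of such a policy, not code from the article, from Duo, or from CISA; the signal names, weights, and thresholds are constructed for illustration.

```python
# Added example (not from the article, Duo, or CISA): a context-aware access
# policy that evaluates identity, device posture and network signals together
# and returns allow, step_up or deny. Signal names and weights are constructed.
from dataclasses import dataclass

@dataclass
class AccessContext:
    user: str
    mfa_method: str          # "password", "push", or "fido2"
    device_managed: bool     # enrolled in device management
    device_patched: bool     # posture check: OS patches current
    device_known: bool       # seen for this user before
    network: str             # "corporate", "home", or "unknown"
    location_usual: bool     # matches the user's normal geography
    identity_risk: str       # "low", "medium", or "high" from identity analytics

def decide(ctx):
    """Return (decision, reasons); decision is 'allow', 'step_up' or 'deny'."""
    # Hard denies: a non-compliant device or a high-risk identity signal is
    # refused outright, regardless of how the other signals look.
    hard = []
    if not ctx.device_patched:
        hard.append("device out of compliance")
    if ctx.identity_risk == "high":
        hard.append("high identity risk")
    if hard:
        return "deny", hard

    # Remaining signals are weighted and summed into a residual risk score.
    signals = [
        (not ctx.device_managed, 2, "unmanaged device"),
        (not ctx.device_known, 1, "unrecognized device"),
        (ctx.network == "unknown", 1, "unknown network"),
        (not ctx.location_usual, 2, "unusual location"),
        (ctx.identity_risk == "medium", 1, "elevated identity risk"),
    ]
    risk, reasons = 0, []
    for hit, weight, reason in signals:
        if hit:
            risk += weight
            reasons.append(reason)
    # A phishing-resistant factor already presented offsets one point of risk.
    if ctx.mfa_method == "fido2":
        risk -= 1
    if risk >= 5:
        return "deny", reasons
    if risk >= 2:
        return "step_up", reasons
    return "allow", reasons or ["trusted device on trusted network"]

# Constructed sample contexts mirroring the cases in the text.
FAMILIAR_LAPTOP = AccessContext("ana", "push", True, True, True, "corporate", True, "low")
UNFAMILIAR_DEVICE = AccessContext("ana", "push", True, True, False, "home", False, "low")
NEW_DEVICE_ABROAD = AccessContext("ana", "password", False, True, False, "unknown", False, "low")
STALE_PATCHES = AccessContext("bo", "fido2", True, False, True, "corporate", True, "low")

if __name__ == "__main__":
    for ctx in (FAMILIAR_LAPTOP, UNFAMILIAR_DEVICE, NEW_DEVICE_ABROAD, STALE_PATCHES):
        print(ctx.user, *decide(ctx))
```

The familiar laptop is allowed, the unrecognized managed device from an unusual location is stepped up, the unmanaged unknown device on an unknown network abroad is denied, and a device with stale patches is denied before any scoring happens.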