npx skills add mukul975/Anthropic-Cybersecurity-SkillsMITRE ATT&CK
NIST CSF 2.0
Overview
The CISA Zero Trust Maturity Model (ZTMM) Version 2.0, released in April 2023, provides federal agencies and organizations with a structured roadmap for adopting zero trust architecture. The model defines five core pillars -- Identity, Devices, Networks, Applications & Workloads, and Data -- each progressing through four maturity stages: Traditional, Initial, Advanced, and Optimal. Three cross-cutting capabilities (Visibility and Analytics, Automation and Orchestration, and Governance) span all pillars. This skill covers assessment, gap analysis, and progressive implementation across all pillars and maturity levels.
When to Use
- When deploying or configuring implementing cisa zero trust maturity model capabilities in your environment
- When establishing security controls aligned to compliance requirements
- When building or improving security architecture for this domain
- When conducting security assessments that require this implementation
Prerequisites
- Familiarity with NIST SP 800-207 Zero Trust Architecture
- Understanding of federal cybersecurity mandates (EO 14028, OMB M-22-09)
- Access to organizational IT asset inventory and network architecture documentation
- Knowledge of identity and access management (IAM) fundamentals
- Understanding of network segmentation and microsegmentation concepts
CISA ZTMM Five Pillars
Pillar 1: Identity
Identity refers to attributes that uniquely describe an agency user or entity, including non-person entities (NPEs) such as service accounts and machine identities.
Traditional Stage:
- Password-based authentication
- Limited identity validation
- Manual provisioning and deprovisioning
Initial Stage:
- MFA deployed for privileged users
- Identity governance initiated
- Basic identity lifecycle management
Advanced Stage:
- Phishing-resistant MFA for all users (FIDO2/WebAuthn)
- Continuous identity validation
- Automated provisioning tied to HR systems
- Identity threat detection and response (ITDR)
Optimal Stage:
- Continuous, real-time identity verification
- Passwordless authentication across all systems
- AI-driven anomaly detection for identity behaviors
- Full integration of identity signals into access decisions
Pillar 2: Devices
Devices include any hardware, software, or firmware asset that connects to a network -- servers, laptops, mobile phones, IoT devices, and network equipment.
Traditional Stage:
- Limited device inventory
- Basic endpoint protection (antivirus)
- No device compliance checks
Initial Stage:
- Comprehensive device inventory
- Endpoint Detection and Response (EDR) deployment
- Basic device health checks before network access
Advanced Stage:
- Real-time device posture assessment
- Automated compliance enforcement
- Device certificates for machine identity
- Vulnerability scanning integrated into access decisions
Optimal Stage:
- Continuous device trust scoring
- Automated remediation of non-compliant devices
- Full device lifecycle management integrated with zero trust policies
- Firmware integrity verification
Pillar 3: Networks
Networks encompass all communications media including internal networks, wireless, and the internet.
Traditional Stage:
- Perimeter-based security (firewalls, VPNs)
- Flat internal networks
- Minimal east-west traffic inspection
Initial Stage:
- Initial network segmentation
- Encrypted DNS and internal traffic
- Basic network monitoring and logging
Advanced Stage:
- Microsegmentation of critical assets
- Software-defined networking (SDN) for dynamic policy enforcement
- Full TLS encryption for all internal communications
- Network Detection and Response (NDR)
Optimal Stage:
- Fully software-defined, policy-driven network
- Zero implicit trust zones
- AI-driven network anomaly detection
- Automated threat response integrated with network controls
Pillar 4: Applications and Workloads
Applications and workloads include agency systems, programs, and services running on-premises, on mobile devices, and in cloud environments.
Traditional Stage:
- Perimeter-protected applications
- Manual vulnerability patching
- Limited application-level logging
Initial Stage:
- Application-level access controls
- Web Application Firewalls (WAF)
- Regular vulnerability scanning
- Application inventory established
Advanced Stage:
- Continuous integration of security testing (SAST/DAST)
- Application-aware microsegmentation
- API security gateways
- Immutable infrastructure patterns
Optimal Stage:
- Runtime application self-protection (RASP)
- Automated application security orchestration
- Full DevSecOps pipeline integration
- Zero-standing privileges for application access
Pillar 5: Data
Data encompasses all structured and unstructured information, at rest, in transit, and in use.
Traditional Stage:
- Basic encryption for data at rest
- Limited data classification
- No data loss prevention
Initial Stage:
- Data classification scheme implemented
- DLP policies for sensitive data
- Encryption for data in transit (TLS 1.2+)
- Basic data inventory
Advanced Stage:
- Automated data classification
- Fine-grained data access controls
- Data activity monitoring
- Rights management for sensitive documents
Optimal Stage:
- Real-time data flow analytics
- AI-driven data classification and protection
- Automated response to data exfiltration attempts
- Full data lifecycle governance with zero trust principles
Cross-Cutting Capabilities
Visibility and Analytics
Maturity Progression:
Traditional -> Manual log review, limited SIEM
Initial -> Centralized logging, basic SIEM correlation
Advanced -> UEBA, automated threat detection, data lake analytics
Optimal -> AI/ML-driven continuous monitoring, predictive analyticsAutomation and Orchestration
Maturity Progression:
Traditional -> Manual incident response, ad-hoc scripts
Initial -> Basic SOAR playbooks, automated alerting
Advanced -> Integrated SOAR with multi-pillar orchestration
Optimal -> Fully autonomous response, self-healing infrastructureGovernance
Maturity Progression:
Traditional -> Ad-hoc policies, manual compliance checks
Initial -> Documented zero trust strategy, basic policy framework
Advanced -> Policy-as-code, continuous compliance monitoring
Optimal -> Dynamic policy engine, real-time governance decisionsImplementation Process
Phase 1: Assessment and Baseline
- Inventory all assets across the five pillars
- Map current capabilities to ZTMM maturity stages
- Conduct gap analysis between current and target states
- Identify quick wins that move from Traditional to Initial stage
- Document dependencies between pillars
# Example: CISA ZTMM Maturity Assessment Scoring
class ZTMMAssessment:
PILLARS = ['Identity', 'Devices', 'Networks', 'Applications', 'Data']
STAGES = ['Traditional', 'Initial', 'Advanced', 'Optimal']
CROSS_CUTTING = ['Visibility_Analytics', 'Automation_Orchestration', 'Governance']
def __init__(self):
self.scores = {}
def assess_pillar(self, pillar, capabilities):
"""
Assess a pillar against ZTMM criteria.
capabilities: dict of capability_name -> maturity_stage
"""
stage_values = {stage: i for i, stage in enumerate(self.STAGES)}
scores = [stage_values.get(stage, 0) for stage in capabilities.values()]
avg_score = sum(scores) / len(scores) if scores else 0
overall_stage = self.STAGES[int(avg_score)]
self.scores[pillar] = {
'capabilities': capabilities,
'average_score': avg_score,
'overall_stage': overall_stage
}
return self.scores[pillar]
def generate_roadmap(self):
"""Generate prioritized improvement roadmap."""
roadmap = []
for pillar, data in self.scores.items():
for capability, stage in data['capabilities'].items():
stage_idx = self.STAGES.index(stage)
if stage_idx < 3: # Not yet Optimal
next_stage = self.STAGES[stage_idx + 1]
roadmap.append({
'pillar': pillar,
'capability': capability,
'current': stage,
'target': next_stage,
'priority': 3 - stage_idx # Higher priority for lower maturity
})
return sorted(roadmap, key=lambda x: x['priority'], reverse=True)Phase 2: Identity Foundation
- Deploy phishing-resistant MFA (FIDO2/WebAuthn)
- Implement identity governance and administration (IGA)
- Establish continuous identity verification
- Integrate identity providers with all applications
- Deploy identity threat detection and response
Phase 3: Device Trust
- Complete asset inventory with automated discovery
- Deploy EDR across all endpoints
- Implement device compliance checking
- Establish device certificate infrastructure
- Create device trust scoring mechanism
Phase 4: Network Transformation
- Implement network segmentation strategy
- Deploy microsegmentation for critical assets
- Enable encrypted DNS (DoH/DoT)
- Enforce TLS 1.3 for all internal communications
- Deploy NDR capabilities
Phase 5: Application Security
- Implement application-level access controls
- Deploy WAF and API security gateways
- Integrate security testing into CI/CD pipelines
- Establish application inventory and classification
- Implement runtime protection
Phase 6: Data Protection
- Implement data classification framework
- Deploy DLP across endpoints and network
- Enable data activity monitoring
- Implement rights management
- Establish data lifecycle governance
Compliance Mapping
| CISA ZTMM Pillar | OMB M-22-09 Requirement | NIST 800-207 Section |
|---|---|---|
| Identity | MFA for agency staff | 3.1.1 |
| Devices | EDR for federal endpoints | 3.1.2 |
| Networks | Encrypt DNS traffic | 3.1.3 |
| Applications | Application security testing | 3.1.4 |
| Data | Data categorization | 3.1.5 |
Metrics and KPIs
- Identity Pillar: Percentage of users with phishing-resistant MFA
- Device Pillar: Percentage of devices with real-time posture assessment
- Network Pillar: Percentage of network segments microsegmented
- Application Pillar: Percentage of applications with zero trust access controls
- Data Pillar: Percentage of sensitive data classified and protected
- Overall: ZTMM stage achieved per pillar (target: Advanced minimum)
References
References and resources
Everything below is rendered for inspection. Script files are read-only and never run.
References 3
api-reference.md1.9 KB
API Reference: CISA Zero Trust Maturity Model Assessment Agent
Dependencies
| Library | Version | Purpose |
|---|---|---|
| (stdlib only) | Python 3.8+ | JSON processing, assessment logic |
CLI Usage
python scripts/agent.py \
--data /assessments/zt_responses.json \
--output-dir /reports/ \
--output ztmm_report.jsonFunctions
assess_control(control, implemented, maturity) -> dict
Scores a single control: 0 (Traditional) to 3 (Optimal).
assess_pillar(pillar, responses) -> dict
Evaluates all controls within a CISA ZT pillar. Returns score, percentage, and maturity level.
compute_overall_maturity(pillar_results) -> dict
Aggregates pillar scores into overall maturity: Traditional/Initial/Advanced/Optimal.
generate_recommendations(pillar_results) -> list
Identifies unimplemented controls, prioritizes by pillar weakness.
generate_report(data_path) -> dict
Full assessment pipeline: load data, assess 5 pillars, compute maturity, generate recommendations.
CISA ZT Pillars
| Pillar | Controls Assessed |
|---|---|
| Identity | MFA, phishing-resistant MFA, JIT access, PAM |
| Devices | Inventory, EDR, health attestation, posture |
| Networks | Microsegmentation, encrypted DNS, SDP |
| Applications | Inventory, access controls, API security |
| Data | Classification, DLP, encryption at rest |
Input Data Format
{
"Identity": {
"MFA enforced for all users": {"implemented": true, "maturity": "Advanced"},
"Phishing-resistant MFA (FIDO2/PIV)": {"implemented": false, "maturity": "Traditional"}
}
}Output Schema
{
"overall_maturity": {"percentage": 52.3, "maturity_level": "Advanced"},
"pillars": [{"pillar": "Identity", "percentage": 66.7, "maturity_level": "Advanced"}],
"recommendations": [{"pillar": "Devices", "control": "EDR deployed", "priority": "HIGH"}]
}standards.md2.1 KB
Standards Reference: CISA Zero Trust Maturity Model
Primary Standards
CISA Zero Trust Maturity Model v2.0 (April 2023)
- Source: Cybersecurity and Infrastructure Security Agency
- Scope: Federal agencies and organizations implementing zero trust
- Five Pillars: Identity, Devices, Networks, Applications & Workloads, Data
- Four Maturity Stages: Traditional, Initial, Advanced, Optimal
- Cross-Cutting: Visibility & Analytics, Automation & Orchestration, Governance
NIST SP 800-207: Zero Trust Architecture
- Published: August 2020
- Tenets: Never trust, always verify; assume breach; least privilege access
- Deployment Models: Device agent/gateway, enclave, resource portal
- Key Requirement: Policy decision point (PDP) and policy enforcement point (PEP)
Executive Order 14028: Improving the Nation's Cybersecurity
- Signed: May 12, 2021
- Mandate: Federal agencies must adopt zero trust architecture
- Timeline: Agencies required to develop zero trust implementation plans
OMB Memorandum M-22-09: Federal Zero Trust Strategy
- Published: January 2022
- Requirements per pillar:
- Identity: Phishing-resistant MFA for all staff
- Devices: EDR deployed across federal endpoints
- Networks: DNS traffic encrypted, HTTP traffic encrypted
- Applications: Application security testing in CI/CD
- Data: Data categorization and automated classification
Supporting Standards
NSA Zero Trust Pillar Guidance Series (2024)
- User Pillar (February 2024)
- Device Pillar (March 2024)
- Data Pillar (April 2024)
- Application & Workload Pillar (April 2024)
- Network & Environment Pillar (May 2024)
- Visibility & Analytics Pillar (May 2024)
- Automation & Orchestration Pillar (June 2024)
DISA Zero Trust Reference Architecture
- Department of Defense specific implementation
- Aligns with NIST 800-207 and CISA ZTMM
- Covers DoD-specific compliance requirements
FedRAMP Zero Trust Requirements
- Cloud service providers must support zero trust
- Continuous monitoring requirements
- Identity federation standards
workflows.md3.7 KB
Workflows: CISA Zero Trust Maturity Model Implementation
Workflow 1: Initial Maturity Assessment
Step 1: Establish Assessment Team
- Identify stakeholders from IT, security, compliance, and business units
- Assign pillar owners for each of the five ZTMM pillars
- Define assessment timeline and reporting cadence
Step 2: Inventory Current Capabilities
- Identity: Catalog authentication methods, identity providers, MFA coverage
- Devices: Enumerate all endpoints, document endpoint security tools
- Networks: Map network architecture, segmentation, encryption status
- Applications: List all applications, classify access controls
- Data: Identify data repositories, classification, DLP status
Step 3: Map to ZTMM Stages
- For each pillar, evaluate each function against the four maturity stages
- Document evidence for current stage determination
- Identify gaps between current and target maturity
- Rate cross-cutting capabilities (visibility, automation, governance)
Step 4: Produce Assessment Report
- Pillar-by-pillar maturity scores
- Gap analysis with prioritized recommendations
- Quick wins vs. long-term transformation items
- Resource requirements and estimated timelinesWorkflow 2: Identity Pillar Advancement (Traditional to Advanced)
Phase A: MFA Deployment
1. Inventory all user accounts (privileged, standard, service)
2. Select phishing-resistant MFA solution (FIDO2/WebAuthn)
3. Deploy MFA for privileged accounts first
4. Extend MFA to all user accounts
5. Implement MFA for service accounts and APIs
6. Configure conditional access policies
Phase B: Identity Governance
1. Implement identity lifecycle management
2. Connect IAM to HR system for automated provisioning
3. Establish access certification reviews
4. Deploy identity threat detection
5. Implement just-in-time access for elevated privileges
Phase C: Continuous Verification
1. Integrate identity signals into access decisions
2. Deploy risk-based authentication
3. Implement session-level re-authentication for sensitive actions
4. Enable behavioral analytics for identity anomaliesWorkflow 3: Cross-Pillar Integration
Step 1: Establish Unified Policy Engine
- Define access policies that incorporate all five pillars
- Implement Policy Decision Point (PDP) per NIST 800-207
- Deploy Policy Enforcement Points (PEP) at all access boundaries
Step 2: Integrate Signal Sources
- Identity signals -> trust score component
- Device posture -> trust score component
- Network context -> trust score component
- Application risk -> trust score component
- Data sensitivity -> access control component
Step 3: Implement Continuous Evaluation
- Real-time trust scoring engine
- Dynamic policy adjustment based on risk
- Automated access revocation on policy violation
- Audit logging for all access decisions
Step 4: Measure and Report
- Track maturity progression per pillar quarterly
- Report to leadership with ZTMM scorecard
- Adjust roadmap based on threat landscape changes
- Document lessons learned for continuous improvementWorkflow 4: Governance and Compliance Reporting
Step 1: Establish Zero Trust Governance Board
- Executive sponsor, CISO, pillar owners, compliance
- Monthly review of zero trust maturity progress
- Annual strategic review and roadmap adjustment
Step 2: Continuous Compliance Monitoring
- Map ZTMM controls to OMB M-22-09 requirements
- Automate evidence collection for each pillar
- Generate compliance dashboards
- Prepare for FISMA and other audit requirements
Step 3: Reporting to CISA
- Submit agency zero trust implementation plan
- Provide quarterly progress updates
- Document deviations and remediation plansScripts 2
agent.py6.1 KB
#!/usr/bin/env python3
"""CISA Zero Trust Maturity Model assessment agent for organizational ZT posture evaluation."""
import argparse
import json
import logging
import os
from datetime import datetime
from typing import Dict, List
logging.basicConfig(level=logging.INFO, format="%(asctime)s [%(levelname)s] %(message)s")
logger = logging.getLogger(__name__)
PILLARS = ["Identity", "Devices", "Networks", "Applications", "Data"]
MATURITY_LEVELS = ["Traditional", "Initial", "Advanced", "Optimal"]
CROSS_CUTTING = ["Visibility & Analytics", "Automation & Orchestration", "Governance"]
PILLAR_CONTROLS = {
"Identity": [
"MFA enforced for all users",
"Phishing-resistant MFA (FIDO2/PIV)",
"Continuous identity validation",
"Identity lifecycle management",
"Privileged access management",
"Just-in-time access provisioning",
],
"Devices": [
"Device inventory and compliance",
"EDR deployed on all endpoints",
"Device health attestation",
"Real-time posture assessment",
"Automated remediation for non-compliant devices",
],
"Networks": [
"Microsegmentation implemented",
"Encrypted DNS (DoH/DoT)",
"Network traffic encrypted in transit",
"Software-defined perimeter",
"Network access based on identity",
],
"Applications": [
"Application inventory maintained",
"Application-level access controls",
"Continuous application security testing",
"Secure API gateway",
"Application isolation and sandboxing",
],
"Data": [
"Data classification implemented",
"Data loss prevention controls",
"Encryption at rest for sensitive data",
"Data access logging and monitoring",
"Automated data lifecycle management",
],
}
def assess_control(control: str, implemented: bool, maturity: str) -> dict:
"""Assess a single control's implementation status and maturity."""
level_scores = {"Traditional": 0, "Initial": 1, "Advanced": 2, "Optimal": 3}
return {
"control": control,
"implemented": implemented,
"maturity_level": maturity,
"score": level_scores.get(maturity, 0) if implemented else 0,
}
def assess_pillar(pillar: str, responses: Dict[str, dict]) -> dict:
"""Assess a single CISA ZT pillar based on control responses."""
controls = PILLAR_CONTROLS.get(pillar, [])
assessed = []
for control in controls:
resp = responses.get(control, {"implemented": False, "maturity": "Traditional"})
assessed.append(assess_control(control, resp["implemented"], resp["maturity"]))
max_score = len(controls) * 3
actual_score = sum(c["score"] for c in assessed)
pct = (actual_score / max_score * 100) if max_score else 0
implemented_count = sum(1 for c in assessed if c["implemented"])
if pct >= 75:
level = "Optimal"
elif pct >= 50:
level = "Advanced"
elif pct >= 25:
level = "Initial"
else:
level = "Traditional"
return {
"pillar": pillar,
"controls_assessed": len(assessed),
"controls_implemented": implemented_count,
"score": actual_score,
"max_score": max_score,
"percentage": round(pct, 1),
"maturity_level": level,
"controls": assessed,
}
def load_assessment_data(data_path: str) -> dict:
"""Load assessment responses from JSON file."""
with open(data_path, "r") as f:
return json.load(f)
def compute_overall_maturity(pillar_results: List[dict]) -> dict:
"""Compute overall zero trust maturity from pillar assessments."""
total_score = sum(p["score"] for p in pillar_results)
total_max = sum(p["max_score"] for p in pillar_results)
pct = (total_score / total_max * 100) if total_max else 0
if pct >= 75:
level = "Optimal"
elif pct >= 50:
level = "Advanced"
elif pct >= 25:
level = "Initial"
else:
level = "Traditional"
return {"overall_score": total_score, "max_score": total_max,
"percentage": round(pct, 1), "maturity_level": level}
def generate_recommendations(pillar_results: List[dict]) -> List[dict]:
"""Generate prioritized recommendations based on assessment gaps."""
recs = []
for pillar in pillar_results:
for control in pillar["controls"]:
if not control["implemented"]:
recs.append({
"pillar": pillar["pillar"],
"control": control["control"],
"priority": "HIGH" if pillar["percentage"] < 50 else "MEDIUM",
"action": f"Implement: {control['control']}",
})
recs.sort(key=lambda r: 0 if r["priority"] == "HIGH" else 1)
return recs
def generate_report(data_path: str) -> dict:
"""Generate CISA Zero Trust Maturity assessment report."""
data = load_assessment_data(data_path)
pillar_results = []
for pillar in PILLARS:
responses = data.get(pillar, {})
pillar_results.append(assess_pillar(pillar, responses))
overall = compute_overall_maturity(pillar_results)
recs = generate_recommendations(pillar_results)
return {
"analysis_date": datetime.utcnow().isoformat(),
"framework": "CISA Zero Trust Maturity Model v2.0",
"overall_maturity": overall,
"pillars": pillar_results,
"recommendations": recs[:20],
"recommendation_count": len(recs),
}
def main():
parser = argparse.ArgumentParser(description="CISA Zero Trust Maturity Model Assessment")
parser.add_argument("--data", required=True, help="Path to assessment data JSON")
parser.add_argument("--output-dir", default=".")
parser.add_argument("--output", default="ztmm_report.json")
args = parser.parse_args()
os.makedirs(args.output_dir, exist_ok=True)
report = generate_report(args.data)
out_path = os.path.join(args.output_dir, args.output)
with open(out_path, "w") as f:
json.dump(report, f, indent=2)
logger.info("Report saved to %s", out_path)
print(json.dumps(report["overall_maturity"], indent=2))
if __name__ == "__main__":
main()
process.py15.7 KB
#!/usr/bin/env python3
"""
CISA Zero Trust Maturity Model Assessment and Roadmap Generator.
Evaluates organizational zero trust maturity across the five CISA ZTMM pillars
(Identity, Devices, Networks, Applications, Data) and three cross-cutting
capabilities (Visibility & Analytics, Automation & Orchestration, Governance).
Generates gap analysis, prioritized roadmap, and compliance mapping.
"""
import json
import csv
import datetime
from dataclasses import dataclass, field
from enum import IntEnum
from typing import Optional
from pathlib import Path
class MaturityStage(IntEnum):
TRADITIONAL = 0
INITIAL = 1
ADVANCED = 2
OPTIMAL = 3
PILLAR_FUNCTIONS = {
"Identity": [
"authentication",
"identity_stores",
"risk_assessment",
"access_management",
"identity_lifecycle",
"visibility_analytics",
"automation_orchestration",
"governance",
],
"Devices": [
"policy_enforcement",
"asset_management",
"device_compliance",
"device_threat_protection",
"visibility_analytics",
"automation_orchestration",
"governance",
],
"Networks": [
"network_segmentation",
"threat_protection",
"encryption",
"network_resilience",
"visibility_analytics",
"automation_orchestration",
"governance",
],
"Applications": [
"access_authorization",
"threat_protection",
"accessibility",
"application_security",
"visibility_analytics",
"automation_orchestration",
"governance",
],
"Data": [
"data_inventory",
"data_categorization",
"data_availability",
"data_access",
"data_encryption",
"visibility_analytics",
"automation_orchestration",
"governance",
],
}
OMB_M2209_REQUIREMENTS = {
"Identity": {
"requirement": "Agency staff use enterprise-managed identities with phishing-resistant MFA",
"target_stage": MaturityStage.ADVANCED,
"key_actions": [
"Deploy FIDO2/WebAuthn for all users",
"Integrate identity provider with all applications",
"Implement authorization based on user attributes",
],
},
"Devices": {
"requirement": "Federal government has a complete inventory of authorized devices and can prevent/detect/respond to incidents",
"target_stage": MaturityStage.ADVANCED,
"key_actions": [
"Deploy EDR on all endpoints",
"Maintain real-time asset inventory",
"Enforce device compliance before access",
],
},
"Networks": {
"requirement": "Agencies encrypt all DNS and HTTP traffic within their environment",
"target_stage": MaturityStage.ADVANCED,
"key_actions": [
"Encrypt all DNS traffic (DoH/DoT)",
"Enforce HTTPS for all web traffic",
"Implement network microsegmentation",
],
},
"Applications": {
"requirement": "Agencies treat all applications as internet-connected and routinely test them",
"target_stage": MaturityStage.ADVANCED,
"key_actions": [
"Integrate SAST/DAST into CI/CD",
"Remove application access from VPN dependencies",
"Implement application-level access policies",
],
},
"Data": {
"requirement": "Agencies have thorough data categorization and employ automated tools",
"target_stage": MaturityStage.ADVANCED,
"key_actions": [
"Implement data classification scheme",
"Deploy automated data tagging",
"Enable DLP across all data channels",
],
},
}
@dataclass
class FunctionAssessment:
function_name: str
current_stage: MaturityStage
target_stage: MaturityStage
evidence: str = ""
gaps: list = field(default_factory=list)
recommendations: list = field(default_factory=list)
@dataclass
class PillarAssessment:
pillar_name: str
functions: list = field(default_factory=list)
overall_stage: MaturityStage = MaturityStage.TRADITIONAL
compliance_gap: bool = False
def calculate_overall(self):
if not self.functions:
return
scores = [f.current_stage.value for f in self.functions]
avg = sum(scores) / len(scores)
self.overall_stage = MaturityStage(int(avg))
def check_compliance(self):
req = OMB_M2209_REQUIREMENTS.get(self.pillar_name)
if req:
self.compliance_gap = self.overall_stage < req["target_stage"]
@dataclass
class RoadmapItem:
pillar: str
function_name: str
current_stage: str
target_stage: str
priority: int # 1=highest, 4=lowest
effort: str # low, medium, high
recommendations: list = field(default_factory=list)
dependencies: list = field(default_factory=list)
class ZTMMAssessment:
"""Full CISA Zero Trust Maturity Model assessment engine."""
def __init__(self, organization_name: str):
self.organization = organization_name
self.assessment_date = datetime.datetime.now().isoformat()
self.pillar_assessments: dict[str, PillarAssessment] = {}
self.roadmap: list[RoadmapItem] = []
def assess_function(
self,
pillar: str,
function_name: str,
current_stage: int,
target_stage: int = 3,
evidence: str = "",
gaps: Optional[list] = None,
) -> FunctionAssessment:
current = MaturityStage(current_stage)
target = MaturityStage(target_stage)
fa = FunctionAssessment(
function_name=function_name,
current_stage=current,
target_stage=target,
evidence=evidence,
gaps=gaps or [],
)
if pillar not in self.pillar_assessments:
self.pillar_assessments[pillar] = PillarAssessment(pillar_name=pillar)
self.pillar_assessments[pillar].functions.append(fa)
return fa
def calculate_maturity(self):
for pa in self.pillar_assessments.values():
pa.calculate_overall()
pa.check_compliance()
def generate_roadmap(self) -> list[RoadmapItem]:
self.roadmap = []
effort_map = {0: "high", 1: "medium", 2: "low", 3: "low"}
for pillar_name, pa in self.pillar_assessments.items():
for func in pa.functions:
if func.current_stage < func.target_stage:
gap = func.target_stage.value - func.current_stage.value
next_stage = MaturityStage(func.current_stage.value + 1)
item = RoadmapItem(
pillar=pillar_name,
function_name=func.function_name,
current_stage=func.current_stage.name,
target_stage=next_stage.name,
priority=max(1, 4 - gap),
effort=effort_map.get(func.current_stage.value, "high"),
recommendations=func.recommendations,
)
self.roadmap.append(item)
self.roadmap.sort(key=lambda x: (x.priority, x.effort != "low"))
return self.roadmap
def get_compliance_status(self) -> dict:
status = {}
for pillar_name, pa in self.pillar_assessments.items():
req = OMB_M2209_REQUIREMENTS.get(pillar_name, {})
status[pillar_name] = {
"current_stage": pa.overall_stage.name,
"required_stage": req.get("target_stage", MaturityStage.ADVANCED).name,
"compliant": not pa.compliance_gap,
"requirement": req.get("requirement", "N/A"),
"key_actions": req.get("key_actions", []),
}
return status
def get_summary(self) -> dict:
summary = {
"organization": self.organization,
"assessment_date": self.assessment_date,
"pillars": {},
"overall_maturity": "TRADITIONAL",
}
stages = []
for name, pa in self.pillar_assessments.items():
summary["pillars"][name] = {
"stage": pa.overall_stage.name,
"score": pa.overall_stage.value,
"functions_assessed": len(pa.functions),
"compliance_gap": pa.compliance_gap,
}
stages.append(pa.overall_stage.value)
if stages:
avg = sum(stages) / len(stages)
summary["overall_maturity"] = MaturityStage(int(avg)).name
summary["overall_score"] = round(avg, 2)
return summary
def export_report(self, output_path: str):
report = {
"summary": self.get_summary(),
"compliance_status": self.get_compliance_status(),
"roadmap": [
{
"pillar": r.pillar,
"function": r.function_name,
"current": r.current_stage,
"target": r.target_stage,
"priority": r.priority,
"effort": r.effort,
}
for r in self.roadmap
],
"detailed_assessments": {},
}
for name, pa in self.pillar_assessments.items():
report["detailed_assessments"][name] = {
"overall_stage": pa.overall_stage.name,
"functions": [
{
"name": f.function_name,
"current": f.current_stage.name,
"target": f.target_stage.name,
"evidence": f.evidence,
"gaps": f.gaps,
}
for f in pa.functions
],
}
path = Path(output_path)
path.parent.mkdir(parents=True, exist_ok=True)
with open(path, "w") as f:
json.dump(report, f, indent=2)
return report
def export_csv(self, output_path: str):
path = Path(output_path)
path.parent.mkdir(parents=True, exist_ok=True)
with open(path, "w", newline="") as f:
writer = csv.writer(f)
writer.writerow([
"Pillar", "Function", "Current Stage", "Target Stage",
"Gap", "Priority", "Effort", "Evidence"
])
for name, pa in self.pillar_assessments.items():
for func in pa.functions:
gap = func.target_stage.value - func.current_stage.value
writer.writerow([
name, func.function_name,
func.current_stage.name, func.target_stage.name,
gap, max(1, 4 - gap),
"high" if func.current_stage == MaturityStage.TRADITIONAL else "medium",
func.evidence,
])
def run_sample_assessment():
"""Run a sample assessment demonstrating the ZTMM assessment process."""
assessment = ZTMMAssessment("Example Federal Agency")
# Identity Pillar Assessment
assessment.assess_function("Identity", "authentication", 1, 3,
evidence="MFA deployed for 60% of users, not phishing-resistant",
gaps=["No FIDO2/WebAuthn deployment", "Service accounts lack MFA"])
assessment.assess_function("Identity", "identity_stores", 1, 3,
evidence="Centralized AD, partial cloud identity integration")
assessment.assess_function("Identity", "risk_assessment", 0, 3,
evidence="No risk-based authentication in place")
assessment.assess_function("Identity", "access_management", 1, 3,
evidence="Basic RBAC, no attribute-based access control")
assessment.assess_function("Identity", "identity_lifecycle", 1, 3,
evidence="Manual provisioning, no HR integration")
# Devices Pillar Assessment
assessment.assess_function("Devices", "policy_enforcement", 1, 3,
evidence="MDM deployed, basic compliance checks")
assessment.assess_function("Devices", "asset_management", 1, 3,
evidence="Partial inventory, no IoT coverage")
assessment.assess_function("Devices", "device_compliance", 0, 3,
evidence="No real-time compliance checking")
assessment.assess_function("Devices", "device_threat_protection", 1, 3,
evidence="EDR on 70% of endpoints")
# Networks Pillar Assessment
assessment.assess_function("Networks", "network_segmentation", 0, 3,
evidence="Flat network, basic VLAN segmentation only")
assessment.assess_function("Networks", "threat_protection", 1, 3,
evidence="Perimeter firewall, no NDR")
assessment.assess_function("Networks", "encryption", 1, 3,
evidence="TLS for external, plaintext internal")
assessment.assess_function("Networks", "network_resilience", 1, 3,
evidence="Basic redundancy, no SD-WAN")
# Applications Pillar Assessment
assessment.assess_function("Applications", "access_authorization", 1, 3,
evidence="VPN-based access for internal apps")
assessment.assess_function("Applications", "threat_protection", 1, 3,
evidence="WAF for public apps only")
assessment.assess_function("Applications", "application_security", 0, 3,
evidence="Annual pen tests, no CI/CD security integration")
# Data Pillar Assessment
assessment.assess_function("Data", "data_inventory", 0, 3,
evidence="No comprehensive data inventory")
assessment.assess_function("Data", "data_categorization", 1, 3,
evidence="Basic classification, manual process")
assessment.assess_function("Data", "data_access", 1, 3,
evidence="Role-based access, no fine-grained controls")
assessment.assess_function("Data", "data_encryption", 1, 3,
evidence="Encryption at rest for databases, not all storage")
# Calculate and report
assessment.calculate_maturity()
roadmap = assessment.generate_roadmap()
print("=" * 70)
print(f"CISA ZTMM Assessment: {assessment.organization}")
print(f"Date: {assessment.assessment_date}")
print("=" * 70)
summary = assessment.get_summary()
print(f"\nOverall Maturity: {summary['overall_maturity']} (Score: {summary.get('overall_score', 'N/A')})")
print("\nPillar Maturity Scores:")
for pillar, data in summary["pillars"].items():
compliance = " [COMPLIANCE GAP]" if data["compliance_gap"] else " [COMPLIANT]"
print(f" {pillar:20s}: {data['stage']:12s} (Score: {data['score']}){compliance}")
print("\nOMB M-22-09 Compliance Status:")
compliance = assessment.get_compliance_status()
for pillar, status in compliance.items():
icon = "PASS" if status["compliant"] else "FAIL"
print(f" [{icon}] {pillar}: {status['current_stage']} / Required: {status['required_stage']}")
print(f"\nPrioritized Roadmap ({len(roadmap)} items):")
for i, item in enumerate(roadmap[:10], 1):
print(f" {i}. [{item.pillar}] {item.function_name}: "
f"{item.current_stage} -> {item.target_stage} "
f"(Priority: {item.priority}, Effort: {item.effort})")
# Export reports
assessment.export_report("ztmm_assessment_report.json")
assessment.export_csv("ztmm_assessment_report.csv")
print("\nReports exported: ztmm_assessment_report.json, ztmm_assessment_report.csv")
if __name__ == "__main__":
run_sample_assessment()