New CISA Zero Trust Updates Confirm Identity's Central Role

January 24, 2026

CISA's updated Zero Trust Maturity Model puts identity first. Learn the five pillars, four maturity levels, and how to build identity-centric security.


The Cybersecurity and Infrastructure Security Agency (CISA) updated its Zero Trust Maturity Model to reflect how organizations actually implement zero trust. The revision adds a new maturity stage, refines guidance across all five pillars, and reinforces what security teams have learned through experience: identity sits at the center of modern security architecture.

This isn't a theoretical shift. CISA's updated model responds to real implementation challenges federal agencies encountered when moving from perimeter-based security to zero trust. The lessons apply equally to private sector organizations navigating the same transition.

For security teams planning or refining their zero trust strategies, the updated model provides a practical framework. It acknowledges that zero trust happens incrementally, not all at once. And it makes clear why identity must be the foundation, not an afterthought.

Zero Trust Is a Framework, Not a Product

Zero trust describes an approach to security. It is not a product you purchase or a feature you enable. No single vendor delivers "zero trust" in a box, regardless of marketing claims.

The core principle is simple: never trust, always verify. Every access request gets evaluated based on identity, device posture, network context, and behavior patterns. Trust is never assumed based on network location or previous authentication.

Why Zero Trust Is a Journey, Not a One-Time Deployment

CISA Director Jen Easterly described zero trust implementation as a journey that "might take a while to get to an optimal architecture." This framing matters. Organizations that treat zero trust as a project with a completion date misunderstand what they're building.

Zero trust requires continuous adaptation. New applications get added. Workforce patterns change. Threat techniques evolve. The architecture must evolve alongside them.

The updated maturity model reflects this reality. It provides stages organizations can progress through over time rather than a binary state they either achieve or fail to reach.

How Misunderstanding Zero Trust Slows Security Maturity

When organizations treat zero trust as a product purchase, they often:

  • Deploy point solutions without integrating them into a coherent architecture
  • Focus on network segmentation while neglecting identity controls
  • Implement MFA as a checkbox exercise without addressing credential theft
  • Declare success after initial deployment without building operational processes

These approaches create security gaps. An organization might segment its network effectively but lack visibility into identity-based attacks that bypass network controls entirely.

The CISA model corrects this by treating zero trust as an operational capability that matures over time across multiple dimensions simultaneously.

What Changed in the Updated CISA Zero Trust Maturity Model

CISA released version 2.0 of the Zero Trust Maturity Model to address implementation challenges agencies encountered with the original framework. The update aligns with OMB Memorandum M-22-09, which directed federal agencies to meet specific zero trust objectives.

Overview of the Updated Zero Trust Maturity Model

The updated model organizes zero trust capabilities across five pillars: Identity, Devices, Networks, Applications and Workloads, and Data. Three cross-cutting capabilities span all pillars: Visibility and Analytics, Automation and Orchestration, and Governance.

Each pillar includes specific functions with detailed guidance for achieving different maturity levels. The model describes what "good" looks like at each stage, giving organizations concrete targets rather than abstract principles.

Why the Model Emphasizes Incremental Progress Over Perfection

CISA found that many organizations struggled to move from traditional security architectures directly to advanced zero trust implementations. The gap was too large to cross in a single step.

The updated model adds an "Initial" maturity stage between Traditional and Advanced. This change acknowledges that organizations start from different places and need intermediate milestones to track progress.

As CISA's Sean Connelly explained, the updated model provides a "crawl-walk-run approach" based on feedback from agencies, commercial industry, academia, and international partners.

Traditional vs Advanced vs Optimal Maturity Levels Explained

The model defines four maturity stages for each pillar:

Traditional: Organizations rely on static credentials, perimeter defenses, and manual processes. Trust is often implicit based on network location. This describes most organizations before they begin zero trust adoption.

Initial: Organizations implement foundational controls like MFA and begin inventorying assets. Authentication improves but may still include password-based factors. This stage represents the first concrete steps toward zero trust.

Advanced: Organizations implement phishing-resistant MFA, automate security responses, and correlate signals across pillars. Identity verification becomes continuous rather than point-in-time. Most organizations target this stage for near-term maturity.

Optimal: Organizations achieve full automation, real-time risk assessment, and dynamic policy enforcement across all pillars. Trust decisions happen continuously based on comprehensive context. This represents the long-term target state.

Why Identity Is Now the First Pillar of Zero Trust

Identity appears first in the CISA model for a reason. In environments where perimeters have dissolved and data lives everywhere, identity is the only consistent control point. Every access request, whether from a human or machine, involves an identity assertion that can be verified.

How Modern Attacks Bypass Perimeters and Exploit Identity

Attackers rarely breach modern organizations by exploiting network vulnerabilities. They log in using stolen credentials, compromised sessions, or manipulated identity systems.

The numbers confirm this shift. Verizon's 2025 Data Breach Investigations Report found that credential abuse remains the leading initial access vector, with 88% of attacks against web applications involving stolen credentials. The human element factored into 60% of all breaches.

Infostealers now harvest credentials at industrial scale. In 2024 alone, attackers stole over 17 billion browser cookies, including authentication tokens that bypass MFA entirely. Session hijacking has become a preferred method for account takeover because it sidesteps traditional authentication controls.

Why Static Authentication and One-Time Access Are No Longer Enough

Traditional authentication verifies identity at login and grants access for the session duration. This model fails against modern threats.

An attacker who steals a session cookie gains access without ever authenticating. An insider who passes authentication can still exfiltrate data if their behavior goes unmonitored. A compromised service account can access resources indefinitely if no one reviews its activity.

Static authentication treats identity as a gate to pass through once. Zero trust treats identity as a signal to evaluate continuously.

Identity as Both a Preventive and Continuous Control

In the CISA model, identity serves two functions. It prevents unauthorized access through strong authentication. It also enables continuous monitoring through behavioral analysis and anomaly detection.

Preventive controls include phishing-resistant MFA, just-in-time access provisioning, and least-privilege enforcement. These stop unauthorized access before it occurs.

Continuous controls include session monitoring, behavioral baselining, and real-time risk scoring. These detect compromised accounts and anomalous activity after authentication succeeds.

Effective identity security requires both. Prevention without monitoring misses compromised legitimate accounts. Monitoring without prevention creates too much noise to investigate effectively.

The Five Pillars of Zero Trust Explained

CISA's model organizes zero trust capabilities into five pillars. Each represents a domain where implicit trust must be eliminated and explicit verification must be established.

Identity: Continuous Verification for Human and Machine Access

The identity pillar covers authentication, authorization, and lifecycle management for all entities accessing organizational resources. This includes employees, contractors, partners, customers, and non-human identities like service accounts and API keys.

Key functions include:

  • Authentication that resists phishing and credential theft
  • Authorization based on least-privilege principles
  • Identity lifecycle management from provisioning through deprovisioning
  • Risk-based access decisions that consider context
  • Continuous validation throughout sessions

Organizations with mature identity capabilities integrate managed IAM solutions that enforce consistent policies across cloud and on-premises environments.

Device: Posture, Inventory, and Trust Signals

The device pillar addresses the security state of endpoints accessing organizational resources. Zero trust requires knowing what devices exist, understanding their security posture, and incorporating that posture into access decisions.

Key functions include:

  • Asset inventory covering all device types
  • Compliance and configuration monitoring
  • Threat protection and vulnerability management
  • Device trust signals integrated into access decisions

A device that fails health checks should face restricted access regardless of the user's identity. This creates defense in depth where device and identity controls reinforce each other.

Network Environment: Removing Implicit Trust from Connectivity

The network pillar eliminates the assumption that internal network location implies trustworthiness. Traditional networks granted broad access to anyone who reached the internal segment. Zero trust networks verify every connection.

Key functions include:

  • Network segmentation and micro-segmentation
  • Traffic encryption in transit
  • Visibility into network flows
  • Dynamic access control based on identity and context

Managed network security services help organizations implement segmentation and monitoring without building specialized expertise internally.

Application and Workload: Securing Execution Across Environments

The application pillar covers how software runs, communicates, and gets secured across cloud, on-premises, and hybrid environments. Applications must authenticate to each other, not just to users.

Key functions include:

  • Secure development and deployment practices
  • Application-layer access controls
  • Workload identity and authentication
  • API security and service mesh protection

Modern applications consist of distributed microservices that communicate constantly. Each communication channel requires authentication and authorization.

Data: Conditional Access and Protection Everywhere

The data pillar addresses how organizations classify, protect, and control access to information. Data protection must follow the data regardless of where it resides or how it moves.

Key functions include:

  • Data categorization and classification
  • Data protection mechanisms including encryption
  • Data access management aligned with classification
  • Data loss prevention and monitoring

Zero trust data protection moves beyond perimeter-based controls to persistent protection that travels with the data itself.

Zero Trust Maturity Levels in Practice

Abstract maturity levels become meaningful when mapped to real organizational capabilities. The following describes what each stage typically looks like in practice.

What "Traditional" Zero Trust Looks Like in Real Organizations

Organizations at traditional maturity rely on perimeter security as their primary defense. Firewalls protect network boundaries. VPNs provide remote access. Once authenticated, users access broad resource sets based on network segment.

Common characteristics include:

  • Password-based authentication, possibly with SMS or app-based MFA
  • Network access controls but limited microsegmentation
  • Manual provisioning and deprovisioning of access
  • Limited visibility into user behavior after authentication
  • Siloed security tools without integrated signals

Most organizations begin their zero trust journey from this baseline.

Characteristics of Advanced Zero Trust Environments

Organizations at advanced maturity implement controls that significantly reduce implicit trust. Authentication becomes phishing-resistant. Access decisions incorporate multiple signals. Automation handles routine security tasks.

Common characteristics include:

  • Phishing-resistant MFA using FIDO2 or equivalent standards
  • Initial passwordless authentication for some use cases
  • Identity governance with regular access reviews
  • Microsegmentation based on application requirements
  • Automated response to common security events
  • Integrated visibility across identity, device, and network

Advanced maturity represents a significant security improvement over traditional approaches while remaining achievable for most organizations.

What Defines an Optimal Zero Trust Implementation

Organizations at optimal maturity achieve continuous, automated security operations across all pillars. Policy enforcement happens in real time based on comprehensive risk signals.

Common characteristics include:

  • Fully passwordless authentication
  • Continuous risk assessment and adaptive access
  • Automated remediation of policy violations
  • Complete visibility across all pillars with correlated analytics
  • Dynamic policy enforcement that adapts to changing conditions
  • Governance integrated into security operations

Few organizations achieve optimal maturity across all pillars simultaneously. The model encourages pursuing optimal capabilities in high-risk areas while maintaining advanced capabilities elsewhere.

Maturity Level | Identity Controls | Access Model | Automation
Traditional | Passwords, basic MFA | Network-based trust | Manual processes
Initial | MFA with password factor | Basic segmentation | Limited automation
Advanced | Phishing-resistant MFA, initial passwordless | Microsegmentation, risk-based access | Automated response to common events
Optimal | Fully passwordless, continuous validation | Dynamic, context-aware enforcement | Full orchestration across all pillars

Visibility, Analytics, and Automation as Zero Trust Enablers

The five pillars describe what to secure. The cross-cutting capabilities describe how to secure it at scale. Without these enablers, zero trust becomes a manual effort that cannot keep pace with threats.

Why Visibility Alone Is Not Enough

Security teams often prioritize log collection and dashboard creation. These provide visibility into activity. They do not provide security by themselves.

Visibility without analysis creates data lakes that no one reviews. Security teams drown in alerts they cannot investigate. Attackers hide in the noise because no one connects their activities into coherent patterns.

Effective visibility requires selective focus on security-relevant signals, not comprehensive collection of everything that happens.

The Role of Analytics and Threat Intelligence

Analytics transforms raw visibility into actionable signals. Machine learning establishes behavioral baselines. Anomaly detection identifies deviations worth investigating. Correlation connects events across systems into attack narratives.

Threat intelligence adds external context. Known malicious indicators get flagged automatically. Attack patterns from other organizations inform local detection rules. Emerging techniques get incorporated into monitoring before they're used against the organization.

Together, analytics and intelligence turn logs into leads.

Automation and Orchestration Across Identity, Devices, and Cloud

Manual security processes cannot operate at the speed modern attacks require. Automation handles routine responses so analysts focus on complex investigations.

Common automation scenarios include:

  • Forcing reauthentication when device posture changes
  • Blocking access from anomalous locations
  • Triggering password resets when credentials appear in breach data
  • Isolating endpoints showing compromise indicators
  • Provisioning and deprovisioning access based on HR system changes

Orchestration connects these automated responses across tools. A signal from the identity system triggers a response in the network system. Correlation happens automatically rather than requiring analyst intervention.

For organizations implementing zero trust alongside other security capabilities, see how SASE implementation integrates with zero trust principles.

Identity-Centric Zero Trust in Real-World Environments

Theory must translate into operational practice. Identity-centric zero trust requires ongoing management, not just initial deployment.

Managing Identity Across Endpoints, Directories, and Cloud Platforms

Modern organizations maintain identities across multiple systems. On-premises Active Directory coexists with cloud identity providers. SaaS applications maintain their own user stores. Service accounts exist across cloud platforms.

Effective identity management requires:

  • Unified visibility across all identity sources
  • Consistent policy enforcement regardless of where identity originates
  • Federation that enables single sign-on without creating gaps
  • Privileged access management for high-risk accounts

Fragmented identity management creates gaps attackers exploit. A disabled account in the corporate directory may remain active in a SaaS application.

Detecting Policy Drift, Over-privilege, and Abnormal Behavior

Zero trust policies degrade over time without active management. Temporary access grants become permanent. Exceptions accumulate. Privileged accounts multiply.

Security teams must continuously monitor for:

  • Access that exceeds role requirements
  • Dormant accounts that retain active privileges
  • Deviations from behavioral baselines
  • Policy exceptions that no longer have valid justification

Research from Tenable shows 90% of cloud identities use less than 5% of their granted permissions. This gap between granted and used permissions represents exploitable attack surface.
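The permission-gap analysis described above, as an added example that is not part of the original article or any vendor tool: it compares what each identity was granted against what audit logs show it used, flags grants never exercised (the trailing-wildcard matching, the idle window and the utilization threshold are assumptions), and surfaces dormant identities. The same report serves the later advice to start least-privilege adoption with accounts that hold broad access but rarely exercise it. The grants, actions, names and timestamps are constructed sample data.

```python
from datetime import datetime, timedelta

# Constructed sample inputs (not real IAM data): permissions granted to each
# identity, as an IAM export might list them, and (identity, action, timestamp)
# records as parsed from audit logs. Names, actions and dates are hypothetical.
GRANTS = {
    "svc-backup": {"s3:GetObject", "s3:PutObject", "s3:DeleteObject",
                   "iam:PassRole", "ec2:*", "kms:*"},
    "alice": {"s3:GetObject", "s3:ListBucket"},
    "svc-legacy": {"iam:*", "s3:*"},
}

USAGE = [
    ("svc-backup", "s3:GetObject", "2026-01-10T02:00:00"),
    ("svc-backup", "s3:PutObject", "2026-01-10T02:00:05"),
    ("svc-backup", "ec2:DescribeInstances", "2026-01-10T02:01:00"),
    ("alice", "s3:ListBucket", "2026-01-20T09:13:50"),
    ("alice", "s3:GetObject", "2026-01-20T09:14:00"),
]


def permission_covers(grant: str, action: str) -> bool:
    """True if a granted permission (exact, or a trailing wildcard like 'ec2:*') covers an action."""
    if grant == action or grant == "*":
        return True
    if grant.endswith("*"):
        return action.startswith(grant[:-1])
    return False


def exercised_grants(grants, usage):
    """Map each identity to the subset of its grants that the audit trail shows it actually used."""
    used = {ident: set() for ident in grants}
    for ident, action, _ts in usage:
        for grant in grants.get(ident, ()):
            if permission_covers(grant, action):
                used[ident].add(grant)
    return used


def unused_grants(grants, usage):
    """Grants never exercised in the observed period: the first candidates for removal."""
    used = exercised_grants(grants, usage)
    return {ident: grants[ident] - used[ident] for ident in grants}


def utilization(grants, usage):
    """Fraction of granted permissions each identity exercised (0.0 when nothing was used)."""
    used = exercised_grants(grants, usage)
    return {ident: (len(used[ident]) / len(grants[ident]) if grants[ident] else 0.0)
            for ident in grants}


def last_activity(usage):
    """Most recent audit-log timestamp seen per identity."""
    last = {}
    for ident, _action, ts in usage:
        t = datetime.fromisoformat(ts)
        if ident not in last or t > last[ident]:
            last[ident] = t
    return last


def dormant_identities(grants, usage, now, max_idle_days=30):
    """Identities still holding grants but with no activity inside the idle window."""
    if isinstance(now, str):
        now = datetime.fromisoformat(now)
    last = last_activity(usage)
    cutoff = now - timedelta(days=max_idle_days)
    return {ident for ident in grants if ident not in last or last[ident] < cutoff}


def rightsizing_report(grants, usage, now, max_idle_days=30, max_utilization=0.5):
    """Findings for an access review: dormant identities, then identities using at most
    max_utilization of what they hold. Each finding lists the grants never used."""
    util = utilization(grants, usage)
    unused = unused_grants(grants, usage)
    dormant = dormant_identities(grants, usage, now, max_idle_days)
    findings = []
    for ident in sorted(grants):
        if ident in dormant:
            findings.append((ident, "dormant", sorted(unused[ident])))
        elif util[ident] <= max_utilization:
            findings.append((ident, "over-privileged", sorted(unused[ident])))
    return findings


if __name__ == "__main__":
    for ident, finding, removable in rightsizing_report(GRANTS, USAGE, "2026-01-24T00:00:00"):
        print(f"{ident}: {finding}; never-used grants: {removable}")
```

The report deliberately treats "never used" as a review queue rather than an automatic revocation list: a grant exercised only during a quarterly job will look unused in a short window, which is why the observation period should cover the longest legitimate cycle before restrictions are phased in.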

Identity Monitoring as an Ongoing Operational Requirement

Identity security is not a project with a completion date. It requires continuous operational attention.

This includes regular access reviews, authentication event monitoring, credential exposure scanning, and incident response when anomalies occur. Organizations that treat identity as a "set and forget" deployment eventually discover compromised accounts that operated undetected for months.

Why Identity-Based Attacks Are Hard to Detect Without Zero Trust

Traditional security tools struggle with identity-based attacks because these attacks use legitimate access paths. The attacker isn't exploiting a vulnerability. They're logging in with valid credentials.

How Credential Abuse Mimics Legitimate Activity

An attacker using stolen credentials performs the same actions as the legitimate user. They authenticate successfully. They access authorized resources. They operate within defined permissions.

From a traditional security perspective, nothing unusual happens. The firewall sees authorized traffic. The application logs show successful authentication. The data leaves through normal channels.

Detection requires understanding whether the legitimate user actually initiated the activity. This demands behavioral context that traditional tools don't provide.

Why Logs Exist but Signals Are Missed

Organizations collect authentication logs, access logs, and activity logs. The evidence of compromise often exists in these logs. It goes undetected because:

  • Log volume makes manual review impossible
  • Events appear legitimate in isolation
  • Correlation across systems doesn't happen
  • Behavioral baselines don't exist for comparison
  • Alert thresholds trigger too many false positives

The Microsoft breach in 2024 illustrates this pattern. Attackers used password spray attacks against a non-production tenant lacking MFA. They then leveraged a test OAuth application with elevated access to reach corporate email. The individual events appeared unremarkable. The attack chain went undetected until significant damage occurred.
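An added example of the correlation step the section says is usually missing; it is not code from the article or from any vendor. Per account, each failed login in the constructed log below is one or two attempts, which no lockout rule would notice; grouped by source address inside a sliding window, the same events show one source failing against many distinct accounts and then succeeding against one. The log format, window length, account threshold and addresses (documentation ranges) are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log lines (not from any real system); the
# source addresses are RFC 5737 documentation ranges and the user names are hypothetical.
LOG_LINES = [
    "2026-01-10T03:00:01Z src=203.0.113.7 user=alice result=FAIL",
    "2026-01-10T03:00:04Z src=203.0.113.7 user=bob result=FAIL",
    "2026-01-10T03:00:07Z src=203.0.113.7 user=carol result=FAIL",
    "2026-01-10T03:00:10Z src=203.0.113.7 user=dave result=FAIL",
    "2026-01-10T03:00:13Z src=203.0.113.7 user=erin result=FAIL",
    "2026-01-10T03:00:16Z src=203.0.113.7 user=frank result=FAIL",
    "2026-01-10T03:00:19Z src=203.0.113.7 user=test-admin result=SUCCESS",
    "2026-01-10T03:05:00Z src=198.51.100.9 user=alice result=FAIL",
    "2026-01-10T03:05:20Z src=198.51.100.9 user=alice result=SUCCESS",
]

LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$")


def parse_log(lines):
    """Turn raw lines into event dicts; lines that do not match the assumed format are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    return events


def failures_per_account(events):
    """The per-account view a lockout rule sees: failed attempts counted per user."""
    counts = defaultdict(int)
    for e in events:
        if e["result"] == "FAIL":
            counts[e["user"]] += 1
    return dict(counts)


def detect_password_spray(events, window=timedelta(minutes=10), min_accounts=5):
    """Flag a source that fails against at least min_accounts distinct accounts inside one
    sliding window, and record any account that then authenticated from that source."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    alerts = []
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        recent_fail = []   # failures still inside the sliding window
        sprayed = set()    # accounts seen failing while the source was over threshold
        succeeded = []     # accounts that logged in from the source during the spray
        for e in evs:
            recent_fail = [f for f in recent_fail if e["ts"] - f["ts"] <= window]
            if e["result"] == "FAIL":
                recent_fail.append(e)
            in_window = {f["user"] for f in recent_fail}
            if len(in_window) >= min_accounts:
                sprayed |= in_window
                if e["result"] == "SUCCESS":
                    succeeded.append(e["user"])
        if sprayed:
            alerts.append({"src": src, "accounts_failed": len(sprayed),
                           "success_after_spray": succeeded})
    return alerts


if __name__ == "__main__":
    events = parse_log(LOG_LINES)
    print("per-account failures:", failures_per_account(events))
    for alert in detect_password_spray(events):
        print("spray alert:", alert)
```

The second source in the sample (one user mistyping a password, then succeeding) produces no alert, which is the behaviour a team needs before it can act on the rule automatically: the signal is the breadth of accounts per source, not the volume of failures per account.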

Reducing Blast Radius Through Continuous Validation

Zero trust limits damage from compromised accounts through continuous validation and least-privilege access. Even when attackers gain initial access, their ability to expand that access gets constrained.

Continuous validation means:

  • Session duration limits that force reauthentication
  • Step-up authentication for sensitive actions
  • Behavioral monitoring that detects anomalies
  • Automatic access revocation when risk signals elevate

Least privilege means:

  • Access grants match actual job requirements
  • Temporary elevation instead of permanent privileges
  • Regular reviews that remove unnecessary access
  • Just-in-time provisioning for high-risk resources

Together, these controls ensure that initial compromise doesn't automatically become full network access.
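The continuous-validation and least-privilege controls listed above, and the earlier point that identity is both a preventive gate and a signal re-evaluated throughout the session, as an added example that is not part of the original article or of any product. It is a small policy decision function that re-checks every request against entitlement, risk score, device posture, session age and the strength and freshness of MFA; the thresholds, the MFA method labels and the "risk score from behavioral analytics" input are assumptions, and the scenarios are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"
    STEP_UP = "step_up"   # require a fresh phishing-resistant authentication
    DENY = "deny"
    REVOKE = "revoke"     # terminate the session outright


@dataclass
class Session:
    user: str
    strong_auth_at: datetime    # time of the last successful MFA
    mfa_method: str             # "fido2", "totp" or "password" (hypothetical labels)
    device_compliant: bool      # device-pillar health signal
    risk_score: int             # 0-100 from behavioral analytics (assumed upstream source)
    entitlements: frozenset     # actions this identity is allowed at all


@dataclass
class Request:
    action: str
    sensitive: bool
    now: datetime


# Hypothetical thresholds; real values come from the organization's risk appetite.
POLICY = {
    "max_session_age": timedelta(hours=8),          # session duration limit
    "sensitive_auth_max_age": timedelta(hours=1),   # how fresh MFA must be for sensitive actions
    "revoke_at_risk": 80,
    "step_up_at_risk": 50,
}


def evaluate(session: Session, request: Request, policy=POLICY) -> Decision:
    """Re-evaluate an already-authenticated session on every request."""
    # Least privilege first: no entitlement means no access, whatever the other signals say.
    if request.action not in session.entitlements:
        return Decision.DENY
    # Risk above tolerance ends the session rather than just blocking this request.
    if session.risk_score >= policy["revoke_at_risk"]:
        return Decision.REVOKE
    # A device failing health checks is restricted regardless of who the user is.
    if not session.device_compliant:
        return Decision.DENY if request.sensitive else Decision.STEP_UP
    # Session duration limit: old sessions must reauthenticate.
    auth_age = request.now - session.strong_auth_at
    if auth_age > policy["max_session_age"]:
        return Decision.STEP_UP
    # Sensitive actions need phishing-resistant MFA that is recent.
    if request.sensitive and (session.mfa_method != "fido2"
                              or auth_age > policy["sensitive_auth_max_age"]):
        return Decision.STEP_UP
    # Moderately elevated risk: challenge before continuing.
    if session.risk_score >= policy["step_up_at_risk"]:
        return Decision.STEP_UP
    return Decision.ALLOW


def demo_decisions():
    """Constructed scenarios; returns {scenario name: decision value}."""
    now = datetime(2026, 1, 24, 12, 0)
    base = dict(user="alice", strong_auth_at=now - timedelta(minutes=10), mfa_method="fido2",
                device_compliant=True, risk_score=10,
                entitlements=frozenset({"read_report", "export_customer_data"}))
    read = Request("read_report", sensitive=False, now=now)
    export = Request("export_customer_data", sensitive=True, now=now)
    cases = {
        "healthy_read": (Session(**base), read),
        "healthy_export": (Session(**base), export),
        "totp_export": (Session(**{**base, "mfa_method": "totp"}), export),
        "stale_session": (Session(**{**base, "strong_auth_at": now - timedelta(hours=9)}), read),
        # a replayed session token presented from an unmanaged device with anomalous behaviour
        "replayed_token": (Session(**{**base, "device_compliant": False, "risk_score": 85}), read),
        "unmanaged_device_export": (Session(**{**base, "device_compliant": False}), export),
        "not_entitled": (Session(**base), Request("delete_tenant", sensitive=True, now=now)),
    }
    return {name: evaluate(s, r).value for name, (s, r) in cases.items()}


if __name__ == "__main__":
    for name, decision in demo_decisions().items():
        print(f"{name}: {decision}")
```

The ordering of the checks is the design point: entitlement and risk are evaluated before anything else, so a valid session on a healthy device still cannot widen its access, and a session whose risk signal climbs is ended rather than merely challenged.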

Implementing Identity-First Zero Trust Without Disrupting Operations

Zero trust implementation fails when security improvements break business processes. Successful implementations balance security gains against operational impact.

Starting with Visibility Before Enforcement

Organizations should understand their current identity landscape before implementing restrictive controls. This means:

  • Inventorying all identity sources and stores
  • Mapping access patterns across applications
  • Identifying privileged accounts and their usage
  • Establishing behavioral baselines for normal activity

This visibility phase reveals gaps that enforcement would expose disruptively. It also identifies quick wins where controls can tighten without operational impact.

Incremental Least-Privilege Adoption

Sudden permission removal breaks applications and frustrates users. Incremental adoption works better.

Start by identifying permissions that are clearly unnecessary. Focus on accounts with broad access that rarely exercise it. Monitor for access attempts that would fail under stricter policies. Use this data to phase in restrictions gradually.

For privileged access, implement just-in-time elevation before removing standing privileges. Users request elevated access when needed. Access expires automatically after a defined period. This maintains productivity while eliminating persistent privilege.

Aligning Zero Trust Controls with Business Workflows

Security controls must fit how people actually work. Controls that fight the business get circumvented or disabled.

This requires:

  • Understanding critical business processes before designing controls
  • Involving business stakeholders in policy development
  • Creating exception processes for legitimate edge cases
  • Measuring user experience alongside security metrics

Zero trust succeeds when it makes secure behavior the easy path, not the obstacle to getting work done.

What the CISA Zero Trust Update Means for Security Teams in 2026

The updated CISA model provides practical guidance for organizations at any stage of zero trust maturity. It reflects lessons learned from early implementations and sets direction for future development.

Why Identity Must Be Treated as Foundational, Not Supplemental

Security teams often add identity controls on top of existing perimeter defenses. This approach treats identity as a supplement rather than a foundation.

The CISA model positions identity as the first pillar for a reason. Modern attacks target identity because it provides access that bypasses other controls. Organizations that strengthen network security while neglecting identity controls miss the primary attack vector.

In 2026, identity-based attacks will continue accelerating. Infostealers will harvest more credentials. Session hijacking will bypass more MFA implementations. Social engineering will compromise more accounts. Security strategies must address these realities directly.

How the Updated Model Helps Benchmark Zero Trust Progress

The maturity model provides a consistent framework for measuring progress. Organizations can assess their current state against defined criteria, identify gaps, and track improvements over time.

This benchmarking helps in several ways:

  • Prioritizing investments based on current maturity gaps
  • Communicating progress to leadership and boards
  • Comparing capabilities against industry peers
  • Setting realistic timelines for capability development

The model's incremental stages make progress visible. Organizations can demonstrate advancement from traditional to initial to advanced, showing concrete security improvements along the way.

Preparing for the Next Phase of Identity-Driven Threats

Threat actors adapt to defenses. As organizations implemented MFA, attackers developed MFA bypass techniques. As organizations deployed endpoint detection, attackers shifted to identity-based access that doesn't touch endpoints in detectable ways.

Future identity threats will likely include:

  • More sophisticated session hijacking and token theft
  • Attacks targeting machine identities and service accounts
  • AI-enhanced social engineering that defeats awareness training
  • Exploitation of identity federation and SSO trust relationships

Organizations implementing identity-first zero trust today build the foundation to address these emerging threats. Those that delay will find themselves perpetually behind the threat curve.

Conclusion: Identity Is the Foundation of the Zero Trust Journey

The CISA Zero Trust Maturity Model update confirms what security practitioners have learned through experience. Zero trust is a journey, not a destination. Identity sits at the center of that journey. Progress happens incrementally across multiple dimensions simultaneously.

Why Zero Trust Success Depends on Continuous Identity Assurance

Zero trust cannot succeed without strong identity controls. Every access decision depends on knowing who or what requests access. Every behavioral detection depends on understanding what normal looks like for that identity. Every least-privilege implementation depends on mapping identities to appropriate access.

Organizations that treat identity as one checkbox among many will find their zero trust implementations hollow. Attackers will simply log in using compromised credentials and operate freely within whatever network segments they reach.

Continuous identity assurance means:

  • Authentication that resists modern attack techniques
  • Authorization that enforces least privilege consistently
  • Monitoring that detects anomalous identity behavior
  • Response that contains compromised accounts quickly

Using the CISA Model as a Practical Roadmap, Not a Checklist

The CISA model works best as a planning tool, not a compliance checklist. It helps organizations understand where they are, define where they want to be, and chart a realistic path between those points.

Use the model to:

  • Assess current maturity across all five pillars
  • Identify the pillars where gaps create the most risk
  • Plan incremental improvements that build toward advanced maturity
  • Track progress over time with consistent metrics

Zero trust implementation takes years, not months. The organizations that succeed treat it as an ongoing program with continuous improvement, not a project with a defined end date.

The attackers aren't waiting. Neither should your zero trust journey.
