CISA’s new Zero Trust Maturity Model gives MFA a push – Yubico

The long-awaited second version of the Cybersecurity and Infrastructure Security Agency’s (CISA) Zero Trust Maturity Model (ZTMM) is here after more than a year of public comments and agency responses.

The latest model points federal agencies, and all organizations that work with them, toward a Zero Trust security architecture. The White House laid the groundwork for zero trust in May 2021 with Executive Order (EO) 14028, “Improving the Nation’s Cybersecurity,” which led to OMB’s January 2022 Memorandum M-22-09, “Moving the U.S. Government Toward Zero Trust Cybersecurity Principles.” The target date for federal agencies to reach specific Zero Trust goals, including requiring phishing-resistant MFA, is the end of FY2024. 

Identity is one of the key pillars in the ZTMM, and the government categorizes identity through four stages of maturity including Traditional, Initial, Advanced and Optimal. Authentication is front and center in this memo, and CISA offered additional details on specific authentication requirements for each of the four phases:

  • Traditional: Agency authenticates identity using either passwords or MFA with static access for entity identity.
  • Initial: Agency authenticates identity using MFA, which may include passwords as one factor and requires validation of multiple entity attributes.
  • Advanced: Agency begins to authenticate all identity using phishing-resistant MFA and attributes, including initial implementation of passwordless MFA via FIDO2 or PIV.
  • Optimal: Agency continuously validates identity with phishing-resistant MFA, not just when access is initially granted.

With the critical need to take a more secure approach to cybersecurity health, Yubico encourages every agency to move quickly toward the advanced and optimal stages where SMS one-time passcodes and push-based applications become a thing of the past. It’s an exciting time for security, because we now have official recognition from the government that not all MFA is created equal — phishing-resistant features are key to fully protecting federal agencies, and that’s now in print.

What are the barriers to Zero Trust adoption? 

ZTMM contains some interesting acknowledgments that the road to Zero Trust will have a few bumps. Among the road to Zero Trust adoption, the memo cited: 

  • Legacy systems rely on “implicit trust,” meaning access and authorization are infrequently assessed and based on fixed attributes. That principle doesn’t align with zero trust’s core assumption of adaptive evaluation. 
  • Buy-in is required agency-wide, but especially from senior leadership. The memo is honest about the transition needing a collective effort to “transition stove-piped and siloed IT services and staff to coordinated and collaborative components of a zero trust strategy.” 
  • Agencies are beginning their journeys to Zero Trust from different starting points. Some agencies may be further along or better positioned to make these advancements than others. 

Regardless of this, the second version of the ZTMM is a signal to agencies that there is no U-turn possible on the transition to zero trust — it’s full steam ahead, and agencies will need to get on board if they haven’t already. 

——

Read more about Zero Trust architectures in our white paper, “Accelerate your Zero Trust strategy with phishing-resistant MFA.”

Talk to our teamTalk to our team

Share this article:


  • Works with YubiKey Spotlight: Expanded partnerships redefining phishing-resistance in 20252024 was an exciting year for Yubico and our partners. Together, we achieved remarkable milestones, launching innovative solutions and forging stronger partnerships – all aimed at delivering the most impactful cybersecurity solutions and user experience for our customers and partners. At the heart of these efforts lies a shared commitment to phishing-resistance.  From registration to […]Read moreWorks with YubiKeywwyk
  • Cybersecurity in 2025 – part two: Insights and predictions from Yubico’s expertsIn part one of our 2025 cybersecurity predictions, we highlighted insights from our experts on the topic of passkeys, digital identity wallets and the threats of AI-driven phishing – areas that saw a lot of focus in 2024, and ones that we expect to continue being a major focus this year. If you missed our […]Read morecritical infrastructurefederal governmentfinancial servicespredictions
  • Cybersecurity in 2025: Insights and predictions from Yubico’s expertsWith 2024 behind us, we saw another challenging year in the world of cybersecurity – highlighted by new and evolving threats like Artificial Intelligence (AI)-driven phishing and increasingly sophisticated cyber attacks overall. Yubico’s September Global State of Authentication Survey confirmed the challenges, even underscoring the potential risks of these new threats. The report emphasized the […]Read moreAIdigital identity walletspasskeyspredictions
  • State of Global Authentic(age)ion: A look at cybersecurity habits by generationsNo generations were left untouched when it came to the threat of hackers in 2024: from the impact of political shakeups, to increasingly sophisticated cyber attacks targeting consumers, critical industries and infrastructures, the world was on high alert. Fueled by a dramatic increase in phishing attacks circumventing certain forms of legacy multi-factor authentication (MFA), as […]Read moreState of Global Authenticationsurvey