This work package provides organisations with expert guidance, assessment, and implementation support to adopt the CISA Zero Trust Maturity Model (ZTMM) and CISA Zero Trust Reference Architecture (ZTRA). It covers identity, devices, networks, applications, workloads, and data — integrating continuous verification, least‑privilege access, and adaptive policy enforcement across hybrid and multi‑cloud environments.
The service helps clients transition from traditional perimeter‑based security to a federated, risk‑adaptive Zero Trust model aligned with CISA’s five pillars and maturity stages (Traditional → Initial → Advanced → Optimal).

Objectives:
Assess current security posture against the CISA Zero Trust Maturity Model.
Design a Zero Trust architecture aligned to CISA ZTRA components and principles.
Implement identity‑centric, policy‑driven access controls across the enterprise.
Reduce attack surface, lateral movement, and implicit trust.
Improve visibility, monitoring, and automated response capabilities.
Enable a phased, realistic Zero Trust transformation roadmap.

Expected outcomes:
A complete CISA Zero Trust maturity assessment and gap analysis.
A CISA‑aligned Zero Trust architecture blueprint.
Hardened identity, device, network, application, and data controls.
Policy enforcement and continuous verification embedded across systems.
Improved detection, response, and automation capabilities.
Clear governance, operating model, and transformation roadmap.

Maturity assessment scope:
Assessment across CISA’s five pillars:
Identity
Devices
Networks
Applications & Workloads
Data
Activities include:
Review of current architecture, controls, and governance.
Mapping capabilities to CISA maturity stages.
Gap analysis and prioritised recommendations.
Threat‑informed assessment using CISA guidance.

Architecture design:
Enterprise Zero Trust architecture blueprint aligned to CISA ZTRA.
Definition of key ZT components:
Identity Provider (IdP)
Policy Decision Point (PDP)
Policy Enforcement Point (PEP)
Continuous Diagnostics & Mitigation (CDM)
Security Information & Event Management (SIEM)
Threat Intelligence & Analytics
Integration with cloud platforms (Azure, AWS, GCP, OCI).
Micro‑segmentation and network isolation strategy.
Data protection and classification model.

Identity pillar:
Identity governance aligned to CISA ZTMM.
MFA, passwordless, and continuous authentication strategy.
Conditional access and risk‑based access policies.
Privileged access management (PAM) design.
Service account and machine identity governance.

Devices pillar:
Device trust and posture assessment.
Integration with EDR/XDR platforms.
BYOD and corporate device governance.
Continuous device compliance monitoring.
Automated enforcement of device‑based access policies.

Networks pillar:
Zero Trust network segmentation design.
East‑west traffic control and inspection.
Software‑defined perimeter (SDP) architecture.
Secure remote access and VPN modernisation.
Integration with firewalls, SD‑WAN, and SASE.

Applications & Workloads pillar:
Application identity and workload trust.
API security and gateway integration.
Container and Kubernetes Zero Trust patterns.
Secure DevOps and CI/CD pipeline controls.
Runtime protection and workload isolation.

Data pillar:
Data classification and sensitivity‑based access.
Encryption, key management, and tokenisation.
Data loss prevention (DLP) strategy.
Zero Trust data access policies.
Monitoring of data flows and exfiltration risks.

Visibility and automation:
Centralised logging and telemetry strategy.
Behavioural analytics and anomaly detection.
Integration with SIEM, SOAR, and XDR.
Automated policy enforcement and remediation.
Continuous verification and adaptive access.

Governance and roadmap:
Zero Trust governance framework aligned to CISA.
Roles, responsibilities, and decision‑making workflows.
Policy lifecycle management.
Compliance mapping (ISO, NIS2, GDPR, sector‑specific).
Zero Trust transformation roadmap (12–36 months).

Deliverables:
CISA Zero Trust Maturity Assessment Report
CISA‑Aligned Zero Trust Architecture Blueprint
Identity & Access Modernisation Pack
Network Micro‑Segmentation Design
Data Protection & Governance Framework
Policy Decision & Enforcement Design Pack
Visibility & Automation Integration Guide
Executive Summary & Board‑Level Presentation

Optional add‑ons:
Zero Trust Landing Zone (cloud or hybrid)
Secure DevOps / DevSecOps Integration Guide
Continuous Zero Trust Monitoring Service
Zero Trust Incident Response Playbooks
Multi‑Cloud Zero Trust Architecture

Phases and indicative durations:
Initiation & Discovery (1–2 weeks)
CISA Zero Trust Maturity Assessment (2–4 weeks)
Architecture & Policy Design (4–8 weeks)
Identity, Network & Data Hardening (variable)
Monitoring & Automation Integration (2–4 weeks)
Governance & Capability Uplift (ongoing)
Optional: Continuous Zero Trust Assurance (subscription)

Team:
Lead Zero Trust Architect
Identity & Access Specialist
Network & Micro‑Segmentation Engineer
Cloud Security Architect
Governance & Compliance Analyst
Project Manager

Commercial model:
Fixed‑price for assessment, architecture, and governance phases.
Time & materials for engineering, integration, and hardening.
Subscription/retainer for continuous Zero Trust monitoring and assurance.

Client dependencies:
Access to identity, network, cloud, and security platforms.
Engagement with IT, security, and architecture teams.
Availability of existing architecture diagrams and policies.
Client commitment to governance and operational adoption.

Key risks and mitigations:
Legacy systems incompatible with ZT → mitigated through compensating controls and phased migration.
Identity sprawl → mitigated through governance and rationalisation.
Operational resistance → mitigated through training and clear operating models.
Tool sprawl → mitigated through consolidation and integration planning.