CISA Zero Trust Maturity Model. Measured Progress Toward Zero Trust.
Zero Trust Maturity Platform
Five pillars assessed across four maturity levels: Traditional, Initial, Advanced, and Optimal. Three cross-cutting capabilities spanning every pillar. Continuous evidence collection from connected infrastructure maps your zero trust posture to NIST 800-207 architecture and NIST 800-53 controls. Federal mandate compliance per OMB M-22-09 and Executive Order 14028.
Zero Trust Maturity
Zero trust is an architecture. Maturity is how you measure progress toward it.
The CISA Zero Trust Maturity Model defines five pillars and four maturity levels that transform zero trust from a conceptual framework into a measurable implementation roadmap. Most organizations know they need zero trust. Few can quantify where they stand across every pillar or demonstrate progress to oversight bodies. Redoubt Forge maps your infrastructure posture to every ZTMM pillar, scores maturity levels from observed configurations and controls, and generates continuous evidence of progression.
The CISA Zero Trust Maturity Model version 2.0, published in April 2023, provides a structured roadmap for organizations to implement zero trust architecture as defined by NIST 800-207. Zero trust is not a product or a single technology. It is an architectural approach that eliminates implicit trust from every network interaction. Every access request is verified regardless of its origin. Every session is authenticated, authorized, and continuously validated. The ZTMM translates these principles into measurable capabilities organized across five pillars: Identity, Devices, Networks, Applications and Workloads, and Data. Each pillar defines specific capabilities that an organization must implement to achieve zero trust within that domain. The model does not prescribe specific technologies or vendors. It defines functional outcomes: what must be true about your identity management, your device posture, your network architecture, your application security, and your data protection for zero trust to be operational. CISA developed the model to give federal agencies and critical infrastructure operators a concrete implementation path rather than a set of abstract principles.
The ZTMM defines four maturity levels that represent progressive stages of zero trust implementation. Traditional represents the starting state: perimeter-based security with static credentials, limited visibility into device health, flat network architectures, and coarse data protection policies. Initial marks the beginning of zero trust adoption: multi-factor authentication deployed for some systems, basic device inventory established, initial network segmentation implemented, and data classification policies defined. Advanced represents significant zero trust capability: continuous identity validation with risk-based access decisions, real-time device health assessment influencing access, microsegmentation enforced across network boundaries, and automated data protection based on classification. Optimal represents the target state: fully automated, context-aware access decisions across all pillars; real-time analytics driving policy enforcement; orchestrated responses to detected threats; and governance structures that ensure zero trust principles are maintained as the organization evolves. Each pillar can be at a different maturity level, and the model acknowledges that organizations will progress unevenly across pillars based on their risk profile, existing infrastructure, and resource constraints.
Federal agencies are required to progress toward zero trust implementation per Executive Order 14028 (Improving the Nation's Cybersecurity, May 2021) and OMB Memorandum M-22-09 (Moving the U.S. Government Toward Zero Trust Cybersecurity Principles, January 2022). M-22-09 establishes specific zero trust goals that federal agencies must achieve, organized by the same five pillars as the ZTMM. These are not aspirational guidelines. They are mandated security outcomes with reporting requirements. Agency CISOs must report progress to OMB and CISA, demonstrating advancement across each pillar with evidence of implemented capabilities. The ZTMM serves as the measurement framework for that progress. Beyond federal agencies, the model has become a reference architecture for defense contractors, critical infrastructure operators, state and local governments, and private sector organizations that recognize perimeter-based security is insufficient against modern threats. The model's pillar structure provides a common vocabulary for discussing zero trust maturity with auditors, oversight bodies, and partner organizations.
Zero trust without a maturity model is directionless. Organizations adopt individual zero trust technologies (identity providers, microsegmentation appliances, endpoint detection platforms) without a coherent framework for measuring whether those investments are advancing their overall zero trust posture. A deployment of multi-factor authentication does not mean the Identity pillar is at Advanced maturity. A microsegmentation project does not mean the Networks pillar has progressed past Initial. Individual technology deployments satisfy individual capabilities within individual pillars at individual maturity levels. Without the ZTMM's structured measurement approach, organizations cannot determine which capabilities are missing, which pillars are lagging, or whether their investments are producing proportional security improvement. They report "we are implementing zero trust" without the ability to quantify what percentage of the model they have achieved, which gaps remain, or how long it will take to reach their target maturity level. Leadership receives progress narratives instead of progress data. Budget requests cite zero trust as a category without mapping specific expenditures to specific maturity level advancements across specific pillars.
Federal agencies face a more acute version of this problem: they have mandates with deadlines but lack practical mechanisms for measuring zero trust progress across all five pillars simultaneously. M-22-09 requires specific outcomes: enterprise-wide multi-factor authentication, device inventory and health assessment, encrypted DNS traffic, application security testing, and data categorization. Agency CISOs must report progress to OMB and CISA with evidence that these outcomes are being achieved. The reporting burden is substantial. Each pillar contains multiple capabilities at multiple maturity levels, and each capability requires different evidence types from different infrastructure components. Identity pillar evidence comes from identity providers and access management systems. Device pillar evidence comes from endpoint management platforms and asset inventories. Network pillar evidence comes from firewall configurations, DNS logs, and traffic analysis. Application pillar evidence comes from security testing results and deployment pipelines. Data pillar evidence comes from classification engines and encryption configurations. Aggregating this evidence into a coherent maturity assessment requires correlating data from dozens of systems, and doing it manually produces assessments that are outdated before they are submitted.
Each pillar can be at a different maturity level, and this unevenness creates exploitable gaps. An organization with Advanced identity management but Traditional network segmentation has strong authentication guarding flat network access. An adversary who compromises a single authorized session moves laterally without restriction because the network architecture provides no internal boundaries. An organization with Optimal data protection but Initial device management encrypts everything but cannot verify the health of devices accessing that encrypted data. The ZTMM's pillar structure makes these imbalances visible, but only if the organization measures each pillar independently and honestly. Organizations that report a single aggregate "zero trust score" obscure the pillar-level gaps that determine actual risk. A score of "65% zero trust" tells leadership nothing about whether the Identity pillar is at Optimal while the Networks pillar remains at Traditional. The pillar-level granularity is the model's primary value. Flattening it into a single number defeats the purpose. Redoubt Forge preserves pillar-level visibility because that is where the security decisions are made.
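The scoring argument above, worked through in code. This is an added illustration, not Redoubt Forge's scoring engine: the capability lists per level are constructed and abbreviated, and the evidence dictionary is a made-up snapshot. Levels are cumulative, so a pillar holds a level only when every capability at that level and below is evidenced, and the aggregate percentage is shown beside the per-pillar profile to make the flattening problem visible.

```python
LEVELS = ["Traditional", "Initial", "Advanced", "Optimal"]

# Capabilities required to hold each level within a pillar. Constructed,
# abbreviated lists for illustration; the ZTMM itself defines more per pillar.
REQUIREMENTS = {
    "Identity": {
        "Initial":  ["mfa_enterprise_wide", "centralized_identity_store"],
        "Advanced": ["risk_based_access", "continuous_access_review"],
        "Optimal":  ["context_aware_authz", "short_lived_service_credentials"],
    },
    "Devices": {
        "Initial":  ["asset_inventory", "endpoint_management"],
        "Advanced": ["posture_gated_access", "automated_discovery"],
        "Optimal":  ["hardware_attestation", "in_session_compliance"],
    },
    "Networks": {
        "Initial":  ["sensitive_segment_isolated", "critical_paths_encrypted"],
        "Advanced": ["microsegmentation", "encrypted_dns"],
        "Optimal":  ["workload_level_policy", "inspection_every_boundary"],
    },
}

# Constructed evidence snapshot: a capability is True only where collected
# evidence shows it operating. Identity is fully built out; Networks is flat.
EVIDENCE = {
    "Identity": {cap: True for lvl in REQUIREMENTS["Identity"].values() for cap in lvl},
    "Devices": {
        "asset_inventory": True, "endpoint_management": True,
        "posture_gated_access": True, "automated_discovery": True,
        "hardware_attestation": False, "in_session_compliance": False,
    },
    "Networks": {
        "sensitive_segment_isolated": False, "critical_paths_encrypted": True,
        "microsegmentation": False, "encrypted_dns": False,
        "workload_level_policy": False, "inspection_every_boundary": False,
    },
}


def pillar_level(pillar, evidence):
    """Highest level whose capabilities, and all lower levels', are evidenced."""
    level = "Traditional"
    for candidate in LEVELS[1:]:
        if all(evidence.get(c, False) for c in REQUIREMENTS[pillar][candidate]):
            level = candidate
        else:
            break  # a gap at this level blocks every level above it
    return level


def maturity_profile(evidence_by_pillar):
    """Per-pillar view: the granularity where security decisions are made."""
    return {p: pillar_level(p, ev) for p, ev in evidence_by_pillar.items()}


def aggregate_percent(profile):
    """The single number that flattens the profile: earned level index over maximum."""
    earned = sum(LEVELS.index(lvl) for lvl in profile.values())
    return round(100 * earned / (len(profile) * (len(LEVELS) - 1)))


def next_level_gaps(pillar, evidence):
    """Capabilities still missing for the pillar's next level ([] at Optimal)."""
    current = pillar_level(pillar, evidence)
    if current == "Optimal":
        return []
    nxt = LEVELS[LEVELS.index(current) + 1]
    return [c for c in REQUIREMENTS[pillar][nxt] if not evidence.get(c, False)]


def weakest_pillars(profile):
    """Pillars sitting at the lowest level in the profile: where lateral risk lives."""
    lowest = min(LEVELS.index(lvl) for lvl in profile.values())
    return sorted(p for p, lvl in profile.items() if LEVELS.index(lvl) == lowest)


if __name__ == "__main__":
    profile = maturity_profile(EVIDENCE)
    print(f"aggregate: {aggregate_percent(profile)}%")  # 56%: reads as respectable
    for p, lvl in profile.items():
        print(f"{p:9} {lvl:12} missing for next level: {next_level_gaps(p, EVIDENCE[p])}")
    print("weakest:", weakest_pillars(profile))  # ['Networks'], which the 56% hides
```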
The Identity pillar governs how an organization authenticates users, services, and systems; how it manages access permissions; and how it continuously validates that access decisions remain appropriate throughout each session. Identity is the foundation of zero trust because every access decision begins with establishing who or what is requesting access. The ZTMM defines Identity capabilities across authentication strength, identity lifecycle management, access governance, and risk-based authorization. At the Traditional level, organizations rely on passwords with limited multi-factor authentication, static role assignments, and periodic access reviews. Identity stores may be fragmented across multiple directories with no centralized governance. Service accounts use long-lived credentials with broad permissions that are rarely rotated. Access reviews happen quarterly or annually, if at all, and the review process is a compliance exercise rather than a security operation. The gap between granted permissions and required permissions widens over time as roles change, projects end, and personnel transfer between teams without triggering access recertification.
Maturity progression through the Identity pillar follows a concrete path. At Initial, organizations deploy enterprise-wide multi-factor authentication and begin consolidating identity stores into a centralized provider. At Advanced, authentication becomes continuous rather than session-based: risk signals from device health, network location, access patterns, and behavioral analytics feed into real-time access decisions. A user authenticating from a new device, an unusual location, or outside normal working hours triggers step-up authentication or access restriction without manual intervention. Access governance shifts from periodic reviews to continuous evaluation: when a user's role changes, their permissions adjust automatically based on predefined role-to-permission mappings. At Optimal, identity decisions are fully context-aware and automated. Every access request evaluates the full context: user identity, device posture, network location, resource sensitivity, time of access, and behavioral baseline. Anomalous patterns trigger automated response: session termination, privilege reduction, or security team notification. Service accounts use short-lived, scoped credentials issued per-transaction rather than long-lived tokens stored in configuration files.
Sentinel monitors identity configurations across your connected infrastructure continuously. It evaluates MFA enforcement status across all identity providers, detects accounts without MFA enabled, identifies service accounts with long-lived credentials, monitors for excessive permission grants, and tracks credential rotation compliance. When an identity configuration drifts from the expected state (MFA disabled on an account, a new role created with overly broad permissions, a service account credential past its rotation deadline), Sentinel detects the change and maps the impact to the Identity pillar maturity score. For certain drift scenarios, Sentinel can auto-remediate after approval: disabling accounts that violate MFA policy, rotating credentials that exceed age thresholds, or revoking permissions that exceed the defined role boundaries. Rampart scores each Identity capability against the four maturity levels, tracking progression from Traditional through Optimal with evidence collected from your running identity infrastructure. The maturity score is not self-reported. It is computed from observed configurations, enforced policies, and collected evidence artifacts that demonstrate each capability is operational.
The Devices pillar addresses the security posture of every endpoint, server, and connected asset that accesses organizational resources. In a zero trust architecture, device identity and health are evaluated alongside user identity for every access decision. A legitimate user on a compromised device represents the same risk as an unauthorized user on a healthy device. The ZTMM defines Device capabilities across asset inventory, device compliance, endpoint protection, and device-based access control. At the Traditional level, organizations maintain incomplete asset inventories that are updated manually or quarterly. Device health is assessed periodically through scheduled scans rather than continuously. Endpoints run antivirus software but lack advanced detection capabilities. Device compliance is not factored into access decisions: a user with valid credentials receives the same access regardless of whether their device has current patches, active endpoint protection, or disk encryption enabled. Unmanaged devices (personal laptops, contractor machines, IoT sensors) access the same network segments as managed corporate devices.
Progression through the Devices pillar requires building layered capabilities. At Initial, organizations establish a comprehensive asset inventory and deploy endpoint management to all corporate devices. At Advanced, device health signals feed into access decisions in real time. A device that fails a compliance check (missing patch, disabled encryption, outdated endpoint protection signatures) is restricted to a remediation network segment until it returns to a compliant state. The inventory is continuously updated through automated discovery rather than manual registration. Unmanaged devices are identified and isolated or denied access entirely. At Optimal, device posture assessment is fully automated and integrated into every access decision. Every device presents an attestation of its health before receiving any network access. Device compliance is verified continuously throughout each session, not only at the point of initial authentication. Hardware-based attestation verifies firmware integrity. Software inventory is tracked and anomalies (unauthorized applications, modified system files) trigger immediate investigation. The organization can identify, classify, and control every device on its network within minutes of connection.
Sentinel runs continuous discovery across connected accounts and infrastructure, enumerating every compute instance, endpoint, and connected asset. It monitors device configurations for compliance with defined baselines: patch levels, encryption status, endpoint protection deployment, and security agent health. When a device drifts from its compliant baseline, Sentinel detects the change immediately and maps the impact to the Devices pillar maturity score. Garrison displays the discovered estate as a live inventory, showing every asset's compliance status, configuration state, and pillar contribution. Vanguard scans device configurations and operating system deployments against DISA STIG and CIS Benchmark baselines, producing findings that map directly to Device pillar capabilities. A failed STIG check on a server's audit configuration maps to a specific Device maturity capability. A CIS Benchmark deviation on an endpoint's encryption settings maps to another. Together, these capabilities produce a Device pillar maturity score derived from observed infrastructure state rather than self-reported compliance checklists.
The Networks pillar addresses how an organization segments, monitors, and controls network traffic. Traditional network security relies on a hardened perimeter with a trusted internal network. Zero trust eliminates the concept of a trusted internal network entirely. Every network segment is treated as potentially hostile. Every traffic flow is authenticated, authorized, and encrypted regardless of whether it crosses an external boundary or moves between internal systems. The ZTMM defines Network capabilities across network segmentation, traffic encryption, threat detection, and software-defined networking. At the Traditional level, organizations operate flat or minimally segmented networks with perimeter firewalls as the primary control. Internal traffic flows unencrypted between systems. DNS queries are unencrypted and unmonitored. Network architecture is static, defined by physical infrastructure and VLAN assignments rather than dynamic policies. Lateral movement after initial compromise is unrestricted because internal network boundaries do not exist or are too coarse to contain an adversary.
Network maturity progression requires fundamental architectural changes. At Initial, organizations implement basic network segmentation separating sensitive workloads from general-purpose networks and begin encrypting internal traffic on critical paths. At Advanced, microsegmentation restricts lateral movement to the minimum required traffic flows between services. Network policies are defined by application identity and data sensitivity rather than IP addresses and port numbers. Encrypted DNS (DoH or DoT) prevents DNS-based surveillance and exfiltration. Network detection capabilities identify anomalous traffic patterns within segments, not only at the perimeter. At Optimal, the network is fully software-defined with policies that adapt dynamically to threat intelligence, device posture, and user context. Every traffic flow is encrypted end-to-end. Network segmentation policies are enforced at the workload level, meaning two containers on the same host cannot communicate unless explicitly authorized. Traffic inspection occurs at every segment boundary. The network architecture itself becomes an active security control rather than a passive transport layer.
Armory provides hardened infrastructure-as-code modules that implement network segmentation patterns aligned to ZTMM maturity levels. VPC architectures with deny-by-default security groups, network ACLs that enforce segment isolation, transit gateway configurations that control inter-VPC routing, and DNS encryption configurations deploy zero trust network controls from the first deployment. These modules are not reference architectures. They are deployable Terraform configurations with parameters tuned to the target maturity level. Sentinel monitors every network configuration continuously: security group rules, network ACL entries, route table modifications, DNS configurations, and traffic encryption settings. When a network configuration drifts from the declared zero trust baseline (a security group rule widened, a route added bypassing inspection, encryption disabled on a traffic path), Sentinel detects the change, maps the impact to the Networks pillar maturity score, and surfaces the drift in Citadel's action queue. For approved auto-remediation scenarios, Sentinel restores compliant configurations within defined change windows, preventing network posture degradation between review cycles.
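The drift cases named above (a security group rule widened, a default route sent around inspection, encryption disabled on a traffic path), as an added example of baseline-versus-observed comparison. This is not Sentinel's code or data model: the baseline and observed state are constructed dictionaries, the next-hop naming used to recognise an inspection bypass is assumed, and the capability-to-level mapping is taken from the Networks pillar description on this page.

```python
from ipaddress import ip_network

LEVELS = ["Traditional", "Initial", "Advanced", "Optimal"]

# Constructed declared baseline: ingress allow-rules per security group
# (everything else denied), route tables as destination -> next hop, and
# the traffic paths that must carry TLS.
BASELINE = {
    "security_groups": {
        "sg-app": [
            {"proto": "tcp", "port": 443, "cidr": "10.0.0.0/16"},
            {"proto": "tcp", "port": 22,  "cidr": "10.0.5.0/24"},  # bastion subnet only
        ],
    },
    "routes": {
        "rtb-app": {"0.0.0.0/0": "eni-inspection", "10.0.0.0/16": "local"},
    },
    "tls_paths": {"app->db": True, "app->cache": True},
}

# Constructed observed state carrying three drifts: SSH opened to the internet,
# default route pointed straight at an internet gateway, TLS off on app->cache.
OBSERVED = {
    "security_groups": {
        "sg-app": [
            {"proto": "tcp", "port": 443, "cidr": "10.0.0.0/16"},
            {"proto": "tcp", "port": 22,  "cidr": "0.0.0.0/0"},
        ],
    },
    "routes": {
        "rtb-app": {"0.0.0.0/0": "igw-public", "10.0.0.0/16": "local"},
    },
    "tls_paths": {"app->db": True, "app->cache": False},
}

# Assumed naming convention: next hops with these prefixes skip the inspection appliance.
BYPASS_HOPS = ("igw-", "nat-")

# Lowest ZTMM Networks level at which each capability must hold (from the page's
# pillar description: segmentation and encryption begin at Initial, in-segment
# threat detection at Advanced).
CAPABILITY_LEVEL = {
    "network_segmentation": "Initial",
    "traffic_encryption": "Initial",
    "threat_detection": "Advanced",
}


def rule_within_baseline(rule, baseline_rules):
    """True if a baseline rule with the same proto/port already covers this CIDR."""
    cidr = ip_network(rule["cidr"])
    return any(
        b["proto"] == rule["proto"] and b["port"] == rule["port"]
        and cidr.subnet_of(ip_network(b["cidr"]))
        for b in baseline_rules
    )


def detect_drift(baseline, observed):
    """Diff observed network state against the declared baseline.
    Every finding is tagged with the pillar and the capability it degrades."""
    findings = []
    for sg, rules in observed["security_groups"].items():
        base_rules = baseline["security_groups"].get(sg, [])
        for r in rules:
            if not rule_within_baseline(r, base_rules):
                findings.append({
                    "pillar": "Networks", "capability": "network_segmentation",
                    "resource": sg,
                    "detail": f"ingress {r['proto']}/{r['port']} from {r['cidr']} exceeds baseline",
                })
    for rtb, entries in observed["routes"].items():
        for dest, hop in entries.items():
            expected = baseline["routes"].get(rtb, {}).get(dest)
            if hop != expected:
                bypass = hop.startswith(BYPASS_HOPS)
                findings.append({
                    "pillar": "Networks",
                    "capability": "threat_detection" if bypass else "network_segmentation",
                    "resource": rtb,
                    "detail": f"route {dest} via {hop}, expected {expected}"
                              + (" (bypasses inspection)" if bypass else ""),
                })
    for path, required in baseline["tls_paths"].items():
        if required and not observed["tls_paths"].get(path, False):
            findings.append({
                "pillar": "Networks", "capability": "traffic_encryption",
                "resource": path, "detail": "TLS not enforced on required path",
            })
    return findings


def degraded_level(findings, claimed="Advanced"):
    """Level the pillar can still claim: below the lowest level whose capability broke."""
    result = LEVELS.index(claimed)
    for f in findings:
        floor = LEVELS.index(CAPABILITY_LEVEL[f["capability"]]) - 1
        result = min(result, floor)
    return LEVELS[result]


if __name__ == "__main__":
    drift = detect_drift(BASELINE, OBSERVED)
    for f in drift:
        print(f"[{f['pillar']}/{f['capability']}] {f['resource']}: {f['detail']}")
    print("Networks pillar now supports:", degraded_level(drift))  # Traditional
```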
The Applications and Workloads pillar addresses the security of software, services, and compute workloads throughout their lifecycle. In a zero trust architecture, applications are not trusted by default simply because they run inside the network perimeter. Each application must authenticate to other services, authorize every request it receives, and be continuously tested for vulnerabilities. The ZTMM defines Application capabilities across application security testing, workload identity, secure deployment, and runtime protection. At the Traditional level, organizations perform security testing only before major releases, if at all. Applications authenticate to backend services using shared credentials or static API keys. Deployment processes lack security gates. Runtime monitoring is limited to availability metrics rather than security telemetry. Application vulnerabilities are discovered by external penetration tests months or years after introduction, and remediation timelines are measured in quarters rather than days.
Maturity progression requires integrating security into every phase of the application lifecycle. At Initial, organizations introduce static application security testing into their development pipeline and begin cataloging application dependencies for vulnerability tracking. At Advanced, security testing is integrated into every stage of the CI/CD pipeline: static analysis, dependency scanning, container image scanning, and dynamic testing run automatically on every commit. Applications use workload identity (service mesh, managed service accounts) rather than static credentials. Deployment pipelines enforce security gates that prevent vulnerable code from reaching production. Runtime protection detects anomalous application behavior: unexpected network connections, file system modifications, or privilege escalations. At Optimal, application security is fully automated and continuous. Every workload has a verifiable identity. Every deployment is immutable and signed. Security testing includes fuzzing, API security validation, and behavioral analysis. Runtime protection responds automatically to detected threats: isolating compromised workloads, rolling back unauthorized changes, and alerting security teams with full forensic context.
Vanguard provides the multi-language DevSecOps scanning that maps directly to Application pillar maturity capabilities. Static application security testing, secret scanning, dependency analysis, container image scanning, dynamic application security testing, and API security validation produce findings that advance or degrade the Application pillar maturity score based on coverage and severity. Sentinel schedules automated scans and monitors for new vulnerabilities in deployed applications, ensuring that security testing is continuous rather than periodic. When a new vulnerability is disclosed in a dependency used by a production application, Sentinel maps the finding to the Application pillar and surfaces it in Citadel's action queue with remediation priority. Rampart tracks Application pillar maturity by correlating scan coverage, finding remediation rates, deployment pipeline gate enforcement, and workload identity adoption across the organization's application portfolio. The maturity score reflects demonstrated security practices, not documented intentions.
The Data pillar is the reason zero trust exists. Every other pillar protects access to data. Identity verifies who requests it. Devices validate the health of systems that process it. Networks control the paths that carry it. Applications manage the logic that transforms it. Data protection ensures that the information itself is classified, encrypted, access-controlled, and monitored regardless of where it resides or how it moves. The ZTMM defines Data capabilities across data categorization, data protection, data access management, and data availability. At the Traditional level, organizations have limited data classification. Encryption is applied inconsistently: at rest in some storage systems but not others, in transit on external connections but not internal ones. Data access controls are coarse, often inheriting permissions from the network segment or application rather than enforcing data-level policies. Data loss prevention is reactive, detecting exfiltration after it occurs rather than preventing it structurally.
Data maturity progression builds toward automated, classification-driven protection. At Initial, organizations define data classification policies and begin labeling sensitive data stores. Encryption at rest and in transit is deployed across primary systems. At Advanced, data classification is automated: content inspection engines identify sensitive data (personally identifiable information, controlled unclassified information, financial records, health records) and apply classification labels without manual intervention. Encryption is universal. Access controls are data-centric: permissions are granted based on the classification of the data being accessed, not the system it resides in. Data loss prevention policies enforce classification-based restrictions on data movement, preventing sensitive data from leaving authorized boundaries. At Optimal, data protection is fully automated and context-aware. Access decisions consider data sensitivity, user clearance, device posture, and session context simultaneously. Data lineage tracking records every access, transformation, and movement. Encryption key management is automated with hardware security module integration. Data availability is protected through immutable backups with cryptographic integrity verification.
Sentinel monitors data protection controls across your connected infrastructure: encryption configurations on storage systems, access policies on data stores, key rotation compliance, backup integrity, and data transfer configurations. When a storage system's encryption is disabled, an access policy is widened beyond the classification level, or a key rotation deadline passes without action, Sentinel detects the change and maps the impact to the Data pillar maturity score. For approved scenarios, Sentinel auto-remediates data protection drift: re-enabling encryption on storage systems, restoring access policies to their compliant state, and triggering key rotation workflows. Rampart maps each Data pillar capability to the four maturity levels and scores your organization's current position based on evidence collected from running infrastructure. The Data pillar score reflects observed encryption coverage, access control granularity, classification implementation, and data lifecycle management practices. Artificer identifies the highest-impact gaps in your Data pillar maturity and recommends specific remediation actions that advance your maturity level with the least effort and greatest security improvement.
The ZTMM defines three cross-cutting capabilities that apply to every pillar: Visibility and Analytics, Automation and Orchestration, and Governance. These are not separate pillars. They are capabilities that determine how effectively an organization implements, monitors, and sustains zero trust across all five pillars simultaneously. Visibility and Analytics refers to the organization's ability to observe its security posture in real time across every pillar. This includes centralized logging, security event correlation, behavioral analytics, and dashboards that provide pillar-level and aggregate maturity views. At Traditional maturity, visibility is fragmented: identity logs in one system, network logs in another, device health in a third, with no correlation engine connecting them. At Optimal maturity, a unified analytics platform correlates events across all five pillars, identifies cross-pillar attack patterns (a compromised identity accessing data from a non-compliant device over an unusual network path), and surfaces threats that no single-pillar view would detect.
Automation and Orchestration determines how quickly and consistently the organization responds to security events detected through its visibility capabilities. At Traditional maturity, responses are manual: a security analyst reviews an alert, investigates the context, determines the appropriate response, and executes remediation steps individually. At Initial maturity, basic automation handles routine events: password reset after a compromise indicator, device quarantine after a failed compliance check. At Advanced maturity, orchestration connects automated responses across pillars: a compromised identity triggers device isolation, network segment restriction, application session termination, and data access revocation in a coordinated sequence. At Optimal maturity, the response is fully automated and adaptive: the orchestration engine evaluates the threat context, selects the appropriate response playbook, executes cross-pillar actions, and adjusts future detection thresholds based on the outcome. Manual intervention is required only for novel threats that fall outside established playbooks.
Governance encompasses the policies, processes, and oversight structures that ensure zero trust principles are maintained as the organization evolves. Governance determines who defines zero trust policy, how policy changes are approved and propagated, how exceptions are managed, and how compliance with zero trust principles is verified over time. Citadel provides the unified visibility layer that spans every pillar, aggregating maturity scores, drift events, and action items into a single dashboard with pillar-level drill-down capability. Sentinel delivers the automation and orchestration layer: continuous monitoring across all five pillars, automated drift detection, configurable auto-remediation, and orchestrated response workflows that execute cross-pillar actions. Rampart serves as the governance workspace: maturity assessments, control mappings, evidence management, policy documentation, and exception tracking are all managed within Rampart's compliance engine. Together, these three cross-cutting capabilities ensure that zero trust maturity is not only measured at a point in time but maintained and advanced continuously.
Implementing the ZTMM requires a phased approach that begins with an honest assessment of current maturity across all five pillars. Organizations cannot plan a migration without knowing their starting position. The initial assessment evaluates every pillar capability against the four maturity levels, producing a baseline maturity profile that shows where the organization stands. This baseline reveals the pillar-level imbalances that determine actual risk: which pillars are furthest behind, which capabilities within each pillar represent the largest gaps, and which gaps create the most exploitable attack surface. From this baseline, the organization defines a target maturity state for each pillar based on its risk profile, regulatory requirements, and resource constraints. Not every organization needs to reach Optimal across every pillar. The target state should reflect the organization's threat model, the sensitivity of its data, and the mandates it must satisfy. A federal agency subject to M-22-09 has different target state requirements than a critical infrastructure operator adopting zero trust voluntarily. The migration plan maps the gap between current and target state into prioritized implementation phases.
Zero trust implementation does not exist in isolation. Federal agencies already operate within the Risk Management Framework (RMF), maintain Authorization to Operate (ATO) packages, and comply with FISMA reporting requirements. Private sector organizations may be subject to CMMC, FedRAMP, SOC 2, or ISO 27001 requirements that overlap with ZTMM capabilities. Implementation must integrate with these existing processes rather than creating a parallel compliance track. The Identity pillar's capabilities map to NIST 800-53 access control (AC) and identification and authentication (IA) control families. The Networks pillar maps to system and communications protection (SC) controls. The Data pillar maps to system and information integrity (SI) and media protection (MP) controls. Organizations that treat ZTMM implementation as separate from their existing compliance programs duplicate effort, create inconsistent evidence, and fragment their security posture across multiple unconnected assessments. The implementation plan should identify these overlaps explicitly and ensure that zero trust maturity advancement simultaneously advances compliance posture across all applicable frameworks.
Citadel's action queue prioritizes ZTMM implementation tasks by posture impact: which actions advance maturity across the most pillars with the greatest security improvement. The queue accounts for cross-pillar dependencies: network microsegmentation (Networks pillar) may depend on workload identity (Applications pillar), which may depend on centralized identity management (Identity pillar). Artificer guides implementation planning by asking targeted questions about your current architecture, regulatory requirements, and resource constraints. It identifies quick wins (capabilities that can advance a maturity level with minimal infrastructure change) and strategic investments (capabilities that require significant architectural modification but deliver outsized maturity improvement). Armory provides infrastructure-as-code modules that implement ZTMM capabilities at specific maturity levels: network segmentation modules for Advanced maturity, encryption configurations for Optimal maturity, identity federation modules for Advanced and Optimal identity capabilities. Deploy the module, and the capability is implemented by design. The infrastructure IS the maturity evidence.
The ZTMM is architecturally grounded in NIST 800-207 (Zero Trust Architecture), which defines the conceptual framework that the maturity model operationalizes. Every ZTMM capability traces to specific NIST 800-207 tenets: all resources are secured regardless of network location, access is granted on a per-session basis, access is determined by dynamic policy, the enterprise monitors and measures the integrity of all owned and associated assets, and all resource authentication and authorization are dynamic and strictly enforced. These tenets map to NIST 800-53 controls through published relationships maintained by NIST. The Identity pillar maps to the AC (Access Control) and IA (Identification and Authentication) control families. The Devices pillar maps to CM (Configuration Management), SI (System and Information Integrity), and CA (Assessment, Authorization, and Monitoring) controls. The Networks pillar maps to SC (System and Communications Protection) controls. The Applications pillar maps to SA (System and Services Acquisition) and SI controls. The Data pillar maps to SC, MP (Media Protection), and AC controls. These mappings are deterministic. Work done to advance ZTMM maturity simultaneously satisfies NIST 800-53 controls.
The cross-framework leverage extends to every compliance framework that derives from NIST 800-53. FedRAMP baselines (Low, Moderate, High, LI-SaaS) are specific control selections from the NIST 800-53 catalog. Federal agencies pursuing both ZTMM maturity and FedRAMP authorization are satisfying overlapping control sets from the same NIST lineage. CMMC Level 2 maps to NIST 800-171 Rev. 2, which derives from the NIST 800-53 Moderate baseline controls. Defense contractors advancing their Identity pillar maturity are simultaneously satisfying CMMC access control practices. RMF (NIST 800-37) uses NIST 800-53 as its control catalog, meaning every ZTMM capability advancement contributes to the organization's ATO package. SOC 2 Trust Service Criteria map to NIST 800-53 control families through published AICPA crosswalks. ISO 27001:2022 Annex A controls have NIST-published mappings to NIST 800-53 through the NIST Cybersecurity Framework. An organization that advances its ZTMM maturity from Traditional to Advanced across all five pillars has simultaneously completed a substantial portion of the control implementation required for any framework that traces back to NIST 800-53.
Rampart maintains the cross-reference engine that resolves the derivation chains between ZTMM capabilities and every other supported framework. As you advance ZTMM pillar maturity, Rampart computes your readiness percentage for NIST 800-53, FedRAMP, CMMC, SOC 2, ISO 27001, HIPAA, PCI-DSS, and every other framework in the catalog. The computation is not approximate. It resolves each individual control relationship through the NIST derivation chain and accounts for framework-specific parameter differences. A ZTMM capability at Advanced maturity may satisfy the corresponding NIST 800-53 control at Moderate baseline but require additional parameter specificity for FedRAMP High. Rampart surfaces these differences explicitly. When you activate a new framework assessment, it arrives pre-populated from your existing ZTMM work. The marginal effort to add each subsequent framework decreases because the underlying security posture is the same. Zero trust maturity is not a parallel track to compliance. It is the security foundation from which compliance proofs are generated. Advance your zero trust posture once. Prove compliance to every framework that derives from it.
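The two mechanics described above, a dependency-aware action queue ordered by posture impact and a readiness figure derived from pillar maturity through the pillar-to-control-family mapping, can be illustrated in a few dozen lines. The following is an added example written for this page; it is not Citadel's or Rampart's code. The pillar-to-family mapping and the identity → workload identity → microsegmentation dependency chain are the ones stated on the page; the action catalogue, the starting posture, the scoring rule (levels gained times families fed) and the coverage rule (a family counts only when every pillar feeding it is at or above the target level) are constructed assumptions.

```python
"""Constructed ZTMM action-queue and readiness illustration (not the product's own engine)."""
import heapq
from dataclasses import dataclass

# NIST 800-53 control families the page associates with each ZTMM pillar.
PILLAR_FAMILIES = {
    "Identity": frozenset({"AC", "IA"}),
    "Devices": frozenset({"CM", "SI", "CA"}),
    "Networks": frozenset({"SC"}),
    "Applications": frozenset({"SA", "SI"}),
    "Data": frozenset({"SC", "MP", "AC"}),
}
LEVELS = ("Traditional", "Initial", "Advanced", "Optimal")


@dataclass(frozen=True)
class Action:
    name: str
    pillar: str
    target_level: str       # maturity level the action brings its pillar to
    depends_on: tuple = ()  # names of actions that must be completed first


# Constructed catalogue; only the identity -> workload -> microsegmentation chain is from the page.
ACTIONS = (
    Action("centralized-identity", "Identity", "Advanced"),
    Action("workload-identity", "Applications", "Advanced", ("centralized-identity",)),
    Action("microsegmentation", "Networks", "Advanced", ("workload-identity",)),
    Action("device-compliance-enforcement", "Devices", "Initial"),
    Action("data-encryption-at-rest", "Data", "Optimal"),
)

# Constructed starting posture.
CURRENT = {"Identity": "Initial", "Devices": "Traditional", "Networks": "Traditional",
           "Applications": "Traditional", "Data": "Initial"}


def posture_impact(action, levels):
    """Constructed scoring rule: maturity levels gained in the pillar, weighted by
    the number of 800-53 families that pillar feeds."""
    gain = LEVELS.index(action.target_level) - LEVELS.index(levels[action.pillar])
    return max(gain, 0) * len(PILLAR_FAMILIES[action.pillar])


def build_queue(actions, levels):
    """Kahn's algorithm driven by a max-heap: always emit the highest-impact action whose
    dependencies are already queued. Raises on unknown or cyclic dependencies."""
    by_name = {a.name: a for a in actions}
    indegree = {a.name: 0 for a in actions}
    dependents = {a.name: [] for a in actions}
    for a in actions:
        for dep in a.depends_on:
            if dep not in by_name:
                raise ValueError(f"{a.name} depends on unknown action {dep!r}")
            indegree[a.name] += 1
            dependents[dep].append(a.name)
    heap = [(-posture_impact(by_name[n], levels), n) for n, d in indegree.items() if d == 0]
    heapq.heapify(heap)
    queue = []
    while heap:
        _, name = heapq.heappop(heap)
        queue.append(name)
        for child in dependents[name]:
            indegree[child] -= 1
            if indegree[child] == 0:
                heapq.heappush(heap, (-posture_impact(by_name[child], levels), child))
    if len(queue) != len(actions):
        raise ValueError("dependency cycle among actions")
    return queue


def apply_queue(levels, queue, actions):
    """Posture after every queued action has raised its pillar to the target level."""
    by_name = {a.name: a for a in actions}
    new = dict(levels)
    for name in queue:
        a = by_name[name]
        if LEVELS.index(a.target_level) > LEVELS.index(new[a.pillar]):
            new[a.pillar] = a.target_level
    return new


def covered_families(levels, minimum="Advanced"):
    """Constructed coverage rule: a family counts as covered only when every pillar that feeds
    it is at or above `minimum`. Shared families (AC, SC, SI) therefore need all contributing
    pillars, which is the caveat a single-pillar view hides."""
    floor = LEVELS.index(minimum)
    all_families = set().union(*PILLAR_FAMILIES.values())
    return {f for f in all_families
            if all(LEVELS.index(levels[p]) >= floor
                   for p, fams in PILLAR_FAMILIES.items() if f in fams)}


def readiness(levels, minimum="Advanced"):
    """Fraction of the mapped 800-53 families covered at the given maturity floor."""
    total = len(set().union(*PILLAR_FAMILIES.values()))
    return len(covered_families(levels, minimum)) / total


if __name__ == "__main__":
    q = build_queue(ACTIONS, CURRENT)
    after = apply_queue(CURRENT, q, ACTIONS)
    print("queue:", q)
    print("covered:", sorted(covered_families(after)), f"readiness={readiness(after):.3f}")
```

With the constructed inputs, `workload-identity` scores higher than two of the initially ready actions but is still queued after `centralized-identity` because the dependency edge wins over raw impact; and after the whole queue is applied, CM, SI and CA remain uncovered because the Devices pillar only reaches Initial, which also blocks SI even though Applications is at Advanced.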
Something is being forged.
The full platform is under active development. Reach out to learn more or get early access.