CISA zero trust maturity cost: Traditional to Optimal pricing
The CISA Zero Trust Maturity Model v2.0 defines four maturity tiers from Traditional through Initial, Advanced, and Optimal. This page costs the move through each tier for a mid-market organisation, lays out per-tier capability requirements across all five pillars, explains the federal-versus-commercial cost difference, and frames the strategic question of which tier to actually target.
What CISA ZTMM v2.0 actually defines
The CISA Zero Trust Maturity Model v2.0, published in its final form in April 2023, is the dominant US zero trust maturity framework. It defines four maturity tiers scored across five pillars (identity, devices, networks, applications and workloads, and data) plus three cross-cutting capabilities (visibility and analytics, automation and orchestration, governance). The framework first appeared as a pre-decisional draft v1.0 in September 2021, alongside the draft of what became OMB M-22-09; v1.0 already carried the three cross-cutting capabilities but defined only three tiers (Traditional, Advanced, Optimal). v2.0 inserted the Initial tier between Traditional and Advanced, refined the per-tier definitions for each pillar, and incorporated lessons from the first wave of federal implementations.
The four tiers are Traditional (the baseline before zero trust adoption: perimeter trust, broad VPN, basic identity, limited device visibility), Initial (basic zero trust capabilities in place: SSO with universal MFA, baseline EDR on every endpoint, ZTNA in pilot or production as the VPN replacement, basic conditional access), Advanced (full coverage across the foundation pillars: an identity fabric with PAM and IGA, comprehensive device management, ZTNA in production with microsegmentation in production for the first segments, an applications-pillar baseline including CNAPP, a data-pillar baseline including full DLP), and Optimal (the target end state: continuous risk-based evaluation on every request, universal workload identity, comprehensive data controls including DSPM and encryption-in-use, automated response across the stack).
For zero trust budgeting purposes, the tiers translate roughly to phases of the implementation roadmap. Phase 1 of a zero trust rollout takes the organisation from Traditional to Initial. Phase 2 takes it from Initial to Advanced. Phase 3 and ongoing continuous improvement target the Advanced-to-Optimal gap. Each increment is larger than the one before it: for a 500-user organisation, roughly $0.8M to $1.2M to reach Initial, a further $1.5M to $3.0M to reach Advanced, and a further $2M to $5M to reach Optimal. Most non-federal organisations should target Advanced as the practical destination.
What each tier requires across the five pillars
The table summarises the capabilities required at each tier across the five pillars. The cost column is the year-one increment for a 500-user mid-market organisation; the Traditional row is the starting point and carries no zero trust investment.
| Tier | Identity | Devices | Networks | Apps | Data | Cost increment |
|---|---|---|---|---|---|---|
| Traditional | Single-factor or basic MFA | Basic AV | Perimeter trust, broad VPN | Minimal app security | Encryption at rest only | Baseline (no ZT investment) |
| Initial | SSO + universal MFA + basic conditional access | EDR universal, MDM enrolment | ZTNA for VPN replacement, basic SWG | Basic CSPM, API gateway | Baseline DLP + classification starter | $800K - $1.2M Y1 for 500 users |
| Advanced | Full identity fabric, PAM, IGA, risk-based conditional access | Full MDM, full-tier EDR (e.g. Defender for Endpoint P2), MTD, device posture | Full ZTNA, microsegmentation in production (initial scope), SWG + CASB | CNAPP, API security platform, service mesh pilot | Full DLP coverage, full classification, tokenisation if regulated | +$1.5M - $3.0M from Initial |
| Optimal | Continuous risk-based eval, workload identity universal, machine identity programme mature | Continuous posture, automated remediation, full BYOD coverage | Full microsegmentation, NDR, automated network response | Service mesh production, full workload identity, full CI/CD security | DSPM, encryption-in-use, full tokenisation, automated data governance | +$2M - $5M from Advanced |
The 30-50% cost difference for federal implementations
Federal zero trust implementations typically cost 30 to 50 percent more than commercial equivalents at the same maturity tier. The premium has structural drivers that are difficult to avoid in the federal context.

- FedRAMP-authorised platform pricing. Cloud-delivered zero trust components must hold FedRAMP authorisation (typically Moderate, increasingly High for sensitive workloads). FedRAMP-authorised SKUs of major platforms cost 20 to 40 percent more than their commercial equivalents because the cost of maintaining the authorisation is amortised across fewer customers.
- Mandatory phishing-resistant MFA across the entire workforce. OMB M-22-09 requires phishing-resistant MFA (PIV or WebAuthn/FIDO2) for agency staff, contractors, and partners, not just privileged accounts. In practice this means FIDO2 hardware keys or platform-bound passkeys for every user, adding $25 to $50 one-time per user plus replacement cost over time.
- Stricter audit and evidence requirements. Federal audits expect more comprehensive evidence than commercial equivalents, which pulls forward investment in IGA, SIEM retention, and PAM session recording that many commercial organisations defer.
- Dedicated GRC headcount. Federal organisations need GRC specialists familiar with NIST SP 800-53, FedRAMP, OMB guidance, and agency-specific frameworks. Commercial organisations can often consolidate GRC across regulatory frameworks; federal organisations need specialist depth.
The federal premium is real, but it is accepted as the cost of meeting an explicit mandate. OMB M-22-09 (January 2022) set specific federal zero trust targets, originally due by the end of fiscal year 2024; subsequent guidance extended some capability deadlines through 2027, but the direction is settled. Federal contractors, particularly defence contractors under CMMC Level 2 and above, face similar premiums for similar reasons.
Should you target Optimal tier?
The strategic question for most non-federal organisations is whether to target the Optimal tier or to stop at Advanced. The financial case for stopping at Advanced is strong. The Advanced-to-Optimal increment is the most expensive step ($2M to $5M for a mid-market organisation), the longest (24 to 48 months), and produces the smallest marginal risk reduction per dollar. The Advanced tier already delivers most of the practical security benefit of zero trust; Optimal adds capabilities (full continuous evaluation, full automation, comprehensive workload identity, encryption-in-use) that are genuinely valuable but rarely the highest-ROI use of incremental security budget.
Three scenarios justify targeting the Optimal tier. Federal mandate: federal agencies under OMB M-22-09, and contractors whose contracts flow down CMMC Level 3, must reach near-Optimal capability in the mandated pillars regardless of marginal-cost economics. Regulated mandate: some regulated industries (financial services subject to NYDFS 23 NYCRR Part 500, healthcare under some HIPAA risk frameworks) face regulator expectations approaching Optimal-tier zero trust, and the premium is justified by regulatory risk avoidance rather than pure security ROI. Very high cyber-loss exposure: organisations with very high exposure (energy, manufacturing, critical infrastructure, high-profile consumer brands) may justify Optimal on expected-loss reduction alone, because their breach cost is a multiple of the figures in the IBM Cost of a Data Breach report.
Outside those three scenarios, the practical recommendation is to reach Advanced over three to four years and then iterate continuously on the Advanced-to-Optimal gap as resources allow, without setting Optimal as a fixed timeline target. This approach captures most of the value of zero trust without committing to the expensive final increment.