Zero Trust, unpacked for the people who have to implement it Monday

Most Zero Trust project plans we review are architecture decks. The ones that actually move the score are operating-cadence plans. Here is what to budget, what to sequence, and what to ignore.

January 30, 2026 By Rohit Khirapate

Every federal and state programme we support has a Zero Trust plan. Most of those plans are architecture decks. Pillars, maturity stages, vendor logos. The plans that actually move the CISA Zero Trust Maturity Model score are the ones written by people who have to operate the environment on Monday morning.

This piece is for those people. No architecture diagrams. A sequencing perspective from practitioners who've implemented the controls in federal, SLED, and healthcare environments.

The five CISA pillars, ranked by implementation ROI

Identity. Highest ROI by a wide margin. Most agencies score a 2 (Initial) here and can reach a 3 (Advanced) in a single quarter by rationalising the IdP, enforcing phishing-resistant MFA, and cleaning the non-human identity inventory. Do this first. Every other pillar depends on it.

Devices. Second highest ROI. Endpoint posture has matured as a product category. The gap is usually enrollment coverage and conditional-access enforcement, not tooling. Budget two sprints.

Networks. Middle. The pillar that consumes the most vendor dollars and produces the least score improvement in the first twelve months. Micro-seg is a three-year programme, not a quarterly win. Sequence this behind identity and device.

Applications and workloads. Hardest, slowest, most expensive — and where the residual risk lives. Most of the real compromise blast-radius sits in applications that assume the network is trusted. Plan for a multi-year investment with a clear per-app backlog.

Data. The pillar most agencies plan last and need first. Data classification and data flow are prerequisites to meaningful policy in every other pillar. We typically recommend starting a data-classification stream in parallel with identity, so that when network and application policy matures, it has a data taxonomy to operate against.
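The identity and devices paragraphs above describe the controls that move the score fastest: a rationalised IdP, phishing-resistant MFA, a clean non-human identity inventory, and enrollment plus conditional-access enforcement on endpoints. The following is an added example, not code from this article or any agency programme, of how those two pillars combine into one access decision, with identity evaluated first so that a request from an unverified identity never reaches the device check. The field names, the trusted-IdP list, the `enrollment_coverage` helper and the sample identities and devices are all constructed assumptions.

```python
"""Minimal Zero Trust access decision combining the identity and device pillars.

Added illustration only; the attribute names, the trusted-IdP set and the
sample subjects and devices below are constructed, not taken from any real system.
"""
from dataclasses import dataclass, field
from typing import Optional

# Authenticator types treated as phishing-resistant (FIDO2/WebAuthn, PIV/CAC).
PHISHING_RESISTANT = {"fido2", "piv"}


@dataclass
class Identity:
    subject: str
    idp: str                                  # identity provider that issued the assertion
    mfa_methods: set = field(default_factory=set)
    human: bool = True                        # False = service account / workload identity
    inventoried: bool = True                  # False = non-human identity missing from the NHI inventory


@dataclass
class Device:
    device_id: Optional[str]                  # None = unmanaged, never enrolled
    enrolled: bool = False
    compliant: bool = False                   # endpoint posture check passed (constructed flag)


def decide(identity: Identity, device: Device, trusted_idps: set):
    """Return (allow, reasons).

    Identity is checked first; a device is never evaluated for an identity that
    already failed, which is the 'identity before everything else' sequencing.
    """
    reasons = []
    if identity.idp not in trusted_idps:
        reasons.append("untrusted-idp")            # assertion from an IdP not in the rationalised set
    if identity.human:
        if not (identity.mfa_methods & PHISHING_RESISTANT):
            reasons.append("no-phishing-resistant-mfa")
    elif not identity.inventoried:
        reasons.append("nhi-not-inventoried")      # unknown service principal: deny until inventoried
    if reasons:
        return False, reasons

    # Device pillar: conditional access requires an enrolled AND compliant endpoint.
    if device.device_id is None or not device.enrolled:
        reasons.append("device-not-enrolled")
    elif not device.compliant:
        reasons.append("device-noncompliant")
    return (not reasons), reasons


def enrollment_coverage(fleet) -> float:
    """Fraction of known devices that are enrolled; the usual gap in the devices pillar."""
    if not fleet:
        return 0.0
    return sum(1 for d in fleet if d.enrolled) / len(fleet)


if __name__ == "__main__":
    trusted = {"agency-idp"}                      # constructed trusted-IdP set
    alice = Identity("alice@agency.example", "agency-idp", {"fido2"})
    bob = Identity("bob@agency.example", "agency-idp", {"sms"})
    svc = Identity("svc-backup", "agency-idp", human=False, inventoried=False)
    managed = Device("D1", enrolled=True, compliant=True)
    for who, dev in ((alice, managed), (bob, managed), (svc, managed), (alice, Device(None))):
        print(who.subject, decide(who, dev, trusted))
```

Running the module prints one decision per sample request; only the FIDO2-authenticated user on an enrolled, compliant device is allowed. Each denial carries the pillar that blocked it, which is the per-pillar evidence the quarterly review wants rather than a bare deny count.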

The three things that actually appear on the project plan

1. A named pillar owner for each of the five. Not a steering committee. One person with calendar authority and a reporting line to the executive sponsor.

2. A quarterly ZTMM self-score with evidence. The CISA ZTMM self-assessment, scored quarterly, with the evidence link attached to each score. Anyone can draw a heat map. The evidence link is the work.

3. A thirty-minute weekly cross-pillar review. Identity, devices, network, application, and data owners in one recurring meeting. Thirty minutes, no slides, standing agenda: new policy, new evidence, new blockers, decisions.
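The three plan items above come down to a record that can be checked: every pillar has a named owner, a stage score, and an evidence link, and the score is tracked per pillar quarter over quarter. The following is an added example, not the article's or CISA's tooling, of a quarterly scorecard validator that refuses a score with no evidence attached and reports per-pillar movement. The record layout, the owners, the evidence URLs and the two sample quarters are constructed; the four stage names follow the CISA ZTMM stages (Traditional, Initial, Advanced, Optimal), which is why the article's "2 (Initial)" and "3 (Advanced)" map the way they do.

```python
"""Quarterly CISA ZTMM self-score record with enforced evidence links.

Added illustration only. The record format, owners, evidence links and the two
sample quarters are constructed; only the pillar list and stage names follow CISA ZTMM.
"""
PILLARS = ("identity", "devices", "networks", "applications", "data")
STAGES = {1: "Traditional", 2: "Initial", 3: "Advanced", 4: "Optimal"}


def validate_entry(pillar: str, entry: dict) -> list:
    """Problems with one pillar's entry; an empty list means the entry is acceptable."""
    problems = []
    if pillar not in PILLARS:
        problems.append(f"{pillar}: unknown pillar")
    if not entry.get("owner"):
        problems.append(f"{pillar}: no named owner")
    if entry.get("score") not in STAGES:
        problems.append(f"{pillar}: score must be a stage number 1-4")
    if not entry.get("evidence"):
        problems.append(f"{pillar}: score without an evidence link")   # 'the evidence link is the work'
    return problems


def score_quarter(record: dict) -> dict:
    """Validate a full quarterly record and return {pillar: stage name}.

    Raises ValueError listing every problem, so a heat map cannot be drawn from
    a record that is missing a pillar, an owner or an evidence link.
    """
    problems = [f"{p}: no entry" for p in PILLARS if p not in record]
    for pillar, entry in record.items():
        problems.extend(validate_entry(pillar, entry))
    if problems:
        raise ValueError("; ".join(problems))
    return {p: STAGES[record[p]["score"]] for p in PILLARS}


def movement(previous: dict, current: dict) -> dict:
    """Per-pillar stage change between two validated quarters (the number that is tracked)."""
    return {p: current[p]["score"] - previous[p]["score"] for p in PILLARS}


def weakest_pillars(record: dict) -> list:
    """Pillars sitting at the lowest stage; the answer to 'which stage are we at' is per pillar."""
    lowest = min(record[p]["score"] for p in PILLARS)
    return [p for p in PILLARS if record[p]["score"] == lowest]


# Constructed sample quarters: identity moves 2 -> 3 in one quarter, data starts in parallel.
SAMPLE_Q1 = {
    "identity":     {"owner": "J. Doe",   "score": 2, "evidence": "https://evidence.example/q1/idp-mfa-report"},
    "devices":      {"owner": "A. Roe",   "score": 2, "evidence": "https://evidence.example/q1/enrollment"},
    "networks":     {"owner": "M. Poe",   "score": 1, "evidence": "https://evidence.example/q1/segmentation"},
    "applications": {"owner": "S. Loe",   "score": 1, "evidence": "https://evidence.example/q1/app-backlog"},
    "data":         {"owner": "K. Voe",   "score": 1, "evidence": "https://evidence.example/q1/classification"},
}
SAMPLE_Q2 = {
    "identity":     {"owner": "J. Doe",   "score": 3, "evidence": "https://evidence.example/q2/phishing-resistant-mfa"},
    "devices":      {"owner": "A. Roe",   "score": 3, "evidence": "https://evidence.example/q2/conditional-access"},
    "networks":     {"owner": "M. Poe",   "score": 1, "evidence": "https://evidence.example/q2/segmentation"},
    "applications": {"owner": "S. Loe",   "score": 1, "evidence": "https://evidence.example/q2/app-backlog"},
    "data":         {"owner": "K. Voe",   "score": 2, "evidence": "https://evidence.example/q2/taxonomy-v1"},
}

if __name__ == "__main__":
    print(score_quarter(SAMPLE_Q2))
    print("movement:", movement(SAMPLE_Q1, SAMPLE_Q2))
    print("weakest:", weakest_pillars(SAMPLE_Q2))
```

The validator deliberately reports every problem at once rather than stopping at the first, so the weekly cross-pillar review sees the full list of missing owners and evidence links in one pass; `movement` is the number that belongs on the quarterly report in place of dollars spent.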

What to ignore (for now)

— Any vendor pitch that promises to "deliver Zero Trust." Zero Trust is not a product.

— Any internal plan that measures Zero Trust progress in dollars spent. It is measured in CISA ZTMM movement and audit-evidence volume.

— Any argument about whether the organization is "at the Initial stage or the Advanced stage." The honest answer is usually "both, in different pillars." The score is per-pillar for a reason.

OMB M-22-09 set a target architecture for federal agencies and a schedule that has largely slipped across the federal enterprise. That is not a failure of technology. It is the predictable result of treating a five-year architecture transition as a set of annual procurement events.

The agencies we've watched move the score are the ones that picked the identity pillar, named an owner, sequenced the other four behind it, and measured quarterly. Same playbook — different dates.

Next step. A Zero Trust scoping call walks through your current CISA ZTMM self-score and the two sequencing changes most likely to pull the next maturity level into this fiscal year. Forty-five minutes, senior practitioner, no proposal unless you ask.