Framework deep dive

CISA Zero Trust Maturity Model 2.0 — Identity

This page follows CISA Table 2 (Identity pillar): seven functions, each progressing through Traditional, Initial, Advanced, and Optimal—with Okta called out as a practical mapping, not a government endorsement.

Source: CISA ZTMM v2.0 (April 2023), §5.1 Identity, pp. 13–15.


Authentication

| Stage | CISA ZTMM description | Okta capability |
| --- | --- | --- |
| Traditional | Identity is verified with passwords or MFA; access is largely static after sign-on. | Directory + password; optional basic MFA |
| Initial | MFA (password may be one factor) with validation of multiple entity attributes (e.g., locale or activity). | Okta MFA, contextual sign-on policies |
| Advanced | Phishing-resistant MFA and attributes for all identities; initial passwordless via FIDO2 / WebAuthn or PIV-class factors. | WebAuthn, Okta Verify, PIV/smart card, FastPass |
| Optimal | Continuous validation with phishing-resistant MFA, not only at initial access. | Continuous access evaluation, risk-based step-up, ThreatInsight |

Identity stores

| Stage | CISA ZTMM description | Okta capability |
| --- | --- | --- |
| Traditional | Identity lives only in self-managed, on-premises directories and stores. | LDAP/AD agent, on-prem mastering |
| Initial | Mix of self-managed and hosted stores (e.g., cloud) with minimal integration (e.g., SSO). | Universal Directory + hybrid SSO |
| Advanced | Secure consolidation and integration of some self-managed and hosted stores. | HR-driven mastering, multi-source aggregation |
| Optimal | Secure integration of identity stores across partners and environments as appropriate. | B2B orgs, delegated auth, unified directory fabric |

Risk assessments

| Stage | CISA ZTMM description | Okta capability |
| --- | --- | --- |
| Traditional | Limited determinations of identity compromise risk. | Manual reviews, coarse lockout rules |
| Initial | Identity risk via manual methods and static rules for visibility. | Static sign-on rules, admin dashboards |
| Advanced | Some automated analysis and dynamic rules informing access and response. | Behavior signals, dynamic policy, ITP patterns |
| Optimal | Real-time identity risk from continuous analysis and dynamic rules for ongoing protection. | Real-time risk scoring, automated response playbooks |

Access management

| Stage | CISA ZTMM description | Okta capability |
| --- | --- | --- |
| Traditional | Permanent access with periodic review for privileged and unprivileged accounts. | Long-lived group memberships, periodic audits |
| Initial | Access, including privileged access, that expires with automated review. | Time-bound access, access certifications |
| Advanced | Need-based and session-based access tailored to actions and resources (including privileged). | Session policies, app-specific entitlements, PAM partners |
| Optimal | Automated just-in-time and just-enough access per action and resource. | JIT provisioning, entitlement automation, IGA |

Visibility and analytics

| Stage | CISA ZTMM description | Okta capability |
| --- | --- | --- |
| Traditional | User and entity activity logs (especially privileged); some routine manual analysis. | System Log, basic reports |
| Initial | Logs with routine manual analysis and some automation; limited correlation across log types. | Log streaming to SIEM, scheduled reports |
| Advanced | Automated analysis across some activity log types; collection expanded to close visibility gaps. | Cross-system dashboards, workflow-driven alerts |
| Optimal | Comprehensive visibility and automated analysis, including behavior-based analytics. | UEBA integrations, SOC-ready telemetry |

Automation and orchestration

| Stage | CISA ZTMM description | Okta capability |
| --- | --- | --- |
| Traditional | Manual onboarding, offboarding, and disablement for self-managed identities; little integration; regular review. | Admin-driven assignments, CSV imports |
| Initial | Manual orchestration for privileged and external identities; automation for non-privileged and self-managed entities. | Group rules, lifecycle for standard workers |
| Advanced | Manual privileged-user orchestration; automation for all identities with integration across environments. | Lifecycle Automation, cross-app provisioning |
| Optimal | Full orchestration automation integrated everywhere, driven by behavior, enrollment, and deployment signals. | Okta Workflows, event-driven lifecycle at scale |

Governance

| Stage | CISA ZTMM description | Okta capability |
| --- | --- | --- |
| Traditional | Identity policies enforced via static technical controls and manual review. | Manual policy changes, ticket-driven exceptions |
| Initial | Identity policies defined and partially implemented enterprise-wide with minimal automation. | Policy API, phased policy rollout |
| Advanced | Enterprise-wide identity policy enforcement with automation; policies updated periodically. | Automated policy sync, governance workflows |
| Optimal | Fully automated enterprise-wide identity policies for all users and entities, with continuous enforcement and dynamic updates. | Policy-as-code patterns, continuous governance with IGA |
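The Authentication stages above can be turned into a policy-as-code check of the kind the Governance row's Optimal stage describes. The following is an added example, not Okta's or CISA's code; the `Rule` schema and the sample policy are constructed for illustration and do not mirror Okta's Policy API. It classifies each sign-on rule by stage and rates the whole policy by its weakest rule, since Advanced and Optimal require phishing-resistant MFA for all identities.

```python
"""Classify a sign-on policy against the Authentication function of CISA ZTMM 2.0
(Traditional -> Initial -> Advanced -> Optimal). Added example: the Rule schema
is constructed for illustration and is not Okta's Policy API."""
from dataclasses import dataclass, field

# Factor types the page's Advanced stage treats as phishing-resistant
# (FIDO2/WebAuthn, PIV/smart card, FastPass). Anything else is basic MFA,
# and unknown factor names are conservatively treated as phishable.
PHISHING_RESISTANT = {"webauthn", "piv_smart_card", "fastpass"}

STAGES = ["Traditional", "Initial", "Advanced", "Optimal"]

@dataclass
class Rule:
    """One sign-on rule (constructed schema)."""
    name: str
    factors: set                                          # accepted factor types, e.g. {"password", "webauthn"}
    context_attributes: set = field(default_factory=set)  # e.g. {"network_zone", "device_trust"}
    continuous_eval: bool = False                         # risk re-evaluated during the session, not only at sign-on

def rule_stage(rule: Rule) -> tuple[str, str]:
    """Return (stage, reason) for a single rule."""
    strong = rule.factors - {"password"}
    if not strong:
        return "Traditional", f"{rule.name}: password is the only factor"
    if not rule.context_attributes:
        return "Traditional", f"{rule.name}: MFA without validation of entity attributes"
    phishable = strong - PHISHING_RESISTANT
    if phishable:
        return "Initial", f"{rule.name}: accepts phishable factor(s) {sorted(phishable)}"
    if not rule.continuous_eval:
        return "Advanced", f"{rule.name}: phishing-resistant, but validated only at initial access"
    return "Optimal", f"{rule.name}: phishing-resistant with continuous validation"

def policy_stage(rules: list) -> tuple[str, list]:
    """The policy is only as mature as the weakest rule any identity can match,
    because Advanced/Optimal require phishing-resistant MFA for all identities."""
    results = [rule_stage(r) for r in rules]
    weakest = min((s for s, _ in results), key=STAGES.index)
    return weakest, [reason for s, reason in results if s == weakest]

# Constructed sample: the workforce rule is Optimal, but one legacy exemption drags the policy down
SAMPLE_POLICY = [
    Rule("all-workforce", {"password", "webauthn", "fastpass"},
         {"device_trust", "network_zone"}, continuous_eval=True),
    Rule("legacy-contractors", {"password", "sms"}, {"network_zone"}),
]

if __name__ == "__main__":
    stage, reasons = policy_stage(SAMPLE_POLICY)
    print(stage, *reasons, sep="\n  ")
```

Extend `PHISHING_RESISTANT` or the `Rule` fields to match the factor names your own tenant exports before trusting the result.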
