Case Study

Modernizing Zero Trust Maturity Reporting Across HHS With the ZTMF Scoring Tool

We partnered with the Centers for Medicare and Medicaid Services (CMS) to replace manual, spreadsheet-based zero trust maturity tracking with a custom-built scoring application, giving security teams in-depth, system-level visibility into their zero trust posture. The tool proved so effective at CMS that the Department of Health and Human Services (HHS) is now rolling it out department-wide across HHS operating divisions (OpDivs), including the U.S. Food and Drug Administration (FDA) and Centers for Disease Control and Prevention (CDC).

The Challenge

Under the Office of Management and Budget (OMB) Memorandum M-22-09, M-24-14, and Executive Order 14028, every federal civilian executive branch agency must adopt a zero trust architecture and report its progress against the Cybersecurity and Infrastructure Security Agency’s (CISA's) Zero Trust Maturity Model (ZTMM). For CMS- an agency whose systems serve more than 160 million Americans across roughly 240 FISMA-reportable systems- that mandate created a recurring, high-stakes obligation: an annual zero trust data call in which the information system security officer (ISSO) or business owner (BO) for each system assesses its maturity across the five ZTMM pillars and three cross-cutting capabilities.

Across CMS, reporting lived in spreadsheets, and the process carried gaps that undermined both compliance and security:

  • Spreadsheets at enterprise scale. For many, maturity reporting ran on manually maintained files. Aggregating, version-controlling, and analyzing hundreds of disconnected spreadsheets was slow, error-prone, and left leadership with no reliable single source of truth.

  • No historical context. Spreadsheets captured a single point in time. When a system or application assignment changed hands, institutional knowledge and the prior responses associated with it were routinely lost due to staff turnover.

  • Inconsistent, subjective scoring. ISSOs and BOs interpreted the CISA ZTMM differently. Without guided, standardized questions, two comparably mature systems could score very differently, making cross-system comparison and roadmap prioritization unreliable.

  • Self-attestation only. Scores were often self-reported, with nothing connecting a claimed maturity level to the security telemetry that could actually confirm it.

  • A gap between compliance and security. CMS systems were already governed by the Acceptable Risk Safeguards (ARS), the CMS implementation of the National Institute of Standards and Technology (NIST) 800-53 Rev. 5, but ARS compliance work and zero trust maturity work ran on separate tracks, with no direct line connecting a satisfied control to the maturity it supported.

Underneath all of this was a language and interpretation problem. CISA published the ZTMM as a general federal model, not an operational scoring instrument tuned to specific agency environments, control baselines, or risk tolerances. Generic maturity assessments didn't reflect how CMS teams actually talked about their systems, tools, and environments, which meant ISSOs spent as much time interpreting questions as answering them, and answers varied based on interpretation rather than actual posture.

"We were asking people to tell us how they felt about their system’s maturity without giving them a way to back it up with evidence,” said Elizabeth Schweinsberg, senior technical advisor and Zero Trust Program Lead, Centers for Medicare and Medicaid Services. “A self-reported score in a spreadsheet tells you what the system was believed to be at one moment, not whether that maturity is actually there in the environment. We wanted a system that could close that gap."

Our Approach

Supporting the CMS zero trust team in the Information Security and Privacy Group (ISPG), Aquia built the Zero Trust Maturity Framework (ZTMF) Scoring Tool: a web-based application that digitizes the entire zero trust maturity reporting workflow, from assessment through scoring and visualization. The work combined zero trust domain expertise, custom framework development, and Agile software engineering.

Creating a CMS-Specific Interpretation of the CISA ZTMM

CMS set out to transform the CISA ZTMMv2 into a tool its team and ISSOs could actually use, starting by reframing it around a single system rather than the entire enterprise. Leveraging the pillars and functions outlined in the ZTMM, we evaluated several systems for zero trust maturity. In interviews, ISSOs raised many of the same questions about what each pillar-function pair meant, so we built tailored versions for our main hosting platforms, AWS and MAG. Grounding the maturity levels in examples of the tools teams were already using made it far easier for them to select the right level. We also created custom versions for teams at CMS who manage SaaS instances.

This work evolved into a 40-question instrument spanning the five pillars (Identity; Devices; Networks; Applications and Workloads; and Data) and the cross-cutting capabilities (Visibility and Analytics; Automation and Orchestration; and Governance), which the model treats as a sixth scored area. Each question maps to a specific ZTMM function, and its multiple-choice answers correspond to one of the four maturity levels: Traditional, Initial, Advanced, and Optimal.

Because the questions are rooted in CMS's own systems and tools, ISSOs and application development organizations (ADOs) answer about the environments they actually operate in. Clear questions drive consistent answers, and consistent answers make scores comparable across hundreds of systems. Responses are stored and pre-populated from prior data calls, so each system can track how its maturity changes over time.

"Our ISSOs needed questions they could answer without having to learn all of zero trust, not general framework language left up to interpretation," added Elizabeth. "That's why we adapted the ZTMM to how CMS operates."

Connecting Compliance to Security

To close the gap between compliance and zero trust, we mapped the CMS ARS to the CMS ZTMM, establishing a direct correlation between a system's existing FISMA compliance posture and its zero trust maturity. Satisfying a control becomes a measurable contribution to maturity rather than a checkbox exercise divorced from security outcomes. This mapping is grounded in authoritative work: CMS representatives contributed to the CISA federal NIST × Zero Trust mapping effort — mapping between NIST 800-53 Rev. 5 and CISA ZTMM v2.0 — and that output underpins the application's scoring logic.

Looking to the Future: Introducing Evidence-Based Scoring

As CMS continues to advance its zero trust maturity, the ZTMF tool will apply zero trust to the scoring process itself. Rather than relying on self-attestation alone, the application ingests CMS security data lake telemetry from across the environment, the identity provider (IdP), cloud service provider (CSP), and security tooling, and maps those signals to ZTMM functions to produce verified, CMS-specific insight into a system's maturity. It draws on existing APIs and data sources, including:

  • Kion compliance checks — cloud governance checks (IAM, password policy, access keys), evaluated maturity level by level

  • AWS Security Hub/ AWS Config — control failures mapped to maturity levels (e.g., IAM.10, Cognito.2, KMS.1) and configuration-drift signals

  • ARS controls — the count of applicable NIST/ARS controls satisfied for each function

  • CFACTS — identity-management posture, such as IdM type and multi-factor authentication (MFA) enforcement

  • Hardenize — external network and encryption checks across public domains

  • GuardDuty / AWS Config — threat-detection signals where applicable

Each source is scored against the same four-stage scale, and the suggested maturity is set by the lowest-scoring source: a system's true maturity is only as strong as its weakest verified control. Each question will now open with a suggested level, the supporting evidence attached, a pre-populated justification, and a clear flag of whether the evidence is lower than, higher than, or confirms the prior self-score. The result moves CMS from self-attestation toward objective, evidence-based scoring. The ZTMF tool also includes a free-text field for ISSO notes, ensuring contextual parity between datacalls and continuity during contract and leadership changes.

Engineered as a Production Platform

A lean team of two engineers delivered the initial release in just four months.

The application is a high-availability production system, not a prototype. The team built a React/TypeScript single-page front end and a Go REST API, deployed on AWS ECS Fargate and backed by Aurora Serverless v2 (PostgreSQL), with all infrastructure defined in Terraform and shipped via fully automated GitHub Actions CI/CD pipelines. Access is protected end-to-end by Okta (OIDC), with no VPN and no in-app username/password, and the application is Section 508-compliant. Security is built into delivery through Snyk scanning, secret-scanning git hooks, least-privilege deployment, and TLS end-to-end. Pillar dashboards, radar charts that overlay current versus historical performance, and a quarterly Snowflake data sync provide security and roadmapping teams with enterprise-wide trend visibility.

The Impact

What was once a static, error-prone spreadsheet exercise is now a unified, auditable, and dynamic reporting environment. ISSOs complete standardized assessments in the application; scores are calculated consistently and automatically; and leadership sees real-time progress tracking, historical score comparisons, and exportable assessment data across every FISMA system.

For CMS, the impact goes beyond efficiency. Standardized responses drive accuracy in federal data calls. Historical scoring preserves continuity when system or OpDiv assignments change hands. And because the tool aligns maturity measurement with evolving federal requirements, improving zero trust posture and meeting compliance obligations are now a single, unified workstream, with a path toward automated verification of zero trust maturity.

The ZTMF Scoring Tool has proven its value at CMS, and now HHS is adopting it as the department-wide standard for zero trust maturity reporting, extending consistent, system-level visibility across agencies, including the NIH and CDC.

By the Numbers

  • ~240 FISMA systems across CMS can now report zero trust maturity through one centralized platform instead of disconnected spreadsheets

  • A 40-question, six-area assessment gives every system a granular, function-by-function maturity profile instead of a single rolled-up score

  • 300+ ISSOs and ADOs are served, with role-scoped access (ADMIN, READONLY_ADMIN, ISSO, ISSM)

  • 6+ security data sources (Kion Compliance, AWS Security Hub, ARS, CFACTS, Hardenize, GuardDuty) feed the automated verification engine, mapped to ZTMM functions

  • The FY 2025 annual data call was completed on the platform, and the previous year’s answers were added to provide comparison across cycles

From CMS to the Federal Health Enterprise

The impact of the ZTMF Scoring Tool extends beyond CMS, with the platform serving as the reference model for an HHS-wide rollout. This positions a CMS-built tool to standardize zero trust maturity reporting across HHS operating divisions in alignment with OMB M-22-09.

Aquia partnered with the Centers for Medicare and Medicaid Services to design, build, and deploy the ZTMF Scoring Tool under the Program and Project Management Support (PPMS) and CMS Cybersecurity Integration Center (CCIC) contracts, and is now partnering with HHS to deploy the tool across the entire enterprise.

Request a Consultation

We’re in good company.

Work With Us

GSA Schedule and SINS

  • GSA Schedule 47QTCA23D000H

  • SIN 518210C Cloud Computing and Cloud

  • SIN 54151HACS Highly Adaptive Cybersecurity Services (HACS)

  • SIN 54151S Information Technology Professional Services

Federal Contract Vehicles

  • USDA STRATUS Cloud BOA

  • VA SPRUCE IDIQ

Company Profile

  • CAGE Code: 8XPQ4

  • DUNS: 117948867

  • Unique Entity ID: RGMQQK1DLAN9

NAICS Codes

  • 541511 Custom Computer Programming Services (primary)

  • 334111 Electronic Computer Manufacturing

  • 334112 Computer Storage Device Manufacturing

  • 334310 Audio And Video Equipment Manufacturing

  • 334419 Other Electronic Component Manufacturing

  • 518210 Data Processing, Hosting, And Related Services

  • 519130 Internet Publishing And Broadcasting And Web Search Portals

  • 519190 All Other Information Services

  • 541430 Graphic Design Services

  • 541512 Computer Systems Design Services

  • 541513 Computer Facilities Management Services

  • 541519 Other Computer Related Services

  • 541611 Administrative Management And General Management Consulting Services

  • 541614 Process, Physical Distribution, And Logistics Consulting Services

  • 541618 Other Management Consulting Services

  • 541715 Research And Development In The Physical, Engineering, And Life Sciences (Except Nanotechnology And Biotechnology)

  • 561110 Office Administrative Services

  • 561320 Temporary Help Services

  • 561439 Other Business Service Centers (Including Copy Shops)

  • 611420 Computer Training

Partnerships

  • AWS Advanced Tier Services Partner

  • AWS Public Sector Partner

  • AWS Global Security and Compliance Acceleration program (ATO on AWS)

  • AWS Security Partner

  • GCP Partner

Membership

  • Digital Services Coalition

  • National Veteran Small Business Coalition (NVSBC)