
Security Strategy Briefing — OMB M-22-09 Federal Zero Trust Mandate

OMB Memorandum M-22-09 set a 2024 deadline for U.S. federal zero-trust adoption, pushing agencies and contractors to deliver operational migrations, governance checkpoints, and sourcing for secure services.

[Figure: timeline of source publication cadence, sized by credibility; two publication timestamps support this briefing.]

Executive briefing: On 26 January 2022 the U.S. Office of Management and Budget (OMB) released Memorandum M-22-09, “Moving the U.S. Government Toward Zero Trust Cybersecurity Principles.” The memo requires civilian agencies to implement specific zero-trust capabilities by the end of Fiscal Year 2024, aligning with the Cybersecurity Executive Order 14028 and CISA’s Zero Trust Maturity Model. Agencies and their vendors must overhaul identity management, network segmentation, application security, and data governance while establishing oversight mechanisms and sourcing strategies that accelerate secure digital services.

Core requirements

M-22-09 establishes five pillars—Identity, Devices, Networks, Applications & Workloads, and Data—each with targeted goals. Key mandates include:

  • Agency-wide phishing-resistant multi-factor authentication (MFA) for users, service accounts, and administrative access.
  • Centralised identity management integrated with ICAM (Identity, Credential, and Access Management) solutions and automated account lifecycle management.
  • Enterprise inventory and continuous monitoring of all devices, including mobile and non-traditional endpoints.
  • Encrypted DNS (DoH/DoT), application-layer proxies, and microsegmentation to limit lateral movement.
  • Application security testing, software supply chain risk management, and automated vulnerability remediation via continuous integration pipelines.
  • Data categorisation, tagging, and least-privilege access enforced through attribute-based access control (ABAC).

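The last bullet above names the enforcement mechanism without showing how the pieces fit together. The following is an added example (not code from the memo, CISA or Zeph Tech) of a default-deny attribute-based access control check over tagged data assets: a request is permitted only when the subject's clearance meets the asset's classification tag, the subject belongs to the owning programme, the session was authenticated with a phishing-resistant factor (PIV or FIDO2, as the page names them), and the device reports as compliant. The classification ladder, programme names and accounts are constructed for illustration; every failed attribute test is kept in the decision so denials are auditable.

```python
from dataclasses import dataclass

# Constructed data-category ladder: a subject needs clearance at or above the asset's tag.
CLASSIFICATION_RANK = {"public": 0, "internal": 1, "sensitive": 2, "restricted": 3}

# Authenticators treated as phishing-resistant for the purpose of this example.
PHISHING_RESISTANT = {"piv", "fido2"}


@dataclass(frozen=True)
class Subject:
    user_id: str
    clearance: str          # one of CLASSIFICATION_RANK
    programmes: frozenset   # programmes the person is assigned to
    mfa_method: str         # authenticator used for the current session
    device_compliant: bool  # posture signal from device management


@dataclass(frozen=True)
class Asset:
    asset_id: str
    classification: str     # data-category tag applied during discovery/classification
    programme: str          # owning programme
    actions: tuple = ("read",)


@dataclass(frozen=True)
class Decision:
    permit: bool
    reasons: tuple          # empty when permitted; otherwise every failed test


def evaluate(subject: Subject, asset: Asset, action: str) -> Decision:
    """Default-deny ABAC evaluation: all attribute tests must pass, and each failure is recorded."""
    reasons = []
    if action not in asset.actions:
        reasons.append(f"action '{action}' not defined for {asset.asset_id}")
    if CLASSIFICATION_RANK[subject.clearance] < CLASSIFICATION_RANK[asset.classification]:
        reasons.append(f"clearance '{subject.clearance}' below tag '{asset.classification}'")
    if asset.programme not in subject.programmes:
        reasons.append(f"not assigned to programme '{asset.programme}'")
    if subject.mfa_method not in PHISHING_RESISTANT:
        reasons.append(f"authenticator '{subject.mfa_method}' is not phishing-resistant")
    if not subject.device_compliant:
        reasons.append("device out of compliance")
    return Decision(permit=not reasons, reasons=tuple(reasons))


def audit_line(subject: Subject, asset: Asset, action: str, decision: Decision) -> str:
    """One log line per decision so dashboards can report denials by cause."""
    outcome = "PERMIT" if decision.permit else "DENY"
    detail = "; ".join(decision.reasons) if decision.reasons else "all attribute checks passed"
    return f"{outcome} user={subject.user_id} asset={asset.asset_id} action={action} :: {detail}"


# Constructed sample subjects and a tagged asset.
CASEWORK_DB = Asset("casework-db", "sensitive", "benefits", actions=("read", "export"))
ANALYST = Subject("analyst01", "sensitive", frozenset({"benefits"}), "piv", True)
CONTRACTOR = Subject("vendor07", "internal", frozenset({"benefits"}), "sms", False)


if __name__ == "__main__":
    for who in (ANALYST, CONTRACTOR):
        decision = evaluate(who, CASEWORK_DB, "read")
        print(audit_line(who, CASEWORK_DB, "read", decision))
```

Because the decision lists every failed attribute rather than stopping at the first, the contractor's denial in the sample reports three independent gaps (clearance, authenticator, device posture), which is the breakdown an ICAM team needs when remediation is prioritised.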
Agencies must submit Zero Trust Implementation Plans (ZTIPs) to OMB and CISA, detailing milestones, resource needs, and dependencies. The memo also directs agencies to participate in CISA's Continuous Diagnostics and Mitigation (CDM) programme, including its cloud security logging capabilities, and to integrate security orchestration with CISA.

Operational priorities for agencies

Chief Information Officers (CIOs), Chief Information Security Officers (CISOs), and Chief Data Officers (CDOs) should coordinate:

  • Implementation planning. Develop detailed roadmaps mapping M-22-09 requirements to existing capabilities, identifying gaps, prioritised initiatives, and budget allocations. Plans should include cross-agency dependencies (e.g., shared services) and integration with Technology Modernization Fund (TMF) proposals.
  • Identity modernisation. Deploy phishing-resistant MFA (e.g., PIV, FIDO2) across workforce, contractors, and privileged accounts. Consolidate identity stores, implement just-in-time access, and enforce conditional access policies based on device health and user risk.
  • Network transformation. Replace legacy perimeter VPNs with application-centric access proxies, implement software-defined perimeters, and use automated policy engines to manage segmentation. Monitor east-west traffic through advanced analytics.
  • Application security. Integrate secure development practices, code scanning, and SBOM generation into DevSecOps pipelines. Adopt the NIST Secure Software Development Framework (SSDF) and require vendors to attest to compliance with it.
  • Data protection. Implement data discovery, classification, and encryption strategies that support ABAC. Deploy data loss prevention (DLP) and audit logging across cloud and on-premises environments.

Operational readiness includes training, change management, and communications to workforce and mission partners.

Governance and oversight

M-22-09 emphasises governance at multiple levels:

  • Agency leadership. Agency heads must designate accountable executives for each zero-trust pillar, with CIOs overseeing implementation. Governance boards should include mission stakeholders to ensure alignment with business priorities.
  • Reporting cadence. Agencies submit quarterly progress updates to OMB and CISA, including metrics on MFA adoption, logging coverage, and milestone attainment. Internal dashboards should track progress against ZTIPs and flag risks.
  • Risk management. Integrate zero-trust initiatives into Enterprise Risk Management (ERM) frameworks, ensuring that delays or control gaps are escalated to senior leadership. Align with Federal Information Security Modernization Act (FISMA) reporting.
  • Cross-agency collaboration. Participate in the Federal Chief Information Security Officer Council, CISA working groups, and shared services forums to share best practices and coordinate investments.

Internal audit and inspector general offices should plan assessments of zero-trust progress, focusing on control design, implementation, and documentation.

Sourcing and industry engagement

Agencies depend on contractors, integrators, and cloud service providers to achieve zero trust. Procurement teams must:

  • Update acquisition policies. Embed zero-trust requirements into solicitations, statements of work, and contract performance metrics. Reference NIST standards, CISA guidance, and FedRAMP baselines.
  • Assess vendor capabilities. Require attestations for MFA support, device posture integrations, logging, and secure software development. Evaluate vendors’ ability to deliver automation, AI-driven detection, and compliance reporting.
  • Leverage government-wide vehicles. Use GWACs such as GSA's Enterprise Infrastructure Solutions (EIS) and STARS III for zero-trust technologies. Coordinate with the Department of Homeland Security's CDM DEFEND task orders for sensor deployments.
  • Manage contractor compliance. Monitor contractor adoption of zero-trust principles, including secure access for remote staff, supply chain risk management, and reporting obligations for cyber incidents under FISMA and FAR 52.204-21.

Agencies should also engage industry associations, such as ACT-IAC and AFCEA, to benchmark solutions and gather lessons learned.

Metrics and performance management

M-22-09 expects agencies to track progress through measurable metrics, such as:

  • Percentage of users and privileged accounts enrolled in phishing-resistant MFA.
  • Coverage of device inventory with continuous monitoring and compliance enforcement.
  • Percentage of applications protected by application-layer proxies and secure access brokers.
  • Proportion of critical data assets tagged with access policies and encrypted at rest/in transit.
  • Mean time to detect and respond to security incidents leveraging zero-trust telemetry.

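The first metric in the list is easy to overstate: an account that holds a FIDO2 key but still has an SMS or push fallback enabled can be signed in without the phishing-resistant factor. The following added example (not from the memo or any agency dashboard) computes the metric from a constructed identity export in two forms, "enrolled" (at least one phishing-resistant authenticator) and "strict" (no weaker authenticator remains enabled), for the whole workforce and for privileged accounts separately, and lists the accounts that need remediation. Account names and authenticator types are constructed; the set of methods counted as phishing-resistant (PIV, FIDO2) follows the page.

```python
from collections import Counter

# Authenticators counted as phishing-resistant for this example.
PHISHING_RESISTANT = {"piv", "fido2"}

# Constructed sample identity export: (account, is_privileged, enabled authenticators).
ACCOUNTS = [
    ("alice", False, {"piv"}),
    ("bob",   False, {"fido2", "sms"}),   # has a FIDO2 key, but SMS fallback is still enabled
    ("carol", True,  {"fido2"}),
    ("dave",  True,  {"totp"}),           # privileged account on a phishable factor
    ("erin",  False, {"push"}),
    ("frank", True,  {"piv", "fido2"}),
]


def classify(methods: set) -> str:
    """Bucket an account by the weakest authenticator that could still complete sign-in."""
    if not methods:
        return "none"
    if methods <= PHISHING_RESISTANT:
        return "resistant_only"
    if methods & PHISHING_RESISTANT:
        return "resistant_with_fallback"
    return "not_resistant"


def mfa_coverage(accounts, privileged_only: bool = False) -> dict:
    """Return enrolled/strict percentages plus a per-bucket breakdown for the chosen population."""
    population = [a for a in accounts if a[1] or not privileged_only]
    total = len(population)
    if total == 0:
        return {"population": 0, "enrolled_pct": 0.0, "strict_pct": 0.0, "breakdown": {}}
    counts = Counter(classify(a[2]) for a in population)
    enrolled = counts["resistant_only"] + counts["resistant_with_fallback"]
    strict = counts["resistant_only"]
    return {
        "population": total,
        "enrolled_pct": round(100 * enrolled / total, 1),
        "strict_pct": round(100 * strict / total, 1),
        "breakdown": dict(counts),
    }


def remediation_queue(accounts) -> list:
    """Accounts whose sign-in can still be completed without a phishing-resistant factor, privileged first."""
    queue = [(name, priv, classify(methods)) for name, priv, methods in accounts
             if classify(methods) != "resistant_only"]
    return sorted(queue, key=lambda row: (not row[1], row[0]))


if __name__ == "__main__":
    print("all users      :", mfa_coverage(ACCOUNTS))
    print("privileged only:", mfa_coverage(ACCOUNTS, privileged_only=True))
    for name, priv, bucket in remediation_queue(ACCOUNTS):
        print(f"  remediate {name:<6} privileged={priv} reason={bucket}")
```

Reporting both figures keeps the quarterly number honest: the "enrolled" percentage tracks rollout progress, while the "strict" percentage is the one that reflects actual exposure, and the remediation queue puts privileged accounts with a fallback factor at the top.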
These metrics should feed into CyberScope reporting, FISMA scorecards, and internal performance reviews.

Change management and workforce enablement

Zero trust transformation depends on workforce readiness:

  • Training programmes. Develop curricula for IT staff, mission owners, and contractors covering zero-trust concepts, new toolsets, and security responsibilities.
  • Communication plans. Provide clear messaging on MFA enrollment, access changes, and expectations for remote work. Use change champions to support adoption.
  • Talent acquisition. Address skills gaps by recruiting cybersecurity architects, cloud engineers, and data governance specialists. Consider re-skilling programmes and partnerships with the Cybersecurity Talent Management System.

Agencies should document workforce plans within ZTIPs and coordinate with OPM for classification and pay flexibility.

Future outlook

OMB and CISA will update zero-trust guidance as technology evolves. Agencies should anticipate integration with initiatives such as the Joint Cyber Defense Collaborative (JCDC), CISA’s Protective DNS, and the Federal Secure Cloud Advisory Committee. Legislation like the Federal Information Security Modernization Act of 2022 may codify elements of zero trust, while the National Cybersecurity Strategy emphasizes secure-by-design principles that align with M-22-09. Maintaining disciplined governance, operational execution, and sourcing partnerships will ensure agencies meet the 2024 mandate and provide resilient digital services.

Key resources

Zeph Tech guides federal and contractor teams through zero-trust planning, tooling selection, and performance analytics to satisfy M-22-09 milestones.

[Figure: horizontal bar chart of credibility scores for every source cited in this briefing.]
