Security Strategy Briefing — OMB M-22-09 Federal Zero Trust Mandate
The White House Office of Management and Budget issued Memorandum M-22-09 on January 26, 2022, directing U.S. federal agencies to meet zero trust cybersecurity goals by FY 2024 across identity, device, network, application, and data pillars.
Executive briefing: The Office of Management and Budget released Memorandum M-22-09, “Moving the U.S. Government Toward Zero Trust Cybersecurity Principles,” on January 26, 2022. The strategy mandates governmentwide adoption of zero trust architectures with measurable outcomes due by the end of FY 2024.
Key requirements
- Identity. Agencies must implement phishing-resistant multi-factor authentication for users and machine identities.
- Devices and networks. Continuous asset inventories and encrypted DNS/HTTP traffic are required, alongside enterprise-wide logging and EDR coverage.
- Applications and data. Agencies must authorize access through application-level security, deploy automated CI/CD security testing, and classify data with access controls and audit trails.
Implementation guidance
- Roadmap alignment. Map agency zero trust plans to the five OMB pillars and align with CISA's Zero Trust Maturity Model milestones.
- Technology selection. Prioritize identity providers, EDR platforms, cloud security gateways, and data tagging tools that satisfy the memorandum's objectives.
- Budgeting. Update capital planning and investment control submissions to fund FY 2024 zero trust deliverables.
Enablement moves
- Coordinate with CISA on implementation playbooks and shared services supporting zero trust adoption.
- Integrate logging and telemetry requirements with the Continuous Diagnostics and Mitigation (CDM) program.
- Publish agency progress dashboards to communicate milestone status to OMB and congressional stakeholders.