Security Strategy — OMB M-22-09 Federal Zero Trust Mandate
OMB Memorandum M-22-09 set an end-of-fiscal-year-2024 deadline for U.S. federal zero-trust adoption, requiring agencies and their contractors to plan operational migrations, governance checkpoints, and the sourcing of secure services.
On 26 January 2022 the U.S. Office of Management and Budget (OMB) released Memorandum M-22-09, “Moving the U.S. Government Toward Zero Trust Cybersecurity Principles.” The memo requires Federal Civilian Executive Branch agencies to meet specific zero-trust goals by the end of Fiscal Year 2024, building on Executive Order 14028 (“Improving the Nation’s Cybersecurity”) and CISA’s Zero Trust Maturity Model. Agencies and their vendors must overhaul identity management, network segmentation, application security, and data governance while establishing oversight mechanisms and sourcing strategies that accelerate secure digital services.
Core requirements
M-22-09 establishes five pillars—Identity, Devices, Networks, Applications & Workloads, and Data—each with targeted goals. Key mandates include:
- Phishing-resistant multi-factor authentication (MFA) for agency staff, contractors, and partners, meaning PIV or FIDO2/WebAuthn rather than SMS, voice calls, one-time codes, or push approvals, which the memo explicitly excludes; public-facing systems must offer a phishing-resistant option to users.
- Centralized identity management integrated with ICAM (Identity, Credential, and Access Management) systems and with applications and common platforms, plus password policies that drop mandatory special characters and periodic rotation.
- A complete, continuously updated inventory of every device the agency operates or authorizes, with endpoint detection and response (EDR) deployed across the fleet, including mobile and non-traditional endpoints.
- Encrypted DNS (DoH/DoT), HTTPS for all web and API traffic (with HSTS and .gov preloading), and isolation of environments and network segmentation to limit lateral movement.
- Dedicated application security testing programs, independent third-party evaluation of critical applications, a public vulnerability disclosure program, and treating applications as internet-accessible rather than trusting the network perimeter, alongside EO 14028 software supply chain requirements.
- Data categorization and tagging, access controls keyed to those tags (attribute-based access control, ABAC, is the usual mechanism), audit logging of access to sensitive data, and encryption of data at rest and in transit.
Agencies must submit zero-trust implementation plans (referred to here as ZTIPs) and budget estimates to OMB and CISA, detailing milestones, resource needs, and dependencies. The memo also requires agencies to meet the logging and log-sharing requirements of OMB M-21-31, to continue participating in CISA’s Continuous Diagnostics and Mitigation (CDM) program, and to share telemetry with CISA so that cross-agency detection and response work from the same data.
Operational priorities for agencies
Chief Information Officers (CIOs), Chief Information Security Officers (CISOs), and Chief Data Officers (CDOs) should coordinate:
- Implementation planning. Develop detailed roadmaps mapping M-22-09 requirements to existing capabilities, identifying gaps, prioritized initiatives, and budget allocations. Plans should include cross-agency dependencies (for example, shared services) and integration with Technology Modernization Fund (TMF) proposals.
- Identity modernization. Deploy phishing-resistant MFA (for example, PIV, FIDO2) across workforce, contractors, and privileged accounts. Consolidate identity stores, implement just-in-time access, and enforce conditional access policies based on device health and user risk.
- Network transformation. Replace legacy perimeter VPNs with application-centric access proxies, implement software-defined perimeters, and use automated policy engines to manage segmentation. Monitor east-west traffic through advanced analytics.
- Application security. Integrate secure development practices, code scanning, and SBOM generation into DevSecOps pipelines. Adopt the NIST Secure Software Development Framework (SSDF) and require software vendors to attest to SSDF conformance (OMB M-22-18 sets the self-attestation requirement).
- Data protection. Implement data discovery, classification, and encryption strategies that support ABAC. Deploy data loss prevention (DLP) and audit logging across cloud and on-premises environments.
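The identity, device, and data items above (phishing-resistant MFA, device posture, and attribute-based access to tagged data) all meet in a single access decision. The following is an added example written for this page, not code from OMB, CISA, or any vendor: a minimal policy decision point that evaluates one request deny-by-default. The class names, the sensitivity scale, the risk threshold of 70, and the sample subjects, devices, and resources are all assumptions constructed for illustration.

```python
from dataclasses import dataclass, field
from enum import Enum

# Added example (hypothetical): a minimal zero-trust policy decision point (PDP)
# that combines three M-22-09 themes: phishing-resistant MFA, device posture,
# and attribute-based access control (ABAC) over tagged data. Names, scales and
# thresholds below are assumptions, not values from the memo.


class Decision(Enum):
    ALLOW = "allow"
    DENY = "deny"
    STEP_UP = "step_up"   # caller must re-authenticate with a stronger method


# Authenticator types the memo treats as phishing-resistant (PIV, FIDO2/WebAuthn).
# SMS, voice, one-time codes and push approvals are deliberately absent.
PHISHING_RESISTANT = frozenset({"piv", "fido2", "webauthn"})

# Assumed sensitivity scale; higher rank means stricter handling.
SENSITIVITY_RANK = {"public": 0, "internal": 1, "sensitive": 2, "high": 3}
RISK_STEP_UP_THRESHOLD = 70   # assumed score from a user-risk engine (0-100)


@dataclass
class Subject:
    user_id: str
    authenticator: str          # e.g. "piv", "fido2", "totp", "sms"
    attributes: dict            # ABAC attributes, e.g. {"org": "cio"}
    risk_score: int = 0


@dataclass
class Device:
    device_id: str
    inventoried: bool           # present in the enterprise device inventory
    compliant: bool             # passes posture checks (patched, EDR up, disk encrypted)


@dataclass
class Resource:
    name: str
    sensitivity: str            # key of SENSITIVITY_RANK
    required_attributes: dict = field(default_factory=dict)   # ABAC constraints


def decide(subject: Subject, device: Device, resource: Resource, action: str) -> tuple[Decision, list[str]]:
    """Evaluate one request. Deny-by-default: every rule must pass to reach ALLOW."""
    reasons: list[str] = []
    rank = SENSITIVITY_RANK[resource.sensitivity]

    # 1. Identity: staff access requires phishing-resistant MFA, no exceptions.
    if subject.authenticator not in PHISHING_RESISTANT:
        reasons.append(f"authenticator '{subject.authenticator}' is not phishing-resistant")
        return Decision.DENY, reasons

    # 2. Device: unknown devices never get in; non-compliant ones are limited
    #    to read access on resources below 'sensitive'.
    if not device.inventoried:
        reasons.append(f"device '{device.device_id}' is not in the enterprise inventory")
        return Decision.DENY, reasons
    if not device.compliant and (rank >= SENSITIVITY_RANK["sensitive"] or action != "read"):
        reasons.append(f"device '{device.device_id}' fails posture checks for "
                       f"'{action}' on {resource.sensitivity} data")
        return Decision.DENY, reasons

    # 3. Data (ABAC): every attribute the resource tag demands must match the subject.
    for key, wanted in resource.required_attributes.items():
        have = subject.attributes.get(key)
        if have != wanted:
            reasons.append(f"attribute '{key}' is {have!r}, resource requires {wanted!r}")
            return Decision.DENY, reasons

    # 4. Risk: elevated user risk on sensitive data triggers re-authentication
    #    rather than a hard deny, so a legitimate session can recover.
    if subject.risk_score >= RISK_STEP_UP_THRESHOLD and rank >= SENSITIVITY_RANK["sensitive"]:
        reasons.append(f"user risk {subject.risk_score} >= {RISK_STEP_UP_THRESHOLD} "
                       f"on {resource.sensitivity} data")
        return Decision.STEP_UP, reasons

    reasons.append("all zero-trust checks passed")
    return Decision.ALLOW, reasons


def demo() -> dict[str, Decision]:
    """Constructed sample requests, one per rule, so each branch is visible."""
    alice = Subject("alice", "piv", {"org": "cio", "clearance": "secret"}, risk_score=10)
    bob = Subject("bob", "sms", {"org": "cio"})
    carol = Subject("carol", "fido2", {"org": "cio"}, risk_score=85)
    laptop = Device("lap-1", inventoried=True, compliant=True)
    stale = Device("lap-2", inventoried=True, compliant=False)
    byod = Device("byod-9", inventoried=False, compliant=True)
    pii_db = Resource("hr-pii", "sensitive", {"org": "cio"})
    wiki = Resource("intranet-wiki", "internal")
    return {
        "alice/laptop/pii read": decide(alice, laptop, pii_db, "read")[0],
        "bob(sms)/laptop/wiki read": decide(bob, laptop, wiki, "read")[0],
        "alice/byod/wiki read": decide(alice, byod, wiki, "read")[0],
        "alice/stale/wiki read": decide(alice, stale, wiki, "read")[0],
        "alice/stale/wiki write": decide(alice, stale, wiki, "write")[0],
        "carol(risk 85)/laptop/pii read": decide(carol, laptop, pii_db, "read")[0],
    }


if __name__ == "__main__":
    for request, outcome in demo().items():
        print(f"{request:32s} -> {outcome.value}")
```

The ordering of the rules is a design choice worth keeping: the authenticator and inventory checks come first because they are cheap and never overridden, the ABAC check sits on the resource tags rather than on network location, and user risk produces a step-up instead of a deny so that telemetry-driven decisions do not lock legitimate staff out. In production the attribute and posture inputs would come from the ICAM system and the device inventory rather than from inline objects.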
Operational readiness includes training, change management, and communications to workforce and mission partners.
Governance and oversight
M-22-09 emphasizes governance at multiple levels:
- Agency leadership. Agency heads must designate accountable executives for each zero-trust pillar, with the CIO and CISO overseeing implementation. Governance boards should include mission teams to ensure alignment with business priorities.
- Reporting cadence. Agencies report progress to OMB and CISA through the memo’s implementation plans and budget estimates and through the annual FISMA CIO metrics, including MFA adoption, logging coverage, and milestone status. Internal dashboards should track progress against ZTIPs and flag risks.
- Risk management. Integrate zero-trust initiatives into Enterprise Risk Management (ERM) frameworks, ensuring that delays or control gaps are escalated to senior leadership. Align with Federal Information Security Modernization Act (FISMA) reporting.
- Cross-agency collaboration. Participate in the Federal Chief Information Security Officer Council, CISA working groups, and shared services forums to share good practices and coordinate investments.
Internal audit and inspector general offices should plan assessments of zero-trust progress, focusing on control design, implementation, and documentation.
Sourcing and industry engagement
Agencies depend on contractors, integrators, and cloud service providers to achieve zero trust. Procurement teams must:
- Update acquisition policies. Embed zero-trust requirements into solicitations, statements of work, and contract performance metrics. Reference NIST standards, CISA guidance, and FedRAMP baselines.
- Assess vendor capabilities. Require attestations for MFA support, device posture integrations, logging, and secure software development. Evaluate vendors’ ability to deliver automation, AI-driven detection, and compliance reporting.
- Use government-wide vehicles. Buy zero-trust technologies through existing contract vehicles such as GSA’s Enterprise Infrastructure Solutions (EIS) and the 8(a) STARS III GWAC. Coordinate with CISA’s CDM program (within the Department of Homeland Security) and its DEFEND task orders for sensor deployments.
- Manage contractor compliance. Monitor contractor adoption of zero-trust principles, including secure access for remote staff, supply chain risk management, the basic safeguarding controls of FAR 52.204-21, and the incident reporting obligations written into their contracts.
Agencies should also engage industry associations, such as ACT-IAC and AFCEA, to benchmark solutions and gather lessons learned.
Metrics and performance management
M-22-09 expects agencies to track progress through measurable metrics, such as:
- Percentage of users and privileged accounts enrolled in phishing-resistant MFA.
- Coverage of device inventory with continuous monitoring and compliance enforcement.
- Percentage of applications protected by application-layer proxies and secure access brokers.
- Proportion of critical data assets tagged with access policies and encrypted at rest/in transit.
- Mean time to detect and respond to security incidents using zero-trust telemetry.
These metrics should feed into CyberScope reporting, FISMA scorecards, and internal performance reviews.
Change management and workforce enablement
Zero trust transformation depends on workforce readiness:
- Training programs. Develop curricula for IT staff, mission owners, and contractors covering zero-trust concepts, new toolsets, and security responsibilities.
- Communication plans. Provide clear messaging on MFA enrollment, access changes, and expectations for remote work. Use change champions to support adoption.
- Talent acquisition. Address skills gaps by recruiting cybersecurity architects, cloud engineers, and data governance specialists. Consider re-skilling programs and hiring flexibilities such as DHS’s Cybersecurity Talent Management System (CTMS).
Agencies should document workforce plans within ZTIPs and coordinate with OPM for classification and pay flexibility.
Future outlook
OMB and CISA will update zero-trust guidance as technology evolves. Agencies should anticipate integration with initiatives such as the Joint Cyber Defense Collaborative (JCDC), CISA’s Protective DNS service, and the Federal Secure Cloud Advisory Committee. Proposed updates to FISMA (such as the Federal Information Security Modernization Act of 2022 bill) may codify elements of zero trust, while the National Cybersecurity Strategy emphasizes secure-by-design principles that align with M-22-09. Disciplined governance, operational execution, and sourcing partnerships are what will carry agencies through the FY2024 milestones and toward resilient digital services.
Key resources
This brief guides federal and contractor teams through zero-trust planning, tooling selection, and performance analytics to satisfy M-22-09 milestones.
Documentation
- OMB Memorandum M-22-09 — Moving the U.S. Government Toward Zero Trust Cybersecurity Principles — whitehouse.gov
- CISA Zero Trust Maturity Model — cisa.gov
- ISO/IEC 27001:2022 — Information Security Management Systems — International Organization for Standardization