Cybersecurity Retrospective Briefing — March 15, 2022
Foundational zero-trust guidance, emergency directives, vulnerability remediation orders, and incident reporting laws from 2020-2022 still define Zeph Tech cybersecurity baselines.
Why it matters: From late 2020 through March 2022, the federal government published the playbooks that continue to govern enterprise cyber resilience. Zero trust architecture moved from NIST guidance to White House mandates, CISA tightened vulnerability remediation expectations, and Congress handed CISA new reporting authorities.
September 2020 — NIST Special Publication 800-207 on Zero Trust Architecture. NIST finalised the reference architecture that federal and private-sector defenders use to modernise identity, network, and data protections. SP 800-207 sets the vocabulary and deployment patterns for zero trust programmes.
- The guidance outlines policy decision points, continuous diagnostics, and micro-segmentation controls needed to defend hybrid environments.
- It emphasises strong identity governance, device health checks, and data-level access enforcement that agencies now map into OMB targets.
December 2020 — CISA Emergency Directive 21-01 on SolarWinds Orion. Federal agencies were ordered to disconnect compromised SolarWinds Orion assets and follow immediate forensic guidance. The directive codified incident response actions for the supply-chain compromise.
- Agencies had to forensically image affected servers, harden authentication, and report compromise indicators within 12 hours.
- The directive remained active until CISA validated upgraded Orion code, and it required ongoing incident response plans.
May 2021 — Executive Order 14028 on Improving the Nation’s Cybersecurity. The EO mandated federal zero-trust adoption, software supply chain reporting, and CISA cloud logging pilots. The order still drives procurement requirements for software bills of materials and secure development attestations.
- It required agencies to adopt multi-factor authentication, encryption, and endpoint detection within 180 days.
- Commerce and NIST were tasked with drafting software supply chain guidance and critical software definitions adopted across industry.
November 2021 — CISA Binding Operational Directive 22-01. CISA created the Known Exploited Vulnerabilities (KEV) catalog and set aggressive remediation timelines for federal agencies. The directive remains the benchmark for vulnerability prioritisation across government and industry.
- Agencies must remediate KEV-listed flaws within two weeks (or sooner for some entries) and report completion through CyberScope.
- The directive obligates asset inventories and vulnerability management processes that mirror best practices for critical infrastructure owners.
January 2022 — OMB Memorandum M-22-09 (Federal Zero Trust Strategy). OMB operationalised the EO 14028 mandates by requiring agencies to hit zero trust maturity targets by the end of fiscal year 2024. The memo sets concrete milestones for identity, device, network, application, and data security pillars.
- Agencies must deploy phishing-resistant multi-factor authentication, endpoint detection and response, and encrypted DNS within specific deadlines.
- The strategy mandates enterprise logging architectures and cloud security posture management that agencies document in zero trust implementation plans.
March 2022 — Cyber Incident Reporting for Critical Infrastructure Act. Congress granted CISA authority to mandate 72-hour incident reports and 24-hour ransom payment notices for covered entities. Division Y of Public Law 117-103 established the reporting framework and rulemaking timeline.
- CISA must propose implementing regulations within 24 months and finalise them within 18 months of the proposal.
- Covered entities face subpoena-backed reporting obligations, preservation requirements, and liability protections once the final rule takes effect.
Action for operators: Align zero trust roadmaps, vulnerability remediation SLAs, and incident reporting drills with these mandates—the documents still underpin every major federal cyber performance review.