Federal agencies must implement a zero trust architecture by fiscal year 2024


On January 26, the White House issued a federal zero trust architecture (ZTA) strategy, setting cybersecurity objectives and standards that will enhance the federal government’s cyber defenses.

What's in the memo?

The Office of Management and Budget (OMB) Memo (M-22-09) lays out requirements and deadlines for federal agencies to transition to a zero trust architecture. The document is another step toward enhancing the federal government’s cybersecurity posture as outlined in President Biden’s May 2021 Executive Order (EO) 14028 Improving the Nation’s Cybersecurity

The memo gives agency leaders timelines to meet on the way to full ZTA implementation by FY24. Within 30 days, agencies must identify a ZTA strategy implementation lead. Agency leaders have 60 days to begin incorporating the requirements into their ZTA strategies and provide them to OMB and the Cybersecurity and Infrastructure Security Agency (CISA).

OMB states that agencies will need to internally resource funding in FY22 and FY23 to meet the requirements and identify funding needs for the FY24 budget request. This means agencies will need to reprogram funding and prioritize zero trust efforts within their current funding levels for the next two fiscal years. 

What is zero trust?

The conventional approach to a perimeter-focused cybersecurity posture is no longer sufficient to defend against new and evolving threats, OMB says, and a “transition to a zero trust approach to security provides a defensible architecture for this new environment.” 

A zero trust model assumes “that no actor, system, network, or service operating outside or within the security perimeter is trusted.” Verifying every connection and device is critical to meeting this requirement. 

Key efforts

To achieve a zero trust security architecture, the memo identifies five top-level lines of effort.

"This strategy envisions a federal government where:

  • Federal staff have enterprise-managed accounts, allowing them to access everything they need to do their job while remaining reliably protected from even targeted, sophisticated phishing attacks. 
  • The devices that federal staff use to do their jobs are consistently tracked and monitored, and the security posture of those devices is taken into account when granting access to internal resources. 
  • Agency systems are isolated from each other, and the network traffic flowing between and within them is reliably encrypted. 
  • Enterprise applications are tested internally and externally, and can be made available to staff securely over the internet. 
  • Federal security teams and data teams work together to develop data categories and security rules to automatically detect and ultimately block unauthorized access to sensitive information."

In particular, the strategy emphasizes the need for multi-factor authentication (MFA), encrypting domain name system (DNS) requests and HTTP traffic within agency environments, maintaining a comprehensive device inventory and system isolation.

As the lead agency responsible for federal cybersecurity, CISA will support agencies with capabilities and guidance during their transitions. CISA, in conjunction with OMB, will also review agency implementation plans.

The strategic goals align with the five pillars of CISA’s zero trust maturity model:

"1. Identity: Agency staff use enterprise-managed identities to access the applications they use in their work. Phishing-resistant MFA protects those personnel from sophisticated online attacks.

2. Devices: The federal government has a complete inventory of every device it operates and authorizes for government use, and can prevent, detect, and respond to incidents on those devices.

3. Networks: Agencies encrypt all DNS requests and HTTP traffic within their environment, and begin executing a plan to break down their perimeters into isolated environments.

4. Applications and Workloads: Agencies treat all applications as internet-connected, routinely subject their applications to rigorous empirical testing, and welcome external vulnerability reports.

5. Data: Agencies are on a clear, shared path to deploy protections that make use of thorough data categorization. Agencies are taking advantage of cloud security services to monitor access to their sensitive data, and have implemented enterprise-wide logging and information sharing."

CISA’s many existing security programs will serve as key enablers to meet zero trust requirements. Agencies will also work with CISA to ensure their tools meet the proper specifications and coordinate deployment.

For example, the memo directs agencies to leverage CISA’s Protective DNS program and work with CISA to preload their “.gov” domains as only accessible of HTTPS. Large-scale CISA programs like Continuous Diagnostics and Mitigation (CDM), will be enhanced to “better support cloud-oriented Federal architecture” to manage digital asset inventory.

CISA, along with GSA, will also work to provide agencies with rapid procurement options as well as access to valuable historical data.

This strategy to implement a zero trust approach is a key part of the government’s overall efforts to bolster its cybersecurity posture. As OMB notes, “the Federal Government executes unique and deeply challenging missions” and cyberattacks against government networks can impact many facets of our daily lives.

To learn how to implement zero trust browsing isolation, check out Silo for Safe Access on our website.

About the Author

Abel Vandegrift
Abel Vandegrift
Washington, D.C.

As Director of Government Strategy at Authentic8, Abel advises the federal business team on policy development and budget trends to identify growth opportunities and shape customer engagement.

Related Resources


New White House action improves security of nation’s most sensitive systems

Presidential action expands the oversight role for the NSA regarding national security systems

Data Sheet
Data Sheet

Zero-trust application access

Securely grant access to your most valuable applications through a locked-down, fully isolated cloud environment that centralizes visibility and gives IT fine-tuned control.

Data Sheet
Data Sheet

Secure web access

Take control of the web access. Securely enable browsing and email link access through an isolated, cloud-delivered web browsing environment that gives IT centralized visibility and fine-tuned policy control.