OMB Memorandum M-22-09 Federal Zero Trust Strategy

December 1, 2022

The OMB Memorandum M-22-09 Federal Zero Trust Strategy focuses on application security, modern authentication, and web isolation. These technologies are essential to protect data and websites in the Federal sector. However, to effectively implement these strategies, agencies must be equipped with the right expertise and tools.

OMB Memorandum M-22-09 Federal Zero Trust Strategy

On January 26, 2022, the Office of Management and Budget (OMB) published OMB Memorandum M-22-09. The memo outlines the Federal Zero Trust Architecture strategy and requires federal agencies to meet certain cybersecurity standards by 2024. Agencies also required to upgrade their IT infrastructures and modernize their security controls. The zero-trust model refers to a system that does not rely on outside services.

The OMB Memorandum M-22-09 details the requirements for agencies to implement Zero Trust solutions and platforms. The demands are aggressive. The memo provides nearly three years for agencies to achieve Zero Trust postures, and it calls for most agencies to have a plan in place to achieve that goal by December 2024. However, the memo doesn’t specify metrics for success.

The Federal Zero Trust Architecture strategy establishes a new benchmark for access controls and requires agencies to meet cybersecurity standards by 2024. It’s based on the zero-trust maturity model developed by the Cybersecurity and Infrastructure Security Agency (CISA). The memo also highlights a critical MFA gap. Currently, many approaches to MFA aren’t sufficiently secure against sophisticated phishing attacks. It also highlights the need for agencies to implement phishing-resistant MFA approaches. Examples include personal identity verification (PIV) and multi-factor authentication.

Application Security

Federal agencies are already making the transition to zero trust. Invicti Federal Sales Manager, Ted Rutsch, spoke with Tony Plater, Chief Information Security Officer of the Navy, about the Navy’s experience in transitioning to zero trust and the cultural shift that take place in Federal agencies.

OMB Memo M-22-09 provides a framework for achieving zero trust security. This framework called the Zero Trust Maturity Model (ZTM). Agencies will expect to work towards securing five key pillars and three major themes. However, many federal agencies are still far from meeting the optimal maturity level.

The DoJ’s formal review highlights the importance of cross-agency collaboration and includes the private sector in knowledge sharing. It also states that there are upwards of 1.9 billion web applications in use today, many of which are used by the government. The federal government has a vital role to play in securing these systems.

Earlier this year, the White House released an Executive Order that aims to protect the public and private sectors from cyberattacks. The order specifies the steps agencies must take in order to create a zero trust national digital infrastructure. It also highlights the priorities of federal agencies and deadlines for meeting the new framework.

Using modern authentication tools is an important part of implementing a zero trust framework. However, M-22-09 does not go into detail about these tools. It does refer to the M-22-01 guidance. Using the proper multi-factor authentication tools will enable agencies to prevent malicious actors from exploiting critical data and systems.

Modern authentication

Federal IT administrators are replacing VPNs with advanced authentication and authorization solutions. These solutions designed to provide better security and simplify the user experience. They also help agencies establish a Zero Trust environment and tighten the security perimeter around sensitive applications. This is particularly important for federal agencies as they move to the cloud for more sensitive applications.

Zero trust architectures limit an attacker’s mobility across a network by requiring specific permission for each resource. This requires a specific policy defined by the agency. Using this approach, the Federal Government is focusing on five pillars of zero trust architecture: identity, device and network security, application and workload security, and data security. A centralized identity provider is essential for this strategy.

Zero trust will help agencies detect and respond to cyber threats more quickly. It will provide a comprehensive roadmap for a new change in basic assumptions in federal cybersecurity. The goal of zero trust is to protect public safety, privacy, and infrastructure. Federal employees have enterprise-managed accounts to help them protect their identities and information from targeted phishing attacks.

In addition to zero trust network access, the Federal Government has also mandated that all federal agencies implement modern authentication and access control solutions to protect sensitive data. This mandate is part of the White House’s strategy for cybersecurity, and is a key step in the government’s cloud migration strategy.

Zero trust security is a far cry from traditional network security. Traditionally, organizations built and managed their networks with a “trust but verify” approach, automatically trusting users and devices within a perimeter. However, this approach also puts organizations at risk from malicious actors stealing credentials from legitimate users. As the cloud and distributed work environments continue to grow, the old model is becoming obsolete.

Web isolation

The Office of Management and Budget published M-22-09 on January 26, 2022, outlining activities agencies must implement to comply with Executive Order 14028. The strategy emphasizes the need to secure the endpoints by delivering only safe content. Web isolation enables organizations to protect themselves from the threats of mobile devices.

The strategy is aimed at improving cybersecurity across Federal agencies. By 2024, federal agencies should have adopted a zero trust architecture, which will protect federal networks and databases from malicious actors. The memorandum also sets out specific cybersecurity standards and deadlines for implementation. This is a major step toward improving the cybersecurity posture of the federal government.

Zero trust security is a strategic priority for the federal government. The Office of Management and Budget issued M-22-09, which outlines the federal government’s goals for zero trust adoption. The goal is to protect government networks and IT infrastructures from malicious actors and other threats. However, zero trust does not mean that government applications are open to the internet.

The federal government is moving toward zero trust architectures and the use of endpoint detection and response to prevent cyberattacks. The Biden administration also issued Executive Order 14028, which directed federal agencies to develop a Zero Trust Architecture plan within 60 days. The memo, M-22-09, provides detailed information on how agencies will implement Zero Trust Architecture.

To support these Zero Trust initiatives, agencies are working to enhance their existing security programs and coordinate their deployment. For example, the Federal Government’s Protective DNS program will leverage by agencies. Additionally, existing large-scale CISA programs will enhance to support Federal cloud architectures and digital asset inventory management.

HEAT attacks

The White House recently released three draft guidance documents on Zero Trust security architecture. The documents are meant to provide roadmaps and resources to implement Zero Trust security solutions and address specific challenges that organizations face. In this session, subject matter experts will discuss the importance of Zero Trust Security and the challenges that organizations face when implementing the new security model.

The Executive Order on Improving the Nation’s Cybersecurity directed federal agencies to begin moving toward zero-trust architecture by mid-July 2021. The OMB required to publish security strategy guidance 90 days prior to that date. Unfortunately, that date has passed and the federal agencies are still struggling to meet the deadline.

Implementing an endpoint detection and response (EDR) tool is an essential part of implementing a zero-trust framework. Although the M-22-09 does not go into detail on the specifics of EDR tools, it does emphasize the importance of implementing this technology.

While Zero-Trust architecture may not be easy to implement, it can provide a powerful security platform. The goal of implementing this technology is to make federal agencies’ IT environments more secure and scalable, enabling frictionless and secure interactions between users. The Zero Trust framework requires a flexible and agile security framework that can adapt to rapidly changing environments and user behavior.

Ammar Fakhruddin


Ammar brings in 18 years of experience in strategic solutions and product development in Public Sector, Oil & Gas and Healthcare organizations. He loves solving complex real world business and data problems by bringing in leading-edge solutions that are cost effective, improve customer and employee experience. At Propelex he focuses on helping businesses achieve digital excellence using Smart Data & Cybersecurity solutions.

Data Security Through Data Literacy

Data Security Through Data Literacy

Unlocking data security through data literacy. Explore the pivotal role of understanding data in fortifying cybersecurity measures. Data is now pervasive, and it is important for people to understand how to work with this information. They need to be able to interpret...

Trojan Rigged Tor Browser Bundle Drops Malware

Trojan Rigged Tor Browser Bundle Drops Malware

Trojan Rigged Tor Browser Bundle drops malware. Stay vigilant against cybersecurity threats, and secure your online anonymity with caution. Threat actors have been using Trojanized installers for the Tor browser to distribute clipboard-injector malware that siphons...

Siri Privacy Risks: Unveiling the Dangers

Siri Privacy Risks: Unveiling the Dangers

Unveiling Siri privacy risks: Understand the potential dangers and take steps to enhance your digital assistant's security. Siri is a great piece of technology, but it can also be dangerous to users’ privacy. This is a serious issue that should be addressed....

Recent Case Studies

Press Releases

News & Events


Managed Security Services
Security & Privacy Risk Assessment
Cloud Platform Security
Incident Response & Business Continuity

Penetration Testing

Virtual CISO

Email Security & Phishing



About Us