The federal government’s cybersecurity landscape has undergone a fundamental transformation. Executive Order 14028, signed in May 2021, alongside OMB Memorandum M-22-09, has mandated a comprehensive shift toward Zero Trust Architecture (ZTA) across all federal civilian agencies. This guide provides federal IT leaders, CISOs, and security architects with a strategic roadmap for achieving compliance while building genuinely resilient security infrastructure.
In fiscal year 2023, the number of cybersecurity incident reports by federal agencies in the United States exceeded 32,000 – approximately a 5% increase from the previous year. Traditional perimeter-based defenses have proven inadequate against sophisticated threat actors, including nation-state adversaries who continue to target government systems with increasing frequency and sophistication.
This comprehensive guide explores the regulatory requirements, implementation strategies, and technology solutions – including TerraZone’s truePass Zero Trust Network Access (ZTNA), identity-based segmentation, and microsegmentation capabilities – that enable federal agencies to meet mandated requirements while establishing security postures capable of defending against modern threats.
Understanding the Regulatory Framework
Executive Order 14028: The Foundation of Federal Zero Trust
President Biden’s Executive Order on Improving the Nation’s Cybersecurity (EO 14028) requires federal civilian agencies to establish plans to drive adoption of Zero Trust Architecture. This landmark directive acknowledged that traditional perimeter-based security models are no longer sufficient in an era of cloud computing, distributed workforces, and sophisticated cyber threats.
The Executive Order established several critical mandates:
- Zero Trust Architecture adoption across all federal civilian executive branch (FCEB) agencies
- Multi-factor authentication (MFA) deployment within specific timeframes
- Encryption requirements for data at rest and in transit
- Software supply chain security improvements, including Software Bill of Materials (SBOM) requirements
- Enhanced logging and visibility capabilities for threat detection and incident response
Building on EO 14028, a subsequent executive order in January 2025 directed additional actions to improve the nation’s cybersecurity, focusing on defending digital infrastructure, securing vital services, and addressing threats from nation-state actors including the People’s Republic of China.
OMB M-22-09: The Federal Zero Trust Strategy
OMB Memorandum M-22-09 requires agencies to achieve specific zero trust security goals by the end of Fiscal Year 2024. These goals are organized using the zero trust maturity model developed by CISA.
The memorandum establishes concrete objectives across five complementary pillars:
- Identity: Agency staff use enterprise-managed identities to access the applications they use in their work. Phishing-resistant Multi-Factor Authentication (MFA) protects personnel from sophisticated online attacks.
- Devices: The Federal Government maintains a complete inventory of every device it operates and authorizes for government use, with capabilities to prevent, detect, and respond to incidents on those devices.
- Networks: Agencies encrypt all DNS requests and HTTP traffic within their environment, and begin executing plans to break down perimeters into isolated environments.
- Applications and Workloads: Enterprise applications are tested internally and externally, with secure internet accessibility for authorized staff.
- Data: Federal security teams and data teams work together to develop data categories and security rules to automatically detect and block unauthorized access to sensitive information.
The CISA Zero Trust Maturity Model
CISA’s Zero Trust Maturity Model is one of many roadmaps that agencies can reference as they transition toward a zero trust architecture. The maturity model aims to assist agencies in the development of zero trust strategies and implementation plans.
Maturity Stages
The updated CISA Zero Trust Maturity Model Version 2.0 defines four progressive stages:
Traditional: The starting point for many government organizations, where assessment and identification of gaps helps determine security priorities.
Initial: Organizations have begun implementing automation in areas such as attribute assignment, lifecycle management, and initial cross-pillar solutions including integration of external systems, least privilege strategies, and aggregated visibility.
Advanced: Organizations have progressed toward more sophisticated implementations with enhanced automation and integration.
Optimal: The target state featuring dynamic updates, automated processes, and fully integrated capabilities across all pillars.
CISA Director Jen Easterly explained that the agency found many organizations struggling to make the shift from traditional, perimeter-defense approaches to more advanced zero trust architecture, noting “it was too high a leap to go from traditional to advanced,” which led to adding the Initial stage.
Current Progress and Challenges
Federal Agency Progress
During the Billington Cyber Summit in September 2024, federal Chief Information Officer Clare Martorana noted that the 24 large Chief Financial Officers (CFO) Act agencies “are all in the high 90 percent range” when it comes to meeting the initial goals of the zero trust strategy.
The 2024 Report on the Cybersecurity Posture of the United States highlights that multiple CFO-Act agencies increased their encrypted data by at least 10%, and 92% of federal endpoints are covered by at least one endpoint detection and response (EDR) solution.
Persistent Challenges
Despite significant progress, federal agencies continue to face substantial obstacles:
Legacy System Integration: Federal agencies often operate on a massive scale, and their networks have evolved over time, resulting in layers of legacy architecture and technical debt. As agencies seek to transition to zero trust architecture, they are confronted with the monumental task of reconfiguring their digital foundations while simultaneously ensuring seamless operations.
Data Governance Complexity: Many agency officials point toward the “data” pillar of the strategy as a key long-term challenge. The goal is to deploy protections that make use of thorough data categorization, but agencies face the challenge of organizing loosely structured and dispersed data throughout their enterprises.
Legacy Data Management: “One of the core challenges is dealing with legacy data – how do we apply modern security frameworks and technologies to these entrenched systems and data sets that may be decades old? It’s a persistent issue that will require ongoing effort and strategic innovation.”
Organizational Silos: One of the challenges agencies often face in adopting zero trust is the federated nature of their organizations. “It’s really difficult to provide zero trust protection across the business when you’re deploying capabilities in silos.”
Confidence Gaps: A survey by Merlin Cyber found that approximately 70% of federal IT leaders acknowledge that zero trust has become a higher priority as the number of applications and devices accessing agency resources increases, yet only 55% express strong confidence in their agency’s ability to implement a zero-trust framework effectively.
Phishing-Resistant MFA: A Critical Requirement
OMB M-22-09 sets the groundwork for creating a zero trust architecture for federal agencies, with the goal of meeting objectives by the end of 2024. The basic tenet of zero trust is “never trust, always verify.”
Why Traditional MFA Falls Short
Phishing-resistant MFA is essential because threat actors routinely defeat MFA that relies on SMS- or email-based one-time passcodes: a look-alike login page simply collects the code and relays it to the real service. Phishing-resistant MFA instead relies on cryptographic authenticators built on the FIDO2 standard and the WebAuthn specification (including passkeys, typically unlocked with a biometric or PIN). The authenticator’s signed response is bound to the site’s origin, so a response captured by a look-alike site cannot be replayed against the legitimate one.
Approved Phishing-Resistant Methods
Agencies are permitted under current guidance to use phishing-resistant authenticators that do not yet support PIV or Derived PIV (such as FIDO2 and Web Authentication-based authenticators) to meet the requirements of this strategy.
The primary approved methods include:
- Personal Identity Verification (PIV) Cards – The traditional gold standard for federal authentication
- FIDO2/WebAuthn Security Keys – Hardware tokens providing cryptographic authentication
- Platform Authenticators – Built-in biometric capabilities on laptops and mobile devices
While OMB M-22-09 does not explicitly override HSPD-12, it sets a path forward for ongoing guidance and compliance for logical authentication. It modernizes the HSPD-12 intent to be flexible through adopting new technologies, meeting changing needs, and shifting focus from the credential lifecycle to the identity lifecycle.
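To make the origin binding concrete, the following is an added example (not code from TerraZone or from the page) of the relying-party checks that give a WebAuthn/FIDO2 assertion its phishing resistance: the challenge, the browser-supplied origin, and the authenticator’s RP ID hash must all match before the signature is even considered. The domain names, challenge and credential secret are constructed, and an HMAC stands in for the authenticator’s real ECDSA/EdDSA signature so the example runs offline.

```python
import base64, hashlib, hmac, json

FLAG_UP = 0x01  # user-present bit in the authenticatorData flags byte

def b64url(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def unb64url(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def verify_assertion(rp_id, allowed_origins, expected_challenge,
                     client_data_json, auth_data, signature, verify_sig):
    # Relying-party checks on a 'webauthn.get' assertion; returns (ok, reason).
    try:
        cd = json.loads(client_data_json)
    except ValueError:
        return False, "clientDataJSON is not valid JSON"
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    # Challenge binding: the assertion answers this login attempt only.
    if not hmac.compare_digest(unb64url(cd.get("challenge", "")), expected_challenge):
        return False, "challenge mismatch (stale or replayed assertion)"
    # Origin binding: the browser, not the page, writes this field, so a
    # look-alike phishing site yields its own origin and is rejected here.
    if cd.get("origin") not in allowed_origins:
        return False, "origin %r not allowed" % cd.get("origin")
    if len(auth_data) < 37:
        return False, "authenticatorData too short"
    # RP ID binding: the authenticator signs over a hash of the RP ID it was given.
    if not hmac.compare_digest(auth_data[:32], hashlib.sha256(rp_id.encode()).digest()):
        return False, "rpIdHash mismatch"
    if not auth_data[32] & FLAG_UP:
        return False, "user presence not asserted"
    signed = auth_data + hashlib.sha256(client_data_json).digest()
    return (True, "ok") if verify_sig(signed, signature) else (False, "bad signature")

def make_assertion(rp_id, origin, challenge, key):
    # Constructed browser+authenticator stand-in; HMAC-SHA256 replaces the real signature.
    cdj = json.dumps({"type": "webauthn.get", "challenge": b64url(challenge),
                      "origin": origin}).encode()
    auth_data = (hashlib.sha256(rp_id.encode()).digest() + bytes([FLAG_UP])
                 + (1).to_bytes(4, "big"))  # rpIdHash | flags | signCount
    return cdj, auth_data, hmac.new(key, auth_data + hashlib.sha256(cdj).digest(), "sha256").digest()

def demo():
    key = b"constructed-credential-secret"  # stands in for the credential key pair
    rp_id, origin = "agency.example.gov", "https://agency.example.gov"
    challenge = hashlib.sha256(b"constructed-login-challenge").digest()
    verify = lambda data, sig: hmac.compare_digest(hmac.new(key, data, "sha256").digest(), sig)
    legit = verify_assertion(rp_id, {origin}, challenge,
                             *make_assertion(rp_id, origin, challenge, key), verify)
    # A relay at a look-alike domain forwards the real challenge, but the victim's
    # browser records the look-alike origin and RP ID, so the assertion is rejected.
    phished = verify_assertion(rp_id, {origin}, challenge, *make_assertion(
        "agency-example.gov", "https://agency-example.gov", challenge, key), verify)
    return legit, phished
```

In a real deployment the look-alike site’s browser would also scope the request to the look-alike RP ID, for which the authenticator holds no credential at all; the simulation still produces an assertion so the relying-party rejection can be shown.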
Microsegmentation: Stopping Lateral Movement
The Critical Role of Network Segmentation
Microsegmentation is a critical component of Zero Trust Architecture that reduces the attack surface, limits lateral movement, and enhances visibility for monitoring smaller, isolated groups of resources.
EO 14028 and OMB M-22-09 require agencies to “meaningfully isolate environments” to stop lateral movement and contain threats, outlining three enforcement points: device/user, SASE, and microsegmentation.
Benefits for Federal Agencies
Microsegmentation closes the gaps left by perimeter-only defenses by isolating workloads, applications, and endpoints, so that even if attackers breach one segment, they are detected and contained before they can move across the network.
Key benefits include:
Reduced Attack Surface: The principal value of microsegmentation lies in its ability to remove unnecessary connection points, particularly to external entry points, and isolate breaches in segmented zones.
Simplified Compliance: Microsegmentation simplifies complying with regulations and best practices, whether FISMA, HIPAA, or region-specific requirements like GDPR. Microsegmentation’s ability to define the scope of and prevent lateral movement helps organizations meet an array of compliance standards.
Enhanced Visibility: Because each segment is small and isolated, its traffic is easier to monitor, and access to applications can be secured at the level of individual functions or resources, granted according to the trust signals evaluated for each request.
Implementation Approach
Transitioning an organization from existing traditional segmentation, which relied on large-scale perimeters with limited technical capabilities, to fine-tuned microsegmentation requires a paradigm shift that leaders must champion. Successful adoption of microsegmentation will improve enterprise cybersecurity and availability.
At the National Transportation Safety Board (NTSB), the security team found that “traditional security measures protect north-south movement; it’s easy to monitor traffic going in and out of the system. Preventing the lateral movement – the east-west movement – that is much more valuable.”
TerraZone Solutions for Federal Zero Trust
TerraZone provides comprehensive Zero Trust solutions specifically designed to address federal compliance requirements while delivering enterprise-grade security capabilities.
truePass: Zero Trust Network Access
TerraZone’s truePass platform delivers Secure Application Access built on Zero Trust principles. The platform enables organizations to achieve true Zero Trust strategy across network applications by providing access to resources only after identity has been established – preventing insider threats and minimizing data exposure.
Key Capabilities:
- Patented Reverse Access Technology: Eliminates the need for open firewall ports while allowing secured application access between networks. This technology keeps your network hidden from the outside at all times – if you can’t be seen, you can’t be hacked.
- Identity-Based Access Control: Users are granted access only after authentication, with no client software or VPN required. Unlike VPN gateways, which must be reachable from the internet before a user authenticates (exposing the listening service to attackers), truePass enforces authentication before any connectivity to the application is granted.
- Flexible Deployment Options: Choose from on-premises, cloud, or hybrid deployment to best fit your organization’s needs – with no infrastructure changes required.
- Behavioral Analytics: The proprietary Telepath Behavioral Analytics tool detects malicious insiders and bots, catching them before they can do harm.
Identity-Based Segmentation
TerraZone’s identity-based segmentation approach provides:
- Identity-Based Firewall (IDFW): Firewall capabilities embedded directly into endpoints ensure only authenticated and authorized users can access sensitive data and systems, preventing unauthorized access even if credentials are stolen.
- Micro-Segmentation: Network segments are isolated to reduce the attack surface and contain potential breaches. Each endpoint acts as its own segment, ensuring that even if one is compromised, the breach does not spread across the network.
- Device and System Checks: Continuous evaluation of device security posture ensures compliance with security policies, including checks on firewall status, running processes, services, and geolocation.
Secure Data Exchange
TerraZone’s Secure Data Exchange (SDE) platform addresses the critical challenge of securing data in motion – a key requirement under both EO 14028 and OMB M-22-09:
- End-to-End Encryption: 256-bit AES encryption for data at rest and in transit
- DLP Integration: Automatic enforcement of data loss prevention policies on outgoing and incoming data flows
- Full Audit Trail: Complete logging of “where, what, who, and when” for all data exchanges
- Multi-Protocol Support: Supports SFTP, HTTPS, WebDAV, and 120+ connectors to enterprise applications
Implementation Roadmap
Phase 1: Assessment and Planning (Months 1-3)
Conduct Security Assessment
- Inventory all assets, applications, and data flows
- Map current authentication and access control mechanisms
- Identify gaps against CISA Zero Trust Maturity Model
- Document legacy systems requiring special consideration
Establish Governance
- Designate Zero Trust implementation lead (required within 30 days of M-22-09)
- Create cross-functional implementation team
- Develop budget estimates and resource allocation plans
- Align with agency-wide IT modernization initiatives
Phase 2: Identity Foundation (Months 4-8)
Deploy Phishing-Resistant MFA
- Implement FIDO2/WebAuthn for cloud and modern applications
- Integrate with existing PIV infrastructure where applicable
- Establish account recovery procedures meeting security requirements
- Train users on new authentication methods
Centralize Identity Management
- Deploy enterprise identity provider
- Implement single sign-on (SSO) across applications
- Establish automated provisioning and deprovisioning
- Configure conditional access policies based on risk signals
Phase 3: Network Transformation (Months 9-14)
Implement Microsegmentation
- Begin with high-value assets and critical applications
- Deploy TerraZone identity-based segmentation
- Create policies based on workload identity rather than IP addresses
- Test and validate segmentation before production deployment
Encrypt All Traffic
- Encrypt DNS requests throughout the environment
- Deploy HTTPS for all internal web traffic
- Implement encrypted protocols for legacy applications
- Establish certificate management processes
Phase 4: Application and Data Security (Months 15-20)
Secure Application Access
- Deploy TerraZone truePass for application-level access control
- Make applications accessible over the internet with proper security controls
- Implement application vulnerability scanning programs
- Establish continuous monitoring for application security
Data Categorization and Protection
- Develop data classification framework
- Implement automated data discovery and tagging
- Deploy data loss prevention controls
- Establish data access logging and monitoring
Phase 5: Continuous Improvement (Ongoing)
Monitor and Optimize
- Implement comprehensive logging per OMB M-21-31 requirements
- Deploy behavioral analytics for anomaly detection
- Conduct regular security assessments and penetration testing
- Update policies based on threat intelligence
Measure Maturity Progress
- Track progress against CISA Zero Trust Maturity Model
- Report metrics through FISMA CIO reporting
- Identify areas for advancement to higher maturity stages
- Document lessons learned and best practices
Best Practices for Success
Start with Quick Wins
“A lot of progress on identity, devices and networks” has occurred “because there’s been off-the-shelf solutions to those problems.” Agencies should prioritize areas where mature commercial solutions can accelerate compliance.
Focus on Outcomes, Not Checklists
Federal agencies have seen “a modernization of zero trust” with “maturity and understanding of what customers actually want from an outcome perspective in how they’re thinking about zero trust.”
Ensure Vendor Interoperability
Federal cyber leaders emphasize that no single vendor or product can provide a holistic zero trust architecture. As agencies move into the next phase of zero trust, leaders are calling on the technology industry to ensure their cybersecurity products can be integrated into larger architectures.
Champion Cultural Change
Agencies need to recognize that people and processes need to change to achieve a zero trust approach, in addition to technology needs. Zero Trust requires organizational commitment beyond IT departments.
Looking Ahead: Beyond FY 2024
According to Federal CIO Clare Martorana, Zero Trust is “a continuous journey, not a destination.” While the FY 2024 deadline established important milestones, agencies must continue advancing their security postures.
Emerging Focus Areas
AI and Security Operations: Agencies are increasingly leveraging artificial intelligence for threat detection and automated response, while also addressing the security implications of AI adoption within their environments.
Cloud Security Posture: As agencies continue cloud migration, maintaining consistent security policies across hybrid and multi-cloud environments remains critical.
Supply Chain Security: Software supply chain attacks like SolarWinds have demonstrated the need for comprehensive vendor risk management and SBOM requirements.
DoD Zero Trust Timeline
The DoD has outlined a strategy to reach “target level” zero trust by 2027, focusing on three key methods: assessing current environments, leveraging cloud services, and deploying purpose-built on-premises solutions.
For FY25, the Pentagon has sought $14.5 billion for cyber spending, a $1 billion increase from FY24, including $977 million specifically for zero trust.
Conclusion
The transition to Zero Trust Architecture represents the most significant transformation in federal cybersecurity in decades. Zero Trust is a security approach with the core principle of “never trust, always verify.” It assumes no user, device, or service is inherently trustworthy, even if already inside the government network.
Government agencies are now ahead of corporations in adopting and implementing zero trust security architecture, with 72% of government organizations already utilizing a zero trust framework compared to 56% of companies.
Success requires more than technology deployment – it demands organizational commitment, process transformation, and sustained investment. TerraZone’s comprehensive suite of Zero Trust solutions – including truePass ZTNA, identity-based segmentation, and secure data exchange – provides federal agencies with the capabilities needed to meet compliance requirements while building genuinely resilient security infrastructures.
The threat landscape will continue evolving, but agencies that successfully implement Zero Trust Architecture will be positioned to adapt and defend against whatever challenges emerge. The time for action is now.
About TerraZone
TerraZone is a cybersecurity company dedicated to preventing unauthorized access and use of high-threat services and data, inside and outside the organization perimeter. With solutions spanning Zero Trust Network Access, identity-based segmentation, secure data exchange, and managed file transfer, TerraZone enables federal agencies and enterprises to meet the most demanding security and compliance requirements.