[ ← Back to Sequenxa Intelligence ]

Sequenxa Intelligence

[ Intelligence ]

M-22-09: What the Federal Zero Trust Strategy Requires

The SolarWinds supply chain attack compromised at least 18,000 organizations and multiple U.S. federal agencies through a single trusted software update. The breach succeeded because trusted systems were treated as safe by default. That is the exact assumption zero trust is designed to remove.

September 7, 20256 min read
M-22-09: What the Federal Zero Trust Strategy Requires

The SolarWinds supply chain attack compromised at least 18,000 organizations and multiple U.S. federal agencies through a single trusted software update. The breach succeeded because trusted systems were treated as safe by default. That is the exact assumption zero trust is designed to remove. (White House Office of Management and Budget, 2022)


On January 26, 2022, the White House Office of Management and Budget issued Memorandum M-22-09, titled Moving the U.S. Government Toward Zero Trust Cybersecurity Principles. It required every federal civilian executive branch agency to meet specific zero trust architecture objectives by the end of Fiscal Year 2024, under Executive Order 14028, which launched a government-wide cybersecurity overhaul after repeated incidents exposed the limits of perimeter-based defense. (White House Office of Management and Budget, 2022; GovCDO IQ, 2024)


M-22-09 matters beyond government. It is the clearest public blueprint available for how a mature zero trust program should work across five pillars: Identity, Devices, Networks, Applications and Workloads, and Data.


What Is Zero Trust?


Zero trust is not a product. It is an architectural model built on one principle: no actor, system, network, or service is trusted by default, whether inside or outside the organizational perimeter. (White House Office of Management and Budget, 2022)


Traditional security assumes internal networks are safer than external ones. Zero trust assumes the environment may already be compromised, so every access request must be evaluated based on identity, device health, and context. Network location is not a trust signal. (White House Office of Management and Budget, 2022)


"The foundational tenet of the Zero Trust Model is that no actor, system, network, or service operating outside or within the security perimeter is trusted. Instead, we must verify anything and everything attempting to establish access." (White House Office of Management and Budget, 2022)


What M-22-09 Requires


M-22-09 organizes federal agency requirements around the CISA Zero Trust Maturity Model's five pillars. Each pillar addresses a distinct attack surface. Together, they form an integrated architecture that replaces perimeter trust with continuous verification. (White House Office of Management and Budget, 2022; GovCDO IQ, 2024)
Identity. Agencies must use centralized enterprise-managed identities for all staff, contractors, and partners. Phishing-resistant MFA must be enforced at the application layer, not the network layer. Password policies must stop requiring special characters and regular rotation, practices that produce weaker real-world security behavior rather than stronger. (White House Office of Management and Budget, 2022)


Devices. All devices accessing federal systems must be tracked and inventoried. Device security posture, whether the device is compliant, updated, and free of known vulnerabilities, must factor into every access decision. Agencies must deploy endpoint detection and response tools meeting CISA requirements. (White House Office of Management and Budget, 2022)


Networks. All DNS requests and HTTP traffic must be encrypted. Internal network traffic must also be encrypted. No network, including internal agency networks, is treated as implicitly trusted. Agencies must stop routing application access through specific physical networks. (White House Office of Management and Budget, 2022)


Applications and Workloads. Applications must be tested as adversaries would test them. Agencies must support external coordinated vulnerability disclosure. Applications must be accessible to authorized users from the open internet without requiring VPN access to an internal trusted network. (White House Office of Management and Budget, 2022)


Data. Agencies must develop guidance on categorizing data by protection needs and build toward automated security access rules based on data sensitivity. Enterprise-wide logging and information sharing must be implemented. (White House Office of Management and Budget, 2022)


The Five Pillars at a Glance
Why Identity Is the Starting Point


M-22-09 places its most specific requirements at the identity layer because identity is where most modern intrusions begin. The memo requires phishing-resistant MFA, specifically because standard MFA can be bypassed through phishing attacks that capture one-time codes or session tokens. (White House Office of Management and Budget, 2022)


The memo also states that approaching an application from an internal network must not be treated as less risky than approaching it from the public internet. That is a direct break from how most organizations have operated for decades. It forces access decisions to be made based on who is asking and from what device, not simply where the request originated. (White House Office of Management and Budget, 2022)


"Approaching an application from a particular network must not be considered any less risky than approaching it from the public internet." (White House Office of Management and Budget, 2022)


What Private Sector Organizations Can Take From M-22-09


M-22-09 applies to federal civilian agencies, not to private companies. But its threat model is the same one private organizations face. Credential theft, lateral movement, exposed applications, weak device visibility, and incomplete logging are not government-only problems. (White House Office of Management and Budget, 2022; TerraZone, 2025)




The five-pillar model translates directly into private sector priorities:


• Stronger identity governance and phishing-resistant authentication


• Device posture as part of access decisions


• Network encryption and segmentation


• Adversarial application testing programs


• Data classification with centralized logging (White House Office of Management and Budget, 2022; CISA, n.d.)


The CISA Zero Trust Maturity Model, the framework underlying M-22-09, is publicly available and usable by any organization regardless of regulatory status. (CISA, n.d.)


Why Zero Trust Supports Investigations


Zero trust is a prevention model. It is also an evidence model. Continuous logging of identity events, device posture, access decisions, application behavior, and data activity gives investigators the trail needed to reconstruct what happened after an intrusion. (White House Office of Management and Budget, 2022)


Organizations without those controls frequently discover incidents late and struggle to scope them because the evidence was never generated. A zero trust architecture does not prevent every breach, but it does make it possible to detect anomalous access, contain lateral movement, and determine what was reached and when. That matters both for security operations and for post-incident investigation. (White House Office of Management and Budget, 2022; TerraZone, 2025)


For organizations reviewing zero trust readiness, assessing architectural gaps, or investigating suspicious access patterns, our Corporate Intelligence Services team can support the assessment and investigative layer that sits above the technical controls.


Frequently Asked Questions


What is M-22-09?


M-22-09 is the January 26, 2022 OMB memorandum titled Moving the U.S. Government Toward Zero Trust Cybersecurity Principles, which required federal civilian agencies to meet specific zero trust architecture goals by the end of FY 2024. (White House Office of Management and Budget, 2022)


What is the federal zero trust strategy?


The federal government's architecture and implementation model for zero trust, organized around five pillars: Identity, Devices, Networks, Applications and Workloads, and Data. (White House Office of Management and Budget, 2022)


What executive order does M-22-09 implement?


Executive Order 14028, Improving the Nation's Cybersecurity, signed in May 2021. (White House Office of Management and Budget, 2022)


Does M-22-09 apply to private organizations?


No, not directly. But its five-pillar framework reflects best practice for any organization facing sophisticated threat campaigns. (CISA, n.d.; TerraZone, 2025)


What kind of MFA does M-22-09 require?


Phishing-resistant MFA for all agency staff, contractors, and partners, enforced at the application layer. (White House Office of Management and Budget, 2022)


Why does network location no longer count as a trust signal?


Because internal networks can be compromised. Zero trust requires that access decisions be based on identity, device health, and context, not on whether a request originates from within the organization's infrastructure. (White House Office of Management and Budget, 2022)


References


CISA. (n.d.). Zero Trust Maturity Model. Retrieved from https://www.cisa.gov


GovCDO IQ. (2024). OMB M-22-09: Moving the U.S. Government Toward Zero Trust Cybersecurity Principles. Retrieved from https://govcdoiq.org


TerraZone. (2025). The Complete Guide to Implementing Zero Trust in Federal Agencies. Retrieved from https://terrazone.io


White House Office of Management and Budget. (2022). M-22-09: Moving the U.S. Government Toward Zero Trust Cybersecurity Principles. Retrieved from https://www.whitehouse.gov



M-22-09: What the Federal Zero Trust Strategy Requires