Zero Trust has moved well past the buzzword phase in the federal government. Executive Order 14028, signed in May 2021, directed federal agencies to develop Zero Trust Architecture implementation plans. OMB Memorandum M-22-09 (January 2022) set specific goals for agencies to meet by the end of Fiscal Year 2024. In January 2025, CISA published its first comprehensive implementation progress report, giving the public a detailed picture of where the federal civilian executive branch actually stands.
The CISA Zero Trust Maturity Model
CISA's Zero Trust Maturity Model Version 2.0, published in April 2023, is the foundational guidance document for federal agency implementation. It organizes Zero Trust across five pillars: Identity, Devices, Networks, Applications and Workloads, and Data. Within each pillar, it defines four maturity stages: Traditional, Initial, Advanced, and Optimal.
The model is not a checkbox exercise. It is designed to reflect the operational reality that Zero Trust is an ongoing journey, not a one-time deployment. Agencies at the Traditional stage are still relying on perimeter-based security models. Agencies at the Optimal stage have achieved continuous monitoring, automated policy enforcement, and least-privilege access across all five pillars.
What OMB M-22-09 Required by FY 2024
- Identity: All agency staff use enterprise-managed identities; phishing-resistant multifactor authentication is enforced for all agency staff.
- Devices: Agencies have a complete inventory of every device authorized to access federal systems; unknown and unmanaged devices cannot access sensitive data.
- Networks: Agencies encrypt DNS and HTTP traffic; email is fully encrypted in transit.
- Applications: Agencies treat all applications as internet-accessible; applications are tested routinely from the outside.
- Data: Agencies have cataloged their sensitive data categories and deployed protections based on data classification.
Key Findings from the January 2025 CISA Progress Report
The CISA report documents federal civilian executive branch progress from FY 2022 through FY 2024. Agencies showed meaningful progress on identity and MFA adoption, with phishing-resistant MFA deployment representing one of the most significant security improvements during the period. Progress on the Data pillar was the most uneven, reflecting both the difficulty of comprehensive data classification and the varying maturity of data governance programs across agencies.
The report also highlighted areas where agencies struggled: legacy systems that cannot natively support modern authentication mechanisms, inconsistent device inventory programs, and budget constraints that slowed network segmentation initiatives. These patterns matter for contractors because they reveal where agency investment and procurement priority will be concentrated over the next several years.
CISA's July 2025 Next Steps Guidance
In July 2025, CISA released a new guide to help agencies move from initial to advanced maturity stages across each pillar. The guide emphasizes automation as a primary lever: manual processes cannot scale to meet Zero Trust requirements across large federal networks. Agencies are being directed to invest in automated policy enforcement, continuous monitoring pipelines, and machine-speed identity verification.
For technology vendors and contractors, this signals specific capability requirements. Products and services that support Zero Trust must be able to integrate into existing agency toolsets, report on compliance posture in real time, and support phishing-resistant authentication standards such as PIV and FIDO2.
What This Means for Contractors Supporting Federal Environments
- Your access credentials will be subject to stricter identity controls. Expect agencies to enforce phishing-resistant MFA for contractor personnel accessing federal systems.
- Device compliance is becoming a gate, not an afterthought. Contractor devices that access federal systems may need to be enrolled in agency or contractor-managed device compliance programs.
- Network access for contractor personnel is increasingly conditional. Zero Trust network segmentation means contractors may have access to specific segments only, not broader agency networks.
- If you are building or delivering software to federal agencies, your pipeline and tooling will need to support continuous monitoring requirements and may need to integrate with agency security operations toolsets.
- Vendors selling into the federal market should be prepared to demonstrate how their products fit within the CISA ZTMM and map their capabilities to specific pillar requirements.
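One way to encode the first three gates above (phishing-resistant MFA, device compliance, segment-scoped network access) as a single deny-by-default policy decision, written for this page as an added Python example rather than agency or CISA code. The user name, device ids and segment names are constructed placeholders standing in for an agency's IAM and device inventory systems.

```python
# Added example (not CISA, OMB or any agency's code): a deny-by-default policy
# decision function for the contractor access gates described above.
from __future__ import annotations
from dataclasses import dataclass

# Authenticator types the page names as phishing-resistant.
PHISHING_RESISTANT = {"piv", "fido2"}

# Constructed sample data (hypothetical ids): device inventory and contractor
# network-segment grants, standing in for an agency's device and IAM systems.
DEVICE_INVENTORY = {
    "lt-0042": {"managed": True, "compliant": True},
    "lt-0077": {"managed": True, "compliant": False},
}
SEGMENT_GRANTS = {"c.smith": {"seg-app-a"}}

@dataclass
class AccessRequest:
    user: str
    authenticator: str   # "piv", "fido2", "sms-otp", "password", ...
    device_id: str
    target_segment: str  # network segment that hosts the requested resource

def evaluate(req: AccessRequest) -> tuple[bool, str]:
    """Evaluate identity, device and network gates in order; first failure wins."""
    # Identity gate: enterprise-managed identity with phishing-resistant MFA.
    grants = SEGMENT_GRANTS.get(req.user)
    if grants is None:
        return False, "unknown identity"
    if req.authenticator.lower() not in PHISHING_RESISTANT:
        return False, f"authenticator '{req.authenticator}' is not phishing-resistant"
    # Device gate: only inventoried, managed and compliant devices proceed.
    device = DEVICE_INVENTORY.get(req.device_id)
    if device is None or not device["managed"]:
        return False, "device not in inventory or unmanaged"
    if not device["compliant"]:
        return False, "device non-compliant"
    # Network gate: contractors reach only the segments explicitly granted.
    if req.target_segment not in grants:
        return False, f"segment '{req.target_segment}' not granted to contractor"
    return True, "allowed"

if __name__ == "__main__":
    for req in (AccessRequest("c.smith", "fido2", "lt-0042", "seg-app-a"),
                AccessRequest("c.smith", "sms-otp", "lt-0042", "seg-app-a"),
                AccessRequest("c.smith", "piv", "lt-0077", "seg-app-a"),
                AccessRequest("c.smith", "piv", "lt-0042", "seg-core")):
        print(req.user, req.device_id, req.target_segment, "->", evaluate(req))
```

Each denial carries the gate that failed, which is the posture signal the continuous-monitoring pipelines mentioned above need to log.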
Zero Trust is reshaping federal procurement requirements across every technology category. Contractors who understand the CISA maturity model and can speak to how their capabilities support agency Zero Trust goals will have a significant competitive advantage.