OMB M-22-09 Explained: What the Federal Zero Trust Memo Actually Requires

Mike McNelis, Training Camp

OMB M-22-09 is the federal memorandum, issued January 26, 2022, that put the entire U.S. civilian government on a Zero Trust cybersecurity timeline. It set hard deadlines, named the agencies that had to comply, and translated a few years of executive orders and CISA guidance into something that looked a lot more like a project plan than a policy paper. If you have ever heard a federal CIO mutter the phrase “the OMB memo” while looking exhausted, this is the memo they were talking about.

I have spent a fair amount of time over the last several years sitting across the table from defense contractors, federal systems integrators, and a few exhausted agency security teams trying to make sense of what M-22-09 actually requires. The memo itself is around fourteen pages, which sounds short until you read it and realize it is also dense, prescriptive, and tied to a stack of other directives that all have their own acronyms. This piece is the explainer I wish someone had handed me the first time a contractor called and said, “we need to be M-22-09 ready, what does that mean.”

Short version. M-22-09 is the federal Zero Trust strategy memo. It told civilian agencies what they had to do by the end of FY 2024 across five pillars: identity, devices, networks, applications and workloads, and data. The deadlines were real, and follow-on guidance is still being issued.

What Is OMB M-22-09?

OMB M-22-09 is a memorandum issued by the White House Office of Management and Budget on January 26, 2022, formally titled Moving the U.S. Government Toward Zero Trust Cybersecurity Principles. It is addressed to the heads of executive departments and agencies, and it lays out the federal Zero Trust Architecture strategy that civilian agencies were required to implement by the end of Fiscal Year 2024, which closed on September 30, 2024.

A memorandum from OMB sounds bureaucratic, and on paper it is. In practice, OMB memos are how the executive branch tells federal agencies what they have to do, when, and how their performance will be measured. The same office that signs off on agency budgets is also the one that issues these directives, which means there are real teeth behind them. If you ignore an OMB memo, your funding conversations get awkward fast.

M-22-09 specifically addresses Federal Civilian Executive Branch agencies, often shortened to FCEB. The Department of Defense has its own parallel Zero Trust strategy, published by the DoD CIO in October 2022, which lines up with M-22-09 conceptually but follows its own implementation track. Intelligence community agencies run on yet another set of directives. So when people talk about M-22-09, they are usually talking about the civilian side of the federal government: agencies like the Department of Energy, Department of Health and Human Services, Department of Homeland Security, and the rest of the cabinet-level departments and their components.

A useful mental model. M-22-09 is not the law, and it is not a regulation. It is a directive from the executive branch to its own agencies, with deadlines and reporting requirements attached. The closest private sector equivalent would be a CEO sending a strategy memo to every business unit, except the CEO also controls everyone’s budget.

The Executive Order Behind the Memo

M-22-09 did not appear out of nowhere. It is the operational follow-up to Executive Order 14028, “Improving the Nation’s Cybersecurity,” which President Biden signed on May 12, 2021. That executive order arrived a few weeks after the SolarWinds disclosure and the Colonial Pipeline ransomware incident, when federal cybersecurity was, charitably, getting more political attention than usual. EO 14028 directed agencies to modernize cybersecurity, share threat information more aggressively, and adopt Zero Trust as a foundational architecture.

Executive orders are usually high level. They tell the federal government to do a thing without spelling out how. That is where OMB memos come in. Between EO 14028 in May 2021 and M-22-09 in January 2022, OMB and CISA were essentially translating “go adopt Zero Trust” into a concrete playbook with deadlines and metrics. M-22-09 was the playbook. If you want a deeper background on the architecture itself, our piece on what Zero Trust is and why it matters covers the underlying ideas in plain English.

A few related directives sit alongside M-22-09 and often get confused with it. M-21-31 covers logging and incident response data retention. M-22-01 addresses endpoint detection and response. CISA’s Zero Trust Maturity Model, currently at Version 2.0 published in April 2023, is the framework agencies use to measure their progress against M-22-09 goals. Over on the military side, the DoD Zero Trust Strategy and Reference Architecture govern military and intelligence networks. NIST Special Publication 800-207 is the technical foundation that defines what Zero Trust actually means in architectural terms. M-22-09 references most of these and ties them together.

The Five Pillars of M-22-09

The memo organizes its requirements around five pillars borrowed from the CISA Zero Trust Maturity Model. Each pillar carries a vision statement and a set of specific actions agencies were expected to complete. Below is what each one actually means in operational terms.

🛡️ The Five M-22-09 Pillars
IDENTITY

Agencies were required to consolidate identity systems, enforce phishing-resistant multifactor authentication enterprise-wide, and implement MFA at the application layer rather than the network layer. Agency staff use enterprise-managed identities. Partners and contractors are looped in through approved federation models.
DEVICES

Every agency needs a complete inventory of every device authorized for government use, endpoint detection and response coverage on those devices, and the ability to prevent, detect, and respond to incidents at the device level. Device posture has to factor into access decisions.
NETWORKS

Agencies must encrypt all DNS requests and HTTP traffic within their environments and break down their perimeter networks into isolated, segmented environments. The classic flat, trusted internal network is no longer acceptable as a baseline.
APPLICATIONS

Internal applications were expected to be exposed safely to authorized users over public networks where appropriate, with access decisions made based on continuous evaluation rather than network location. Rigorous empirical testing of applications, throughout development and in production, is also part of this pillar.
DATA

Agencies need a clear federal data security strategy: categorization based on sensitivity, automated tagging where feasible, granular access controls, and encryption in transit and at rest. The eventual goal is the ability to detect anomalous access to sensitive data in real time.

Cutting across all five pillars are three themes the memo also calls out: visibility and analytics, automation and orchestration, and governance. Those three are not pillars themselves but capabilities every pillar depends on. You cannot defend what you cannot see, you cannot scale Zero Trust without automation, and none of it sticks without governance to enforce it.
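The pillars above describe an access decision that is made per request from identity assurance, device posture, and data sensitivity, with network location deliberately carrying no weight. The following Python is an added illustration of that decision logic, not code from the memo, from CISA, or from the author; the classes, rule set, sample requests, and log format are constructed assumptions for the example.

```python
"""Toy policy decision point for the access model the five pillars describe.

Constructed example: the inputs, rules and log format are assumptions for
illustration, not an agency's or CISA's reference implementation. Each request is
decided from identity assurance, device posture and data sensitivity; arriving
from the "internal" network earns nothing.
"""
from dataclasses import dataclass

PHISHING_RESISTANT = {"fido2", "piv"}  # the methods the memo names


@dataclass
class Subject:
    user: str
    enterprise_identity: bool  # issued by the central IdP, not a local account
    mfa_method: str            # "fido2", "piv", "push", "sms", "totp" or "none"


@dataclass
class Device:
    device_id: str
    in_inventory: bool         # known to the agency's authorized-device inventory
    edr_healthy: bool          # EDR agent present and reporting
    patched: bool


@dataclass
class Request:
    subject: Subject
    device: Device
    resource: str
    sensitivity: str           # "public", "internal" or "sensitive"
    source_network: str        # "internal" or "public": recorded, never trusted


def decide(req):
    """Return (allow, reasons). Every failed check is named for visibility/analytics."""
    s, d, reasons = req.subject, req.device, []
    if not s.enterprise_identity:
        reasons.append("identity: not an enterprise-managed identity")
    if s.mfa_method not in PHISHING_RESISTANT:
        reasons.append(f"identity: MFA method '{s.mfa_method}' is not phishing-resistant")
    if not d.in_inventory:
        reasons.append("device: not in the authorized device inventory")
    if not d.edr_healthy:
        reasons.append("device: EDR agent missing or unhealthy")
    if req.sensitivity == "sensitive" and not d.patched:
        reasons.append("device: unpatched device may not reach sensitive data")
    # Deliberately no rule on req.source_network: location is not a trust signal.
    return (not reasons), reasons


def decision_log(requests):
    """Evaluate a batch and return structured log entries a SIEM could ingest."""
    entries = []
    for r in requests:
        allow, reasons = decide(r)
        entries.append({"user": r.subject.user, "device": r.device.device_id,
                        "resource": r.resource, "network": r.source_network,
                        "allow": allow, "reasons": reasons})
    return entries


def sample_requests():
    """Constructed requests: the legacy 'inside the perimeter' case beside the Zero Trust case."""
    legacy_user = Subject("alice", enterprise_identity=True, mfa_method="sms")
    legacy_box = Device("unknown-laptop", in_inventory=False, edr_healthy=False, patched=False)
    zt_user = Subject("bob", enterprise_identity=True, mfa_method="fido2")
    zt_box = Device("gfe-0042", in_inventory=True, edr_healthy=True, patched=True)
    stale_box = Device("gfe-0043", in_inventory=True, edr_healthy=True, patched=False)
    return [
        Request(legacy_user, legacy_box, "hr-portal", "sensitive", "internal"),  # denied
        Request(zt_user, zt_box, "hr-portal", "sensitive", "public"),            # allowed
        Request(zt_user, stale_box, "wiki", "internal", "public"),               # allowed
        Request(zt_user, stale_box, "hr-portal", "sensitive", "public"),         # denied
    ]


if __name__ == "__main__":
    for entry in decision_log(sample_requests()):
        print(entry)
```

The first sample request comes from inside the perimeter and is denied on four separate grounds; the second comes from the public internet with a managed identity, phishing-resistant MFA, and a healthy inventoried device, and is allowed. The last pair shows the same device reaching an internal wiki but not sensitive data until it is patched, which is the granular, sensitivity-aware control the data pillar asks for.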

The Deadlines That Made M-22-09 Different

Federal cybersecurity directives often suffer from what I gently call “aspirational compliance.” Lots of “should” and “may,” not much “by Tuesday.” M-22-09 broke that pattern by attaching specific dates to specific actions, which is why it landed harder than most prior memos.

The first deadline was 30 days from issuance, which put it at February 25, 2022. By that date, every covered agency had to designate and identify a Zero Trust strategy implementation lead. One person, one name, in writing to OMB.

The second deadline was 60 days from issuance, March 27, 2022. Agencies that had previously developed implementation plans under EO 14028 had to revise those plans to incorporate the M-22-09 requirements and submit a multi-year implementation plan covering FY 2022 through FY 2024 to OMB for concurrence. They also had to submit budget estimates.

The third and biggest deadline was the end of FY 2024, which fell on September 30, 2024. By that date, agencies were expected to have met the specific cybersecurity goals laid out across the five pillars. Some sub-goals had earlier 12-month or 24-month milestones along the way.

Why the Deadlines Mattered

A federal CIO operating under M-22-09 had three distinct conversations to manage, all happening at the same time. One was internal, getting the agency’s IT, security, and program offices aligned around a multi-pillar transformation. Another was budgetary, convincing appropriators that the cybersecurity line items deserved funding. A third was procurement, figuring out which vendors and integrators could actually deliver against the requirements within the available time.

Forcing all three to happen on the same clock is part of why M-22-09 generated so much vendor activity in the federal market between 2022 and 2024. Identity providers, EDR vendors, microsegmentation platforms, and cloud security tooling all benefited from the surge in agency demand. Some of that demand was real modernization. Plenty of it was checkbox shopping. Both were real.

What M-22-09 Actually Required Agencies to Do

Strip away the framework language and the memo amounts to a fairly concrete checklist. Here are the key things agencies had to put in place by FY 2024.

Phishing-resistant MFA for everyone. Push notifications and SMS codes are not phishing-resistant. The memo explicitly calls for FIDO2/WebAuthn or PIV credentials. Agency staff, contractors with access, and external partners all fall under this requirement at the application layer.

Centralized identity management. The era of agencies running fifteen different identity stores connected by duct tape was officially over. Identity has to flow through a managed enterprise platform, and access decisions across applications need to query that single source of truth.

Complete device inventory and EDR coverage. Agencies have to know every device that touches their network and run endpoint detection and response on those devices. This is also tied to OMB Memorandum M-22-01, which is specifically about EDR.

Encrypted DNS and HTTP traffic. All DNS requests within agency environments must be encrypted, along with all internal HTTP traffic. CISA’s Protective DNS service became the recommended path for many agencies, and the memo explicitly nudged shared services in that direction.

Network microsegmentation. The flat trusted internal network is treated as the legacy that it is. Agencies have to break their environments into smaller isolated segments so that compromise of one system does not automatically grant access to everything else.

Application security testing and exposure. Internal applications need rigorous security testing programs and, where appropriate, should be made directly available to authorized users over public networks rather than hidden behind VPNs. The memo treats VPN as a transitional control, not a destination.

A clear data security strategy. Categorization of data by sensitivity, automated tagging where feasible, encryption in transit and at rest, and granular access controls tied to identity.

Where Things Stand in 2026

The September 30, 2024 deadline came and went. Then-Federal CIO Clare Martorana told a Billington Cybersecurity Summit audience that the 24 CFO Act agencies were in the “high 90 percent” range on completing essential ZTA elements. CISA published a formal Zero Trust Architecture Implementation report on January 29, 2025, walking through agency progress pillar by pillar. The headline takeaway was that meaningful progress had been made, especially on identity and devices, while networks and data remained the harder pillars to operationalize at scale.

M-22-09 itself remains in effect. The follow-up FY 2025 guidance, issued as OMB M-25-04 in January 2025, explicitly directs agencies to continue maturing their Zero Trust architectures and increasing the deployment of critical security tools. OMB Memorandum M-24-14, released in July 2024, set Zero Trust maturation as one of the FY 2026 budget cybersecurity priorities for federal agencies. Translation: Zero Trust funding lines are still active, the reporting is still required, and the metrics under FISMA and CDM are still being collected.

The honest reality from the field is that Zero Trust at the federal level looks more like a long capital improvement project than a one-time compliance push. Agencies that hit FY 2024 milestones are now working on the harder maturity gains. The ones that fell behind are renegotiating budget commitments and implementation plans with OMB. Either way, the architecture is here to stay.

A note on the DoD side: the Department of Defense Zero Trust Strategy, published October 2022, sets a target of full Zero Trust implementation across the department by FY 2027. DoD components are working through a separate framework with seven pillars rather than five. If you work in the defense contractor world, this is the document that probably matters more to you than M-22-09 directly, though the two strategies share most of their underlying assumptions. Our piece on what defense contractors need to know about CMMC covers the contractor compliance side in more depth.

Why M-22-09 Matters Outside the Federal Government

If you do not work for a civilian federal agency, why should you care about an OMB memo? Two reasons.

The first reason is contractor and vendor flow down. If your company sells to the federal government, M-22-09 affects what your customers buy, how they expect those products to integrate, and how they expect you to handle access to their environments. Federal contracts increasingly bake Zero Trust expectations into their statements of work. Even if you are a subcontractor three levels deep, the requirements eventually reach you. Knowing what M-22-09 actually says is part of the job. Our explainer on cybersecurity certifications government contractors actually require is a useful companion read if you are trying to figure out where the credential pieces fit.

The second reason is that federal cybersecurity directives quietly become commercial security expectations. State and local governments adopt federal guidance as their own. Heavily regulated industries like banking, healthcare, and energy use federal frameworks as benchmarks for their own boards and auditors. When the Office of Management and Budget tells the federal government that Zero Trust is the new baseline, the rest of the U.S. economy hears that signal too, and a lot of corporate security strategies start quietly mirroring the same pillars.

For working security professionals, the practical implication is that knowing the M-22-09 framework is now table stakes if you do any kind of federal work, contractor work, or work in a regulated industry. The five pillars and the maturity model show up in audits, RFPs, and architecture reviews. Even when nobody is naming the memo directly, the structure of the conversation comes from it.

🎯 The Bottom Line on M-22-09

OMB M-22-09 is the memo that turned federal Zero Trust from concept into deadline. It applied to civilian agencies, organized everything around five pillars, and forced FY 2024 milestones that pulled identity, device, network, application, and data controls into a single accountable program. The September 30, 2024 deadline has passed, but the memo is still active, the reporting requirements still bite, and the framework is now embedded in how federal cybersecurity gets measured. For agencies, contractors, and vendors who sell into the federal market, this is one of the few cybersecurity documents where reading the actual fourteen pages is genuinely worth the time. You can find the full memo on the White House website, and the supporting CISA Zero Trust Maturity Model is the practical companion you will end up referencing more often.

Frequently Asked Questions About OMB M-22-09

What does OMB M-22-09 stand for?

OMB stands for the Office of Management and Budget, which is part of the Executive Office of the President. M-22-09 is the memorandum’s filing number, indicating it was the ninth memo issued in fiscal year 2022. The full title is “Moving the U.S. Government Toward Zero Trust Cybersecurity Principles.”

When was OMB M-22-09 issued?

OMB issued M-22-09 on January 26, 2022. It was released in support of Executive Order 14028, “Improving the Nation’s Cybersecurity,” which President Biden signed on May 12, 2021.

What is the deadline in OMB M-22-09?

The primary deadline was the end of Fiscal Year 2024, which was September 30, 2024. Earlier interim deadlines included 30 days from issuance to designate a Zero Trust implementation lead and 60 days to submit a multi-year implementation plan to OMB.

What are the five pillars in OMB M-22-09?

The five pillars are Identity, Devices, Networks, Applications and Workloads, and Data. These mirror the CISA Zero Trust Maturity Model. Three additional cross-cutting themes apply across all pillars: visibility and analytics, automation and orchestration, and governance.

Does OMB M-22-09 apply to federal contractors?

Not directly. M-22-09 applies to Federal Civilian Executive Branch agencies. However, agencies regularly flow M-22-09 expectations down into their contracts, so federal contractors with access to agency systems often have to meet the same identity, device, and access standards. Defense contractors fall under the parallel DoD Zero Trust Strategy and CMMC.

What is phishing resistant MFA under M-22-09?

Phishing-resistant MFA refers to authentication methods that cannot be intercepted or relayed by typical phishing attacks. The memo points specifically to FIDO2/WebAuthn protocols and Personal Identity Verification (PIV) credentials. SMS codes, push notifications, and one-time passwords from authenticator apps are not considered phishing-resistant under M-22-09.
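Both the checklist item on phishing-resistant MFA in the requirements section and this answer come down to one mechanism: the browser writes the origin it is actually on into every WebAuthn assertion, and the authenticator scopes each credential to a relying-party ID derived from that origin, so a code or approval cannot be relayed from a look-alike site the way an SMS code or push prompt can. The following Python is an added example of a relying party's verification steps, not code from the memo, from the author, or from any WebAuthn library. The domain names are assumed, and an HMAC stands in for the authenticator's asymmetric signature so the script runs on the standard library alone.

```python
"""Why FIDO2/WebAuthn resists relay: origin and RP ID binding (constructed example).

The authenticator's signature is simulated with HMAC; a real authenticator signs
with a per-credential private key and the relying party verifies with the
registered public key. rp_verify() mirrors the relying-party checks: challenge
freshness, origin match, rpIdHash match, and a signature over
authenticatorData || SHA-256(clientDataJSON). Domains are assumed.
"""
import hashlib
import hmac
import json
import secrets

RP_ID = "login.agency.example"                 # assumed relying-party ID
RP_ORIGIN = "https://login.agency.example"     # assumed legitimate origin
LOOKALIKE_ORIGIN = "https://login-agency.example"  # constructed look-alike domain


def rp_id_hash(rp_id):
    return hashlib.sha256(rp_id.encode()).digest()


class Authenticator:
    """Simulated FIDO2 authenticator: every credential is scoped to one RP ID."""

    def __init__(self):
        self._creds = {}  # (rp_id, credential_id) -> secret (stand-in for the private key)

    def register(self, rp_id):
        cred_id, key = secrets.token_bytes(16), secrets.token_bytes(32)
        self._creds[(rp_id, cred_id)] = key
        return cred_id, key  # the RP stores key as the credential's verification key

    def get_assertion(self, rp_id, cred_id, client_data_json):
        # rp_id comes from the browser, derived from the page origin: a credential
        # registered for the real site does not exist under a look-alike RP ID.
        key = self._creds.get((rp_id, cred_id))
        if key is None:
            return None
        auth_data = rp_id_hash(rp_id) + b"\x01" + (0).to_bytes(4, "big")  # flags, counter
        to_sign = auth_data + hashlib.sha256(client_data_json).digest()
        return auth_data, hmac.new(key, to_sign, "sha256").digest()


def browser_client_data(page_origin, challenge):
    """clientDataJSON is produced by the browser, which records the origin it is really on."""
    return json.dumps({"type": "webauthn.get", "challenge": challenge,
                       "origin": page_origin}).encode()


def rp_verify(stored_key, expected_challenge, client_data_json, auth_data, signature):
    """Relying-party verification. Returns (ok, reason)."""
    cd = json.loads(client_data_json)
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if not hmac.compare_digest(cd.get("challenge", ""), expected_challenge):
        return False, "challenge mismatch (stale or replayed)"
    if cd.get("origin") != RP_ORIGIN:
        return False, f"origin mismatch: {cd.get('origin')}"
    if auth_data[:32] != rp_id_hash(RP_ID):
        return False, "rpIdHash mismatch"
    to_sign = auth_data + hashlib.sha256(client_data_json).digest()
    if not hmac.compare_digest(hmac.new(stored_key, to_sign, "sha256").digest(), signature):
        return False, "bad signature"
    return True, "ok"


def login(page_origin, browser_rp_id, auth, cred_id, stored_key):
    """One ceremony: the real RP issues a fresh challenge and verifies what comes back."""
    challenge = secrets.token_urlsafe(32)
    cdj = browser_client_data(page_origin, challenge)
    assertion = auth.get_assertion(browser_rp_id, cred_id, cdj)
    if assertion is None:
        return False, "authenticator has no credential for this RP ID"
    auth_data, sig = assertion
    return rp_verify(stored_key, challenge, cdj, auth_data, sig)


def demo():
    """Returns (ok, reason) for a legitimate login, a relayed login, and a forced RP ID."""
    auth = Authenticator()
    cred_id, key = auth.register(RP_ID)
    legit = login(RP_ORIGIN, RP_ID, auth, cred_id, key)
    # Relay through the look-alike: the real challenge is forwarded unchanged, but the
    # browser reports the look-alike origin and RP ID, so no credential matches.
    relayed = login(LOOKALIKE_ORIGIN, "login-agency.example", auth, cred_id, key)
    # Even with the correct RP ID somehow supplied, the origin the browser wrote into
    # clientDataJSON still fails the RP's origin check.
    challenge = secrets.token_urlsafe(32)
    cdj = browser_client_data(LOOKALIKE_ORIGIN, challenge)
    auth_data, sig = auth.get_assertion(RP_ID, cred_id, cdj)
    forced = rp_verify(key, challenge, cdj, auth_data, sig)
    return legit, relayed, forced


if __name__ == "__main__":
    for label, (ok, why) in zip(("legitimate", "relayed", "forced-rp-id"), demo()):
        print(f"{label:13s} allow={ok} reason={why}")
```

The contrast with SMS, push, and TOTP is that none of those factors carry the origin: whatever the user approves or types is equally valid wherever it is presented, which is exactly the relay the memo's phishing-resistant requirement is meant to close. Note that origin binding only protects the origin the relying party actually checks, so the RP_ORIGIN comparison is the line production code must never relax.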

Is OMB M-22-09 still in effect in 2026?

Yes. M-22-09 has not been rescinded or superseded. Subsequent OMB guidance, including M-25-04 in January 2025 and M-24-14 in July 2024, explicitly directs agencies to continue maturing their Zero Trust architectures. FISMA reporting and CDM metrics still measure agency progress against M-22-09 goals through 2026 and beyond.

Mike McNelis

CMO & Certification Guru | Training Camp

Mike McNelis is the CMO at Training Camp, where he combines a passion for technology with a hands-on approach to leadership. Beyond overseeing marketing strategy, Mike is actively involved in the technical side of the business — collaborating with clients, shaping learning solutions, and staying connected to the fast-changing world of IT and cybersecurity. He works closely with companies, government agencies, and individuals to help them achieve meaningful certification and workforce development goals.