
Zero Trust Is Not a Product — It's a Journey

· CEdge Corp Cybersecurity

Every major federal IT procurement conversation in 2025 includes Zero Trust. OMB Memorandum M-22-09 set concrete goals with a hard deadline (the end of FY2024), and agencies are under pressure to demonstrate progress. In the rush to comply, a dangerous pattern has emerged: organizations buy products marketed as "Zero Trust" without the organizational readiness to implement the model those products only enable.

Zero Trust Is an Architecture, Not a Vendor

The National Institute of Standards and Technology (NIST) defines Zero Trust in SP 800-207 as "a collection of concepts and ideas designed to minimize uncertainty in enforcing accurate, least privilege per-request access decisions in information systems and services in the face of a network viewed as compromised." The decision is made per request, from current signals, not once at the network edge. No single product makes an agency "Zero Trust compliant."

The principles usually summarized as verify explicitly, enforce least privilege, and assume breach require changes across identity management, device compliance, network segmentation, data classification, and application access. These are organizational and architectural changes first, and technology purchases second: a policy engine is only as good as the identity, device, and data signals the organization can actually feed it.

The Five Pillars Federal Agencies Should Focus On

CISA’s Zero Trust Maturity Model provides a useful framework organized around five pillars:

  1. Identity — Strong, phishing-resistant authentication (PIV/CAC, FIDO2), continuous validation of sessions rather than one-time login, and privileged access management
  2. Devices — Device compliance enforcement before access is granted, endpoint detection and response, hardware-rooted attestation of device state
  3. Networks — Micro-segmentation, encryption of traffic in transit (including internal traffic), software-defined perimeters
  4. Applications & Workloads — Application-layer access controls, CASB integration for SaaS, workload isolation
  5. Data — Data discovery and classification, DLP, access logging whose detail is tied to data sensitivity

In our experience most agencies have made good progress on Identity and are lagging on Data. The hardest pillar, and often the most impactful, is data classification. You cannot apply least-privilege access controls to data whose location and sensitivity you do not know, and a policy engine that receives no classification for a resource has no basis for sizing the privilege it grants.
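To make the per-request decision concrete, the following added example (illustrative code written for this post, not a CEdge product or anything from NIST or CISA) shows a minimal policy decision point that draws one signal from each pillar. The authenticator names, classification ladder, session limit, and sample requests are all assumptions constructed for the example; in a real deployment they come from the IdP, the EDR/MDM platform, and the data-classification inventory. The point it demonstrates is the one made above: a resource with no classification is denied, because the engine cannot size the privilege.

```python
"""Per-request access decision using one signal from each ZTMM pillar.

Added illustration, not CEdge or agency code. Signal names and thresholds
are assumptions chosen for the example.
"""
from dataclasses import dataclass, field
from typing import Optional

# Assumed authenticator strength ladder, weakest to strongest.
AUTH_STRENGTH = {"password": 0, "otp": 1, "piv": 2, "fido2": 2}
PHISHING_RESISTANT = {"piv", "fido2"}

# Assumed data classification ladder; None means the resource was never classified.
SENSITIVITY = {"public": 0, "internal": 1, "cui": 2}


@dataclass
class Request:
    subject: str
    auth_method: str                  # how the session authenticated (Identity)
    session_age_s: int                # seconds since last authentication (Identity)
    device_compliant: Optional[bool]  # EDR/MDM posture; None = unknown (Devices)
    resource: str
    classification: Optional[str]     # from data discovery; None = unknown (Data)
    roles: frozenset = field(default_factory=frozenset)
    required_role: str = ""           # app-level entitlement (Applications & Workloads)


@dataclass
class Decision:
    allow: bool
    reason: str
    log_level: str                    # audit verbosity tied to data sensitivity


def decide(req: Request, max_session_s: int = 3600) -> Decision:
    """Evaluate one request. Every signal is checked; a missing signal fails closed."""
    # Data: with no classification the privilege cannot be sized, so deny.
    if req.classification not in SENSITIVITY:
        return Decision(False, "unclassified resource", "warn")
    level = SENSITIVITY[req.classification]
    log_level = "info" if level < 2 else "audit"

    # Identity: authenticator strength must scale with data sensitivity.
    if req.auth_method not in AUTH_STRENGTH:
        return Decision(False, "unknown authenticator", log_level)
    if level >= 1 and AUTH_STRENGTH[req.auth_method] < 1:
        return Decision(False, "MFA required", log_level)
    if level >= 2 and req.auth_method not in PHISHING_RESISTANT:
        return Decision(False, "phishing-resistant MFA required", log_level)

    # Identity: continuous validation, so a stale session must re-authenticate.
    if req.session_age_s > max_session_s:
        return Decision(False, "session expired; reauthenticate", log_level)

    # Devices: unknown posture is treated exactly like non-compliant.
    if req.device_compliant is not True:
        return Decision(False, "device not attested compliant", log_level)

    # Applications & Workloads: least privilege at the application layer.
    if req.required_role and req.required_role not in req.roles:
        return Decision(False, f"missing role {req.required_role}", log_level)

    return Decision(True, "all pillars satisfied", log_level)


def sample_decisions() -> dict:
    """Constructed requests, one per failure mode plus one that passes."""
    base = dict(subject="alice", session_age_s=120, device_compliant=True,
                resource="hr/records", roles=frozenset({"hr-analyst"}),
                required_role="hr-analyst")
    cases = {
        "cui_with_piv": Request(auth_method="piv", classification="cui", **base),
        "cui_with_otp": Request(auth_method="otp", classification="cui", **base),
        "unclassified": Request(auth_method="piv", classification=None, **base),
        "unknown_device": Request(**{**base, "device_compliant": None},
                                  auth_method="piv", classification="internal"),
        "stale_session": Request(**{**base, "session_age_s": 7200},
                                 auth_method="fido2", classification="internal"),
    }
    return {name: decide(r) for name, r in cases.items()}


if __name__ == "__main__":
    for name, d in sample_decisions().items():
        print(f"{name:15} allow={d.allow!s:5} log={d.log_level:5} {d.reason}")
```

Two design choices carry the argument of this post. First, the checks are ordered so that the Data pillar is consulted before any identity strength is judged: the classification decides how strong the authenticator must be and how verbose the audit trail is, which is why an agency that has not classified its data cannot express a least-privilege policy at all. Second, every "unknown" signal (no classification, no device posture, an unrecognized authenticator) is a denial, not a pass-through; a product that defaults the other way is not implementing the model.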

A Practical Starting Point

Rather than attempting all five pillars simultaneously, we recommend a sequenced approach:

  1. Start with Identity — deploy phishing-resistant MFA organization-wide, then layer in continuous validation of sessions
  2. Instrument your environment — you cannot enforce what you cannot see; build logging and visibility before turning on enforcement, so that each new policy can be validated in monitor-only mode before it blocks anything
  3. Define your protect surface — identify your most critical data and systems and apply Zero Trust controls there first; the effort should expand outward from that core
  4. Measure your ZTMM maturity level — CISA's model defines four stages (Traditional, Initial, Advanced, Optimal) for each pillar, which gives a repeatable way to report progress

Zero Trust is a multi-year program, not a fiscal year deliverable. Agencies that succeed treat it as a continuous capability evolution — not a project with an end date.

Interested in assessing your agency’s Zero Trust maturity? Contact the CEdge team to schedule a no-obligation conversation.
