Zero trust countdown: New OMB memo stresses urgency for modern AppSec
A new OMB memo from the White House is underscoring the need for federal agencies to adopt zero trust architecture in AppSec. Here’s what you need to know.

The White House is following up with a new cybersecurity directive to further improve the security posture of federal agencies. The memo strongly encourages the adoption of zero trust architecture: rather than trusting a request because it originates inside the agency network, agencies should verify every user, device, and connection at each point where data is handed off, so that nothing in their software landscape is implicitly trusted.
This new memorandum by the United States government’s Office of Management and Budget (OMB), memo M-22-09, outlines why zero trust architecture is critical to securing the web applications that federal agencies and the public rely on daily. With the SolarWinds case reminding the government that supply chain security is vital and the recent Log4Shell incident highlighting how important effective incident response can be, finding a path to improved security posture is imperative.
“In the current threat environment, the Federal Government can no longer depend on conventional perimeter-based defenses to protect critical systems and data,” Shalanda Young, Acting Director of OMB, stated in the memo. Young also noted that, as outlined by President Biden’s executive order on cybersecurity, the government needs to act quickly with significant changes to how it handles cybersecurity if it wants to keep up with sophisticated modern threats.
Staying one step ahead of access control issues
The strategy outlined in OMB memo M-22-09 places significant weight on improving enterprise identity and access controls. Concretely, it calls for phishing-resistant multi-factor authentication (MFA) as the new baseline for access, so that a stolen password alone is no longer enough to reach an agency system. Ultimately, it conceptualizes a government that has:
- Enterprise-managed accounts for federal staff, which provide access to everything needed to complete tasks while remaining reliably protected from even targeted phishing attacks
- Devices that are continuously tracked and monitored, with each device's security posture taken into account when it requests access to internal resources
- Isolated agency systems with encryption for network traffic moving between those systems
- Internal and external testing for enterprise applications, which staff can access securely via the internet
- Federal security teams and data teams working together to develop data categories and security rules that automatically detect – and ultimately block – unauthorized access to sensitive information