Home / Guides / Zero Trust for Small Contractors

Zero Trust for Small Contractors: What OMB M-22-09 Means When It Flows Down to You

Focus: zero trust small business Veteran-run · practitioner guide Updated Jul 2026 ~9 min read
The short answer

The federal government went zero trust when OMB issued M-22-09 in January 2022, built on five pillars — Identity, Devices, Networks, Applications & Workloads, and Data. That memo binds federal agencies, not your small shop. But the same philosophy still lands on you, because the agencies you serve expect it and the CMMC and DFARS controls you already owe demand the exact multifactor, segmentation, and encryption practices zero trust is made of. You don't buy "zero trust." You build it, one pillar at a time.

A prime calls and drops a phrase into the requirements conversation — "zero trust" — and half the small contractors I talk to assume a new federal mandate just appeared with their name on it. It didn't. But the instinct to pay attention is right. The policy behind that phrase is real, it's specific, and even though it was written for agencies, it shapes what your customers expect and what your CMMC assessment already grades.

Let me untangle it plainly, because the honest version is more useful than the scary one. Then I'll take the five pillars the federal strategy is built on and translate each one into what a small shop actually does and buys — no enterprise budget, no jargon, just the moves that hold up in an assessment.

What M-22-09 is — and what it isn't

Two documents drive this. First, Executive Order 14028, "Improving the Nation's Cybersecurity," signed May 12, 2021. It pushed the whole federal government toward zero trust and mandated the fundamentals: multifactor authentication, encryption, software supply-chain security, faster breach reporting, and standardized cybersecurity language in federal contracts.

Second, and more specific: OMB Memorandum M-22-09, "Moving the U.S. Government Toward Zero Trust Cybersecurity Principles," issued January 26, 2022. This is the Federal Zero Trust Strategy that implements EO 14028. It set a hard target — agencies were to meet its zero-trust goals by the end of fiscal year 2024, September 30, 2024 — and it leaned hard on one control in particular: phishing-resistant multifactor authentication.

Here's the part that matters for you, and I want to be exact about it: M-22-09 is an order to federal executive agencies. It is not a clause in your contract, and it does not, by itself, create a legal obligation on your business. Anyone selling you "M-22-09 compliance" is selling you a thing that doesn't exist. Agencies comply with M-22-09. Contractors comply with their contracts.

Say this correctly M-22-09 does not legally bind contractors. It's the federal government telling itself to go zero trust. The reason you care isn't the memo — it's that the same expectations reach you through the customers you serve and the CMMC and DFARS controls you're already on the hook for. Frame it that way on any call and you'll sound like someone who's read it, not someone who skimmed a headline.

Why an agency memo lands on your shop anyway

So if it doesn't bind you, why does every prime and program office suddenly talk like it does? Two channels.

Your customers. When an agency reorganizes its entire security posture around never trusting a connection by default, that expectation flows outward to everyone it does business with. Primes flow it down to subs. Program offices ask pointed questions about how you handle identity and data. You may never be legally bound by M-22-09, but you can absolutely lose a teaming spot to a competitor who can speak fluently about how their environment already works this way.

The controls you already owe. This is the concrete one. If you touch Controlled Unclassified Information, you're bound by DFARS 252.204-7012 and the requirement to implement NIST SP 800-171 — 14 control families, 110 requirements — with CMMC certification arriving to verify it. Look at what those controls actually require: multifactor authentication, least-privilege access, network boundary protection, encryption of CUI at rest and in transit, device accountability. That's the zero-trust pillar list wearing a compliance uniform. You were going to build most of this for CMMC regardless. Zero trust is just the philosophy that explains why the controls are shaped the way they are.

The deadline that makes it real November 10, 2026 starts CMMC Phase 2, when Level 2 third-party certification becomes a condition of award on applicable DoD contracts. That's the mechanism that turns "we'd like you to be zero-trust-ish" into "prove you implemented the controls." The pillars below are how you get there.

The five pillars, translated for a small shop

The federal strategy — and the CISA Zero Trust Maturity Model it mirrors — organizes everything into five pillars. Agencies read them as an architecture. You should read them as a checklist of things to go do. Here's the whole map before I break out the ones that need real gear.

  1. Identity — prove people are who they claim, every time.Phishing-resistant hardware MFA on every account that touches CUI, plus managed credentials with real access logs. This is the pillar M-22-09 hammers hardest, and the one assessors fail small shops on most.
  2. Devices — know and control every endpoint.A real inventory of every machine that stores or moves controlled data, plus a documented way to sanitize a drive before a device is reused or retired. If you can't name every device in scope, you don't control them.
  3. Networks — segment, don't trust the flat LAN.Put the CUI machines behind a real boundary — a segmented VLAN behind a firewall that logs — instead of one flat network where everything trusts everything. This is where the enclave approach earns its keep.
  4. Applications & Workloads — least privilege, always.People and services get the minimum access the job requires, and nothing more. Shared admin logins and "everyone's a local admin" are the exact posture zero trust exists to kill.
  5. Data — encrypt it and know where it lives.CUI encrypted at rest and in transit, stored in known locations, moved only through channels built to protect it. The other four pillars all exist to protect this one.

Three of those pillars come down to policy and process — inventory your devices, tighten permissions, know where your data sits. Two of them are where a small shop actually buys something. Let's do those.

Identity: phishing-resistant hardware MFA

If you take one thing from the entire federal zero-trust push, take this: the MFA you're probably using isn't good enough for the standard they're driving toward. A code texted to a phone or read out of an authenticator app can be phished — a convincing fake login page captures it and replays it in seconds. "Phishing-resistant" means the second factor cannot be handed to an attacker even by a user who's been fooled.

A hardware security key does that. It uses the FIDO2 protocol, which cryptographically ties the login to the real website, so a spoofed page gets nothing back. This is the identity pillar in one small piece of metal, and it maps straight to the CMMC IA (Identification & Authentication) control family your assessor grades.

YubiKey 5C NFC

Identity · phishing-resistant MFA

The practitioner default for hardware MFA. FIDO2 over USB-C or NFC means the login is bound to the real site, so a phishing page can't capture and replay it. Buy one per person who touches CUI, plus a couple of spares for the safe so a lost key never locks someone out. This is the single clearest way to satisfy the multifactor requirement the way the federal strategy wants it done.

FIDO2 / WebAuthnUSB-C + NFCIA.L2
View YubiKey 5C NFC on Amazon →

The key handles the login moment. The credentials behind it need a home you can show an assessor — managed passwords, access logs, provisioning and de-provisioning you can prove. That's a vault, and for federal work you want one built to the government's own bar.

Keeper Security

Identity · credential vault

A FedRAMP-authorized, FIPS-validated password manager — the managed-credential backbone the identity pillar assumes you have. Every account provisioned centrally, every access event logged, so when an assessor asks "who has access to what, and how do you know," you have an answer on a screen instead of a shrug. Pairs naturally with the YubiKey: the key proves the person, the vault governs the credential.

FedRAMPFIPS 140-2Access logsAC.L2
Get Keeper →

Networks: segment the boundary

The networks pillar is a direct rejection of the flat office LAN where the guest WiFi, the accountant's PC, and the machine holding a drawing package all sit on the same trusting network. Zero trust says: assume the network is already hostile, and wall the sensitive part off. For a small contractor that means one thing — segmentation behind a real firewall that logs.

This is exactly the move at the heart of scoping CUI down to a small, controlled island. I've written the full playbook for it, because it's also the single biggest lever on what your CMMC assessment costs. Read The CUI Enclave Method for how to carve CUI into a segmented enclave and shrink your assessment boundary, and the Best Firewall for CMMC guide for the specific boxes that enforce the segmentation and produce the logs an assessor asks for. Your ISP's combo router can't segment or log — that's why it's the first thing to replace.

How the pillar maps to the control Segmentation and boundary logging land in the CMMC SC (System & Communications Protection) and AU (Audit & Accountability) families. A firewall that walls off the CUI machines and keeps an exportable log is you implementing the networks pillar in a way an assessor can actually verify.

Devices, Applications & Data: the practical moves

The remaining three pillars don't need a big purchase — they need discipline you can document.

Devices. Keep a real inventory of every endpoint that stores or moves CUI, and have a documented, standards-based way to wipe a drive before any device is reused, returned, or retired. An old drive in a drawer is a breach waiting to be reported. This is the CMMC MP (Media Protection) family, and "we have a process and here's the log" beats "we're pretty sure we deleted it" every time.

Applications & Workloads. Least privilege, enforced. Every person and service gets the minimum access the work requires and nothing extra. Kill the shared admin logins. Stop making everyone a local admin because it's convenient. This is mostly configuration and policy, and it's the pillar that quietly closes the most doors an attacker would otherwise walk through.

Data. The pillar the other four exist to protect. CUI has to be encrypted at rest and in transit, kept in known locations, and moved only through channels built to protect it. For most small shops the sharp edge is email and file sharing — ordinary email was never built to carry controlled data. A purpose-built encrypted platform closes that gap.

PreVeil

Data · encrypted CUI email & files

End-to-end encrypted email and file sharing built specifically for CUI, and a common answer for small contractors who can't send controlled data over regular email and don't want to stand up a full government cloud tenant to do it. It protects the data pillar at rest and in transit — the encryption boundary around CUI that the strategy, and your 800-171 controls, both expect.

End-to-end encryptedCUI email & filesSC.L2MP.L2
Get PreVeil →

The honest limit: don't overstate this

I'll close where I opened, because getting this wrong makes you sound either naive or dishonest, and neither wins federal work.

Read this before you repeat any of it on a call M-22-09 is an agency mandate, not a contractor clause. No one hands you a "zero trust certification." What you get certified against is CMMC, whose controls come from NIST SP 800-171. Zero trust is the philosophy; 800-171 and CMMC are the graded rulebook. Implement the five pillars well and you'll satisfy the controls and sound credible to your customers — but say it as "we've built our environment around zero-trust principles and it maps to our 800-171 controls," never as "we're M-22-09 compliant." One of those is true. The other doesn't mean anything.

Do the pillars because they make you genuinely harder to breach and because they're the same controls your assessment already requires. That's the honest, durable reason — and it happens to be the one that also keeps you eligible for the contract.

Want to know where you stand against those 110 controls right now? The free SPRS score estimator gives you a baseline in about two minutes, before you spend a dollar on hardware.

From principle to paperwork

Building the pillars is half the job. Proving it is the other half.

Zero-trust hardware and process get you secure. What passes the assessment is the documentation: a System Security Plan that describes exactly how you implement identity, segmentation, least-privilege, and encryption, the 20 required policies, a POA&M template, and a per-control SPRS scorer. The CMMC Level 2 DIY Compliance Kit is all of it, editable, built for a small shop doing this itself.

$2,995
one-time · lifetime updates · a fraction of a consultant's retainer
Audit-ready preparation for a fraction of consultant fees — not a substitute for your C3PAO assessment. Not legal advice.
Primary sources
  • OMB M-22-09, Moving the U.S. Government Toward Zero Trust Cybersecurity Principles (Jan 26, 2022) — whitehouse.gov (PDF)
  • CISA, Zero Trust Maturity Model (the five pillars) — cisa.gov/zero-trust-maturity-model
  • NIST, Executive Order 14028: Improving the Nation's Cybersecurity (signed May 12, 2021) — nist.gov
  • CISA, Executive Order on Improving the Nation's Cybersecuritycisa.gov

Frequently asked questions

Does OMB M-22-09 legally require my small business to go zero trust?

No. M-22-09 is a directive to federal executive agencies, not a clause in your contract. It tells agencies to adopt a zero-trust architecture by the end of fiscal year 2024. It does not create a direct legal obligation on contractors. What reaches you is the practical shadow of that policy: the agencies you serve expect zero-trust-style controls, and the CMMC and DFARS requirements you are already bound by demand the same multifactor, access-control, and encryption practices zero trust is built on.

What are the five pillars of the federal zero trust strategy?

Identity, Devices, Networks, Applications and Workloads, and Data. These five pillars come from the CISA Zero Trust Maturity Model and frame OMB M-22-09. For a small contractor they translate cleanly into concrete actions: phishing-resistant hardware MFA for identity, device inventory and sanitization for devices, network segmentation for networks, least-privilege for applications and workloads, and encryption at rest and in transit for data.

What does phishing-resistant MFA actually mean for a small shop?

It means MFA that a fake login page cannot capture and replay. Codes texted to a phone or typed out of an authenticator app can be phished. A hardware security key like a YubiKey uses the FIDO2 protocol, which cryptographically binds the login to the real site, so a spoofed page gets nothing. That is the standard the federal strategy pushes agencies toward, and it is the same identity control your CMMC assessment grades under the IA family.

How is zero trust different from just being CMMC compliant?

Zero trust is a philosophy — never trust a user, device, or connection by default, verify everything, and assume the network is already hostile. CMMC is a certification that checks whether you have implemented specific controls from NIST SP 800-171. They overlap heavily: the multifactor, least-privilege, segmentation, and encryption controls CMMC requires are exactly how you operationalize zero trust in a small environment. Meeting your CMMC controls well is, in practice, most of the way to a zero-trust posture.

Do I need expensive zero-trust software to satisfy this?

No. A small contractor does not buy a single zero-trust product. You buy hardware keys for identity, a real firewall to segment the network, an encrypted platform for CUI email and files, and you tighten permissions and device inventory with policy and process. The pillars are outcomes, not a shopping cart. Most of the spend is modest hardware plus a couple of subscriptions, backed by the documentation that proves you actually do it.

Where does NIST SP 800-171 fit into all this?

NIST SP 800-171 is the control set underneath CMMC Level 2 — 14 control families and 110 requirements. It is the concrete rulebook that turns zero-trust principles into things an assessor can grade: access control, identification and authentication, media protection, system and communications protection, and more. When people say zero trust flows down to contractors, 800-171 is the mechanism it flows through.