The federal government went zero trust when OMB issued M-22-09 in January 2022, built on five pillars — Identity, Devices, Networks, Applications & Workloads, and Data. That memo binds federal agencies, not your small shop. But the same philosophy still lands on you, because the agencies you serve expect it and the CMMC and DFARS controls you already owe demand the exact multifactor, segmentation, and encryption practices zero trust is made of. You don't buy "zero trust." You build it, one pillar at a time.
A prime calls and drops a phrase into the requirements conversation — "zero trust" — and half the small contractors I talk to assume a new federal mandate just appeared with their name on it. It didn't. But the instinct to pay attention is right. The policy behind that phrase is real, it's specific, and even though it was written for agencies, it shapes what your customers expect and what your CMMC assessment already grades.
Let me untangle it plainly, because the honest version is more useful than the scary one. Then I'll take the five pillars the federal strategy is built on and translate each one into what a small shop actually does and buys — no enterprise budget, no jargon, just the moves that hold up in an assessment.
Two documents drive this. First, Executive Order 14028, "Improving the Nation's Cybersecurity," signed May 12, 2021. It pushed the whole federal government toward zero trust and mandated the fundamentals: multifactor authentication, encryption, software supply-chain security, faster breach reporting, and standardized cybersecurity language in federal contracts.
Second, and more specific: OMB Memorandum M-22-09, "Moving the U.S. Government Toward Zero Trust Cybersecurity Principles," issued January 26, 2022. This is the Federal Zero Trust Strategy that implements EO 14028. It set a hard target — agencies were to meet its zero-trust goals by the end of fiscal year 2024, September 30, 2024 — and it leaned hard on one control in particular: phishing-resistant multifactor authentication.
Here's the part that matters for you, and I want to be exact about it: M-22-09 is an order to federal executive agencies. It is not a clause in your contract, and it does not, by itself, create a legal obligation on your business. Anyone selling you "M-22-09 compliance" is selling you a thing that doesn't exist. Agencies comply with M-22-09. Contractors comply with their contracts.
So if it doesn't bind you, why does every prime and program office suddenly talk like it does? Two channels.
Your customers. When an agency reorganizes its entire security posture around never trusting a connection by default, that expectation flows outward to everyone it does business with. Primes flow it down to subs. Program offices ask pointed questions about how you handle identity and data. You may never be legally bound by M-22-09, but you can absolutely lose a teaming spot to a competitor who can speak fluently about how their environment already works this way.
The controls you already owe. This is the concrete one. If you touch Controlled Unclassified Information, you're bound by DFARS 252.204-7012 and the requirement to implement NIST SP 800-171 — 14 control families, 110 requirements — with CMMC certification arriving to verify it. Look at what those controls actually require: multifactor authentication, least-privilege access, network boundary protection, encryption of CUI at rest and in transit, device accountability. That's the zero-trust pillar list wearing a compliance uniform. You were going to build most of this for CMMC regardless. Zero trust is just the philosophy that explains why the controls are shaped the way they are.
The federal strategy — and the CISA Zero Trust Maturity Model it mirrors — organizes everything into five pillars. Agencies read them as an architecture. You should read them as a checklist of things to go do. Here's the whole map before I break out the ones that need real gear.
Three of those pillars come down to policy and process — inventory your devices, tighten permissions, know where your data sits. Two of them are where a small shop actually buys something. Let's do those.
If you take one thing from the entire federal zero-trust push, take this: the MFA you're probably using isn't good enough for the standard they're driving toward. A code texted to a phone or read out of an authenticator app can be phished — a convincing fake login page captures it and replays it in seconds. "Phishing-resistant" means the second factor cannot be handed to an attacker even by a user who's been fooled.
A hardware security key does that. It uses the FIDO2 protocol, which cryptographically ties the login to the real website, so a spoofed page gets nothing back. This is the identity pillar in one small piece of metal, and it maps straight to the CMMC IA (Identification & Authentication) control family your assessor grades.
The practitioner default for hardware MFA. FIDO2 over USB-C or NFC means the login is bound to the real site, so a phishing page can't capture and replay it. Buy one per person who touches CUI, plus a couple of spares for the safe so a lost key never locks someone out. This is the single clearest way to satisfy the multifactor requirement the way the federal strategy wants it done.
The key handles the login moment. The credentials behind it need a home you can show an assessor — managed passwords, access logs, provisioning and de-provisioning you can prove. That's a vault, and for federal work you want one built to the government's own bar.
A FedRAMP-authorized, FIPS-validated password manager — the managed-credential backbone the identity pillar assumes you have. Every account provisioned centrally, every access event logged, so when an assessor asks "who has access to what, and how do you know," you have an answer on a screen instead of a shrug. Pairs naturally with the YubiKey: the key proves the person, the vault governs the credential.
The networks pillar is a direct rejection of the flat office LAN where the guest WiFi, the accountant's PC, and the machine holding a drawing package all sit on the same trusting network. Zero trust says: assume the network is already hostile, and wall the sensitive part off. For a small contractor that means one thing — segmentation behind a real firewall that logs.
This is exactly the move at the heart of scoping CUI down to a small, controlled island. I've written the full playbook for it, because it's also the single biggest lever on what your CMMC assessment costs. Read The CUI Enclave Method for how to carve CUI into a segmented enclave and shrink your assessment boundary, and the Best Firewall for CMMC guide for the specific boxes that enforce the segmentation and produce the logs an assessor asks for. Your ISP's combo router can't segment or log — that's why it's the first thing to replace.
The remaining three pillars don't need a big purchase — they need discipline you can document.
Devices. Keep a real inventory of every endpoint that stores or moves CUI, and have a documented, standards-based way to wipe a drive before any device is reused, returned, or retired. An old drive in a drawer is a breach waiting to be reported. This is the CMMC MP (Media Protection) family, and "we have a process and here's the log" beats "we're pretty sure we deleted it" every time.
Applications & Workloads. Least privilege, enforced. Every person and service gets the minimum access the work requires and nothing extra. Kill the shared admin logins. Stop making everyone a local admin because it's convenient. This is mostly configuration and policy, and it's the pillar that quietly closes the most doors an attacker would otherwise walk through.
Data. The pillar the other four exist to protect. CUI has to be encrypted at rest and in transit, kept in known locations, and moved only through channels built to protect it. For most small shops the sharp edge is email and file sharing — ordinary email was never built to carry controlled data. A purpose-built encrypted platform closes that gap.
End-to-end encrypted email and file sharing built specifically for CUI, and a common answer for small contractors who can't send controlled data over regular email and don't want to stand up a full government cloud tenant to do it. It protects the data pillar at rest and in transit — the encryption boundary around CUI that the strategy, and your 800-171 controls, both expect.
I'll close where I opened, because getting this wrong makes you sound either naive or dishonest, and neither wins federal work.
Do the pillars because they make you genuinely harder to breach and because they're the same controls your assessment already requires. That's the honest, durable reason — and it happens to be the one that also keeps you eligible for the contract.
Want to know where you stand against those 110 controls right now? The free SPRS score estimator gives you a baseline in about two minutes, before you spend a dollar on hardware.
Zero-trust hardware and process get you secure. What passes the assessment is the documentation: a System Security Plan that describes exactly how you implement identity, segmentation, least-privilege, and encryption, the 20 required policies, a POA&M template, and a per-control SPRS scorer. The CMMC Level 2 DIY Compliance Kit is all of it, editable, built for a small shop doing this itself.
No. M-22-09 is a directive to federal executive agencies, not a clause in your contract. It tells agencies to adopt a zero-trust architecture by the end of fiscal year 2024. It does not create a direct legal obligation on contractors. What reaches you is the practical shadow of that policy: the agencies you serve expect zero-trust-style controls, and the CMMC and DFARS requirements you are already bound by demand the same multifactor, access-control, and encryption practices zero trust is built on.
Identity, Devices, Networks, Applications and Workloads, and Data. These five pillars come from the CISA Zero Trust Maturity Model and frame OMB M-22-09. For a small contractor they translate cleanly into concrete actions: phishing-resistant hardware MFA for identity, device inventory and sanitization for devices, network segmentation for networks, least-privilege for applications and workloads, and encryption at rest and in transit for data.
It means MFA that a fake login page cannot capture and replay. Codes texted to a phone or typed out of an authenticator app can be phished. A hardware security key like a YubiKey uses the FIDO2 protocol, which cryptographically binds the login to the real site, so a spoofed page gets nothing. That is the standard the federal strategy pushes agencies toward, and it is the same identity control your CMMC assessment grades under the IA family.
Zero trust is a philosophy — never trust a user, device, or connection by default, verify everything, and assume the network is already hostile. CMMC is a certification that checks whether you have implemented specific controls from NIST SP 800-171. They overlap heavily: the multifactor, least-privilege, segmentation, and encryption controls CMMC requires are exactly how you operationalize zero trust in a small environment. Meeting your CMMC controls well is, in practice, most of the way to a zero-trust posture.
No. A small contractor does not buy a single zero-trust product. You buy hardware keys for identity, a real firewall to segment the network, an encrypted platform for CUI email and files, and you tighten permissions and device inventory with policy and process. The pillars are outcomes, not a shopping cart. Most of the spend is modest hardware plus a couple of subscriptions, backed by the documentation that proves you actually do it.
NIST SP 800-171 is the control set underneath CMMC Level 2 — 14 control families and 110 requirements. It is the concrete rulebook that turns zero-trust principles into things an assessor can grade: access control, identification and authentication, media protection, system and communications protection, and more. When people say zero trust flows down to contractors, 800-171 is the mechanism it flows through.