Cyberwire Daily
NSA Publishes New Zero Trust Implementation Guidelines

By Team-CWD, February 2, 2026

A new set of Zero Trust Implementation Guidelines (ZIGs) detailing how organizations can progress to target-level zero trust maturity has been released by the US National Security Agency (NSA).

The guidance introduces Phase One and Phase Two of the ZIGs, designed to support the zero trust framework of the US Department of War (DoW), previously the Department of Defense, and the wider US government cybersecurity strategy.

The newly published phases are intended to move organizations from the Discovery stage through to target-level implementation. They outline required activities, dependencies and outcomes while allowing flexibility for firms to tailor adoption based on operational needs and constraints.

Phase One establishes a secure baseline. It defines 36 activities that support 30 zero trust capabilities, helping organizations build or refine foundational controls before deeper integration. Phase Two builds on this work with 41 activities that enable 34 additional capabilities, focusing on integrating core zero trust solutions across component environments.

The phased approach reflects a modular design rather than a fixed roadmap.

Brian Soby, CTO and co-founder of AppOmni, said this structure reinforces the idea that zero trust is not a one-time deployment. “[It] is an operating model, not a product,” Soby said, noting that policy decisions must be continuously evaluated and enforced as conditions change.

Shifting From Perimeter Security to Continuous Evaluation

The guidance reinforces a shift away from perimeter-based security toward continuous authentication and authorisation of users, devices and applications. Zero trust operates on the principles of “never trust, always verify” and “assume breach,” an approach increasingly viewed as necessary as cyber threats evolve.

Soby said one of the strongest aspects of the guidance is its focus on activity after authentication.

“Continuous evaluation has to happen after login, not just at login,” he said. According to Soby, many successful attacks now occur post-authentication, where basic identity checks and device posture assessments offer limited protection without visibility into what happens inside applications.

The guidelines draw on several established frameworks developed under Executive Order 14028, including NIST Special Publication 800-207, the CISA Zero Trust Maturity Model Version 2.0 and the DoW Zero Trust Reference Architecture. The NSA developed the guidelines in close coordination with the DoW CIO to organize 152 Zero Trust activities into structured phases.

However, Soby warned that many organizations still misapply zero trust by focusing too heavily on network access controls alone. Treating zero trust network access as a complete solution overlooks how applications make and enforce their own access decisions.

“Any zero trust architecture that leaves visibility and management of the application policy decision points out of the architecture is expensive and grossly insufficient,” he said.

The NSA said the current guidance is intended to help skilled practitioners achieve target-level zero trust maturity, with additional advanced phases potentially developed in the future.
