Independent reference. Not affiliated with any zero trust vendor. Updated Q1 2026.
Federal mandate

FedRAMP zero trust cost: OMB M-22-09 and DoD implementation

US federal zero trust is the most heavily mandated zero trust environment in the world. OMB M-22-09 sets explicit targets for civilian agencies, the DoD Zero Trust Strategy sets targets for the Department of Defense, and CMMC extends the framework to defence contractors. This page costs out federal zero trust implementations, explains the FedRAMP-authorised platform premium, walks through the FIDO2 hardware mandate, and covers the CMMC overlap that lets defence contractors share zero trust and compliance investment.

The mandates

Federal zero trust mandates and their scope

Five interconnected federal mandates drive zero trust implementation in US federal and defence contexts.

| Mandate | Scope | Issued | Deadline | Focus |
| --- | --- | --- | --- | --- |
| OMB M-22-09 | US federal civilian agencies | January 2022 | Originally FY2024, extended to FY2027 for some elements | Identity, devices, networks, applications, data per NIST 800-207 |
| DoD Zero Trust Strategy | Department of Defense | October 2022 | Target Level by FY2027 | Seven pillars (CISA five plus visibility, automation), DoD ZT Reference Architecture |
| CISA Federal Zero Trust Strategy Implementation Plan | Federal civilian agencies (CISA-led) | 2022 onwards | Ongoing | Implementation guidance for OMB M-22-09 across CISA's customer agencies |
| CMMC 2.0 | DoD contractors handling CUI | Effective 2025 | Per contract requirement | NIST SP 800-171 (Level 2) and 800-172 (Level 3) |
| FAR Cybersecurity (proposed) | All federal contractors | Proposed 2023, finalisation ongoing | TBD | Cyber incident reporting plus baseline cybersecurity controls |

OMB M-22-09

What the civilian zero trust mandate actually requires

OMB M-22-09, the Federal Zero Trust Architecture Strategy memorandum issued by the Office of Management and Budget in January 2022, is the dominant US federal civilian zero trust mandate. Published a year after the Biden administration's Executive Order 14028 on improving the nation's cybersecurity, M-22-09 translated the EO's broad direction into specific measurable targets for federal agencies. The key requirements are concrete enough that compliance can be audited rather than inferred.

- Enterprise-managed identity systems for all federal employees and contractors. This means a single enterprise-grade identity provider, not departmental or program-specific IdPs scattered across the agency. For most agencies that meant consolidating multiple legacy identity stores into Microsoft Entra ID Government or Okta Workforce Identity Cloud for Government, a multi-year programme in its own right.
- Universal phishing-resistant MFA. Not for privileged accounts only, as commercial best practice often implements, but for every employee and contractor with system access. FIDO2 hardware keys are the dominant implementation, with platform-resident passkeys increasingly accepted as equivalent.
- Complete inventory of every endpoint and resource. The traditional federal asset-management gap (devices not on the official inventory but actively in use) had to be closed, driving investment in device discovery and CMDB consolidation.
- Enterprise-wide IAM aligned with NIST 800-207. The IAM had to implement the architecture from NIST SP 800-207, not just any IAM.
- Encryption of DNS, HTTP, and email between federal systems. This drove investment in DNS filtering platforms (CISA Protective DNS, commercial alternatives), TLS everywhere, and email security infrastructure.
- Treat internal networks as untrusted. This is the network-pillar requirement, driving ZTNA adoption and the retirement of broad VPN access.
- Categorise and protect all federal data with rigorous access controls. This is the data-pillar requirement, driving DLP, classification, and access governance investment.

The original deadlines (end of fiscal year 2024 for most elements) proved aggressive; subsequent CISA implementation guidance extended some deadlines through fiscal year 2027 for the more challenging elements (full data-pillar deployment, comprehensive microsegmentation, full workload identity). The direction is settled and the funding is committed; the timeline has flexed.

DoD ZT Strategy

The Department of Defense zero trust framework

The DoD Zero Trust Strategy, published October 2022, is the Department of Defense's equivalent of OMB M-22-09 with additional rigour appropriate for defence environments. The accompanying DoD Zero Trust Reference Architecture (the v2.0 update released July 2022) defines a target architecture for DoD components, with seven pillars (the same five CISA pillars plus visibility and analytics, plus automation and orchestration, treated as separate pillars rather than cross-cutting capabilities) and three time-bound capability levels (Target Level Zero Trust by FY 2027, Advanced ZT as the longer aspiration).

The DoD strategy is more prescriptive than M-22-09 in some areas. It specifies particular capability outcomes (152 zero trust activities across the seven pillars at Target Level, with a further 27 at Advanced) and provides detailed implementation guidance per activity. The funding model is per-component budget allocation through normal DoD budget cycles plus dedicated CISA-aligned investment for cross-component capabilities. Component-level zero trust office budgets at major DoD components run $50M to $300M per year for implementation plus ongoing operations.

For DoD contractors not directly under the DoD ZT Strategy mandate, the strategy still matters because it sets the direction for contractor cybersecurity expectations through CMMC and contract-level requirements. Contractors operating in DoD environments increasingly need to demonstrate alignment with DoD ZT principles even when not formally subject to the strategy itself.

Cost premium

What the federal premium covers

The 30-50% cost premium over commercial zero trust at the same scale breaks down across these components.

| Component | Premium | Driver |
| --- | --- | --- |
| Identity (FedRAMP-authorised IdP) | +25-40% over commercial | FedRAMP Moderate or High SKU pricing premium. |
| FIDO2 hardware keys universal | +$25-$50 / user one-time | OMB M-22-09 phishing-resistant MFA mandate covers all employees, not just privileged. |
| ZTNA (FedRAMP-authorised) | +30-45% over commercial | FedRAMP-authorised ZTNA platform pricing. |
| EDR (FedRAMP-authorised) | +20-35% over commercial | FedRAMP / IL-authorised EDR pricing. |
| SIEM with extended retention | +30-60% over commercial | Federal audit retention requirements typically exceed commercial. |
| Dedicated GRC headcount | +3-8 FTE | Federal frameworks (NIST 800-53, FedRAMP, FISMA, OMB guidance) require specialist depth. |
| FedRAMP authorisation maintenance (in-house platforms) | $200K-$2M one-time + ongoing | Only relevant if the agency operates its own platforms in FedRAMP-authorised mode rather than consuming commercial FedRAMP services. |

CMMC overlap

How defence contractors share zero trust and compliance investment

CMMC 2.0 (Cybersecurity Maturity Model Certification, the DoD's contractor cybersecurity framework, effective for contracts from 2025 onwards) is mandatory for any contractor handling Controlled Unclassified Information (CUI) on DoD contracts. CMMC has three levels: Level 1 (basic, 17 practices for federal contract information), Level 2 (advanced, 110 practices aligning with NIST SP 800-171, for handlers of CUI), and Level 3 (expert, additional NIST 800-172 enhanced practices, for handlers of higher-sensitivity CUI).

The overlap with zero trust is substantial. CMMC Level 2 requirements overlap heavily with CISA Initial-to-Advanced zero trust capability, and CMMC Level 3 requirements align with CISA Advanced-to-Optimal. For DoD contractors, the zero trust implementation cost and the CMMC certification cost are largely shared: the same identity-pillar work satisfies both, the same device-pillar work satisfies both, the same network-pillar work satisfies both. Most DoD contractors approach CMMC and zero trust as a single integrated programme rather than two separate efforts.

The cost-sharing implication is meaningful. A defence contractor that scopes CMMC compliance and zero trust separately typically duplicates 40 to 60 percent of the work. An integrated programme saves $300K to $1.5M per year for mid-market defence contractors and significantly more for enterprise contractors. The pcicompliancecost.com sister site covers a similar pattern for PCI-DSS compliance integration with zero trust, though for a different mandate.

Frequently asked

FedRAMP zero trust cost questions

What is OMB M-22-09 and what does it require?
OMB M-22-09, the Federal Zero Trust Architecture Strategy memorandum issued in January 2022, set explicit zero trust targets for US federal civilian agencies. Key requirements: enterprise-managed identity systems for all federal employees and contractors with universal phishing-resistant MFA (not just for privileged accounts); a complete inventory of every endpoint and resource that accesses federal information systems; enterprise-wide identity and access management aligned with NIST 800-207; encryption of DNS, HTTP traffic, and email between federal systems; treating internal networks as untrusted; categorising and protecting all federal data with rigorous access controls. The original target was end of fiscal year 2024; subsequent guidance extended some elements through 2027.

What is the DoD Zero Trust Strategy?
The Department of Defense Zero Trust Strategy, published October 2022, is the DoD's equivalent of OMB M-22-09 with additional rigour appropriate for defence environments. It defines a DoD Zero Trust Reference Architecture (originally v1.0 July 2022, v2.0 update July 2022) and seven pillars (the same five CISA pillars plus visibility/analytics and automation/orchestration as separate pillars). The DoD strategy targets Target Level Zero Trust by FY 2027 across all DoD components, with Advanced Zero Trust as the longer-term aspiration. The funding model is per-component budget allocation through normal DoD budget cycles plus dedicated CISA-aligned investment.

How much does FedRAMP zero trust cost?
Federal zero trust costs are typically 30 to 50 percent higher than commercial equivalents at the same maturity tier. For a 5,000-employee federal agency or large contractor, year-one cost is $5M to $12M versus $4M to $8M for a non-regulated commercial equivalent. For a 1,000-employee federal organisation, $1.8M to $3.5M versus $1.5M to $2.5M commercial. The drivers are FedRAMP-authorised platform pricing premium (20 to 40 percent), mandatory universal phishing-resistant MFA coverage (FIDO2 hardware keys at $25 to $50 per user one-time), stricter audit and evidence requirements, dedicated GRC headcount familiar with federal frameworks, and FedRAMP authorisation maintenance cost for any platforms operated in-house.

What is the FIDO2 hardware key requirement?
OMB M-22-09 requires phishing-resistant MFA for all federal employees and contractors, not just privileged accounts. The dominant implementation is FIDO2 hardware keys (Yubico YubiKeys, Google Titan, Feitian) at $25 to $50 per key one-time, with replacement cost over time at roughly a 15 to 25 percent annual replacement rate from loss, damage, and lifecycle. For a 5,000-employee agency, FIDO2 hardware cost is $125K to $250K one-time plus $25K to $60K per year ongoing. Platform-resident passkeys (Windows Hello for Business, macOS platform authentication) are increasingly accepted as equivalent to hardware keys for phishing-resistant MFA, which can reduce the hardware cost for managed-device populations.

How does CMMC overlap with federal zero trust?
CMMC (Cybersecurity Maturity Model Certification) is the DoD's contractor cybersecurity framework, mandatory for any contractor handling Controlled Unclassified Information (CUI). CMMC Level 2 (the baseline for CUI handlers) requires implementation of NIST SP 800-171, which substantially overlaps with zero trust foundational controls. CMMC Level 3 (handlers of higher-sensitivity CUI) adds NIST SP 800-172 enhanced controls, which align with CISA Advanced-to-Optimal zero trust. For DoD contractors, the zero trust implementation cost and the CMMC certification cost are largely shared; the same controls satisfy both frameworks. Most DoD contractors approach CMMC and zero trust as a single integrated programme rather than two separate efforts.

Can federal agencies use commercial zero trust platforms?
Yes, with FedRAMP authorisation. Commercial zero trust platforms with FedRAMP Moderate authorisation can serve most federal civilian use cases. Platforms with FedRAMP High authorisation can serve sensitive federal workloads. DoD requires DoD Impact Level (IL) authorisation: IL4 for CUI, IL5 for higher-sensitivity, IL6 for classified up to Secret. The major zero trust platform categories have FedRAMP-authorised variants: Microsoft Entra and Microsoft 365 Government have High authorisation, Okta has Moderate and High Government variants, Zscaler has FedRAMP High and IL5, Palo Alto Prisma Access has FedRAMP Moderate, CrowdStrike has FedRAMP Moderate plus IL4 variants. The catalog of authorised platforms is available at FedRAMP.gov.

What is the most common federal zero trust mistake?
Treating M-22-09 compliance as a one-time deliverable rather than a sustained operating model. Federal agencies that scoped M-22-09 work as a programme with the original 2024 deadline as the endpoint often delivered compliance milestones but did not build the sustained operating capability needed to maintain zero trust posture over time. As the deadlines have extended through 2027, the operating-model framing has become the dominant approach. Agencies treating zero trust as a continuous capability rather than a one-time programme are more likely to maintain compliance posture across leadership changes and budget cycles.