top of page


Risk-Based Dynamic Access Rules: Meeting CISA ZTMM Conditional Access Requirements Under OMB M-22-09
Most civilian agencies still have a practical problem at the access layer: users are granted access based on static roles, but the risk around that user changes throughout the day. The user may move from a managed laptop to an unmanaged device. The session may originate from an unusual location. The endpoint may fall out of compliance. The account may show abnormal behavior. If the access decision does not change when the risk changes, the agency is not operating at OMB M-22-
Jun 297 min read


CISA ZTMM Dynamic Privilege Management: Meeting OMB M-22-09 User Capability Requirements for Conditional Access
Most civilian agencies do not fail conditional user access because the identity tool is weak. They fail because dynamic privilege management gets deployed as a configuration project instead of an operating discipline. The access rules go live, the integrations look good during implementation, and then nobody owns the recurring review process. Under OMB M-22-09 and the CISA Zero Trust Maturity Model, that gap matters.
Jun 246 min read


CISA ZTMM User Pillar: Building Dynamic Privilege Rules for OMB M-22-09 Identity Requirements
Most civilian agencies still have a privilege problem hiding inside normal operations: static Active Directory groups, standing administrator roles, VPN-era access assumptions, and quarterly access reviews that do not respond to user risk in the moment. That model does not hold up against the CISA ZTMM User Pillar or the identity direction in OMB M-22-09. Explore how conditional user access has to move from policy language into enforceable rules.
Jun 157 min read


Enterprise ICAM Implementation for CISA ZTMM Conditional Access Requirements Under OMB M-22-09
Conditional user access is not an MFA project. To meet OMB M-22-09, it is an enterprise ICAM operating model tied to attributes, privileged access, policy enforcement, monitoring, and ATO boundaries. Agencies are trying to build that while operating under continuing resolution uncertainty, lean IT staffing, FedRAMP procurement constraints, and production systems that cannot be taken offline for identity redesign. This blog details how to get it right with the right sequencing
Jun 116 min read


CISA ZTMM User Attribute Architecture: Meeting OMB M-22-09 Requirements for Federal Identity Management
Conditional access breaks down fast when user attributes live in too many places. We see this across agencies: HR owns one version of the user, Active Directory owns another, the identity provider has a partial profile, and mission applications maintain local roles that nobody reconciles until access is wrong. That is not a tool problem first. It is an attribute architecture problem, and it affects how well an agency can implement OMB M-22-09 and the CISA Zero Trust Maturity
Jun 87 min read
bottom of page
