top of page


Risk-Based Dynamic Access Rules: Meeting CISA ZTMM Conditional Access Requirements Under OMB M-22-09
Most civilian agencies still have a practical problem at the access layer: users are granted access based on static roles, but the risk around that user changes throughout the day. The user may move from a managed laptop to an unmanaged device. The session may originate from an unusual location. The endpoint may fall out of compliance. The account may show abnormal behavior. If the access decision does not change when the risk changes, the agency is not operating at OMB M-22-
Jun 297 min read


CISA ZTMM Dynamic Privilege Management: Meeting OMB M-22-09 User Capability Requirements for Conditional Access
Most civilian agencies do not fail conditional user access because the identity tool is weak. They fail because dynamic privilege management gets deployed as a configuration project instead of an operating discipline. The access rules go live, the integrations look good during implementation, and then nobody owns the recurring review process. Under OMB M-22-09 and the CISA Zero Trust Maturity Model, that gap matters.
Jun 246 min read
bottom of page
