Risk-Based Dynamic Access Rules: Meeting CISA ZTMM Conditional Access Requirements Under OMB M-22-09
- Vishal Masih
- Jun 29
- 7 min read
Static Roles Are Not Enough for OMB M-22-09
Most civilian agencies still have a practical problem at the access layer: users are granted access based on static roles, but the risk around that user changes throughout the day. The user may move from a managed laptop to an unmanaged device. The session may originate from an unusual location. The endpoint may fall out of compliance. The account may show abnormal behavior. If the access decision does not change when the risk changes, the agency is not operating at the maturity level OMB M-22-09 and the CISA Zero Trust Maturity Model are driving toward.

This is not a tooling conversation first. It is a governance and operating model conversation. Conditional user access requires agencies to define how risk changes access, who owns the rules, what signals feed the decision, and how those decisions are enforced across mission applications, cloud services, and legacy systems. That is difficult work under continuing resolution budget uncertainty, lean IT staffing, and procurement timelines that do not always match OMB deadlines.
What OMB M-22-09 and CISA ZTMM Require
OMB M-22-09 directs agencies to move toward risk-adaptive access decisions. Access is not supposed to be a one-time check at login. Agencies are expected to continuously verify the user, device, location, behavior, and context, then adjust access based on risk. That means authentication strength, session duration, application access, and permission levels must be tied to current risk signals.
The CISA Zero Trust Maturity Model makes this explicit in the User pillar. At the Advanced level, agencies use risk-based conditional access that accounts for real-time signals instead of depending only on static role-based access control. At the Optimal level, the access decision becomes continuous, with automated policy response when risk changes.
FISMA reinforces the same direction through ongoing authorization and continuous monitoring. Agencies need current risk information to support authorization decisions for federal systems. FedRAMP also matters here because many civilian agencies will buy or consume identity, endpoint, analytics, and cloud access services through FedRAMP-authorized offerings. Procurement officers need to confirm that those services can support dynamic policy decisions, not just basic MFA and group membership.
The Diagnostic Question: Can Access Change When Risk Changes?
The anchor question for this capability is direct: has the organization developed rules for dynamic access decision-making that account for risk factors? In AISE, this maps to Conditional User Access under the User pillar and is assessed at Strategic Foundation with a CISA ZTMM maturity target of Optimal.
That question cannot be answered by pointing to MFA alone. MFA is necessary, but it does not equal risk-adaptive access. The stronger diagnostic is whether the agency has documented policy rules that say what happens when specific risk signals appear. For example: when a privileged user signs in from a non-compliant device, access is limited or stepped up. When impossible travel is detected, the session is challenged or terminated. When endpoint risk rises during a session, access to sensitive applications is reduced until the condition clears.
The supporting questions show where agencies usually find the hard work. A centralized governance body must manage and update universal roles and permissions. User and group attributes need to federate from components into the enterprise ICAM solution through automated processes. Roles must be based on federated attributes, standardized across the enterprise, and enforced across applications and systems. The agency also needs mechanisms to monitor and audit the use of roles and permissions for security and FISMA reporting.
In practice, this means conditional access depends on three operating disciplines:
Authoritative identity and attribute data from HR, PIV, directory, mission, and component sources.
Policy rules that translate risk signals into access outcomes.
Enforcement points across cloud, SaaS, on-premises, and legacy applications.
What AISE Scores Mean for Conditional User Access
AISE produces separate DoD ZTA CoA and CISA ZTMM scores from a single assessment—giving civilian agencies one assessment with two separate scorecards: a CISA ZTMM maturity score mapped to OMB M-22-09 requirements and a DoD ZTA Course of Action score for additional context. For this audience, the CISA ZTMM score is the primary reporting artifact because it aligns directly to the mandate path agencies are already managing.
At Maturity Level 1, the agency is usually operating with static access controls. Groups and roles exist, but they are inconsistently governed. Risk signals may exist in endpoint, SIEM, cloud, or identity tools, but those signals do not drive access decisions. Reviews are manual. Exceptions live in spreadsheets. Application owners make local decisions that do not always match enterprise ICAM policy.
At Maturity Level 3, the agency has established a stronger foundation. MFA is broadly implemented. Identity federation is expanding. Some conditional access policies exist for major cloud platforms or high-value applications. Role definitions are improving, and governance is beginning to standardize permissions. The gap is usually consistency. Dynamic access works in some environments but not across the full application portfolio.
At Maturity Level 5, conditional access is an enterprise control. Federated attributes feed the ICAM platform. Endpoint posture, user behavior, threat intelligence, location, device status, and session context influence access in near real time. Policy changes are governed, versioned, tested, and monitored. Exceptions are time-bound. Access decisions produce evidence that supports FISMA reporting and leadership visibility.
The AISE score matters because it separates maturity from activity. An agency can have many IAM tools and still score low if access rules are static, attributes are unreliable, or enforcement is limited to a narrow set of applications. A higher score shows that risk-adaptive access is defined, governed, enforced, and monitored in a way that supports OMB M-22-09 implementation.
Turning Scores Into Milestones
The right next step is not to replace every IAM component at once. Civilian agencies are working with constrained budgets, small teams, and procurement limits. The better approach is to convert the maturity score into a phased plan that leadership can fund, staff, and track.
For Conditional User Access, the first milestone is policy clarity. Agencies need a defined set of risk factors and access outcomes. The policy should state which signals matter, which applications are in scope, what user populations are covered, and what happens when risk increases.
The second milestone is attribute readiness. Dynamic access fails when the identity data is not trusted. Agencies need to know which attributes are authoritative, how they are federated, how often they update, and who owns data quality.
The third milestone is enforcement coverage. Start with cloud services, high-value assets, privileged users, and applications already integrated with the enterprise identity provider. Then expand to mission systems and legacy platforms through proxies, gateways, application modernization, or compensating controls where full integration is not realistic in the near term.
The fourth milestone is monitoring and evidence. Conditional access policies need telemetry. Leadership should be able to see how many decisions were made, how many sessions were stepped up, how many were blocked, how many exceptions exist, and whether policy coverage is expanding.
Realistic ROM Timelines
For an agency starting from static RBAC and limited conditional policies, a realistic ROM for the first mandate-aligned operating baseline is 6 to 12 months. That includes policy definition, governance setup, attribute mapping, priority application onboarding, and initial reporting.
For an agency already using MFA and cloud conditional access in selected environments, moving from partial implementation to broader CISA ZTMM Advanced maturity usually takes 9 to 18 months. The schedule depends on the number of identity stores, application complexity, endpoint signal quality, and how many mission systems can consume modern identity controls.
For agencies targeting continuous evaluation and automated response across a wider portfolio, the ROM is commonly 18 to 30 months. That work typically includes deeper integration among ICAM, EDR, SIEM, SOAR, cloud access controls, and application gateways. It also requires sustained governance so policy does not drift as new systems, users, and exceptions are added.
FedRAMP can shorten procurement friction when agencies select cloud identity, endpoint, or access services already available through approved paths. It does not remove the agency responsibility to define policy, govern attributes, and integrate enforcement into the operating environment.
An Anonymized Civilian Agency Scenario
A civilian agency we assessed had strong MFA coverage and a modern identity provider, but its access model was still mostly static. Program offices managed application roles locally. Endpoint risk was visible to the security team but did not affect access. The agency had conditional access policies for cloud email, but not for grants management, case management, or administrative applications.
The AISE assessment produced a CISA ZTMM score that showed moderate progress in authentication but lower maturity in dynamic access control. The same assessment also produced a separate DoD ZTA CoA score, which helped the team compare its control model against a different federal Zero Trust structure without mixing the two reporting paths.
The agency used the CISA ZTMM scorecard to brief leadership on three gaps: lack of centralized role governance, inconsistent attribute federation, and limited enforcement outside the cloud productivity stack. The first 90 days focused on defining risk factors and standardizing privileged-user policies. The next two quarters expanded conditional rules to high-value applications and connected endpoint posture to access decisions. That did not solve every legacy integration issue, but it created measurable movement from static RBAC toward risk-adaptive access aligned with OMB M-22-09.
Get the Baseline Before You Buy More Tools
Conditional user access is where Zero Trust becomes operational. It forces the agency to connect policy, identity data, device posture, application access, and monitoring into one decision model. Buying another IAM feature without knowing the maturity gap usually creates more fragmentation.
AISE gives civilian agencies one assessment and two clean scorecards: the CISA ZTMM maturity score mapped to OMB M-22-09 requirements, and a separate DoD ZTA CoA score for added context. That gives CISOs, IT directors, and procurement teams a common baseline for leadership reporting and investment planning.
Get your agency's AISE maturity baseline mapped to OMB M-22-09 at zephon.tech/zt or contact defend@zephon.tech.




Comments