The National Security Agency (NSA) has published the first two components of its Zero Trust Implementation Guidelines (ZIGs), releasing a Primer and a Discovery Phase guide aimed to provide practical, actionable recommendations for zero trust implementation.
The series is meant as a practical implementation companion to the existing federal zero-trust direction, with additional phases planned.
What the NSA “Primer” is
The ZIGs are an implementation map that is meant to align with the Department of War (DoW) CIO “Zero Trust Framework” and its Target-level capabilities. The program decomposes Target into 152 activities.
The structure is designed to help teams plan, sequence, and measure progress, which contrasts with treating zero trust as a single product deployment.
The Primer also clarifies the terminology that can confuse non-federal readers: it notes that “Department of War (DoW)” is an authorized secondary title for the Department of Defense, and references alignment work with the DoW/DoD CIO’s Zero Trust portfolio function.
What “Discovery Phase” means in operational terms
The Discovery Phase guide is the most immediately reusable piece for enterprises because it focuses on establishing what the NSA calls baseline visibility and control prerequisites. It frames Discovery as structured pre-work to identify gaps, dependencies, and the current state across users, devices, applications, data, and network behaviors before teams move into enforcement-focused phases.
In practical terms, the document emphasizes building an authoritative picture of users, devices, and services and how they connect, mapping data flows to understand where enforcement would need to sit, and putting foundational control concepts in place, such as policy decision and enforcement thinking and orchestration hooks, so later phases can be executed against a known baseline rather than assumptions.
How this connects to federal deadlines and to vendor strategy
The NSA documents are explicitly framed as implementation guidance for organizations adopting zero trust architectures, and they sit alongside widely cited federal references like NIST SP 800-207 (Zero Trust Architecture) and CISA’s maturity model work that many enterprises already use as vocabulary with auditors and regulators.
In 2024, Gartner predicted that “through 2026, 75% of U.S. federal agencies will fail to implement zero trust security policies due to funding and expertise shortfalls.”
At the time, Gartner said broad requirements and budget timing constraints are key contributors, and described zero trust as a set of design principles rather than a single product.
The firm warned that this type of “how-to” guidance is being published now: even with policy pressure, agencies can struggle to execute if they don’t translate goals into phased, resourced work, especially when staffing and budget constraints collide with compliance timelines.