The National Security Agency has released Phase One and Phase Two of its Zero Trust Implementation Guidelines (ZIGs), with the aim of guiding organizations in their cyber defense.

The move is part of a broader Zero Trust Implementation Guidelines series that also includes a primer and a discovery guideline.

Specifically, NSA says the guidelines are intended to help the Department of War, the Defense Industrial Base, national security systems and affiliated organizations incorporate zero trust principles and reach “Target-level” maturity.

In both documents, NSA links the work to Executive Order 14028 and positions the ZIGs as an implementation layer that leverages prior federal frameworks, including NIST SP 800-207 and CISA’s Zero Trust Maturity Model.

NSA also says the phased approach is meant to organize the 152 zero trust activities in the Department of War strategy into five phases, with Discovery, Phase One and Phase Two mapped to Target-level and later phases aligned to Advanced-level.

How phases map to DoD “Target-level” deadlines

In the DoD Zero Trust Strategy execution timeline, “Target-level” is the baseline: 91 activities due by the end of FY 2027, while “Advanced-level” adds 61 more activities with a FY 2032 target.

With that sequencing in place, the two new documents focus on the first execution steps for Target-level controls and how they build toward integrated enforcement.

Phase One is framed as building a secure foundation. NSA says Phase One covers 36 activities that support 30 capabilities, while Phase Two covers 41 activities that support 34 capabilities and “mark the beginning of integrating distinct” zero trust “fundamental solutions” within a component environment.

The ZIGs are modular and can be aligned to an organization’s environment, the agency says, and Phase Three and Phase Four “may be developed at a later time.”

Phase Two’s executive summary sets the conceptual frame. NSA says zero trust is meant to reduce reliance on perimeter defenses by emphasizing continuous authentication and authorization of every user, device and application under “never trust, always verify” and “assume breach.”

“Assume breach” and post-login abuse

That “assume breach” approach reflects a broader shift in how incident patterns are tracked. Verizon’s 2025 Data Breach Investigations Report says stolen credentials remain a common factor in major breach patterns and notes that many “Basic Web Application Attacks” involve the use of stolen credentials.

Microsoft’s incident response guidance on token theft also warns that attackers can reuse stolen tokens to access resources, calling for rapid investigation, containment and remediation once access is established.

Continuous authentication in practice

One example of how NSA wants agencies to operationalize that approach appears in Phase One’s “Continuous Authentication” capability.

NSA describes a staged path that starts by standardizing legacy authentication into an approved identity provider, then adds periodic re-authentication and ultimately matures to continuous authentication based on “application/software activities and privileges requested.”

In the scenario, unusual mid-session behavior triggers re-authentication and a failed biometric check ends the session.

Phase Two repeats the same capability description and expands the supporting controls list. In the continuous authentication section, NSA lists technologies it considers fundamental, including audit and logging, endpoint detection and response, multi-factor authentication, user and entity behavior analytics and just-in-time access.
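The staged continuous-authentication path described above (an approved identity provider binds every session, the session is periodically re-authenticated, and mid-session signals such as a privilege escalation request, a UEBA anomaly or a device-health change from EDR trigger a step-up challenge that ends the session if it fails) can be expressed as a small policy engine. The following is an added illustration, not code from the NSA guidelines or from any vendor; the event kinds, thresholds, the one-hour re-authentication window and the sample event stream are all constructed assumptions.

```python
"""Illustrative session-level continuous-authentication policy engine.

Every request is evaluated against the session that the identity provider
established at login: the session is re-authenticated on a fixed interval,
and mid-session signals (privilege escalation, UEBA anomaly score, EDR device
health) force a step-up challenge. A failed step-up terminates the session.
All thresholds, event names and sample events are constructed assumptions.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional


class Decision(Enum):
    ALLOW = "allow"
    STEP_UP = "step_up"      # require re-authentication before continuing
    TERMINATE = "terminate"  # end the session; a fresh login is required


@dataclass
class Session:
    user: str
    device_id: str
    last_auth_ts: int            # epoch seconds of the last successful (re)auth
    privilege_level: int = 1     # privileges granted at the last authentication
    active: bool = True
    pending_step_up: bool = False
    step_up_privilege: int = 0   # privilege requested when step-up was triggered
    audit: List[str] = field(default_factory=list)  # feeds audit/logging


@dataclass
class Event:
    ts: int
    kind: str                          # "request", "step_up_result", "device_health"
    privilege_requested: int = 1
    anomaly_score: float = 0.0         # UEBA score in [0, 1] (assumed scale)
    biometric_ok: Optional[bool] = None  # only for step_up_result
    device_healthy: bool = True          # only for device_health


@dataclass
class Policy:
    reauth_interval_s: int = 3600      # periodic re-authentication window (assumed)
    anomaly_threshold: float = 0.8     # UEBA score that forces step-up (assumed)

    def evaluate(self, s: Session, e: Event) -> Decision:
        """Apply the policy to one event, mutating the session state."""
        if not s.active:
            s.audit.append(f"{e.ts} deny: session already terminated")
            return Decision.TERMINATE
        if e.kind == "step_up_result":
            if e.biometric_ok:
                s.pending_step_up = False
                s.last_auth_ts = e.ts
                s.privilege_level = max(s.privilege_level, s.step_up_privilege)
                s.audit.append(f"{e.ts} step-up passed, privilege={s.privilege_level}")
                return Decision.ALLOW
            s.active = False
            s.audit.append(f"{e.ts} step-up failed: session terminated")
            return Decision.TERMINATE
        if e.kind == "device_health":
            if not e.device_healthy:
                s.active = False
                s.audit.append(f"{e.ts} device unhealthy: session terminated")
                return Decision.TERMINATE
            return Decision.ALLOW
        # Ordinary request: any one of these conditions demands a step-up.
        if s.pending_step_up:
            return Decision.STEP_UP
        reasons = []
        if e.ts - s.last_auth_ts >= self.reauth_interval_s:
            reasons.append("periodic re-auth due")
        if e.privilege_requested > s.privilege_level:
            reasons.append("privilege escalation requested")
        if e.anomaly_score >= self.anomaly_threshold:
            reasons.append(f"anomaly score {e.anomaly_score}")
        if reasons:
            s.pending_step_up = True
            s.step_up_privilege = e.privilege_requested
            s.audit.append(f"{e.ts} step-up: " + "; ".join(reasons))
            return Decision.STEP_UP
        s.audit.append(f"{e.ts} allow")
        return Decision.ALLOW


def run_scenario() -> List[str]:
    """Replay a constructed event stream and return the decision for each event."""
    session = Session(user="alice", device_id="laptop-01", last_auth_ts=0)
    events = [
        Event(100, "request"),                                   # routine use
        Event(200, "request", privilege_requested=3),            # asks for more
        Event(210, "step_up_result", biometric_ok=True),         # passes
        Event(300, "request", privilege_requested=3),            # now permitted
        Event(4000, "request"),                                  # window expired
        Event(4010, "step_up_result", biometric_ok=True),
        Event(4100, "request", anomaly_score=0.95),              # unusual behavior
        Event(4110, "step_up_result", biometric_ok=False),       # biometric fails
        Event(4200, "request"),                                  # already ended
    ]
    policy = Policy()
    return [policy.evaluate(session, ev).value for ev in events]


if __name__ == "__main__":
    for line in run_scenario():
        print(line)
```

The point of the design is that the decision is made per request from session state plus live signals, so a token stolen after login is still subject to the same re-authentication window, escalation check and behavior score as the legitimate user, and the audit list gives the logging layer a record of why each step-up fired.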

Zero trust must evaluate users after login

Brian Soby, CTO and co-founder of AppOmni, in a statement to TechInformed said that “continuous evaluation has to happen after login, not just at login,” arguing the guidance “pushes maturity beyond ‘authenticate, then trust.’”

He also said the guidance leans into orchestration of policy decision points and policy enforcement points and into analytics that focus on what happened “inside the session, inside the application.”

Soby also warned that “a common implementation mistake is treating Zero Trust as ‘we bought ZTNA, so we’re done,’” adding that ZTNA “only controls access to an application.” He said the guidance “repeatedly signals” the need for application-aware telemetry, behavior context and adaptive policy.
