NSA Lays Guidelines for Zero Trust Implementation (ZIGs) for Orgs; First in Series of Zero Trust

The National Security Agency (NSA) has released the first two products in a series of Zero Trust Implementation Guidelines (ZIGs) to provide practical, actionable recommendations to facilitate the implementation of Zero Trust (ZT). These initial releases cover the Primer and the Discovery Phase, which together set the groundwork for future guidance tied to the Department of War CIO Zero Trust Framework. These are actionable strategies for organizations outlining architecture, maturity models and guidance.

This series of reports outlines the steps to implement the technologies and processes that support achieving the Target-level ZT Capabilities, Activities, and Expected Outcomes described in the Department of War (DoW) CIO ZT Framework.

Released on 14 Jan, the Primer and Discovery Phase are the gateway to ZT implementation, providing guidance and direction to ensure organizations are fully equipped to digest and implement the Phase 1 and Phase 2 ZIGs upon their release.

The Primer phase outlines the strategy and principles used to develop the ZIGs and provides a holistic approach to maximizing the usage of the series. Notably, the ZIGs are designed to be modular, allowing organizations at different levels of ZT maturity to select and implement the capabilities most relevant to the needs of their environment.

The Discovery Phase is intended to help organizations establish foundational visibility and understand the critical data, applications, assets, and services, as well as access and authorization activity existing within the architecture.
System owners, cybersecurity professionals and stakeholders should review these foundational guidelines to gain a deeper understanding of ZT activities and their organization’s operational landscape in preparation for the release of the Phase 1 and Phase 2 ZIGs.

As mandated by Executive Order (EO) 14028, the United States Government (USG) developed several ZT strategies to achieve ZT.

Key foundational documents outlining architecture, maturity models and guidance
supporting this effort include:

  • National Institute of Standards and Technology (NIST), Zero Trust Architecture
    Special Publication (SP) 800-207, August 2020
  • The Cybersecurity and Infrastructure Security Agency (CISA) Zero Trust Maturity
    Model, Version 2.0, January 2022
  • The Department of War (DoW) Zero Trust Reference Architecture (ZT RA),
    Version 2.0, July 2022
  • The DoW Zero Trust Strategy, Version 1.0, October 2022

Read the full products below:

The Foundation Document for Zero Trust

  • Released on January 8, 2026, the series begins with two essential documents: the Primer and the Discovery Phase guidelines.
  • These publications serve as the foundation for understanding and preparing for Zero Trust implementation before more detailed Phase 1 and Phase 2 guidance becomes available.
  • The Primer establishes the strategic framework and principles underlying the entire ZIG series. It presents a comprehensive approach to utilizing the guidelines effectively, emphasizing modularity that allows organizations at varying maturity levels to select capabilities matching their specific environmental requirements.
  • This flexibility ensures organizations can customize their Zero Trust journey based on existing infrastructure and

Zero Trust Implementation Guideline Primer

This document was developed in furtherance of NSA’s cybersecurity missions, including its
responsibilities to identify and disseminate threats, and to develop and issue cybersecurity specifications
and mitigations for National Security Systems, Department of War information systems, and the Defense
Industrial Base. This information may be shared broadly to reach all appropriate stakeholders.

The ZIGs' phased implementation approach is as follows:

  • Discovery Phase ZIG covers 14 Activities that support 13 Capabilities. The
    purpose of the Activities within the Discovery Phase ZIG is to collect information
    about the Component environment(s), such as Data, Applications, Assets, and
    Services (DAAS), Users/PEs/Non-Person Entities (NPEs), etc.
  • Phase One ZIG covers 36 Activities that support 30 Capabilities. Phase One
    Activities build upon or further refine the Component environment(s) to establish
    a secure foundation that supports ZT Capabilities.
  • Phase Two ZIG covers 41 Activities that support 34 Capabilities. Phase Two
    Activities mark the beginning of integrating distinct ZT fundamental solutions
    within the Component environment.

The Zero Trust strategies include frameworks, guidelines and maturity models designed to assist organizations in implementing ZT.

(Sources: NSA Releases First in Series of Zero Trust Implementation Guidelines > National Security Agency/Central Security Service > Press Release View)
