The Cybersecurity and Infrastructure Security Agency has issued a binding operational directive requiring all federal civilian agencies to fully implement zero trust architecture by September 30, 2026. The mandate accelerates the previous timeline by six months in response to a surge of attacks targeting government systems.
Agencies must implement identity-verified access controls, network micro-segmentation, encrypted communications for all internal traffic, and continuous monitoring of all endpoints. CISA will conduct compliance assessments starting in July.
The directive also allocates $2.1 billion in emergency funding to help agencies that are behind schedule. Cybersecurity vendors specializing in zero trust solutions have seen stock prices surge on the announcement.
