Key takeaways:
- Compromised passwords and stolen session cookies obtained through infostealer malware allow threat actors to bypass multi-factor authentication (MFA) and gain a foothold inside enterprise networks. This unauthorized access directly undermines Zero Trust architectures and paves the way for sophisticated ransomware attacks and severe operational disruptions.
- Security teams must immediately leverage darknet threat intelligence to detect exposed credentials and automate rapid password resets through Identity and Access Management (IAM) integrations.
- To prevent future compromises, organizations should enforce phishing-resistant MFA, continuously monitor both managed and unmanaged devices for malware, and strictly prohibit password reuse across all accounts.
In practice, the zero trust security model means never trusting and always verifying users’ identities to combat fraud. It grants access only after confirming users are who they say they are through authentication methods. At its core, identity is the most critical component of zero trust.
With increasing cyber threats putting organizations at risk, ensuring only authorized users gain access to networks is critical for the private and public sector alike. This principle is the driving force behind the federal government’s strategy.
According to SpyCloud’s 2025 Annual Identity Exposure Report, our researchers found [X number] of breaches containing .gov emails in 2024. These incidents add powerful ammunition to sophisticated ransomware attacks against critical infrastructure organizations.
The resulting compromised credentials give threat actors a potential foothold inside of those agencies.
Understanding the federal zero trust strategy
The Federal Zero Trust Strategy is a U.S. government mandate requiring federal agencies to adopt a ‘never trust, always verify’ security model. This initiative moves agencies away from traditional perimeter defenses to a system where every access request is rigorously authenticated, regardless of its origin. Its implementation is guided by official memos and maturity models.
What OMB memorandum M-22-09 requires
To strengthen national cybersecurity, the White House issued OMB Memorandum M-22-09. The memo established the federal government’s official zero trust strategy and set a deadline for the end of fiscal year 2024 for agencies to meet specific cybersecurity standards. While that deadline has passed, work is ongoing to achieve full implementation.
CISA's zero trust maturity model
To guide this process, the Cybersecurity and Infrastructure Security Agency (CISA) developed the Zero Trust Maturity Model. This framework provides a roadmap for agencies to transition from a ‘Traditional’ security posture to ‘Optimal’ zero trust capabilities. It helps agencies assess their current state and plan for incremental improvements across each of the five pillars.
The five-pillar framework explained
The federal strategy organizes zero trust architecture around five core pillars. These are supported by three cross-cutting capabilities: Visibility and Analytics, Automation and Orchestration, and Governance. The following table outlines the function of each pillar.
| Pillar | Function |
|---|---|
| Identity | Verifying users through strong authentication and identity management |
| Devices | Inventorying and monitoring the security posture of all agency assets |
| Networks | Segmenting and encrypting network traffic to limit lateral movement |
| Applications | Treating all applications as internet-connected and testing them rigorously |
| Data | Categorizing, labeling, and protecting information with automated responses |
The five pillars of federal zero trust architecture
Identity: The foundation of federal zero trust
Identity serves as the cornerstone of any zero trust architecture. Without robust identity verification, all other security controls become vulnerable to bypass. Federal agencies must implement multiple layers of identity protection to meet OMB M-22-09 requirements and achieve CISA maturity model standards.
Key identity security requirements include:
- Phishing-resistant MFA: Traditional MFA methods like SMS codes or push notifications remain vulnerable to phishing and social engineering attacks. Phishing-resistant MFA requires physical authentication factors—such as FIDO2 security keys or PIV cards—that cryptographically verify the user’s identity and cannot be remotely stolen or replicated by attackers.
- Centralized identity management: Agencies must consolidate identity systems to enable consistent policy enforcement across all applications and resources. This includes integrating legacy systems with modern Identity and Access Management (IAM) platforms.
- Continuous authentication: Rather than authenticating once at login, zero trust requires ongoing verification throughout a user’s session based on behavioral analytics, device posture, and risk signals.
- Least privilege access: Users should only receive the minimum permissions necessary to perform their duties, with access rights regularly reviewed and automatically revoked when no longer needed.
Despite these controls, identity remains the primary attack vector. Compromised credentials from third-party breaches and infostealer malware continue to give threat actors unauthorized access to federal systems, making proactive credential monitoring essential.
Devices: Managing federal endpoints and assets
The Devices pillar requires agencies to maintain comprehensive visibility and control over all endpoints accessing federal resources. This includes government-issued laptops, mobile devices, IoT sensors, and increasingly, personal devices used by remote workers and contractors.
OMB M-22-09 mandates that agencies must:
- Maintain complete device inventories: Every device accessing agency resources must be cataloged, tracked, and continuously monitored. This inventory should include hardware specifications, installed software, security configurations, and current patch levels.
- Deploy endpoint detection and response (EDR): Agencies must implement EDR solutions that provide real-time monitoring, threat detection, and automated response capabilities across all managed endpoints. EDR tools help identify suspicious behavior patterns that may indicate compromise.
- Enforce device health checks: Before granting access, systems must verify that devices meet minimum security standards—including up-to-date patches, active antivirus protection, and proper encryption.
- Address BYOD and unmanaged device risks: Personal devices and contractor-owned endpoints create significant blind spots. While agencies may not have full control over these devices, they must still assess their risk and limit their access to sensitive resources.
The challenge intensifies when employees use personal devices for work-related tasks. Infostealer malware on these unmanaged endpoints can exfiltrate credentials that provide access to federal systems, creating a critical security gap that traditional endpoint security cannot address.
Networks: Encrypting and segmenting federal traffic
The Networks pillar fundamentally reimagines how agencies approach network security. Rather than relying on perimeter defenses that assume internal traffic is trustworthy, zero trust requires agencies to encrypt and authenticate all network communications regardless of origin.
Federal network security requirements include:
- Network segmentation: Agencies must divide their networks into isolated segments, limiting lateral movement if an attacker gains initial access. Critical systems should be separated from general-use networks, with strict access controls between segments.
- Traffic encryption mandates: All network traffic—both internal and external—must be encrypted using modern protocols like TLS 1.3. This prevents eavesdropping and man-in-the-middle attacks, even on internal networks.
- Microsegmentation: Advanced agencies are moving toward microsegmentation, which creates granular security zones around individual workloads or applications. This approach limits the blast radius of any compromise to a minimal set of resources.
- DNS security: Agencies must implement DNS filtering and monitoring to detect and block malicious domains, preventing command-and-control communications and data exfiltration attempts.
This shift away from perimeter-based security acknowledges that threats can originate from anywhere, including from compromised credentials used by remote workers or contractors accessing systems from outside traditional network boundaries.
Applications and workloads: Securing federal systems
The Applications pillar requires agencies to treat all applications as internet-facing and potentially vulnerable, regardless of where they’re hosted. This represents a significant departure from legacy approaches that assumed applications on internal networks were inherently protected.
Key application security requirements include:
- Assume internet connectivity: Even applications that aren’t directly exposed to the internet must be secured as if they were. This means implementing authentication, authorization, and encryption for all application access.
- Continuous security testing: Agencies must conduct regular vulnerability assessments, penetration testing, and code reviews for all applications. Security cannot be a one-time checkpoint but must be integrated throughout the development lifecycle.
- Third-party application risk management: Many federal agencies rely on commercial software and SaaS applications. Agencies must assess the security posture of these vendors, monitor for vulnerabilities, and ensure proper integration with identity and access controls.
- API security: As agencies modernize their systems, APIs become critical integration points. These must be properly authenticated, rate-limited, and monitored for abuse.
- Application-level access controls: Rather than granting broad network access, agencies should implement application-aware policies that grant access to specific applications based on user identity, device posture, and contextual risk factors.
Compromised credentials remain a primary threat to application security. When attackers steal valid user credentials, they can access applications just as legitimate users would, bypassing many traditional security controls.
Data: Protecting federal information assets
The Data pillar focuses on protecting the ultimate target of most cyberattacks: sensitive government information. Zero trust requires agencies to know where their data resides, who can access it, and how it’s being used—then enforce protections accordingly.
Federal data protection requirements include:
- Data categorization and labeling: Agencies must classify all data based on sensitivity levels and apply appropriate labels. This enables automated policy enforcement and helps users understand handling requirements.
- Encryption at rest and in transit: All sensitive data must be encrypted using approved cryptographic standards, both when stored and when transmitted across networks.
- Automated data loss prevention (DLP): Agencies must deploy DLP solutions that automatically detect and block unauthorized data transfers. These systems should monitor email, cloud storage, removable media, and other exfiltration vectors.
- Access logging and monitoring: Every data access attempt must be logged and analyzed for anomalous patterns that may indicate unauthorized access or insider threats.
- Data exposure monitoring: Beyond protecting data within agency systems, security teams must monitor for exposed data in external breaches and on the criminal underground.
This is where SpyCloud provides critical value. When federal data appears in third-party breaches or is exfiltrated by infostealer malware, agencies need immediate visibility to assess the scope of exposure and take remediation action. SpyCloud’s darknet intelligence helps agencies discover exposed .gov credentials, session tokens, and other sensitive data before threat actors can weaponize it against federal systems.
Why federal zero trust implementations fall short
Even with a defined framework, federal agencies face significant hurdles in achieving a mature zero trust posture. Many implementations fall short because they fail to account for the sophisticated, identity-focused tactics used by modern threat actors.
The limits of multi-factor authentication
While enforcing MFA is a critical layer of security, it is a preventive measure that adversaries can bypass. Modern infostealer malware is designed to siphon authentication data, including web session cookies and tokens. With this information, criminals can hijack an active, authenticated session, gaining access without needing a password or an MFA code.
Session Hijacking: This technique allows an attacker to take over a validated user session by stealing the session cookie from the user’s browser, effectively impersonating the user without needing their credentials.
Password policy challenges in government agencies
Poor password hygiene continues to plague government agencies. SpyCloud reports that weak password hygiene persists among .gov users—for example, 67% of .gov passwords were exposed in two or more breaches in the last year—meaning a single compromised credential can increase risk across multiple systems. Enforcing strong, unique passwords across vast organizations is a persistent challenge.
The malware blind spot in federal security
To increase MFA’s effectiveness, agencies must prepare for malware that operates beyond traditional endpoint security. Infostealer malware often infects employees’ personal devices, exfiltrating credentials used for both personal and professional accounts. This creates a significant blind spot outside the secured government network.
The speed-of-detection problem
Recapturing data early is critical to mitigating attacks. The later breach or malware data is discovered, the wider the exposure window for cyberattacks. A mature zero trust strategy requires closing this gap between compromise and detection.
How darknet intelligence strengthens federal zero trust
A mature zero trust strategy must proactively secure user identities by preparing for the limits of preventive measures. By leveraging intelligence from the criminal underground, agencies can address implementation gaps and gain a decisive advantage.
Early detection of compromised federal credentials
SpyCloud provides access to the most current and actionable data recaptured directly from criminal sources. This allows security teams to detect exposed .gov credentials from third-party breaches and malware infections. This early warning enables proactive password resets before criminals have a chance to use them.
Discovering malware-infected government devices
Darknet intelligence reveals devices, including personal and unmanaged contractor endpoints, that have been infected with credential-stealing malware. By identifying these infected devices through the data they exfiltrate, agencies gain visibility into a critical threat vector. This helps satisfy the requirements of the Devices pillar.
Automated remediation for faster response
The speed at which exposed data is recaptured makes it possible to automate remediation. Through API integrations with Identity and Access Management (IAM) systems, SpyCloud enables automated workflows. Implementing automated remediation through IAM integrations can reduce incident lifecycles by nearly 100 days, significantly shrinking the window of exposure.
Examples of IAM integrations include:
- Active Directory
- Okta
- Entra ID (formerly Azure AD)
Federal zero trust implementation frameworks and resources
Agencies can refer to several key documents to guide their implementation efforts:
- CISA Zero Trust Maturity Model: A roadmap for incremental implementation across the five pillars.
- NIST SP 800-207: The foundational technical document defining zero trust architecture.
- DoD Zero Trust Strategy: Specific guidance for Department of Defense components.
- OMB M-22-09: The executive memorandum establishing the federal strategy.
Strengthen your agency's zero trust strategy with SpyCloud
It is critical that federal agencies and contractors have comprehensive identity protection to strengthen their zero trust strategy. By providing early warning of exposed credentials and malware-infected devices, SpyCloud helps agencies close security gaps and build a resilient zero trust architecture.
Learn how insights from the darknet can help protect your federal agency and enable zero trust strategies
FAQs
It is a U.S. government mandate requiring federal agencies to adopt a ‘never trust, always verify’ security model, moving away from traditional perimeter defenses.
The five pillars are Identity, Devices, Networks, Applications & Workloads, and Data, which represent the core areas of focus for securing federal systems.
Zero trust continuously verifies every access attempt, while traditional security automatically trusts users and devices once they are inside the network perimeter.
Identity is the foundation because stolen credentials are the primary vector for cyberattacks; if an attacker can impersonate a user, other security controls may fail.
Malware can steal active session cookies from a user’s browser, allowing an attacker to hijack an authenticated session without needing a password or MFA code.
No. Password resets do not invalidate OAuth refresh tokens in most default IdP configurations. An attacker in possession of a refresh token can continue minting new access tokens silently, often for up to 90 days and even after the victim changes their password, unless the refresh token is explicitly revoked via the token revocation API or a sign-in risk policy that forces re-authentication. Effective remediation requires identifying the compromised token, revoking it directly, and reviewing all device registrations and inbox rules created during the attacker’s access window.