NSA sets phased Zero Trust enforcement maturity plan
The National Security Agency has released two phases of Zero Trust enforcement guidance, with a focus on reaching a target level of maturity defined by the Department of War.
Brian Soby, Chief Technology Officer and Co-Founder of AppOmni, said the guidance emphasised continuous checks during user sessions, coordinated policy enforcement, and stronger behavioural analytics.
Continuous checks
"Continuous evaluation has to happen after login, not just at login. The guidance pushes maturity beyond 'authenticate, then trust,' toward ongoing decisions driven by what the user is doing, what privileges are being requested, and what resources are being touched. That matters because the attacks that are winning right now are post-auth. Device posture and login checks are necessary, but against modern SaaS compromise they can be largely performative if you cannot detect abuse happening inside the session, inside the application," said Brian Soby, Chief Technology Officer and Co-Founder, AppOmni.
Policy coordination
Soby said the guidance treated Zero Trust as an operating model rather than a product. He pointed to the role of policy decision points and policy enforcement points in that model.
"Orchestration of policy decision points (PDPs) and policy enforcement points (PEPs) must be a core capability. A major theme in the guidance is that Zero Trust is an operating model, not a product. Policies have to be centrally defined, consistently applied, continuously assessed, and enforced through coordinated policy decision points and policy enforcement points, with real-time monitoring and automation to adapt as conditions change. That's exactly right. Without orchestration, you get static controls that drift out of alignment and fail under real adversary pressure," said Soby.
Behaviour analytics
The guidance also addressed user and entity behaviour analytics, often referred to as UEBA. Soby said organisations needed to focus on behaviour inside applications rather than relying on generic indicators.
"Meaningful UEBA requires understanding real activity, not generic signals. The guidance clearly leans into behavior baselining, analytics, and context enrichment so that anomalies are detected based on behavioral patterns and resource access, not just simplistic indicators like login location. That's the right direction. 'We saw a new IP' is a weak signal. The higher-signal story is what happened in the application: privilege use, data access, configuration changes, creation of integrations, unusual exports, and lateral movement across SaaS capabilities," said Soby.
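The three points quoted above (evaluation on every action after login, coordinated policy decision and enforcement points, and anomaly detection from in-application behaviour rather than login location) fit together in a small model. The following is an added example written for this article; it is not code from the NSA guidance or from AppOmni. A policy decision point (PDP) is consulted for each action inside an already authenticated SaaS session, enriched with a per-user behaviour baseline, and a policy enforcement point (PEP) applies the decision. The users, resources, record counts, the high-risk action list and the volume threshold are all constructed for illustration.

```python
"""Per-action policy decisions inside an authenticated session, enriched with a
behaviour baseline.

Added example, not code from the NSA guidance or from AppOmni. Users, resources,
record counts and thresholds are constructed for illustration.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass, field

# Actions the PDP always treats as high impact (assumption for this example).
HIGH_RISK_ACTIONS = {"export", "create_integration", "grant_role", "change_config"}
# A request touching more than this multiple of the user's largest previous
# request counts as a volume anomaly (assumption for this example).
VOLUME_FACTOR = 3

# Constructed historical audit events: (user, action, resource, record_count).
BASELINE_EVENTS = [
    ("alice", "read", "crm/accounts", 40),
    ("alice", "read", "crm/accounts", 55),
    ("alice", "update", "crm/contacts", 3),
    ("alice", "export", "crm/reports", 200),   # alice exports reports routinely
    ("bob", "read", "hr/records", 10),
    ("bob", "read", "hr/records", 12),
    ("bob", "update", "hr/records", 1),
]

# Constructed events from sessions that already passed login and device checks.
SESSION_EVENTS = [
    ("alice", "read", "crm/accounts", 48),            # normal
    ("alice", "export", "crm/reports", 180),          # routine export, flag only
    ("alice", "export", "crm/accounts", 5000),        # bulk export, far above baseline
    ("bob", "read", "hr/records", 11),                # normal
    ("bob", "create_integration", "oauth/apps", 1),   # never seen from bob
    ("bob", "update", "hr/records", 50),              # known action, unusual volume
]


@dataclass
class Baseline:
    """What a user normally does: actions seen and the largest request size."""
    actions: Counter = field(default_factory=Counter)
    max_records: int = 0

    def observe(self, action, count):
        self.actions[action] += 1
        self.max_records = max(self.max_records, count)


def build_baselines(events):
    baselines = defaultdict(Baseline)
    for user, action, _resource, count in events:
        baselines[user].observe(action, count)
    return baselines


def decide(baseline, action, count):
    """PDP: evaluate one in-session action against the user's baseline.

    Returns (decision, reasons); decision is 'allow', 'alert', 'step_up' or 'deny'.
    """
    anomalies = []
    if action not in baseline.actions:
        anomalies.append(f"first-seen action '{action}'")
    if count > VOLUME_FACTOR * max(baseline.max_records, 1):
        anomalies.append(
            f"{count} records exceeds {VOLUME_FACTOR}x baseline of {baseline.max_records}")
    high_risk = action in HIGH_RISK_ACTIONS
    if high_risk and anomalies:
        return "deny", anomalies
    if anomalies:
        return "step_up", anomalies           # e.g. re-authenticate before proceeding
    if high_risk:
        return "alert", ["high-risk action within the user's baseline"]
    return "allow", []


def enforce(events, baselines):
    """PEP: apply the PDP's decision to every event and record the outcome.

    Only fully allowed actions feed back into the baseline, so flagged or
    denied behaviour does not quietly become the new normal.
    """
    outcomes = []
    for user, action, resource, count in events:
        decision, reasons = decide(baselines[user], action, count)
        if decision == "allow":
            baselines[user].observe(action, count)
        outcomes.append((user, action, resource, decision, reasons))
    return outcomes


def run_session():
    return enforce(SESSION_EVENTS, build_baselines(BASELINE_EVENTS))


if __name__ == "__main__":
    for user, action, resource, decision, reasons in run_session():
        print(f"{decision:8} {user:6} {action:19} {resource:14} {'; '.join(reasons)}")
```

The point of the split between `decide` and `enforce` is the one Soby makes: the decision logic is defined once and consulted on every action, while the application-side enforcement point simply applies it. Login location never enters the decision; what drives it is the action, the resource and how far the request departs from what that identity normally does. In a real deployment the baseline would be learned from the application's own audit log and the thresholds tuned per application, but the shape of the evaluation is the same.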
Common gaps
Soby said the guidance covered the major components of a Zero Trust model, but he argued that many deployments still missed key elements.
"The guidance doesn't miss any components, but most organizations' implementations of Zero Trust are missing the core points of Zero Trust:
1) "Organizations over-center on ZTNA (Zero Trust Network Access), and ZTNA-only architectures are easy to bypass.
"A common implementation mistake is treating Zero Trust as 'we bought ZTNA, so we're done.' ZTNA only controls access to an application. The guidance repeatedly signals that Zero Trust needs application-aware telemetry, behavior context, and adaptive policy, which implies you must address the application layer itself. Recent breach patterns show attackers going straight to SaaS or leveraging supply chain integrations and post-auth workflows to steal data, rendering the organization's ZTNA, IdP, etc. completely irrelevant.
2) "Organizations fail to recognize that each application is its own policy decision point and policy enforcement point.
"This is the core point that gets ignored. The guidance treats policy decision points and policy enforcement points as essential building blocks that must be coordinated. The problem is that many organizations pretend the only real decision and enforcement happens at the identity provider or a proxy. In reality, every application, SaaS or otherwise, is itself a policy decision point and policy enforcement point. The application decides what a user, integration, service account, or agent can do, and it enforces that decision. This is especially true for identities that never traverse the enterprise front door at all, including customers, partners, external collaborators, integrations, and non-human identities.
"Any Zero Trust architecture that leaves visibility and management of the application PDPs and PEPs out of the architecture is expensive and grossly insufficient. It is a predictable recipe for bypass and poor ROI."
The NSA guidance sets out enforcement expectations for Zero Trust controls in phases, and future phases are expected to expand coverage across additional technical domains and operational practices.