An official website of the United States government
Here's how you know
A .gov website belongs to an official government organization in the United States.
A lock (lock ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

Press Release | March 14, 2023

NSA Releases Recommendations for Maturing Identity, Credential, and Access Management in Zero Trust

FORT MEADE, Md. - The National Security Agency (NSA) released the “Advancing Zero Trust Maturity throughout the User Pillar” Cybersecurity Information Sheet (CSI) today to help system operators’ mature identity, credential, and access management (ICAM) capabilities to effectively mitigate certain cyber threat techniques.

Cybersecurity incidents are on the rise due to immature capabilities in identity, credential, and access management (ICAM) of national security, critical infrastructure, and Defense Industrial Base (DIB) systems. The Zero Trust model limits access to only what is needed and assumes that a breach is inevitable or already occurred. Adoption of a Zero Trust cybersecurity framework is part of the National Cybersecurity Strategy and is directed by the President’s Executive Order on Improving the Nation’s Cybersecurity (EO 14028) and National Security Memorandum 8 (NSM-8), for Federal Civilian Executive Branch (FCEB) agencies and National Security System (NSS) owners and operators.

NSA is assisting DoD customers in integrating the Zero Trust framework within NSS, Department of Defense (DoD), and DIB environments. Upcoming additional guidance will help organize, guide, and simplify incorporating Zero Trust principles and designs into enterprise networks.

To achieve a mature Zero Trust framework, systems must integrate and harmonize the capabilities from the following seven pillars: user, device, data, application/workload, network/environment, visibility and analytics, and automation and orchestration. The CSI expands on the “Embracing a Zero Trust Security Model” CSI published in 2021, by defining capability and maturity levels for the user pillar.

“Malicious cyber actors increasingly exploit gaps and immature capabilities in the identity, credential, and access management of our nation’s most critical systems,” said Kevin Bingham, Critical Government Systems, Zero Trust Lead. “Our report provides recommendations that will help system operators strengthen identity protections to limit the damage of future compromises.”

NSA strongly recommends NSS owners and operators build up ICAM and operational practices of their enterprise, working through the outlined capabilities toward the advanced maturity level.
Read the full report here.
Version 1.1 corrects the quote to data directly from Verizon’s 2020 Data Breach Investigations Report instead of the version 1.0 quote that was from’s discussion on Verizon’s 2020 report.
Visit our full library for more cybersecurity information and technical guidance.
NSA Media Relations