RegScale Now Supports Zero Trust for OMB M-22-09

February 12, 2022 | By J. Travis Howerton
Zero Trust

The Office of Management and Budget (OMB) Management Directive M-22-09 sets forth a Federal Zero Trust Architecture (ZTA) strategy, requiring agencies to meet specific cybersecurity standards and objectives by the end of Fiscal Year (FY) 2024 in order to reinforce the Government’s defenses against increasingly sophisticated and persistent threat campaigns. Those campaigns target Federal technology infrastructure, threatening public safety and privacy, damaging the American economy, and weakening trust in Government.

At RegScale, we give agencies easy and free tools to get started with building an M-22-09-compliant ZTA strategy, with support for tracking policies, related assessments, architecture drawings, evidence collection, issues management/performance improvement, and other related workflows. As of February 12, 2022, RegScale officially supports OMB M-22-09 as a catalog within our platform, with automated tools/wizards for building Zero Trust Architecture plans. In addition, we have published multiple machine-readable formats of OMB M-22-09, including raw JSON and NIST OSCAL, that are available upon request. These artifacts are freely available for others to reuse in their own ZTA programs.

We believe that Zero Trust has become the de facto standard over time as organizations have realized that their expensive, labor-intensive compliance documentation provides zero assurance relative to risk. Everyone knows that the paperwork quickly becomes out of date as environments evolve, that work as imagined on paper seldom matches work in practice in the real world, and that maintaining all of this paperwork is unsustainable in a cloud-first world. Until recently, however, there hasn’t been a better way to do it. This disconnect, and the need for continuous assurance, is exactly why we built the RegScale platform. We imagine a future where everything is API-driven, paperwork updates itself through connections to continuous monitoring systems, audits are performed by machines instead of people, changes in risk are detected and managed in near real time instead of after the fact when an audit fails, and Authorization to Operate (ATO) packages become continuous instead of point-in-time snapshots.

To make this future a reality, RegScale has designed and implemented the leading set of continuous compliance automation features in the market, which include:

  • Real-time APIs for collecting data from continuous monitoring systems
  • AI and machine-readable approaches to ingesting any compliance framework (NIST, ISO, etc.), with support for over 70 frameworks today (and growing)
  • Industry-leading support for NIST OSCAL at the catalog, profile, system security plan, component, SAP, SAR, and POAM levels for machine-readable audits and compliance checks
  • Support for both manual and automated assessments in a single platform to provide high assurance and complete coverage
Schedule a free demo today to learn how RegScale can help you continuously meet your ZTA strategy while providing higher assurance in your overall architecture. If you are ready to start automating your processes for creating and managing Zero Trust requirements, this demo will also show how you can leverage RegScale to deliver continuous assurance as the ultimate complement to your ZTA. In addition to offering free tools, we have experienced engineers and architects who can assist you in creating robust ZTA architectures that will help you pass audits and prevent attacks. With RegScale, our customers get software with a service, providing a concierge-like experience for achieving ZTA objectives.
