Zero Trust at the device layer requires evidence, not architecture diagrams.
OMB Memorandum M-22-09 set a 2024 deadline for agencies to implement a federal zero-trust architecture. By 2025 the conversation moved past strategy and into evidence — agencies need to show, continuously, that they know every device on the network. The Devices pillar in CISA's Zero Trust Maturity Model 2.0 is where that evidence lives.
What the Devices pillar actually asks for
CISA Zero Trust Maturity Model 2.0 (April 2023) defines five pillars: Identity, Devices, Networks, Applications and Workloads, and Data. The Devices pillar covers asset discovery, device inventory, configuration management, and policy enforcement at the device level.
The maturity progression on Devices runs Traditional → Initial → Advanced → Optimal. The "Initial" line for asset discovery requires a continuously updated inventory of all connected assets — managed and unmanaged. "Advanced" requires automated discovery and risk scoring. "Optimal" requires automated, real-time inventory with deviation alerting.
The gap most agencies hit at "Initial" is the same one that surfaced in CDM: the inventory only covers hardware the agency knows it provisioned. Lab equipment, contractor laptops, building systems, conference-room gear, and devices brought to the LAN through side channels do not show up. That gap is what the Devices pillar maturity progression is designed to close, and it's where CybrIQ deploys.
Continuous device discovery from switch-side signals
Every managed switch on the network produces signals about every device connected to it — link negotiation pattern, MAC OUI, LLDP/CDP advertisements, port statistics, VLAN context. CybrIQ reads those signals through read-only switch access via SNMP, combines them into a Layer-1 device fingerprint, and matches that fingerprint against a 750-million-device reference library to identify the device family and model class. The process repeats continuously; new devices appear within one polling cycle.
This produces the inventory the Devices pillar requires: complete, continuously updated, covering every device whether or not the agency provisioned it. The data feeds the agency's existing reporting — CDM HWAM, the ZTMM dashboard, the SIEM — through syslog (RFC 5424) and a REST API.
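The discovery-to-reporting flow above, and the "Optimal" deviation alerting the maturity progression calls for, can be illustrated end to end with a small worked example. This is an added example, not CybrIQ's code or data: the per-port observations stand in for values a read-only SNMP poll would return (MAC table, LLDP system description, VLAN, negotiated link), the OUI table and classification rules are tiny constructed stand-ins for a device reference library, the inventory is a stand-in for the agency's existing CDM HWAM records, and the collector hostname and enterprise number in the syslog output are placeholders. The example goes slightly beyond the text by also flagging a known device that reappears on a different switch port, since that is the kind of deviation a SIEM or NAC consuming the feed would want to see.

```python
# Added example: inventory deviation alerting from switch-side observations.
# All data is constructed: PortObservation stands in for per-port values a
# read-only SNMP poll returns, OUI_TABLE for a device reference library, and
# KNOWN_INVENTORY for the agency's existing hardware inventory (e.g. CDM HWAM).
from dataclasses import dataclass

OUI_TABLE = {"00:1B:63": "Apple", "00:50:56": "VMware", "B8:27:EB": "Raspberry Pi Foundation"}

@dataclass(frozen=True)
class PortObservation:
    switch: str
    port: str
    mac: str
    vlan: int
    speed_mbps: int
    full_duplex: bool
    lldp_sysdesc: str = ""  # empty when the endpoint sends no LLDP/CDP

@dataclass(frozen=True)
class Fingerprint:
    mac: str
    vendor: str
    link: str          # negotiated speed/duplex, e.g. "100M-FD"
    device_class: str

def fingerprint(obs):
    """Combine OUI, link negotiation and LLDP text into a coarse device class
    (the rules are constructed heuristics, not a real reference library)."""
    mac = obs.mac.upper()
    vendor = OUI_TABLE.get(mac[:8], "unknown")
    link = f"{obs.speed_mbps}M-{'FD' if obs.full_duplex else 'HD'}"
    if vendor == "VMware":
        device_class = "virtual machine"
    elif vendor == "Raspberry Pi Foundation":
        device_class = "single-board computer"
    elif obs.speed_mbps <= 100 and not obs.lldp_sysdesc:
        device_class = "embedded/IoT (no LLDP, low-speed link)"
    else:
        device_class = "general endpoint"
    return Fingerprint(mac, vendor, link, device_class)

def reconcile(inventory, observations):
    """One polling cycle vs. the inventory -> (never-seen devices, devices on a new switch/port)."""
    new, moved = [], []
    for obs in observations:
        fp = fingerprint(obs)
        known = inventory.get(fp.mac)
        if known is None:
            new.append((obs, fp))
        elif (known["switch"], known["port"]) != (obs.switch, obs.port):
            moved.append((obs, fp, known))
    return new, moved

def _sd_escape(value):
    """Escape the three characters RFC 5424 requires escaped in SD-PARAM values."""
    return str(value).replace("\\", "\\\\").replace('"', '\\"').replace("]", "\\]")

def syslog_5424(severity, timestamp, hostname, msgid, params, msg, facility=16):
    """Build one RFC 5424 line: facility 16 is local0; enterprise number 32473 is the
    value RFC 5612 reserves for documentation, used here as a placeholder SD-ID."""
    pri = facility * 8 + severity
    sd = " ".join(f'{k}="{_sd_escape(v)}"' for k, v in params.items())
    return f"<{pri}>1 {timestamp} {hostname} discovery - {msgid} [device@32473 {sd}] {msg}"

def alerts_for_cycle(inventory, observations, timestamp, hostname="discovery-collector"):
    """Turn one cycle's deviations into syslog lines a SIEM or NAC can consume."""
    new, moved = reconcile(inventory, observations)
    lines = []
    for obs, fp in new:  # severity 4 (warning): hardware the inventory has never seen
        params = {"mac": fp.mac, "vendor": fp.vendor, "class": fp.device_class,
                  "switch": obs.switch, "port": obs.port, "vlan": obs.vlan, "link": fp.link}
        lines.append(syslog_5424(4, timestamp, hostname, "DEV_NEW", params,
                                 f"unknown device {fp.mac} ({fp.vendor}, {fp.device_class}) "
                                 f"on {obs.switch} {obs.port} vlan {obs.vlan}"))
    for obs, fp, known in moved:  # severity 5 (notice): known device, unexpected location
        params = {"mac": fp.mac, "from": f"{known['switch']}/{known['port']}",
                  "to": f"{obs.switch}/{obs.port}", "vlan": obs.vlan}
        lines.append(syslog_5424(5, timestamp, hostname, "DEV_MOVED", params,
                                 f"known device {fp.mac} moved to {obs.switch} {obs.port}"))
    return lines

# Constructed sample: two devices the inventory records, one polling cycle in which
# one is unchanged, one has moved to another switch, and one was never seen before.
KNOWN_INVENTORY = {
    "00:1B:63:AA:BB:01": {"switch": "sw-core-1", "port": "Gi1/0/1"},
    "00:50:56:11:22:33": {"switch": "sw-core-1", "port": "Gi1/0/5"},
}
POLL = [
    PortObservation("sw-core-1", "Gi1/0/1", "00:1b:63:aa:bb:01", 10, 1000, True),
    PortObservation("sw-core-2", "Gi1/0/7", "00:50:56:11:22:33", 10, 1000, True, "VMware ESXi"),
    PortObservation("sw-core-1", "Gi1/0/12", "b8:27:eb:12:34:56", 30, 100, True),
]

if __name__ == "__main__":
    for line in alerts_for_cycle(KNOWN_INVENTORY, POLL, "2025-03-01T09:15:00Z"):
        print(line)
```

Running the script emits two RFC 5424 lines, a DEV_NEW warning for the single-board computer on Gi1/0/12 and a DEV_MOVED notice for the VMware host now seen on sw-core-2. The structured-data block carries the fields a NAC policy or SIEM rule would key on (MAC, vendor, class, switch, port, VLAN), so the same event can drive a quarantine decision and populate the inventory dashboard without parsing free text; a real collector would also age out devices absent for several cycles, which is left out here.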
What CybrIQ supports compliance with
- EO 14028 — Executive Order on Improving the Nation's Cybersecurity, Section 3 (modernizing federal cybersecurity).
- OMB M-22-09 — Federal Zero Trust Strategy. Devices pillar implementation evidence.
- CISA ZTMM 2.0 — Pillar 2 (Devices), Asset Discovery and Inventory functions.
- NIST SP 800-53 Rev. 5 — CM-8 (System Component Inventory), CM-8(1), CM-8(2), CM-8(3) — automated maintenance, discovery, and authorized-component checks.
- NIST SP 800-207 — Zero Trust Architecture, Section 3 (logical components, including a Policy Information Point with device inventory).
- NIST CSF 2.0 — ID.AM-1, ID.AM-2 (asset identification).
Device inventory is the input to device-trust policy
The Identity pillar (Pillar 1) authenticates users; the Devices pillar (Pillar 2) authenticates and inventories devices; the Networks pillar (Pillar 3) enforces access policy. The flow is one-directional: you cannot enforce a device-trust policy on hardware your inventory does not see. The Devices pillar is the constraint on the rest of the model.
CybrIQ feeds device inventory and Device DNA™ fingerprints into the agency's existing identity and access infrastructure through syslog, REST, and direct integrations with NAC platforms (Cisco ISE, Forescout, Aruba ClearPass). When a device appears on the network that the inventory has never seen, the NAC has the evidence to quarantine, log, or pass it through — based on policy the agency owns.
Deployment posture for federal evaluators
Schedule a Zero Trust Devices briefing
A 30-minute session: we walk the Devices-pillar maturity progression against your environment, the M-22-09 evidence you're producing today, and the gaps your IG would find.
Request briefing