The U.S. government continues to push for stronger cybersecurity standards as demonstrated by Executive Order (EO) 14144. Signed on January 16, 2025, this order builds on previous cybersecurity directives by enhancing Zero Trust adoption, securing identity and access management, and strengthening software supply chain security.
Explore EO 14144’s key mandates and how Pomerium’s Zero Trust approach addresses these requirements below.
EO 14144 reinforces the government’s commitment to Zero Trust Architecture (ZTA), requiring agencies to move away from perimeter-based security in favor of continuous verification. The order acknowledges that authenticated connections are not inherently trustworthy and mandates that agencies adopt security measures that assess identity, posture, and context before granting access.
Sec. 7. Aligning Policy to Practice.
(B) revise OMB Circular A–130 to be less technically prescriptive in key areas, where appropriate, to more clearly promote the adoption of evolving cybersecurity best practices across Federal systems, and to include migration to zero trust architectures and implementation of critical elements such as EDR capabilities, encryption, network segmentation, and phishing-resistant multi-factor authentication;
Pomerium is built on Zero Trust security principles, evaluating and verifying every access request instead of assuming that a user within the network is trusted. This mitigates risks associated with stolen credentials, insider threats, and lateral movement within networks.
The order calls for strong authentication measures across federal systems, requiring agencies to adopt phishing-resistant authentication methods such as WebAuthn and hardware security tokens. It also mandates robust identity verification to prevent unauthorized access and credential-based attacks.
Sec. 3: Improving the Cybersecurity of Federal Systems.
(a) The Federal Government must adopt proven security practices from industry—to include in identity and access management—in order to improve visibility of security threats across networks and strengthen cloud security.
(b) To prioritize investments in the innovative identity technologies and processes of the future and phishing-resistant authentication options, FCEB agencies shall begin using, in pilot deployments or in larger deployments as appropriate, commercial phishing-resistant standards such as WebAuthn, building on the deployments that OMB and CISA have developed and established since the issuance of Executive Order 14028. These pilot deployments shall be used to inform future directions for Federal identity, credentialing, and access management strategies.
(c) The Federal Government must maintain the ability to rapidly and effectively identify threats across the Federal enterprise… To enable identification of threat activity, CISA’s capability to hunt for and identify threats across FCEB agencies under 44 U.S.C. 3553(b)(7) must be strengthened.
Pomerium integrates seamlessly with existing identity providers, enabling organizations to enforce strong authentication and access policies. By implementing fine-grained, identity-aware access control, Pomerium ensures that users are authenticated and authorized in real time, using contextual factors such as device posture, location, and risk level.
The executive order emphasizes protecting sensitive federal data and reducing the risks of third-party exposure. Agencies are required to enhance data sovereignty, ensuring that sensitive information remains under strict organizational control.
Sec. 2. Operationalizing Transparency and Security in Third-Party Software Supply Chains.
(b) ...The Federal Government needs to adopt more rigorous third-party risk management practices and greater assurance that software providers that support critical Government services are following the practices to which they attest.
Sec. 5. Solutions to Combat Cybercrime and Fraud.
(iv) Agencies should, consistent with applicable law, seek to ensure that digital identity documents accepted as digital identity verification evidence to access public benefits programs [...] (B) do not enable authorities that issue digital identity documents, device manufacturers, or any other third party to surveil or track presentation of the digital identity document, including user device location at the time of presentation.
Pomerium’s self-hosted deployment model allows organizations to maintain full control over their infrastructure, whether on-premises or in a private cloud. Unlike traditional cloud-based access solutions, Pomerium does not require routing traffic through external services, preserving data residency, minimizing latency, and maintaining compliance with regulatory frameworks.
Rather than relying on one-time authentication, the executive order requires continuous monitoring and verification of access requests. Access decisions must account for real-time security context, ensuring that permissions remain valid throughout a session.
Sec. 3: Improving the Cybersecurity of Federal Systems.
(e) As cybersecurity threats to space systems increase, these systems and their supporting digital infrastructure must be designed to adapt to evolving cybersecurity threats and operate in contested environments. In light of the pivotal role space systems play in global critical infrastructure and communications resilience, and to further protect space systems and the supporting digital infrastructure vital to our national security, including our economic security, agencies shall take steps to continually verify that Federal space systems have the requisite cybersecurity capabilities through actions including continuous assessments, testing, exercises, and modeling and simulation.
Pomerium continuously evaluates access requests based on real-time conditions. If a user’s risk posture changes—such as a device moving to an untrusted network—Pomerium can dynamically revoke access, preventing session hijacking or credential theft from leading to unauthorized actions.
EO 14144 stresses operational efficiency, directing agencies to reduce complexity in security deployments. Solutions must be scalable, interoperable, and easy to manage without introducing excessive overhead.
Sec. 5. Solutions to Combat Cybercrime and Fraud.
...It is the policy of the executive branch to strongly encourage the acceptance of digital identity documents to access public benefits programs that require identity verification, so long as it is done in a manner that preserves broad program access for vulnerable populations and supports the principles of privacy, data minimization, and interoperability.
…
(iv) Agencies should, consistent with applicable law, seek to ensure that digital identity documents accepted as digital identity verification evidence to access public benefits programs:
(A) are interoperable with relevant standards and trust frameworks, so that the public can use any standards-compliant hardware or software containing an official Government-issued digital identity document, regardless of manufacturer or developer;
(C) support user privacy and data minimization by ensuring only the minimum information required for a transaction—often a “yes” or “no” response to a question, such as whether an individual is older than a specific age—is requested from the holder of the digital identity document.
(b) The use of “Yes/No” validation services, also referred to as attribute validation services, can enable more privacy-preserving means to reduce identity fraud. These services allow programs to confirm, via a privacy-preserving “yes” or “no” response, that applicant-provided identity information is consistent with information already contained in official records, without needing to share the contents of those official records.
Pomerium is agentless and clientless, making it easy to deploy across diverse environments without requiring endpoint installations. Users can securely access applications through their web browser, eliminating compatibility issues and reducing IT overhead while maintaining strong security controls.
Executive Order 14144 sets clear cybersecurity priorities for federal agencies: Zero Trust adoption, identity security, continuous monitoring, and access control modernization. While meeting these mandates may seem daunting, solutions like Pomerium provide a clear path forward.
With policy-driven, identity-aware access control, Pomerium enables organizations to meet EO 14144’s requirements while improving security and operational efficiency. As agencies and enterprises alike work to implement these security mandates, Zero Trust solutions like Pomerium will play a crucial role in safeguarding sensitive data and ensuring resilient access control.