NSA's Zero Trust Implementation Guidelines Turn Target-Level Maturity Into Sequence
NSA published Phase One of its Zero Trust Implementation Guidelines on January 14, 2026, and Phase Two on January 30, 2026. The market did not need another zero trust definition. It needed the sequence: which capability outcome unlocks which next outcome, which prerequisite must land before a target-level claim is credible, and which dependencies cross pillars.
Existing zero trust frameworks had described outcomes. NIST SP 800-207 named the architecture. CISA's Zero Trust Maturity Model v2.0 mapped maturity dimensions. The DoD Zero Trust Overlays specified 152 capability outcomes across seven pillars. None of them prescribed an order. NSA's 2026 guidelines do.
What the guidelines actually contain
Phase One describes the foundational activities: identity inventory, asset discovery, baseline classification, and initial policy decision point deployment. Phase Two describes the integration activities: cross-pillar policy enforcement, continuous authentication tied to attribute-based access control, and the data pillar capability outcomes that depend on the foundational pieces being in place.
Each activity in the guidelines names predecessors and outputs. A program office can read Phase One and identify which activity it has not yet completed. The guidelines treat the work as a directed graph, not a checklist.
Why ordering matters
Zero trust adoption fails most often not because programs skipped controls, but because they implemented them out of order. A policy decision point (PDP) without a credible identity inventory makes decisions against incomplete data. Continuous authentication without classified asset discovery surfaces the wrong risks. Data pillar enforcement without cryptographic agility produces audit findings that look like progress but unwind under examination.
The NSA guidelines name these dependencies explicitly. Phase One's identity inventory unlocks Phase One's PDP deployment. Phase One's PDP unlocks Phase Two's policy enforcement at the data layer. Phase Two's data layer enforcement unlocks the FY27 target-level outcomes that DoD ZT Strategy 2.0 already mandates.
Where data-centric architectures fit in the sequence
Data-centric zero trust binds policy to the object through attribute-based access control (ABAC) at the policy enforcement point (PEP), post-quantum key encapsulation through ML-KEM-768 or ML-KEM-1024, and Merkle-tree lineage in tamper-evident audit storage. In the NSA sequence, this is the Phase Two work that depends on Phase One's identity, asset, and PDP foundations.
Programs that have completed Phase One inherit Phase Two as a build, not a redesign. The PDP they stood up evaluates ABAC requests against the data object's classification metadata. The identity inventory they completed feeds the principal attribute side of the ABAC equation. The asset discovery feeds the resource side. Phase Two's data pillar outcomes become tractable because the inputs already exist.
Programs that skipped Phase One and started with a data security product cannot satisfy Phase Two without retroactively building the foundation. The product runs, but the audit fails on missing predecessors.
What program offices should map this quarter
For each in-flight zero trust program, build a Phase One to Phase Two crosswalk. Mark each NSA activity as Complete, In Progress, or Not Started. Identify the dependencies that are blocking Phase Two activities. Compare the resulting plan to the FY27 capability outcomes deadline.
Programs that find more "Not Started" Phase One activities than they expected need to recalibrate the timeline. Programs that find Phase One mostly complete can move directly to Phase Two without rework. The crosswalk is a one-week exercise that exposes the gap that the FY27 deadline will surface in fifteen months.
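The crosswalk described above can be kept as a small dependency graph rather than a spreadsheet. The following is an added example, not code or data from the NSA guidelines: the activity names follow this article's wording, while the edges, statuses, and function names are illustrative assumptions. It orders the remaining work, lists what blocks each Phase Two activity, and flags "Complete" claims that rest on unfinished predecessors.

```python
from graphlib import TopologicalSorter  # Python 3.9+; static_order() raises CycleError on a cycle

STATUSES = {"Complete", "In Progress", "Not Started"}

# Constructed crosswalk: activity -> (phase, status, predecessors). Activity names
# follow the article's wording; edges and statuses are illustrative assumptions,
# not NSA's published activity identifiers.
CROSSWALK = {
    "identity_inventory": (1, "Complete", []),
    "asset_discovery": (1, "In Progress", []),
    "baseline_classification": (1, "Not Started", ["asset_discovery"]),
    "pdp_deployment": (1, "Complete", ["identity_inventory"]),
    "cross_pillar_enforcement": (2, "Not Started", ["pdp_deployment"]),
    "continuous_auth_abac": (2, "Not Started", ["identity_inventory", "baseline_classification"]),
    "data_pillar_enforcement": (2, "Complete", ["pdp_deployment", "baseline_classification"]),
}

def work_order(cw):
    """Validate the crosswalk, then return unfinished activities in dependency order."""
    for name, (_, status, preds) in cw.items():
        if status not in STATUSES:
            raise ValueError(f"{name}: unknown status {status!r}")
        for p in preds:
            if p not in cw:
                raise ValueError(f"{name}: unknown predecessor {p!r}")
    order = TopologicalSorter({n: v[2] for n, v in cw.items()}).static_order()
    return [n for n in order if cw[n][1] != "Complete"]

def blockers(cw, activity):
    """Every transitive predecessor of `activity` that is not Complete."""
    seen, stack = set(), list(cw[activity][2])
    while stack:
        node = stack.pop()
        if node not in seen:
            seen.add(node)
            stack.extend(cw[node][2])
    return sorted(n for n in seen if cw[n][1] != "Complete")

def blocked_phase_two(cw):
    """Phase Two activities that cannot finish yet, with what blocks them."""
    return {n: b for n, v in cw.items() if v[0] == 2 and v[1] != "Complete" and (b := blockers(cw, n))}

def unsupported_claims(cw):
    """Activities marked Complete whose predecessors are not: the audit-finding case."""
    return {n: b for n, v in cw.items() if v[1] == "Complete" and (b := blockers(cw, n))}

if __name__ == "__main__":
    print("remaining work, in order:", work_order(CROSSWALK))
    print("blocked Phase Two:", blocked_phase_two(CROSSWALK))
    print("unsupported Complete claims:", unsupported_claims(CROSSWALK))
```

In the constructed data, data_pillar_enforcement is marked Complete while baseline classification has not started, which is the "product runs, but the audit fails on missing predecessors" situation.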
Sequence is the contribution
The NSA guidelines do not invent new controls. They put existing controls in order. That is the missing piece for most programs reading the broader zero trust documentation. Implementation order is the difference between a program that lands the FY27 target-level outcomes and a program that builds an audit finding.