Zero Trust for Government.
Zero Trust architecture for federal and state government — engineered against OMB M-22-09 zero-trust executive order, NIST 800-207 reference architecture, CISA Zero Trust Maturity Model, and the FedRAMP / CMMC supply-chain requirements that follow.
Drivers in government
- OMB M-22-09 zero-trust executive order
- NIST 800-207 reference architecture
- CISA Zero Trust Maturity Model self-assessment
- CMMC 2.0 supply-chain identity requirements
Regulations this combination must satisfy.
- OMB M-22-09
- NIST 800-207
- NIST 800-53 Rev 5
- CISA ZTMM
- CMMC 2.0
Patterns we actually ship for government.
- Pattern · 01: Identity pillar prioritization per OMB M-22-09 sequencing
- Pattern · 02: Phishing-resistant MFA rollout (PIV / CAC / FIDO2)
- Pattern · 03: Continuous authentication on federal user sessions
- Pattern · 04: Cross-agency federation via FCCX / login.gov for citizen-facing
Common questions.
Where do federal agencies start with M-22-09?
The identity pillar — phishing-resistant MFA on all federal users + cloud-based MFA infrastructure + continuous authentication. CISA ZTMM puts identity at the foundation; the network and data pillars build on it.
Can we use CAC + PIV in a zero-trust model?
Yes — PIV / CAC are phishing-resistant by design and satisfy M-22-09. The gap is the long tail of legacy systems that cannot validate PIV; those need FIDO2 bridges or PIV-D derivation.
Ready to scope Zero Trust for Government?
Two-week diagnostic. Audit-ready artifacts. Same engineers from discovery through handoff.