The Government Cybersecurity Crisis in Numbers
Government agencies are the most targeted sector by nation-state cyber actors. According to Microsoft’s threat tracking, 79% of nation-state cyberattacks between 2020 and 2024 targeted government agencies, NGOs, and think tanks. The majority of state-sponsored attacks originated from Russia (58%) and China, with PRC cyber espionage efforts rising 150% in 2024 compared to the previous year and targeted attacks on government, financial, manufacturing, and industrial sectors increasing 300%.
The threat is not slowing down. In July 2025, three PRC-associated threat actors compromised over 400 organizations through Microsoft SharePoint vulnerabilities, including the Department of Energy, the Department of Homeland Security, and the Department of Health and Human Services. The UK’s National Cyber Security Centre managed 204 significant or highly significant cyber incidents in the year leading up to September 2025 – averaging one significant incident every two days – a 129% increase from 89 incidents the year before. At least 44 U.S. states reported cyber incidents affecting state and local government systems in 2025.
Against this escalating threat, the federal Zero Trust mandate is non-negotiable. Executive Order 14028 and OMB Memorandum M-22-09 established specific Zero Trust architecture requirements for all federal civilian agencies. The DoD’s Zero Trust Strategy targets full implementation by 2027. NSA published its Zero Trust Implementation Guideline Primer in January 2026, outlining phased activities across discovery, target-level, and advanced-level capabilities.
ZTNA is not one of many possible responses to these mandates – it is a foundational component. But government environments impose constraints that most commercial ZTNA solutions were not designed to meet: classified and sensitive-but-unclassified data handling, FedRAMP authorization requirements, legacy system dependencies stretching back decades, PIV/CAC smartcard integration, air-gapped and sovereign deployment requirements, and multi-classification-level operations. Identifying the best ZTNA solution for government agencies requires evaluating vendors against these government-specific requirements – not against generic enterprise criteria.
The Regulatory Framework Driving Government ZTNA Adoption
Executive Order 14028 and OMB M-22-09
OMB M-22-09 requires agencies to achieve specific Zero Trust goals organized around CISA’s Zero Trust Maturity Model across five pillars: Identity (enterprise-managed identities with phishing-resistant MFA), Devices (complete inventory with incident detection and response capabilities), Networks (encrypted DNS and HTTP traffic, segmented into isolated environments), Applications (routine security testing, including external testing programs), and Data (thorough data categorization with automated security responses).
ZTNA directly addresses the Identity, Networks, and Applications pillars by enforcing identity-verified, per-application access with continuous session validation, network segmentation through application-level connectivity, and encrypted communications across all access paths.
NIST SP 800-207 (Zero Trust Architecture)
NIST 800-207 defines Zero Trust as an architecture where no network location is inherently trusted. Every access request must be continuously verified, with least privilege enforced. Key principles include: all data sources and computing services are considered resources; all communication is secured regardless of network location; access to individual enterprise resources is granted on a per-session basis; and access is determined by dynamic policy, including client identity, application, and behavioral attributes.
DoD Zero Trust Strategy and Reference Architecture
The Department of Defense published its Zero Trust Strategy in 2022 and updated the Reference Architecture in subsequent years. The strategy outlines 152 activities across seven pillars (Users, Devices, Applications & Workloads, Data, Network & Environment, Automation & Orchestration, Visibility & Analytics). CMMC 2.0, effective December 16, 2024, includes Zero Trust principles in its cybersecurity requirements for the Defense Industrial Base, with full contract enforcement expected by October 2026.
NSA Zero Trust Implementation Guideline (January 2026)
The NSA’s ZIG Primer covers phased implementation: Discovery Phase (asset inventory, data flow mapping, identity assessment), Phase One (36 activities supporting 30 capabilities – establishing foundational controls), Phase Two (41 activities supporting 34 capabilities – integrating distinct ZT solutions), and subsequent phases advancing toward mature Zero Trust operations.
FedRAMP and Cloud Authorization
FedRAMP provides the authorization framework for cloud services used by federal agencies. FedRAMP Moderate requires 325 security controls for personal/proprietary data. FedRAMP High mandates approximately 421 controls for highly sensitive data. ZTNA solutions delivered as cloud services to federal agencies generally require FedRAMP authorization – though the 2024 FedRAMP Policy Memorandum introduced potential exemptions for direct-routed ZTNA solutions that do not process or store federal data in the cloud.
Nine Requirements That Make Government ZTNA Different
Standard enterprise ZTNA evaluation criteria – PoP count, SSE integration, user experience – are necessary but insufficient for the public sector. The best ZTNA solution for government agencies must satisfy requirements that commercial buyers never encounter. The following nine criteria define the gap between enterprise-grade ZTNA and government-grade ZTNA.
1. Classified and Sensitive Data Handling
Government agencies operate across multiple classification levels – Unclassified, CUI (Controlled Unclassified Information), Secret, and Top Secret/SCI. ZTNA solutions must enforce access policies that respect classification boundaries and prevent data spillage across levels. For classified environments, this often means on-premises deployment with no traffic routing through commercial cloud infrastructure.
2. FedRAMP Authorization or Exemption
Cloud-delivered ZTNA solutions used by federal agencies typically require FedRAMP Moderate or High authorization. As of early 2026, Zscaler has achieved FedRAMP High JAB and Moderate Agency authorization. Palo Alto Prisma Access holds FedRAMP authorizations. Fortinet and others hold various authorization levels. Agencies should verify current authorization status on the FedRAMP Marketplace. Direct-routed ZTNA solutions that keep all traffic within agency infrastructure may qualify for FedRAMP exemption under the 2024 Policy Memorandum.
3. PIV/CAC Integration
Federal employees authenticate using Personal Identity Verification (PIV) cards. DoD personnel use Common Access Cards (CAC). ZTNA solutions must integrate with these smartcard-based authentication mechanisms natively – not as an afterthought. This includes certificate-based authentication through the PIV/CAC certificate chain, integration with agency Active Directory/LDAP infrastructure that maps PIV identities, and support for derived credentials on mobile devices.
4. On-Premises and Air-Gapped Deployment
Many government systems – particularly those handling classified data, operating in SCIFs, or supporting defense and intelligence missions – cannot connect to commercial cloud infrastructure. The ZTNA solution must be deployable entirely within the agency’s own data center, on GovCloud infrastructure, or in fully air-gapped environments. Cloud-only ZTNA solutions are disqualified for these use cases.
5. Legacy System Support
Federal agencies operate some of the oldest IT systems in any sector. Mainframe applications (TN3270), legacy databases, custom thick-client applications, and systems running unsupported operating systems are common. The ZTNA solution must support these protocols and applications – not just modern web-based services. If the ZTNA deployment covers cloud apps but forces VPN fallback for legacy systems, the security benefit is halved while operational complexity doubles.
6. Network Invisibility and Attack Surface Elimination
Government networks are permanent targets for nation-state reconnaissance. Agencies at the highest threat levels need architecture that makes application infrastructure invisible to the internet. Standard ZTNA hides applications behind a broker but leaves the broker’s infrastructure discoverable. Reverse-access architecture eliminates even this exposure – internal components initiate outbound-only connections, the firewall stays in permanent deny-all for inbound traffic, and there are no discoverable services. For agencies defending against adversaries like Volt Typhoon, Salt Typhoon, and APT29, this architectural distinction determines whether reconnaissance is possible or impossible.
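The outbound-only relay described above, as an added loopback demonstration that is not code from the page or from any vendor it names: a broker holds the only listening sockets, an internal connector dials out to it and then answers requests over that link, and a client's request is relayed without any inbound connection ever being made to the internal side. The host, the ephemeral loopback ports and the newline-framed message format are assumptions made for the demo.

```python
"""Reverse-access relay demo: the protected side makes only outbound connections.

Added example, not code from the page or from any vendor it names. Two loopback
TCP listeners play the DMZ broker; the internal connector never binds a port.
"""
import socket
import threading

HOST = "127.0.0.1"   # assumed: everything runs on loopback for the demo


def recv_line(sock: socket.socket) -> str:
    """Read one newline-terminated message (minimal framing, enough for the demo)."""
    buf = b""
    while not buf.endswith(b"\n"):
        chunk = sock.recv(1024)
        if not chunk:
            break
        buf += chunk
    return buf.decode().rstrip("\n")


def send_line(sock: socket.socket, msg: str) -> None:
    sock.sendall((msg + "\n").encode())


def internal_app(request: str) -> str:
    """Stands in for the protected application. It has no listening socket that
    the broker, let alone the internet, could reach."""
    return "CASE-RECORD " + request.upper()


class Broker:
    """The only component with listening sockets. In a deployment it sits outside
    the protected segment, whose firewall stays deny-all for inbound traffic."""

    def __init__(self) -> None:
        self.for_connector = socket.socket()
        self.for_connector.bind((HOST, 0))      # port 0: OS picks an ephemeral port
        self.for_connector.listen(1)
        self.for_clients = socket.socket()
        self.for_clients.bind((HOST, 0))
        self.for_clients.listen(1)
        self.connector_port = self.for_connector.getsockname()[1]
        self.client_port = self.for_clients.getsockname()[1]

    def serve_one(self) -> None:
        # 1. Wait for the internal connector to dial OUT to us.
        connector, _ = self.for_connector.accept()
        # 2. Take one user request and relay it over the link the connector
        #    already opened. Nothing is ever dialled towards the internal side.
        client, _ = self.for_clients.accept()
        send_line(connector, recv_line(client))
        send_line(client, recv_line(connector))
        for s in (connector, client, self.for_connector, self.for_clients):
            s.close()


def run_connector(broker_port: int) -> None:
    """Internal side: outbound connect, then serve whatever arrives on that link."""
    with socket.create_connection((HOST, broker_port)) as link:
        send_line(link, internal_app(recv_line(link)))


def client_request(broker_port: int, msg: str) -> str:
    """A remote user talks only to the broker and never learns where the app is."""
    with socket.create_connection((HOST, broker_port)) as s:
        send_line(s, msg)
        return recv_line(s)


def run_demo(request: str = "lookup 42") -> str:
    """Run broker, connector and client together and return the client's reply."""
    socket.setdefaulttimeout(5.0)           # never hang if a step goes wrong
    broker = Broker()
    t_broker = threading.Thread(target=broker.serve_one, daemon=True)
    t_conn = threading.Thread(target=run_connector, args=(broker.connector_port,), daemon=True)
    t_broker.start()
    t_conn.start()
    reply = client_request(broker.client_port, request)
    t_conn.join()
    t_broker.join()
    return reply


if __name__ == "__main__":
    print(run_demo())
```

The point to notice is where `bind()` and `listen()` appear: only in `Broker`. A port scan of the internal segment finds nothing to connect to, because the connector's socket exists only as an outbound connection it initiated itself.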
7. Microsegmentation Across Government Networks
Government networks are large, complex, and often insufficiently segmented. OMB M-22-09 explicitly requires agencies to “break down perimeters into isolated environments.” ZTNA controls north-south traffic (user-to-application). Microsegmentation controls east-west traffic (application-to-application). Both are required to meet the Networks pillar of the Zero Trust Maturity Model.
The distinction matters operationally. Without east-west controls, a compromised application session can move laterally across agency network segments – exactly the technique used in the SolarWinds breach to traverse from a compromised Orion server to email systems, identity infrastructure, and eventually classified networks. Identity-based segmentation that governs workload-to-workload communication closes this gap by ensuring each application communicates only with explicitly authorized peers, regardless of network location.
Evaluate whether the ZTNA vendor provides integrated microsegmentation or requires a separate procurement, separate deployment, and separate policy management.
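An added example (not from the page or from any vendor it names) of the identity-based east-west policy just described: a default-deny allow-list keyed on workload identity rather than IP address, evaluated against constructed connection attempts that include a compromised front end trying to reach the database and the identity service directly. The identity strings, addresses and ports are assumptions made for the illustration.

```python
"""Identity-based east-west (workload-to-workload) policy check.

Added example, not code from the page or any vendor named on it. Workload
identities, policy entries and the sample connection attempts are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Workload:
    """A workload is identified by its attested identity, not by where it sits."""
    identity: str   # e.g. "web/portal" (hypothetical naming scheme)
    ip: str         # recorded for logging only; never used for authorization


# Allow-list keyed on (source identity, destination identity, destination port).
# Anything not listed is denied; that default-deny is what makes it segmentation.
Policy = Dict[Tuple[str, str, int], str]

POLICY: Policy = {
    ("web/portal", "app/case-mgmt", 8443): "portal-to-case-api",
    ("app/case-mgmt", "db/case-records", 5432): "case-api-to-db",
    ("app/case-mgmt", "idp/ldap", 636): "case-api-ldaps-lookup",
}


def authorize(src: Workload, dst: Workload, port: int,
              policy: Policy = POLICY) -> Tuple[bool, str]:
    """Return (allowed, reason). The decision depends only on identities and port,
    so a peer that moves to another IP, or spoofs one, gets the same answer."""
    rule = policy.get((src.identity, dst.identity, port))
    if rule is None:
        return False, "default-deny: no rule for %s -> %s:%d" % (src.identity, dst.identity, port)
    return True, "allow: rule '%s'" % rule


def evaluate(attempts: List[Tuple[Workload, Workload, int]],
             policy: Policy = POLICY) -> List[dict]:
    """Evaluate a batch of connection attempts and produce audit records."""
    records = []
    for src, dst, port in attempts:
        allowed, reason = authorize(src, dst, port, policy)
        records.append({
            "src_identity": src.identity, "src_ip": src.ip,
            "dst_identity": dst.identity, "dst_ip": dst.ip,
            "dst_port": port, "allowed": allowed, "reason": reason,
        })
    return records


def denied_lateral_moves(records: List[dict]) -> List[str]:
    """The source -> destination:port pairs that policy refused."""
    return ["%s -> %s:%d" % (r["src_identity"], r["dst_identity"], r["dst_port"])
            for r in records if not r["allowed"]]


# Constructed sample workloads. "web/portal" plays the compromised front end
# from which an attacker tries to pivot.
WEB = Workload("web/portal", "10.10.1.20")
CASE = Workload("app/case-mgmt", "10.10.2.30")
DB = Workload("db/case-records", "10.10.3.40")
LDAP = Workload("idp/ldap", "10.10.4.50")

SAMPLE_ATTEMPTS = [
    (WEB, CASE, 8443),   # legitimate call into the application tier
    (WEB, DB, 5432),     # pivot straight to the database: denied
    (WEB, LDAP, 636),    # pivot to identity infrastructure: denied
    (CASE, DB, 5432),    # legitimate tier-to-tier call
    (CASE, LDAP, 389),   # right peers, wrong port (plain LDAP, not LDAPS): denied
]

if __name__ == "__main__":
    for r in evaluate(SAMPLE_ATTEMPTS):
        print("%-5s %s" % ("ALLOW" if r["allowed"] else "DENY", r["reason"]))
```

Because the lookup never consults `ip`, a workload that is moved, re-addressed or impersonated at the network layer still gets exactly the decision its identity earns; the audit record keeps the addresses only so an analyst can correlate with flow logs.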
8. Contractor and Third-Party Access Governance
Federal agencies depend on contractors, system integrators, and managed service providers. Each contractor relationship is a potential access vector – as the SolarWinds breach (2020) and multiple supply chain compromises since have demonstrated. Government ZTNA must provide agentless access for contractors on non-government devices, time-bounded sessions with automatic revocation, per-contractor access policies scoped to specific applications, session recording for all contractor sessions, and audit trails that satisfy IG and GAO examination.
9. Continuous Authorization and Compliance Monitoring
Federal compliance is not a point-in-time certification – it requires continuous monitoring. The ZTNA solution must generate continuous compliance data: who accessed what, when, from which device, under which policy, and what actions were performed. This data must integrate with agency SIEM (Splunk, Microsoft Sentinel, QRadar) and GRC platforms to support ongoing Authority to Operate (ATO) requirements.
Beyond access logging, the solution should support data protection and encryption controls that enforce AES-256 encryption for data at rest and in transit, file-level access controls with view-only and download restrictions, and DLP policy enforcement aligned with agency data classification requirements. These capabilities directly support FISMA reporting requirements and NIST SP 800-53 security control families AC (Access Control), AU (Audit and Accountability), and SC (System and Communications Protection).
For agencies undergoing continuous ATO processes, the ZTNA solution should automatically generate machine-readable compliance artifacts – supporting the OSCAL (Open Security Controls Assessment Language) compatibility requirement that OMB mandates by July 2026.
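One way to implement the contractor controls of requirement 8 together with the continuous access logging of requirement 9, as an added example that is not code from the page or from any vendor it names: per-contractor application scope, a hard session time bound with automatic revocation, a JSON-lines audit trail recording who, what, when, device, policy and action in the shape SIEM collectors ingest, and a small detection run over that trail. The contractor, application and device names, the policy window and the timeline are all constructed.

```python
"""Time-bounded, app-scoped contractor sessions with revocation and audit trail.
Added example, not code from the page or any vendor it names; all names constructed."""
import json
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Set


@dataclass
class ContractorPolicy:
    contractor: str
    allowed_apps: Set[str]      # access scoped to named applications only
    max_session: timedelta      # hard time bound; the session dies after this


@dataclass
class Session:
    session_id: str
    contractor: str
    device_id: str
    expires_at: datetime
    revoked: bool = False


class AccessBroker:
    """Issues sessions, enforces scope and time bounds, records every decision."""

    def __init__(self, policies: Dict[str, ContractorPolicy]) -> None:
        self.policies = policies
        self.sessions: Dict[str, Session] = {}
        self.audit: List[dict] = []     # who / what / when / device / policy / action
        self._n = 0

    def _log(self, now: datetime, **fields) -> None:
        self.audit.append(dict(ts=now.isoformat(), **fields))

    def open_session(self, contractor: str, device_id: str, now: datetime) -> Optional[Session]:
        pol = self.policies.get(contractor)
        if pol is None:
            self._log(now, event="session_denied", contractor=contractor, device=device_id, reason="no policy")
            return None
        self._n += 1
        s = Session("s%03d" % self._n, contractor, device_id, now + pol.max_session)
        self.sessions[s.session_id] = s
        self._log(now, event="session_opened", session=s.session_id, contractor=contractor,
                  device=device_id, expires=s.expires_at.isoformat())
        return s

    def revoke(self, session_id: str, now: datetime, reason: str) -> None:
        self.sessions[session_id].revoked = True
        self._log(now, event="session_revoked", session=session_id, reason=reason)

    def request(self, session_id: str, app: str, action: str, now: datetime) -> bool:
        s = self.sessions.get(session_id)
        base = dict(session=session_id, app=app, action=action)
        if s is None or s.revoked:
            self._log(now, event="access_denied", reason="no live session", **base)
            return False
        if now >= s.expires_at:             # time bound reached: revoke automatically
            self.revoke(session_id, now, "expired")
            self._log(now, event="access_denied", reason="expired", **base)
            return False
        if app not in self.policies[s.contractor].allowed_apps:
            self._log(now, event="access_denied", reason="out of scope",
                      contractor=s.contractor, device=s.device_id, **base)
            return False
        self._log(now, event="access_allowed", contractor=s.contractor, device=s.device_id,
                  policy="contractor:%s" % s.contractor, **base)
        return True

    def export_jsonl(self) -> str:
        """One JSON object per line, the shape most SIEM collectors ingest directly."""
        return "\n".join(json.dumps(e, sort_keys=True) for e in self.audit)


def scope_probing_sessions(jsonl: str, threshold: int = 2) -> List[str]:
    """Detection over exported events: sessions denied 'out of scope' at least
    `threshold` times, the pattern a stolen contractor credential tends to leave."""
    counts: Dict[str, int] = {}
    for line in jsonl.splitlines():
        e = json.loads(line)
        if e.get("event") == "access_denied" and e.get("reason") == "out of scope":
            counts[e["session"]] = counts.get(e["session"], 0) + 1
    return sorted(sid for sid, c in counts.items() if c >= threshold)


T0 = datetime(2026, 3, 2, 9, 0, tzinfo=timezone.utc)   # constructed timeline start
POLICIES = {"acme-si": ContractorPolicy("acme-si", {"hr-portal"}, timedelta(hours=4))}


def run_scenario() -> AccessBroker:
    """Constructed timeline: one contractor session strays out of scope and then
    keeps trying after its time bound has passed."""
    b = AccessBroker(POLICIES)
    s = b.open_session("acme-si", "laptop-7f3a", T0)
    b.request(s.session_id, "hr-portal", "view", T0 + timedelta(minutes=5))          # allowed
    b.request(s.session_id, "finance-db", "view", T0 + timedelta(minutes=6))         # out of scope
    b.request(s.session_id, "idp-admin", "view", T0 + timedelta(minutes=7))          # out of scope
    b.request(s.session_id, "hr-portal", "download", T0 + timedelta(hours=5))        # expired: auto-revoked
    b.request(s.session_id, "hr-portal", "view", T0 + timedelta(hours=5, minutes=1)) # dead session
    b.open_session("unknown-vendor", "byod-01", T0)                                  # no policy
    return b


if __name__ == "__main__":
    broker = run_scenario()
    print(broker.export_jsonl())
    print("probing sessions:", scope_probing_sessions(broker.export_jsonl()))
```

Every decision, including the denials, lands in the same trail, which is what makes the detection possible: a session that is refused two different applications it was never scoped for is evidence an IG or GAO reviewer can trace back to a policy, a device and a timestamp.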
How Leading ZTNA Vendors Address Government Requirements
No single product is the best ZTNA solution for government agencies across every scenario. Cloud-first civilian agencies, classified defense environments, and budget-constrained state governments have fundamentally different requirements. Understanding how specific threat scenarios map to ZTNA capabilities helps government CISOs make architecture decisions based on operational reality, not vendor marketing.
Scenario: Nation-state APT conducting pre-positioning on agency infrastructure. Groups like Volt Typhoon maintain persistent access to government networks for future disruption capability. Their reconnaissance depends on discovering internet-facing services. ZTNA solutions with reverse-access architecture eliminate discoverable services entirely – the APT’s reconnaissance phase returns no targets. Cloud-delivered ZTNA hides applications behind the broker, but the broker’s infrastructure remains discoverable and attackable.
Scenario: Contractor credential compromise leading to lateral movement. A contractor’s credentials are stolen through phishing. In a VPN environment, the attacker gains network-level access to the agency segment and moves laterally to high-value systems. ZTNA limits the compromised session to the specific application the contractor was authorized to access – no lateral movement. Adding microsegmentation restricts east-west communication even further, containing the compromise to a single application.
Scenario: Legacy system access from a remote classified facility. An analyst at a remote SCIF needs access to a legacy mainframe application (TN3270) hosted at the agency data center. Cloud ZTNA cannot reach the air-gapped network. On-premises ZTNA with legacy protocol support and reverse-access architecture provides the access path while maintaining the classified network’s zero-inbound-port posture.
Zscaler Private Access (ZPA)
Government positioning: FedRAMP High JAB and Moderate Agency authorized. Serves 14 of 15 U.S. Cabinet-level agencies. DoD IL5 authorized. Largest PoP infrastructure among cloud ZTNA vendors.
Where it fits: Cloud-hosted applications for federal civilian agencies. SASE consolidation (ZTNA + SWG + CASB + DLP) under one FedRAMP-authorized platform. Large-scale deployments with tens of thousands of users.
Where it falls short: Cloud-only delivery – all traffic routes through Zscaler’s cloud. Not suitable for classified environments, air-gapped networks, or agencies with strict data sovereignty requirements. Microsegmentation requires a separate product (Zscaler Workload Segmentation). Premium pricing ($15–25/user/month). Legacy protocol support beyond web, RDP, and SSH is limited.
Palo Alto Networks Prisma Access
Government positioning: FedRAMP authorized. ZTNA 2.0 with continuous post-connection inspection. Integrated with Cortex XDR and Strata firewalls already deployed in many federal environments.
Where it fits: Agencies already invested in the Palo Alto ecosystem. Hybrid environments requiring both cloud and on-premises firewall integration. Full protocol support including non-web applications.
Where it falls short: Cloud-delivered – not deployable on-premises for classified environments. Usage-based pricing creates budget unpredictability. Microsegmentation requires separate Prisma Cloud licensing. Steep learning curve for agencies without existing Palo Alto infrastructure.
Fortinet Universal ZTNA
Government positioning: ZTNA built into FortiGate appliances with no additional licensing. FortiClient unified agent covers ZTNA, VPN, EDR. FortiSASE extends cloud ZTNA. Widely deployed across federal and DoD networks.
Where it fits: Agencies with existing FortiGate infrastructure – lowest-cost ZTNA activation. On-premises deployment through FortiGate appliances. Smooth VPN-to-ZTNA migration path.
Where it falls short: Full value requires Fortinet ecosystem commitment. Cloud-native capabilities less mature than Zscaler or Palo Alto. Microsegmentation not integrated into ZTNA – requires separate FortiGate segmentation policies.
Appgate SDP
Government positioning: Software-defined perimeter with direct-routed architecture. Strong presence in federal and defense environments. Dynamic, context-aware access policies built for regulated sectors. On-premises deployment capability.
Where it fits: Agencies requiring direct-routed ZTNA that may qualify for FedRAMP exemption. Dynamic trust evaluation for high-security environments. Built-in microsegmentation. Strong compliance mapping.
Where it falls short: Smaller market presence than the major SASE vendors. Implementation requires dedicated security engineering resources. Agentless access options are more limited. Steeper learning curve for policy configuration.
TerraZone truePass
Government positioning: Unified Zero Trust platform combining ZTNA, microsegmentation, identity isolation, and secure data exchange. Patented reverse-access technology (outbound-only connections, zero inbound ports). Full on-premises, cloud, and hybrid deployment. Offices in Israel and North America.
Where it fits: Agencies requiring zero internet-facing exposure – patented reverse-access architecture keeps the firewall in permanent deny-all for inbound traffic, with no discoverable services or attack surface. Essential for environments where nation-state reconnaissance is a primary threat. Sovereign and classified environments where data cannot traverse commercial cloud infrastructure – full on-premises deployment without external dependencies. Agencies needing unified ZTNA + microsegmentation on a single platform without separate procurements. Full protocol support including HTTP/S, RDP, SSH, SFTP, and SMB via the Heimdall protocol (identity-based Zero Trust controls for file sharing). Built-in PAM capabilities (session recording, just-in-time access, credential management) reduce vendor sprawl for privileged access to government systems. AES-256 encryption with comprehensive audit trails.
Where it falls short: Smaller global PoP footprint than Zscaler, Cloudflare, or Palo Alto – agencies with globally distributed users across hundreds of locations should validate latency. Does not hold FedRAMP authorization as of early 2026 – agencies requiring FedRAMP-authorized cloud delivery should verify current authorization status or evaluate on-premises deployment (which may be FedRAMP-exempt under the 2024 Policy Memorandum). No native CASB or secure web gateway – agencies requiring full SSE consolidation under one cloud platform will need a complementary SWG/CASB solution. Less brand recognition in U.S. federal market compared to established vendors like Zscaler, Palo Alto, or Fortinet.
Cloudflare Access
Government positioning: Part of Cloudflare One (SSE platform). Largest edge network (300+ PoPs). Free tier for small deployments.
Where it fits: State and local government agencies needing fast, cost-effective ZTNA deployment. Cloud-first environments. Agencies prioritizing DDoS resilience and low latency.
Where it falls short: Non-web protocol support (RDP, SSH, SMB) is less mature. No on-premises deployment – cloud-only. Microsegmentation not available. Enterprise/government features require higher-tier pricing. FedRAMP status should be verified for federal use.
Government ZTNA Capability Matrix
The following matrix maps the nine government-specific requirements against six vendors. When evaluating the best ZTNA solution for government agencies, this comparison should be read alongside the agency’s own requirement priorities – a “Yes” in a row that is not relevant to the agency’s environment carries no weight.
| Government Requirement | Zscaler ZPA | Palo Alto Prisma | Fortinet ZTNA | Appgate SDP | TerraZone truePass | Cloudflare Access |
| --- | --- | --- | --- | --- | --- | --- |
| FedRAMP authorized | High JAB + Moderate | Yes | Varies | Potential exemption | Verify / On-prem exempt | Verify |
| On-premises / air-gapped | No | No | Yes (FortiGate) | Yes | Yes | No |
| Zero inbound ports (reverse-access) | Partial | No | No | Yes (SDP) | Yes (patented) | No |
| PIV/CAC integration | Yes | Yes | Yes | Yes | Via IdP integration | Limited |
| Integrated microsegmentation | No | No | No | Yes | Yes | No |
| Integrated PAM | No | No | Add-on | No | Yes | No |
| Legacy protocol support | Limited | Full | Full | Full | Full (incl. SMB) | Limited |
| Session recording | Via SIEM | Via SIEM | FortiAnalyzer | Built-in | Built-in | Via SIEM |
| DoD IL5 | Yes | Verify | Verify | Verify | Verify | No |
| Global PoP count | 160+ | 100+ | Growing | Regional | Regional | 300+ |
| CASB/SWG bundling | Yes (SSE) | Yes (SASE) | Yes (FortiSASE) | No | No | Yes |
Decision Framework for Government CISOs
The best ZTNA solution for government agencies depends on the agency’s classification level, deployment constraints, threat model, and existing infrastructure. The following scenarios map common government profiles to the vendors best positioned to address them.
Federal civilian agencies pursuing SASE consolidation with FedRAMP-authorized cloud services: Zscaler ZPA or Palo Alto Prisma Access. Both hold FedRAMP authorizations and deliver ZTNA as part of broader SSE/SASE platforms. Zscaler has the broadest federal footprint (14 of 15 Cabinet agencies).
DoD and defense agencies with existing Fortinet infrastructure: Fortinet Universal ZTNA – no additional cost, on-premises deployment, smooth VPN-to-ZTNA transition on existing FortiGate appliances.
Agencies requiring classified-environment or air-gapped deployment where no traffic can traverse commercial cloud: TerraZone truePass, Fortinet (on FortiGate), or Appgate SDP – all support full on-premises deployment. TerraZone’s reverse-access architecture adds zero-inbound-port protection that eliminates the internet-facing attack surface entirely.
Agencies where nation-state reconnaissance is the primary threat model (intelligence, defense, critical infrastructure protection): Prioritize reverse-access architecture that makes infrastructure invisible. TerraZone truePass and Appgate SDP both eliminate inbound exposure, with TerraZone’s patented approach providing the strongest architectural guarantee of zero discoverability.
Agencies needing unified ZTNA + microsegmentation under one platform to meet OMB M-22-09 network segmentation requirements without separate procurements: TerraZone truePass or Appgate SDP – both integrate north-south and east-west controls natively.
State and local governments with limited budgets seeking fast deployment: Cloudflare Access offers the simplest deployment with a free tier for testing and the largest edge network for performance.
Agencies where contractor access governance is the priority: All vendors support contractor access to varying degrees. Prioritize agentless access, time-bounded sessions, session recording, and audit trail completeness – these features differentiate more than underlying architecture for this specific use case.
Implementation Guidance for Government Agencies
Phase 1: Identify High-Value Assets (Weeks 1–4)
Map the applications and systems requiring Zero Trust access controls. Prioritize based on data sensitivity and regulatory exposure. Identify which systems are cloud-hosted (suitable for cloud ZTNA) and which are on-premises or classified (requiring on-prem deployment).
Phase 2: Contractor Access (Weeks 5–10)
Deploy ZTNA for contractor and third-party access first – the highest-risk pathway and the one most scrutinized by IG and GAO. Configure time-bounded, application-specific access with session recording. Close corresponding VPN access.
Phase 3: Employee Remote Access (Weeks 11–20)
Extend to agency employees accessing applications remotely. Integrate with PIV/CAC authentication infrastructure. Run in parallel with VPN during transition. Migrate application by application, starting with highest-sensitivity systems.
Phase 4: Network Segmentation (Weeks 21–30)
Deploy microsegmentation to isolate application tiers and meet OMB M-22-09 network isolation requirements. If the ZTNA vendor provides integrated microsegmentation, deploy from the same policy engine. If not, deploy a parallel solution and ensure policy consistency.
Phase 5: VPN Decommission and Validation (Weeks 31–40)
Narrow VPN to maintenance-only access. Conduct penetration testing targeting ZTNA bypass scenarios. Validate compliance posture against NIST SP 800-207, OMB M-22-09, and applicable agency-specific requirements. Document the architecture for ATO renewal and IG examination.
Conclusion
Selecting the best ZTNA solution for government agencies requires evaluation against constraints that commercial enterprise guides rarely address: FedRAMP authorization, PIV/CAC integration, classified-environment deployment, legacy protocol support, nation-state threat resilience, and continuous compliance monitoring.
No single vendor dominates every government requirement. Cloud-native SSE platforms (Zscaler, Palo Alto) offer the broadest federal footprint and FedRAMP authorization – but cannot serve classified or air-gapped environments. On-premises-capable platforms (Fortinet, TerraZone truePass, Appgate SDP) serve these environments but may require complementary cloud security solutions for SSE consolidation. Platforms with integrated microsegmentation (TerraZone truePass, Appgate SDP) reduce procurement and integration complexity for agencies meeting OMB M-22-09 segmentation requirements. Solutions with reverse-access architecture (TerraZone truePass, Appgate SDP) provide the strongest protection against nation-state reconnaissance by eliminating the internet-facing attack surface entirely.
Government CISOs should define requirements first – classification level, deployment environment, compliance mandates, threat model, and existing infrastructure – and match those requirements to the vendor whose architecture aligns most closely. The strongest ZTNA deployment is the one that addresses the agency’s specific threat model and regulatory obligations, not the one with the broadest commercial market share.