What Government CISOs Need to Know About NSA Zero Trust Guidance
In January 2026, the National Security Agency released a series of documents that changed the Zero Trust conversation from “what should we do?” to “here is exactly how to do it.” The Zero Trust Implementation Guidelines (ZIGs) – a Primer, Discovery Phase, Phase One, and Phase Two – translate the DoD Zero Trust Strategy’s 152 activities into phased, execution-ready guidance for the Department of Defense, Defense Industrial Base, National Security Systems, and affiliated organizations.
The numbers define the scope. Phase One covers 36 activities supporting 30 capabilities. Phase Two covers 41 activities supporting 34 capabilities. Together, they deliver the 77 activities required to achieve Target-level Zero Trust maturity by FY2027. Phases Three and Four – targeting Advanced-level maturity by FY2032 – will add 61 additional activities when released.
These are not conceptual recommendations. They are execution documents with specific expected outcomes per activity, technology considerations, implementation guidance, and positive impact statements. The ZIGs sit alongside the seven NSA CSI pillar guidance documents published between 2023 and 2024, which define how to mature each pillar independently.
For government CISOs evaluating connectivity platforms against NSA guidance, the question is no longer “does this platform support Zero Trust?” Every vendor claims that. The question is: which specific NSA pillar capabilities does this platform address, at what maturity level, and with what architectural evidence?
This article maps TerraZone’s truePass platform – specifically the truePass Gravity configuration designed for cross-network government environments – against each of the seven NSA Zero Trust pillars, with specific capability-level alignment.
The Seven NSA Zero Trust Pillars
Before mapping platform capabilities, the pillars themselves need precise definition. The NSA’s seven pillars provide a framework for securing modern IT systems by emphasizing continuous verification, strict access controls, and data protection. Each pillar works in concert with the others – no pillar operates independently.
Pillar 1 – User. Continually authenticate, assess, and monitor user behavior to govern users’ access and privileges while protecting and securing all interactions. Key disciplines: phishing-resistant MFA, identity lifecycle management, privileged access management, and continuous user risk assessment.
Pillar 2 – Device. Inventory and manage the health and status of devices to inform risk-based decisions. This should occur in real time to inspect, assess, patch, and change conditions based on any and every request. Key disciplines: device inventory, compliance posture checks, endpoint detection and response, and hardware/firmware integrity validation.
Pillar 3 – Network and Environment. Provide segmentation, isolation, and control (physically and logically) within network environments and network routes with granular policy and access controls. Key disciplines: data flow mapping, macro segmentation, micro segmentation, and software-defined networking.
Pillar 4 – Application and Workload. Secure applications by granting access only to authorized users, ensuring the integrity and security of applications and workloads. Key disciplines: application inventory, secure development, application access authorization, and continuous application monitoring.
Pillar 5 – Data. Protect data through effective cataloging, labeling, encryption, and access controls while at rest and in transit. Key disciplines: data inventory and categorization, data tagging, data loss prevention, data rights management, and encryption.
Pillar 6 – Automation and Orchestration. Automate security response, facilitate remediation, and coordinate security incident response across pillars. Key disciplines: security orchestration, automated response, policy automation, and integration between security tools.
Pillar 7 – Visibility and Analytics. Analyze events to improve detection and reaction time. Key disciplines: centralized logging, security analytics, user and entity behavior analytics (UEBA), and threat intelligence integration.
How truePass Gravity’s Three-Layer Architecture Maps to NSA Pillars
truePass Gravity is not a single-capability product. It is a three-layer platform architecture that addresses multiple NSA pillars simultaneously – which is precisely what the NSA guidance requires, since the pillars are interdependent.
Layer 1 – Reverse Access Infrastructure. Zero-inbound-port connectivity using patented Reverse Access technology. The Access Controller inside the protected network initiates outbound connections to the Access Gateway. No ports are opened inbound. The internal network is architecturally invisible from the internet.
Layer 2 – SMB Proxy with Content Disarm and Reconstruction (CDR). Heimdall SMB protocol replacement provides identity-based file sharing with MFA, content filtering, CDR scanning, and per-operation policy enforcement. Every file crossing between networks is scanned and sanitized before reaching the protected zone.
Layer 3 – Zero Trust Application Access with Session Recording. Per-session RDP, SSH, HTTP, and TCP access with MFA, device posture verification, and integrated video + keystroke recording. Every interactive session is authorized, recorded, and auditable.
The three-layer architecture means truePass Gravity touches every NSA pillar – not through marketing claims, but through specific architectural capabilities that map to specific pillar requirements. The following sections document that mapping in detail.
Pillar-by-Pillar Alignment: truePass Gravity vs. NSA Requirements
Pillar 1 – User: Identity Verification and Privileged Access
The NSA User Pillar CSI (V1.1, April 2023) requires organizations to continually authenticate users, assess behavior, and enforce least-privilege access. The ZIGs Phase One activities include establishing authoritative identity sources and enforcing MFA across all access paths.
| NSA Requirement | truePass Gravity Capability | Maturity Level Addressed |
|---|---|---|
| Phishing-resistant MFA for all users | Per-session MFA with PIV/CAC, Duo, Okta, Microsoft Authenticator, FIDO2 | Advanced |
| MFA re-authentication for privileged operations | Policy-configurable re-authentication triggers during active sessions | Advanced |
| Identity lifecycle management | Integration with AD, LDAP, SAML, OpenID, RADIUS for centralized identity | Target |
| Privileged access management | Named vendor accounts, time-bounded sessions, full session recording | Advanced |
| Continuous user risk assessment | Session-level monitoring with anomaly-based policy triggers | Target |
| Non-person entity (NPE) authentication | Application-to-application access with certificate-based authentication | Target |
The User Pillar is where truePass Gravity’s per-session MFA enforcement directly addresses a critical gap that VPN architectures create. VPNs authenticate once at tunnel establishment. truePass Gravity authenticates at every session – and can require re-authentication for elevated operations within a session.
For government agencies managing contractor and vendor access – a persistent identity management challenge – truePass Gravity provides named vendor accounts with time-bounded sessions and complete session attribution. This is the capability at the center of TerraZone’s solutions portfolio for state, federal, and defense agencies, where vendor access governance is a primary procurement requirement.
Pillar 2 – Device: Posture Verification and Compliance
The NSA Device Pillar CSI (V1.0, October 2023) requires real-time device health assessment and compliance verification before granting access. The ZIGs Discovery Phase specifically requires building an authoritative device inventory.
| NSA Requirement | truePass Gravity Capability | Maturity Level Addressed |
|---|---|---|
| Device inventory and classification | Discovery mode maps all connecting devices by type, OS, and posture | Target |
| Device compliance posture check before access | Pre-authentication checks: OS version, patch status, firewall status, running processes | Advanced |
| Endpoint health continuous monitoring | Geolocation verification, process monitoring during active sessions | Target |
| Managed vs. unmanaged device differentiation | Policy differentiation: agent-based enforcement for managed devices, clientless for BYOD/vendor with reduced privileges | Advanced |
| IoT/OT device identification | Protocol-aware identification of OT endpoints (PLCs, HMIs, RTUs) during discovery | Target |
The Device Pillar is particularly important for government OT environments where legacy devices – Windows XP Embedded industrial PCs, legacy HMIs, PLCs – cannot run endpoint agents. truePass Gravity supports agentless enforcement for these devices while maintaining posture-based policy for managed endpoints.
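The pre-authentication posture check and the managed/agentless split described above can be shown as a small policy evaluator. This is an added example written for this article, not truePass or TerraZone code: the policy fields, thresholds, process names and privilege sets are all constructed assumptions. A managed device that reports posture is checked against OS build, patch age, firewall state and running processes and is denied with every failed check listed; a device without an agent cannot prove its posture, so it is admitted only with the reduced privilege set.

```python
"""Pre-authentication device posture check (constructed example, not truePass code)."""
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple


@dataclass(frozen=True)
class PosturePolicy:
    min_os_build: Tuple[int, ...]         # lowest acceptable OS build
    max_patch_age_days: int               # days since the last patch install
    require_firewall: bool
    denied_processes: FrozenSet[str]      # lowercase names that block access if running
    managed_privileges: FrozenSet[str]    # granted to compliant managed devices
    unmanaged_privileges: FrozenSet[str]  # reduced set for agentless devices


@dataclass(frozen=True)
class DeviceReport:
    device_id: str
    managed: bool                         # True = agent present and reporting posture
    os_build: Tuple[int, ...] = ()
    patch_age_days: int = 0
    firewall_enabled: bool = False
    running_processes: FrozenSet[str] = frozenset()


@dataclass(frozen=True)
class PostureDecision:
    decision: str                         # "allow" or "deny"
    privileges: FrozenSet[str]
    reasons: Tuple[str, ...]              # every failed check, for the audit log


# Constructed policy values; a real deployment takes these from its policy engine.
DEFAULT_POLICY = PosturePolicy(
    min_os_build=(10, 0, 19045),
    max_patch_age_days=30,
    require_firewall=True,
    denied_processes=frozenset({"unapproved-remote-tool.exe"}),  # constructed name
    managed_privileges=frozenset({"rdp", "ssh", "file-transfer"}),
    unmanaged_privileges=frozenset({"rdp"}),
)


def evaluate_posture(report: DeviceReport, policy: PosturePolicy) -> PostureDecision:
    """Return the access decision, the privilege set and the list of failed checks."""
    if not report.managed:
        # No agent: posture cannot be verified, so only the reduced set is granted.
        return PostureDecision(
            "allow", policy.unmanaged_privileges,
            ("agentless device: posture unverified, reduced privileges",),
        )

    failures: List[str] = []
    if report.os_build < policy.min_os_build:
        failures.append(f"os build {report.os_build} below minimum {policy.min_os_build}")
    if report.patch_age_days > policy.max_patch_age_days:
        failures.append(f"patch age {report.patch_age_days}d exceeds {policy.max_patch_age_days}d")
    if policy.require_firewall and not report.firewall_enabled:
        failures.append("host firewall disabled")
    denied = sorted(p for p in report.running_processes if p.lower() in policy.denied_processes)
    if denied:
        failures.append("denied process running: " + ", ".join(denied))

    if failures:
        # All failed checks are reported so the SOC can see why access was refused.
        return PostureDecision("deny", frozenset(), tuple(failures))
    return PostureDecision("allow", policy.managed_privileges, ())


if __name__ == "__main__":
    compliant = DeviceReport("ws-01", True, (10, 0, 19045), 5, True, frozenset({"explorer.exe"}))
    stale = DeviceReport("ws-02", True, (10, 0, 19041), 45, False,
                         frozenset({"Unapproved-Remote-Tool.exe"}))
    vendor = DeviceReport("vendor-laptop", managed=False)
    for r in (compliant, stale, vendor):
        print(r.device_id, evaluate_posture(r, DEFAULT_POLICY))
```

The decision object carries every failed check rather than only the first one; that is what makes the denial useful in the audit trail and keeps the help-desk from iterating one fix at a time.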
Pillar 3 – Network and Environment: Segmentation and Isolation
The NSA Network and Environment Pillar CSI (V1.0, March 2024) focuses on preventing lateral movement through data flow mapping, macro segmentation, micro segmentation, and software-defined networking. This is the pillar most directly relevant to cross-network connectivity platforms.
| NSA Requirement | truePass Gravity Capability | Maturity Level Addressed |
|---|---|---|
| Data flow mapping | Discovery mode passively maps all device-to-device communication flows | Target |
| Macro segmentation (zone-based) | Reverse Access architecture enforces zone boundaries with zero inbound ports | Advanced |
| Micro segmentation (per-device/workload) | Identity-based segmentation creates per-device security zones | Advanced |
| Software-defined networking | Software-defined policy enforcement independent of physical network topology | Target |
| Encrypted internal traffic | AES-128-CCM for SMB, TLS 1.3 for all interactive sessions | Target |
| Zero standing port exposure | Patented Reverse Access – no inbound ports opened on protected network firewalls | Advanced |
The Network and Environment Pillar is where truePass Gravity’s Reverse Access architecture provides the most distinctive alignment. The NSA guidance emphasizes that “any device could potentially be a beach head for future attacks” – including OT and IoT devices. Reverse Access eliminates the inbound attack surface that traditional VPN and gateway architectures expose.
For state and federal government systems where cross-network connectivity between classified, unclassified, and OT segments is operationally required, the Reverse Access architecture provides zone isolation that satisfies NSA macro segmentation requirements without the operational complexity of multiple gateway appliances.
Pillar 4 – Application and Workload: Secure Access and Integrity
The NSA Application and Workload Pillar CSI (V1.0, May 2024) requires organizations to secure applications by granting access only to authorized users and ensuring workload integrity.
| NSA Requirement | truePass Gravity Capability | Maturity Level Addressed |
|---|---|---|
| Application-level access (not network-level) | Per-application authorization: RDP, SSH, HTTP, TCP per policy | Advanced |
| Application inventory and authorization | Central policy engine inventories and authorizes all accessible applications | Target |
| Application access logging | Every application session logged with identity, device, timestamp, duration, and operations performed | Advanced |
| Workload integrity protection | CDR scanning for all file operations protects workload integrity from malicious content | Target |
| API security | Server-to-server access control through certificate-based Reverse Access | Target |
The Application and Workload Pillar directly addresses the government procurement pain point of consolidating multiple connectivity products. Traditional government environments run separate products for RDP access, SSH access, file sharing, and web application access – each with separate authentication, separate logging, and separate policy management. truePass Gravity consolidates these into a single platform with unified policy and audit.
Pillar 5 – Data: Protection, Labeling, and DLP
The NSA Data Pillar CSI (V1.0, April 2024) requires data protection through cataloging, labeling, encryption, and access controls. The guidance explicitly addresses insider threat risk.
| NSA Requirement | truePass Gravity Capability | Maturity Level Addressed |
|---|---|---|
| Data encryption in transit | TLS 1.3 for all sessions; AES encryption for SMB file transfers | Target |
| Data encryption at rest | AES-256 encryption for all stored files in Secure Virtual Vaults | Target |
| Content inspection and sanitization | CDR scanning strips active content (macros, scripts, exploits) from all transferred files | Advanced |
| Data loss prevention | Integration with agency DLP platforms through SecureStream policy engine | Target |
| Data access controls per file operation | Heimdall SMB enforces per-operation (create, modify, view, delete) policies per user/group | Advanced |
| Data transfer audit trail | Complete audit of every file operation: user, device, timestamp, file name, file hash, operation type, policy decision | Advanced |
The Data Pillar is where truePass Gravity’s Layer 2 – the Heimdall SMB Proxy with CDR – provides capabilities that most ZTNA platforms lack entirely. Standard ZTNA platforms handle application access but do not address file sharing between networks with content inspection. For government environments where firmware files, configuration backups, and classified documents cross between networks, the CDR layer addresses NSA Data Pillar requirements that application-only platforms cannot.
For homeland security systems where data crossing between networks carries specific classification handling requirements, the CDR + DLP integration provides the data-level controls that NSA Data Pillar guidance mandates.
Pillar 6 – Automation and Orchestration
The NSA Automation and Orchestration Pillar CSI (November 2024) requires automated security response, orchestrated remediation, and policy automation.
| NSA Requirement | truePass Gravity Capability | Maturity Level Addressed |
|---|---|---|
| Automated policy enforcement | SecureStream policy engine automatically enforces security policies on all inbound/outbound data flows | Target |
| Security tool integration | API-based integration with SIEM, SOAR, DLP, AV, CDR, and EDR platforms | Target |
| Automated incident response triggers | Policy-based session termination, access revocation, and alert generation on anomaly detection | Target |
| Workflow automation for access provisioning | Automated provisioning/deprovisioning through AD/LDAP sync and REST API | Target |
Pillar 7 – Visibility and Analytics
The Visibility and Analytics pillar requires centralized logging, security analytics, and comprehensive event correlation.
| NSA Requirement | truePass Gravity Capability | Maturity Level Addressed |
|---|---|---|
| Centralized logging | Unified audit trail across all three layers (Reverse Access, SMB Proxy, Application Access) | Advanced |
| SIEM integration | Syslog, CEF export to any enterprise SIEM (Splunk, Microsoft Sentinel, Elastic, Chronicle) | Target |
| Session-level forensics | Video recording + keystroke logging + file transfer attribution for all interactive sessions | Advanced |
| Identity-attributed audit trail | Every operation attributed to verified user identity and device identity – not just IP address | Advanced |
| Cross-pillar event correlation | Unified log format enables SIEM correlation of access events, file operations, and session activities | Target |
The Visibility and Analytics Pillar is where truePass Gravity’s integrated session recording provides government-specific value. The ZIGs Phase One explicitly requires establishing comprehensive audit and logging systems. Agencies running separate products for RDP access, file sharing, and session recording produce fragmented logs that complicate SIEM correlation. truePass Gravity’s unified audit trail produces a single, identity-attributed log stream across all connectivity types.
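Two claims from the Data and Visibility pillar tables above go together: file operations are authorized per user group and per operation (view, create, modify, delete), and every decision produces an identity-attributed audit record (user, device, file name, file hash, operation, policy decision) that can be exported to a SIEM as CEF. The following is an added illustration written for this article, not Heimdall, SecureStream or any TerraZone code; the group-to-operation policy, the vendor/product strings in the CEF header and the sample inputs are constructed assumptions.

```python
"""Per-operation file policy with an identity-attributed CEF audit record (constructed example)."""
import hashlib
from datetime import datetime, timezone
from typing import Dict, FrozenSet, Iterable, Optional

OPERATIONS = frozenset({"view", "create", "modify", "delete"})

# Constructed group policy: which file operations each group may perform.
GROUP_POLICY: Dict[str, FrozenSet[str]] = {
    "engineering": frozenset({"view", "create", "modify"}),
    "vendor": frozenset({"view"}),
    "admins": OPERATIONS,
}


def allowed_operations(groups: Iterable[str]) -> FrozenSet[str]:
    """Union of the operations granted to any of the user's groups."""
    allowed: FrozenSet[str] = frozenset()
    for g in groups:
        allowed |= GROUP_POLICY.get(g, frozenset())
    return allowed


def authorize_file_op(groups: Iterable[str], operation: str) -> bool:
    """Default-deny: unknown operations and unknown groups never pass."""
    return operation in OPERATIONS and operation in allowed_operations(groups)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_audit_record(user: str, device_id: str, groups: Iterable[str], filename: str,
                       content: bytes, operation: str,
                       when: Optional[datetime] = None) -> Dict[str, str]:
    """Evaluate the policy and return the record fields using standard CEF extension keys."""
    decision = "allow" if authorize_file_op(groups, operation) else "deny"
    when = when or datetime.now(timezone.utc)
    return {
        "suser": user,                    # verified user identity, not an IP address
        "dvchost": device_id,             # verified device identity
        "fname": filename,
        "fileHash": sha256_hex(content),  # ties the record to the exact bytes transferred
        "act": operation,
        "outcome": decision,
        "rt": when.isoformat(),
    }


def _esc_header(value: str) -> str:
    # CEF header fields escape backslash and pipe.
    return value.replace("\\", "\\\\").replace("|", "\\|")


def _esc_ext(value: str) -> str:
    # CEF extension values escape backslash and equals; newlines become literal \n.
    return value.replace("\\", "\\\\").replace("=", "\\=").replace("\n", "\\n")


def to_cef(record: Dict[str, str]) -> str:
    """CEF:0|Vendor|Product|Version|SignatureID|Name|Severity|key=value ..."""
    severity = "3" if record["outcome"] == "allow" else "7"  # denied operations rank higher
    header = "|".join(_esc_header(x) for x in
                      ("ExampleVendor", "FilePolicy", "1.0", "file-op", record["act"], severity))
    ext = " ".join(f"{k}={_esc_ext(v)}" for k, v in record.items())
    return f"CEF:0|{header}|{ext}"


if __name__ == "__main__":
    # Constructed sample events: an engineer updating a firmware file, a vendor attempting a delete.
    ok = build_audit_record("alice", "ws-01", ["engineering"], "plc-fw.bin",
                            b"constructed firmware bytes", "modify")
    denied = build_audit_record("bob", "vendor-laptop", ["vendor"], "a=b.txt", b"x", "delete")
    print(to_cef(ok))
    print(to_cef(denied))
```

Both allowed and denied operations are logged with the same fields, so a SIEM correlation rule can key on `suser`, `dvchost` and `fileHash` across the access, file and session events the pillar tables describe without first normalizing three log formats.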
The Consolidated Alignment Summary
The following table provides a single-view summary of truePass Gravity alignment across all seven NSA pillars.
| NSA Pillar | Key NSA Requirement | truePass Gravity Capability | Maturity Level |
|---|---|---|---|
| 1. User | Phishing-resistant MFA, privileged access management | Per-session MFA (PIV/CAC/FIDO2), named vendor accounts, session recording | Advanced |
| 2. Device | Device posture, managed/unmanaged differentiation | Pre-auth posture checks, agent + agentless enforcement, OT device identification | Advanced |
| 3. Network | Macro + micro segmentation, zero standing ports | Reverse Access (zero inbound ports), identity-based segmentation | Advanced |
| 4. Application | Application-level access, workload integrity | Per-application RDP/SSH/HTTP authorization, CDR for workload protection | Advanced |
| 5. Data | Encryption, CDR, DLP, per-operation controls | AES encryption, Heimdall SMB with CDR, per-operation policy | Advanced |
| 6. Automation | Automated policy, tool integration | SecureStream engine, API integrations, automated provisioning | Target |
| 7. Visibility | Centralized logging, session forensics | Unified audit trail, video recording, SIEM export | Advanced |
truePass Gravity achieves Advanced maturity alignment on five of seven pillars and Target maturity on two – without requiring supplementary products. For government CISOs evaluating the best zero trust platform for federal agencies, this cross-pillar coverage from a single platform eliminates the vendor sprawl that fragments audit trails and creates integration gaps.
How truePass Gravity Addresses the ZIGs Phase Timeline
The NSA ZIGs define a phased implementation path. truePass Gravity’s deployment model maps directly to this timeline.
| ZIG Phase | NSA Intent | truePass Gravity Alignment |
|---|---|---|
| Discovery (13 capabilities, 14 activities) | Build authoritative inventory of users, devices, applications, data, and traffic | Discovery mode: passive mapping of all device communication, user activity, and application flows across IT and OT |
| Phase One (30 capabilities, 36 activities) | Establish secure foundation: MFA, logging, basic segmentation | Deployment of Reverse Access + MFA + unified audit + SIEM integration |
| Phase Two (34 capabilities, 41 activities) | Integrate ZT solutions: microsegmentation, CDR, session recording, automated policy | Full truePass Gravity deployment: Heimdall SMB + CDR + per-application access + session recording + identity-based segmentation |
| Phase Three/Four (future) | Advanced-level: UEBA, AI-driven analytics, advanced automation | Platform roadmap: behavioral analytics, advanced automation through SecureStream |
The practical implication: a government agency deploying truePass Gravity addresses Discovery, Phase One, and Phase Two requirements through a single platform deployment – typically completed in 8–16 weeks. This compresses the FY2027 Target-level timeline compared to multi-vendor approaches that require separate procurement, integration, and testing cycles for each capability.
For government CISOs managing this timeline, a platform evaluation comparing zero trust solutions for government provides the procurement-level detail needed to justify the consolidated approach against multi-vendor alternatives.
What Makes truePass Gravity Different from IT-Only Zero Trust Platforms
The NSA ZIGs acknowledge a significant scope limitation: “Future updates may address other contextual environments, including Operational Technology (OT), Defense Critical Infrastructure (DCI), and/or Tactical/Weapons Systems.” The current ZIGs address Enterprise IT environments. OT-specific guidance is forthcoming.
Government agencies cannot wait for OT-specific ZIGs before securing their OT environments. The threat is present now – Dragos documented 119 ransomware groups targeting industrial organizations in 2025, with SMB and RDP as primary lateral movement protocols. Agencies with OT/SCADA – water utilities, power systems, transportation networks, border surveillance, facility management – need platforms that address both IT Enterprise and OT today.
truePass Gravity was designed for precisely this convergence. The three-layer architecture provides:
For IT Enterprise: Per-application ZTNA with MFA, device posture, session recording, and unified audit – directly addressing ZIGs Discovery through Phase Two activities.
For OT/SCADA: RDP/SSH to SCADA workstations with per-session MFA and recording, Heimdall SMB for firmware and configuration file transfer with CDR scanning, zero inbound ports on OT network boundaries, and vendor access with named accounts and time-bounded sessions.
For Cross-Network: Secure connectivity between IT and OT zones, between classified and unclassified segments, and between agency networks and contractor environments – all through a single architecture with unified policy and audit.
This IT/OT convergence capability is what distinguishes truePass Gravity from platforms designed exclusively for IT ZTNA. For government CISOs managing the broader consolidation challenge, a practical guide on how to consolidate cross-network security into a single zero trust platform maps the procurement, deployment, and operational steps that move from multi-vendor boundary security to unified Zero Trust.
Frequently Asked Questions
How many NSA Zero Trust pillars does truePass Gravity address?
All seven. truePass Gravity achieves Advanced maturity alignment on five pillars (User, Device, Network & Environment, Application & Workload, Data) and Target maturity alignment on two (Automation & Orchestration, Visibility & Analytics). The three-layer architecture – Reverse Access, SMB Proxy with CDR, and Zero Trust Application Access – addresses pillar requirements that single-capability ZTNA platforms cannot cover.
What are the NSA Zero Trust Implementation Guidelines (ZIGs)?
The ZIGs are execution-focused documents released by the NSA in January 2026 that translate the DoD Zero Trust Strategy into specific, phased activities for achieving Zero Trust maturity. The series includes a Primer, Discovery Phase (14 activities), Phase One (36 activities), and Phase Two (41 activities) – totaling 91 activities for Target-level maturity by FY2027. Phases Three and Four (61 additional activities for Advanced-level by FY2032) will be released in the future.
Does truePass Gravity satisfy the DoD FY2027 Target-level Zero Trust deadline?
truePass Gravity’s capabilities align with Target-level requirements across all seven pillars and reach Advanced maturity on five. A typical government deployment completing Discovery, Phase One, and Phase Two alignment takes 8–16 weeks. Agencies deploying in 2026 can achieve Target-level maturity before the FY2027 deadline.
How does truePass Gravity handle PIV/CAC authentication required for government environments?
truePass Gravity integrates natively with PIV (Personal Identity Verification) for civilian agencies and CAC (Common Access Card) for DoD personnel. The PIV/CAC certificate chain is validated directly – not through a third-party authentication broker. Per-session MFA with PIV/CAC satisfies both the NSA User Pillar and OMB M-22-09 phishing-resistant MFA requirements.
What is the difference between truePass and truePass Gravity?
truePass is the unified Zero Trust platform. truePass Gravity is a specific three-layer configuration designed for cross-network government and critical infrastructure environments that require all three connectivity types – Reverse Access infrastructure protection, SMB-based file sharing with CDR, and interactive application access with session recording – in a single deployment.
Can truePass Gravity address OT/SCADA environments even though the NSA ZIGs don’t yet cover OT?
Yes. While the current ZIGs focus on Enterprise IT environments and acknowledge OT-specific guidance is forthcoming, truePass Gravity was designed for IT/OT convergence. The platform provides the same zero-inbound-port architecture, identity-based access, and session recording for OT endpoints (SCADA workstations, HMIs, engineering stations) that it provides for IT applications. Agencies deploying truePass Gravity for IT can extend the same architecture to OT without a separate procurement.
How does this guidance relate to CISA ZTMM and OMB M-22-09?
The NSA ZIGs, CISA ZTMM V2.0, and OMB M-22-09 are complementary frameworks – not competing ones. The NSA ZIGs Primer explicitly references CISA ZTMM and OMB M-22-09 as foundational documents. The ZIGs translate the strategic direction of OMB M-22-09 and the maturity measurement of CISA ZTMM into activity-level implementation guidance. truePass Gravity’s pillar alignment maps consistently across all three frameworks.
Conclusion
The NSA’s January 2026 Zero Trust Implementation Guidelines moved government Zero Trust from strategic vision to execution-level specificity. With 91 activities across seven pillars required for Target-level maturity by FY2027, government CISOs need connectivity platforms that address multiple pillars through integrated architecture – not point products that cover one pillar while leaving gaps in others.
truePass Gravity’s three-layer architecture – Reverse Access, Heimdall SMB Proxy with CDR, and Zero Trust Application Access with session recording – maps to all seven NSA pillars with Advanced maturity alignment on five. The platform addresses the cross-network connectivity requirements that define government environments: IT-to-OT boundaries, classified-to-unclassified transfers, and agency-to-contractor access paths – all with zero inbound ports, per-session MFA, content inspection, and unified audit.
The FY2027 deadline is 14 months away. The 91 activities are defined. The pillar alignment is documented. For government CISOs who need a cross-network Zero Trust platform that fits government procurement and maps to NSA guidance with architectural evidence – not marketing claims – the evaluation starts with this pillar mapping and the procurement requirements it reveals.