Achieving Zero Trust in Federal Agencies Starts with Identity



It is no secret that cybersecurity is a top priority for government agencies. With the threat of cyberattacks, data breaches, and other nefarious activity, organizations are scrambling to find a way to protect themselves. One solution gaining attention in recent years has been the Zero Trust Architecture (ZTA), which is a framework for designing, building, and running IT systems in a way that limits the number of systems and users that can access sensitive information. By eliminating the implicit trust between networks and authenticated users, ZTA reduces overprivileged access and the risk of threats moving across the network. When executed successfully, ZTA provides superior security to federal agency workforces and the citizens they serve, and it starts with identity.

In January of this year, the Office of Management and Budget (OMB) acting director Shalanda Young issued the finalized strategy for federal agencies to achieve a Zero Trust Architecture, as detailed in President Biden's Executive Order (EO) 14028, Improving the Nation's Cybersecurity, issued in May 2021. This memorandum requires federal agencies to come up with a plan within 60 days for how they will meet these cybersecurity standards by the end of fiscal year (FY) 2024. The Cybersecurity and Infrastructure Security Agency (CISA) added a Zero Trust maturity model in October 2021 to provide a roadmap for agencies to meet the requirements outlined in the EO, complementing the strategy defined by OMB.

What is a Zero Trust Architecture?

Zero Trust is a security model that removes implied trust based on network location and requires all information systems and services to operate under the assumption that their networks are already compromised.

Several agencies and standards bodies have written their own reference architectures for Zero Trust. The common thread is that the perimeter between trusted and untrusted people, systems, networks, and services no longer exists. Instead, architectures must start from a trust point of “zero” and grant access and authorization for resources based on context, which means it’s continually assessing the user’s location, device, security posture, and the access being requested, among other factors.

In the event of an intrusion, the Zero Trust Architecture, with its granular access controls, limits an attacker's ability to move laterally across the network: without specific permission to access a resource, based on agency-defined policy, there is nowhere for an attacker to go.
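The decision logic described above, as an added illustration that is not ForgeRock code or any agency's policy engine: every request is evaluated against an explicit, agency-defined rule set using the user's group membership, the authenticator assurance level (AAL) actually achieved at sign-in, and the device's management and compliance state. Network location is carried in the request but deliberately never consulted, and anything no rule grants is denied. The resources, groups, and rules are constructed for the example.

```python
"""Context-aware, default-deny access decisions (added example, constructed data)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessRequest:
    user: str
    groups: frozenset
    resource: str
    action: str
    aal: int                 # NIST AAL achieved at sign-in (1 = password only, 3 = PIV/CAC, FIDO2)
    device_managed: bool     # device enrolled in agency device management
    device_compliant: bool   # posture check (patch level, disk encryption, ...) passed
    network: str             # "agency_lan", "vpn", "internet"; recorded for audit, never trusted


@dataclass(frozen=True)
class Rule:
    resource: str
    actions: frozenset
    groups: frozenset
    min_aal: int
    require_managed_device: bool = True


# Constructed policy: only explicit grants exist; an unmatched request is denied.
POLICY = (
    Rule("hr/payroll", frozenset({"read"}), frozenset({"hr-staff"}), min_aal=3),
    Rule("hr/payroll", frozenset({"read", "write"}), frozenset({"hr-admin"}), min_aal=3),
    Rule("public/forms", frozenset({"read"}), frozenset({"citizen"}), min_aal=1,
         require_managed_device=False),
)


def decide(req, policy=POLICY):
    """Return (allowed, reason). A request is allowed only if some rule is fully satisfied."""
    near_misses = []
    for rule in policy:
        if rule.resource != req.resource or req.action not in rule.actions:
            continue
        if not (req.groups & rule.groups):
            continue
        # The rule applies to this subject and resource; now check the context it demands.
        if req.aal < rule.min_aal:
            near_misses.append(f"AAL{req.aal} below required AAL{rule.min_aal}")
            continue
        if rule.require_managed_device and not (req.device_managed and req.device_compliant):
            near_misses.append("device not managed and compliant")
            continue
        return True, f"granted by rule for {rule.resource}:{req.action}"
    if near_misses:
        return False, "; ".join(near_misses)
    return False, "no policy grants this access (default deny)"


if __name__ == "__main__":
    # Being on the agency LAN with a password-only login does not help: AAL too low.
    print(decide(AccessRequest("alice", frozenset({"hr-staff"}), "hr/payroll", "read",
                               1, True, True, "agency_lan")))
    # Same user from home with a PIV card (AAL3) on a compliant managed laptop: allowed.
    print(decide(AccessRequest("alice", frozenset({"hr-staff"}), "hr/payroll", "read",
                               3, True, True, "internet")))
    # No rule grants hr-staff write access, so there is nowhere further to move.
    print(decide(AccessRequest("alice", frozenset({"hr-staff"}), "hr/payroll", "write",
                               3, True, True, "internet")))
```

The point of the `network` field is that it is present but unused: a compromised host on the agency LAN gets exactly the same evaluation as one on the public internet, which is what removing implied trust based on network location means in code.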

The Role of Identity in the Zero Trust Executive Order

The Executive Order lists five key areas that agencies need to secure: the first is Identity, followed by Devices, Networks, Applications and Workloads, and Data.

For Identity, the executive order requires agencies to submit a plan to implement the following identity tasks:

  1. Centralized identity management systems: Federal agencies need to eliminate identity silos across legacy identity and access management (IAM) and cloud IAM systems, and across agencies and their bureaus and offices. Such consolidation will enable consistent protection and monitoring. In addition, a centralized identity management system can make intelligent access and authorization decisions based on its analysis of device and user information and its assessment of the security posture of all agency systems.
  2. Phishing-resistant multi-factor authentication (MFA) for the workforce: When authenticating to any agency-hosted accounts, agency users must use security-hardened authenticators, such as cryptographic Personal Identity Verification (PIV) or Common Access Card (CAC) credentials, or other passwordless authentication methods, such as FIDO2/WebAuthn. Phishing-resistant MFA can eliminate the possibility of stolen credentials being used to authenticate to any agency domain. MFA that relies on one-time passcodes (OTPs) delivered through SMS (text) messaging is not recommended due to security concerns.
  3. MFA for citizens: Within one year of the memo, public-facing agencies that provide web-based access to their services must offer citizens the option to secure their accounts with MFA.
  4. Eliminating complex password requirements: Within one year of the memo, agencies must remove password policies that require special characters and regular password rotation from all systems. These password policies are onerous, outdated, and a leading reason why people tend to reuse passwords across work and consumer accounts. Password reuse is a serious vulnerability that attackers have been exploiting for years.

Challenges agencies face

While implementing a Zero Trust Architecture is a challenge for any organization, federal agencies face particular hurdles. In addition to their reliance on older technologies, many agencies with citizen-facing services need to scale to support millions of users. They often have siloed identities between legacy on-premises and cloud environments.

Since COVID-19, the demand for more digital access to government services has exceeded the government's capacity. Identity-related fraud has skyrocketed and agencies urgently need to modernize and secure their services.

The pandemic has also changed the way federal workers get their jobs done. Instead of facing long traffic jams on I-95 or the Beltway, employees have been forced by office shutdowns to access their work applications remotely from home offices. Workers who used to rely on their PIV or CAC cards to log in at NIST Authenticator Assurance Level 3 (AAL3) from the office found themselves unable to do so from home. IT administrators started handing out VPN accounts and requiring MFA to enable remote access, but the VPNs potentially open up new vulnerabilities around privileges and overprovisioned access. With the focus on a Zero Trust Architecture, federal IT administrators are replacing VPNs with advanced authentication and authorization for workers, whether they're working remotely or not.

How ForgeRock can help

Agencies that have become ForgeRock customers had been working with legacy IAM solutions that supported their older applications. They were considering adding on a cloud IAM solution to support cloud applications, but wondering how to bridge the gap between identity silos on-premises and in the cloud.

Many of their legacy applications do not support modern authentication standards, such as OpenID Connect or even the older SAML protocol. Agencies were also challenged with how to scale out digital access for citizens.

These are areas where ForgeRock shines. Our identity platform is purpose-built for large organizations that need to support identity for both modern cloud and legacy on-premises applications. The ForgeRock Identity Gateway and connectors can help put a modern and secure identity front-end into older applications and extend their viability within a Zero Trust Architecture.

Our Intelligent Access Trees can enable multiple types of user access experiences for both workforce and citizens. Employees can work from home and authenticate with their smart cards and still achieve NIST Authenticator Assurance Level 3 (AAL3) remote access to their work environments, including legacy applications. ForgeRock Trees provide the flexibility to enable multiple ways for citizens to register, sign in, and choose multi-factor authentication options. They also let administrators set password policies as needed to meet current requirements.

The comprehensive ForgeRock Identity Platform offers access management, identity management, directory services, modernization accelerators for legacy applications, and artificial intelligence (AI)-powered identity governance. It supports strong authentication to modern and legacy on-premises applications for government employees. ForgeRock is built for scale to support tens of millions of citizens logging in concurrently.

ForgeRock helps federal agencies address the identity-related mandates set forth in the executive order.


The challenge of achieving a Zero Trust Architecture across federal agencies may be significant, but the benefits are crucial to the nation’s cyber defense. If a Zero Trust Architecture is successfully implemented, Americans inside and outside of government will benefit from more secure networks, systems, and data.

To realize a true Zero Trust Architecture, cybersecurity must be adopted as a core mission and treated with the same gravity as physical security when it comes to safeguarding our federal information systems.

To learn more about Zero Trust, and the key role identity and access management plays in helping agencies achieve this important objective, read our whitepaper, Digital Identity: The Foundation of Your Zero Trust Strategy.