Why compliance alone doesn’t make federal networks secure

COMMENTARY | Zero Trust is an ongoing operational discipline, not a project with a completion date.

Zero Trust has moved from aspirational to a mandate within federal cybersecurity.

Policies such as Executive Order 14028, OMB M-22-09 and the DoD’s Zero Trust roadmap — reinforced by the recent White House Cyber Strategy — have spurred the adoption of new solutions across civilian agencies, driving federal operators to deploy fancy dashboards, complete longer checklists and send AI-powered progress reports to senior leadership. But compliance is not the same as security; treating Zero Trust as a milestone instead of a discipline creates blind spots adversaries exploit.

Adoption is growing, but so are the gaps

Globally, roughly 63% of organizations report at least partial Zero Trust adoption, according to Gartner, but only about 21% believe they have fully implemented Zero Trust infrastructure.

In federal environments, the gaps are even more consequential because they affect systems that support national security and critical infrastructure. Agencies frequently prioritize IT modernization efforts, while operational technology (OT), legacy systems and mission-critical edge environments remain entirely outside Zero Trust controls. 

OT remains the most consistent blind spot. These systems — controlling power, transportation, manufacturing and logistics — were never designed with modern cybersecurity assumptions. Agencies often respond to limited patch windows and lengthy equipment lifecycles by deferring enforcement or carving OT out of Zero Trust initiatives altogether, creating exploitable seams between IT and OT that adversaries readily abuse. 

High-profile breaches such as SolarWinds demonstrated how weak segmentation between environments enables lateral movement. Adversaries rarely respect the administrative boundaries that shape compliance programs, focusing on the seams between environments where formal enforcement ends and implicit trust begins. 

A full Zero Trust implementation has been shown to reduce lateral movement success by as much as 60% and to lower breach probability by more than 40%. But those benefits only apply when coverage extends everywhere access is granted, not just where compliance frameworks are easiest to satisfy. If protections stop at enterprise IT while OT, edge systems or contractor pathways remain loosely governed, those gaps become predictable paths for lateral movement.

The problem with “move-to-green” security

Federal agencies operate under mandates, audits and oversight frameworks, but those mechanisms can incentivize “move-to-green” behavior that prioritizes requirements over security outcomes. As a result, Zero Trust efforts often focus on checking off requirements like deploying identity providers, enabling multi-factor authentication and installing segmentation tools.

Agencies report progress against maturity models and implementation plans. They can meet milestones and deadlines without answering the more important question: Has risk actually been reduced?

When Zero Trust is evaluated primarily through maturity scoring and reporting artifacts, agencies risk confusing activity for outcome. A control may be deployed without being enforced everywhere it matters or layered into existing environments without fundamentally changing how trust is granted, verified and continuously reassessed. 

In complex operational environments, agencies may not even have a complete picture of what is connected to their networks at any given time. Devices are added, contractors connect temporary tools and legacy systems outlast their documentation. Without continuous visibility into assets and access paths, enforcement policies can appear complete on paper while critical portions of the environment remain outside effective control. Policies also require continuous validation. Impressive dashboards do not matter if attack paths remain open.

Beyond measurement challenges, racing toward compliance can also shape architecture in ways that unintentionally introduce risk. Because federal mandates operate on timelines, modernization often proceeds unevenly under deadline pressure. Enterprise IT environments may receive early Zero Trust investments while legacy systems and mission-specific networks lag. A Zero Trust strategy implemented in pieces becomes a map of uneven trust zones rather than a cohesive security posture.

What true Zero Trust looks like

Zero Trust is an ongoing operational discipline, not a project with a completion date. For defense and civilian agencies, it requires:

  • Unified real-time visibility into both managed and unmanaged assets
  • Continuous authentication and context-aware access decisions
  • Enforcement of least privilege across identities, devices, applications and networks
  • Adaptive segmentation that limits lateral movement across IT, OT, cloud and edge environments

For federal CISOs and mission leaders evaluating Zero Trust progress, the key questions are operational rather than about documentation status:

  • Are access controls enforced everywhere trust is granted or denied?
  • Can we measure a reduction in lateral movement and unauthorized access attempts?
  • Are OT, cloud, supply chain systems and edge devices fully in scope?
  • Do we maintain continuous visibility into all assets, including unmanaged devices?

If the answer to any of these questions is “partially,” then Zero Trust remains incomplete.
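The four questions above can be turned into a repeatable check rather than a reporting exercise. The following Python script is an added illustration, not code from the article or from any vendor: it reconciles a discovered asset inventory (including unmanaged OT and contractor devices) against the set of assets on which identity verification, least privilege and segmentation are actually enforced, then compares the coverage a dashboard scoped to managed enterprise IT would report with the coverage across everything discovered. The inventory, the enforcement sets and the `enterprise_it_scope` rule are constructed sample data.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Set, Tuple


@dataclass(frozen=True)
class Asset:
    name: str
    environment: str   # "it", "ot", "cloud" or "edge"
    managed: bool      # True when the asset appears in the official inventory
    owner: str         # "agency" or "contractor"


# The enforcement outcomes the checklist asks about.
CONTROLS = ("identity_verified", "least_privilege", "segmented")

# Constructed sample inventory (hypothetical names, not real agency data).
INVENTORY: List[Asset] = [
    Asset("hq-workstation-01", "it", True, "agency"),
    Asset("hq-fileserver", "it", True, "agency"),
    Asset("payroll-saas", "cloud", True, "agency"),
    Asset("plc-substation-7", "ot", True, "agency"),
    Asset("hmi-loading-dock", "ot", False, "agency"),      # seen only by passive discovery
    Asset("vendor-jumpbox", "edge", False, "contractor"),  # contractor remote-access path
    Asset("field-gateway-12", "edge", True, "agency"),
]

# Constructed: asset names on which each control is genuinely enforced.
ENFORCEMENT: Dict[str, Set[str]] = {
    "identity_verified": {"hq-workstation-01", "hq-fileserver", "payroll-saas", "field-gateway-12"},
    "least_privilege": {"hq-workstation-01", "hq-fileserver", "payroll-saas"},
    "segmented": {"hq-workstation-01", "hq-fileserver", "payroll-saas", "plc-substation-7"},
}


def missing_controls(asset: Asset, enforcement: Dict[str, Set[str]]) -> Tuple[str, ...]:
    """Controls NOT enforced on this asset, in CONTROLS order."""
    return tuple(c for c in CONTROLS if asset.name not in enforcement.get(c, set()))


def coverage(assets: Iterable[Asset], enforcement: Dict[str, Set[str]]) -> float:
    """Fraction of assets on which every control is enforced (1.0 for an empty set)."""
    assets = list(assets)
    if not assets:
        return 1.0
    fully_covered = sum(1 for a in assets if not missing_controls(a, enforcement))
    return fully_covered / len(assets)


def coverage_by_environment(assets: Iterable[Asset],
                            enforcement: Dict[str, Set[str]]) -> Dict[str, float]:
    """Coverage per environment, so OT and edge gaps are not averaged away by IT."""
    assets = list(assets)
    envs = sorted({a.environment for a in assets})
    return {e: coverage([a for a in assets if a.environment == e], enforcement) for e in envs}


def gap_report(assets: Iterable[Asset],
               enforcement: Dict[str, Set[str]]) -> List[Tuple[str, str, str, str, Tuple[str, ...]]]:
    """One row per asset with at least one unenforced control: the seams an adversary would cross."""
    rows = []
    for a in assets:
        gaps = missing_controls(a, enforcement)
        if gaps:
            rows.append((a.name, a.environment, "managed" if a.managed else "unmanaged", a.owner, gaps))
    return rows


def enterprise_it_scope(asset: Asset) -> bool:
    """Hypothetical dashboard scope: only managed assets in enterprise IT and cloud."""
    return asset.managed and asset.environment in ("it", "cloud")


def dashboard_vs_reality(assets: Iterable[Asset], enforcement: Dict[str, Set[str]],
                         in_scope: Callable[[Asset], bool]) -> Tuple[float, float]:
    """(coverage a scope-limited dashboard reports, coverage over everything discovered)."""
    assets = list(assets)
    reported = coverage([a for a in assets if in_scope(a)], enforcement)
    actual = coverage(assets, enforcement)
    return reported, actual


if __name__ == "__main__":
    reported, actual = dashboard_vs_reality(INVENTORY, ENFORCEMENT, enterprise_it_scope)
    print(f"dashboard (managed IT/cloud only): {reported:.0%}   all discovered assets: {actual:.0%}")
    for env, cov in coverage_by_environment(INVENTORY, ENFORCEMENT).items():
        print(f"  {env:<6} {cov:.0%}")
    for name, env, managed, owner, gaps in gap_report(INVENTORY, ENFORCEMENT):
        print(f"  GAP {name} [{env}, {managed}, {owner}]: missing {', '.join(gaps)}")
```

With the constructed data the enterprise-scoped dashboard reports 100% coverage while only three of the seven discovered assets are fully controlled; every OT and edge asset, including the unmanaged contractor jump box, appears in the gap report. The useful design point is that the denominator comes from discovery, not from the managed inventory, which is exactly the distinction between a "green" artifact and an enforced posture.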

Critically, the misconception that “Zero Trust doesn’t apply to OT” needs to be set aside. In both defense and civilian agencies, OT supports essential services, logistics, manufacturing and critical infrastructure. Excluding it from Zero Trust initiatives creates blind spots at the most sensitive layers of federal operations.

Compliance is the floor, not the ceiling

Compliance frameworks provide structure, establish baselines and drive accountability, but they are starting points, not endpoints.

Federal agencies that treat Zero Trust principles as a strategic security transformation, grounded in continuous visibility, adaptive enforcement and full environmental coverage, will build resilience. On the other hand, those that treat Zero Trust as a compliance milestone risk satisfying auditors while leaving adversaries pathways to exploit. “Green” dashboards won’t guarantee safety in cybersecurity, but continuous verification, segmentation and least-privilege enforcement do. 

In practice, this means extending Zero Trust principles into environments that have historically been treated as exceptions. Visibility into all connected assets, stronger governance of remote access pathways and risk-based prioritization of exposure allow agencies to reduce attack surface without disrupting mission operations. Security improves not because more tools are deployed, but because enforcement and evidence extend across the full operational environment.

As Vice President of Government Affairs at Forescout, Alison King leads relationships with Congress and the Executive Branch, driving federal policy, legislative initiatives and strategic partnerships, with Forescout deployed across more than 70 U.S. federal entities. Her background offers over a decade of federal service with the U.S. Navy, the Cybersecurity and Infrastructure Security Agency (CISA) and the Cyberspace Solarium Commission (CSC). At the CSC she served as Strategic Communications and Legislative Affairs Director.