Why compliance alone doesn’t make federal networks secure
Why compliance alone doesn’t make federal networks secure
Publish Date: 2026-05-26 17:11:00
Source Domain: www.nextgov.com
Zero Trust has moved from aspirational to a mandate within federal cybersecurity.
Policies such as Executive Order 14028, OMB M-22-09 and the DoD’s Zero Trust roadmap — reinforced by the recent White House Cyber Strategy — have spurred the adoption of new solutions across civilian agencies, driving federal operators to deploy fancy dashboards, complete longer checklists and send AI-powered progress reports to senior leadership. But compliance is not the same as security; treating Zero Trust as a milestone instead of a discipline creates blind spots adversaries exploit.
Adoption is growing, but so are the gaps
Globally, roughly 63% of organizations report at least partial Zero Trust adoption, according to Gartner, but only about 21% believe they have fully implemented Zero Trust infrastructure.
In federal environments, the gaps are even more consequential because they affect systems that support national security and critical infrastructure. Agencies frequently prioritize IT modernization efforts, while operational technology (OT), legacy systems and mission-critical edge environments remain entirely outside Zero Trust controls.
OT remains the most consistent blind spot. These systems — controlling power, transportation, manufacturing and logistics — were never designed with modern cybersecurity assumptions. Agencies often respond to limited patch windows and lengthy equipment lifecycles by deferring enforcement or carving OT out of Zero Trust initiatives altogether, creating exploitable seams between IT and OT that adversaries readily abuse.
High-profile breaches such as SolarWinds demonstrated how weak segmentation between environments enables lateral movement. Adversaries rarely respect the administrative boundaries that shape compliance programs, focusing on the seams between environments where formal enforcement ends and implicit trust begins.
A full Zero Trust implementation has been shown to reduce lateral movement success by as much as…
