AWS Public Sector Blog

ZTAG-I, a reference zero trust architecture for the US federal government


Today we’re introducing AWS Zero Trust Accelerator for Government – Integrated (ZTAG-I), a reference architecture that aligns with federal zero trust guidance. ZTAG-I accelerates adoption of zero trust architecture by providing a tested example of a fully integrated technology stack that solves key challenges that arise when adopting zero trust. ZTAG-I is part of the AWS Zero Trust Accelerator for Government (ZTAG) program, introduced in our previous blog. ZTAG aims to accelerate zero trust adoption through resources such as assessment processes and works with AWS Partners to streamline deployment, integration, and procurement.

For background, the 2021 executive order to improve the nation's cybersecurity pushed for the adoption of zero trust architecture and sparked a new wave of cybersecurity efforts across the federal government. Thought leadership from the National Institute of Standards and Technology (NIST), the Cybersecurity and Infrastructure Security Agency (CISA), and the Department of Defense (DoD) resulted in CISA's Zero Trust Maturity Model and DoD's Zero Trust Strategy, which are the references for zero trust adoption in federal civilian and DoD agencies respectively.

Challenges in adopting zero trust

Federal zero trust guidance supplements other cybersecurity practices and compliance requirements, creating a patchwork of standards and documents to consider. A zero trust implementation typically combines multiple security components working together to meet objectives. Depending on the components selected, this can lead to complex integrations and inconsistent results. Full value is not realized until the components are integrated and coherent. There is no one-size-fits-all solution, which increases the challenge of scaling zero trust across large organizations.

The ZTAG-I approach

Figure 1. ZTAG-I overview

ZTAG-I is an opinionated, one-size-fits-many approach to zero trust architecture. It is designed primarily for running workloads on AWS, but can be extended for other use cases. We selected and integrated AWS and AWS Partner security components that align with federal zero trust guidance and existing compliance requirements that can be deployed at scale. Our zero trust lab team has worked to resolve integration challenges between selected vendors, aiming to reduce the time and resources required for customer implementations and improve interoperability among security components where needed.

Selected AWS Partners:

ZTAG-I can support consistent, scalable deployments to get to a full zero trust stack. You can customize the architecture to incorporate your existing security investments or another solution and are not limited to the selected AWS Partners.

Differences in zero trust pillar models

The CISA Zero Trust Maturity Model and DoD Zero Trust Strategy both use pillars as organizing models for zero trust. DoD treats Visibility and Analytics and Automation and Orchestration as distinct pillars, while CISA integrates these as capabilities across all pillars. In practice, this difference in presentation did not affect our ability to build an architecture that aligns with either model.

Figure 2. DoD and CISA Zero Trust pillar models

The ZTAG-I architecture

Figure 3. ZTAG-I AWS reference architecture

ZTAG-I implements zero trust through an integrated approach that streamlines the implementation of zero trust controls while supporting DoD and CISA zero trust objectives.

The reference architecture integrates solutions from AWS, CrowdStrike, Okta, Zscaler, Splunk, and XQ, bringing together capabilities in identity management, endpoint protection, and network security to address all zero trust pillars.

The following sections detail how each partner contributes to specific zero trust pillars within the ZTAG-I architecture:

User (Identity & Access Management)

Okta handles the ongoing authentication and access needs of your workforce. It verifies user identity at each sign-in and monitors active sessions for security risks. Okta automatically enforces access policies and responds to suspicious activities such as unusual login locations or unexpected behavior patterns.

Device

CrowdStrike Falcon protects endpoints—including laptops, workstations, and AWS compute—by detecting threats, blocking malware, and enabling incident response. It assigns each device a Zero Trust Assessment (ZTA) score based on its security status and configuration assessments. CrowdStrike shares this score with ZTAG-I Partners like Okta and Zscaler to enforce comply-to-connect policies, enhancing overall network security.

Network

Zscaler establishes secure connections between users and resources. It monitors network traffic and enforces security policies based on risk assessments of users, devices, and applications. By creating direct, segmented connections to only authorized resources, Zscaler helps prevent lateral movement between different parts of the network.
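The User, Device, and Network sections above describe one flow: the identity provider's session risk, the endpoint's posture score, and the requested resource are combined into a single comply-to-connect decision. The following is an added, illustrative policy decision point for that flow; it is not CrowdStrike, Okta, or Zscaler code and does not use their APIs, and the field names, score scale, thresholds, and freshness window are assumptions.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Decision(Enum):
    ALLOW = "allow"
    STEP_UP = "step_up"  # require stronger authentication before connecting
    DENY = "deny"


@dataclass
class AccessRequest:
    user_risk: str                # identity provider's session risk: "low" | "medium" | "high"
    mfa_satisfied: bool           # phishing-resistant MFA completed in this session
    device_score: Optional[int]   # endpoint posture score 0-100 (assumed scale); None if unreported
    posture_age_s: Optional[int]  # seconds since the posture score was last reported
    app_sensitivity: str          # "standard" | "sensitive"


MAX_POSTURE_AGE_S = 15 * 60                       # assumed freshness window for posture signals
SCORE_FLOOR = {"standard": 60, "sensitive": 80}   # assumed minimum posture per application class


def decide(req: AccessRequest) -> Decision:
    """Combine identity, device, and application signals into one connection decision."""
    # Fail closed: a missing or stale posture signal is treated as non-compliant,
    # so a device that stops reporting cannot keep its access by going silent.
    if req.device_score is None or req.posture_age_s is None:
        return Decision.DENY
    if req.posture_age_s > MAX_POSTURE_AGE_S:
        return Decision.DENY
    # Unknown application classes get no implicit floor; deny until classified.
    if req.app_sensitivity not in SCORE_FLOOR:
        return Decision.DENY
    if req.user_risk == "high":
        return Decision.DENY
    if req.device_score < SCORE_FLOOR[req.app_sensitivity]:
        return Decision.DENY
    # Elevated identity risk, or sensitive data without strong MFA: re-verify the
    # session rather than deny outright, so the identity provider can step up.
    if req.user_risk == "medium" or (req.app_sensitivity == "sensitive" and not req.mfa_satisfied):
        return Decision.STEP_UP
    return Decision.ALLOW
```

The network broker would only build the segmented connection on an ALLOW, and a STEP_UP sends the user back to the identity provider before the request is re-evaluated.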

Data

AWS and XQ Message combine their strengths to protect data at multiple levels. AWS offers encryption services for stored data, while XQ adds encryption for sensitive information and communications. The combined solution monitors data access, enforces encryption policies, and assesses access risk levels to help protect against unauthorized access.

Application & Workload

AWS serves as the foundational infrastructure for applications and workloads within ZTAG-I. AWS protects mission-critical applications through native security services while providing flexible deployment options to meet diverse operational requirements.

Visibility & Analytics

AWS and Splunk provide centralized security monitoring across all ZTAG-I components. Teams get real-time visibility into threats, security posture, and operational performance through unified dashboards, enabling faster threat detection and response.

Automation & Orchestration

AWS and Splunk provide automated security workflows within ZTAG-I. These workflows handle routine threat detection, process security alerts, and execute initial response actions through pre-configured playbooks.

Demonstration

Modular design: Build your zero trust journey

You can progress in your zero trust journey based on your priorities and resources, and you do not need to adopt the full stack to start seeing benefits. You control the pace and scope of deployment. Most agencies are not starting from zero and have existing security investments. In addition to the AWS Partners described above, the security component-based design lets you substitute or add your own security components, although this may require additional effort. We will be adding validated ZTAG partners for both security components and consulting and implementation, listed on our partnership site, to further our goal of making zero trust adoption easier.

Zero trust outside of the US government

While designed to align with US federal zero trust guidance, ZTAG-I’s component-based approach is a useful reference for zero trust globally. The reference architecture helps organizations understand the impact of investing in specific security areas and how these investments work together to create stronger overall security. Organizations can customize ZTAG-I’s design patterns to meet their specific regulatory, risk, and operational requirements.

Conclusion

In this article we explained how the AWS Zero Trust Accelerator for Government – Integrated (ZTAG-I) reference architecture provides a practical blueprint for zero trust that helps federal agencies move from planning to deployment. We also provided a use case-based demonstration of ZTAG-I to show some of the problems it can address.

Whether you are pursuing a full-stack zero trust approach or plan to build up iteratively, ZTAG-I provides a reference to reduce the complexity and accelerate your adoption of zero trust architecture.

Next steps

  1. Get a zero trust assessment by emailing mipa-aws@amazon.com. Our assessment can help you identify priorities and options aligned with the DoD or CISA frameworks.
  2. Learn more about our AWS Security partners and AWS implementation partners for zero trust by using the contact us option on the zero trust partnership site.

Sean Phuphanich


Sean is a principal technologist at AWS focused on solving complex challenges for industry. He leads public sector zero trust partnerships and the public sector zero trust lab team. Sean is also a technical leader in the AWS Storage community and ISV partnerships, and has a wide background in IT, development, security, and AI.

Jose Alvarez


Jose is a partner solutions architect at AWS working with worldwide public sector cybersecurity partners. Prior to joining AWS, he served in various cybersecurity roles and programs within the Department of Defense (DoD). At AWS, he spends his time working with partners to support customers in working toward their security objectives.

Gina McFarland


Gina is a partner solutions architect at AWS, supporting ISV partners with solutions for the public sector. Her background spans tech and defense industries, with experience in cloud computing, machine learning, analytics, and weaponeering.