Federal & State Government Security FAQ

Technical answers to common questions about AppGate ZTNA architecture, deployment models, VPN migration, and Zero Trust strategy for Federal, DoD, and State & Local networks.

last updated March 5, 2026

Department of Defense (DoD)

What are the key cybersecurity requirements for DoD networks?
DoD networks must comply with NIST 800-171, DFARS, and CMMC 2.0, requiring protection of CUI, strict least-privilege access controls, and continuous monitoring. Solutions must also minimize exposure and reduce attack surface across mission-critical environments.
How does AppGate support CMMC 2.0 and NIST compliance?
AppGate ZTNA enforces identity-based, least-privilege access with detailed logging and policy enforcement that map directly to the required controls. Its direct-routed architecture reduces unnecessary exposure by preventing full network access.
Why is direct-routed ZTNA important for DoD environments?
Unlike cloud-proxied ZTNA that routes traffic through external infrastructure, AppGate ZTNA connects users directly to authorized applications. This reduces latency, avoids dependency on public cloud intermediaries, and maintains tighter operational control for mission-critical systems.
Can AppGate ZTNA provide resilient access to mission-critical DoD applications?
Yes. AppGate ZTNA's direct-routed architecture supports multiple distributed gateways, eliminating single cloud choke points and improving availability and performance during disruptions.
Is AppGate ZTNA authorized for use in IL6+ environments?
Yes. AppGate ZTNA has achieved ATO (Authority to Operate) in IL6+ environments, validating its suitability for highly sensitive and classified DoD workloads while maintaining zero-trust enforcement.
Has AppGate ZTNA been independently tested and certified?
Yes. AppGate ZTNA has undergone extensive security validation, including:
U.S. Military Command Pen Tested: Tested by U.S. Cyber Command, Army Cyber, and Air Force Cyber with a high-mission impact/low-risk rating.
NIAP Common Criteria EAL: Only solution certified to meet the most stringent government security requirements.
FIPS 140-3 Compliant: Meets NIST cryptographic standards.
Certificate to Field (CtF) for Platform One: Mission application-level accreditation for specific DoD environments.
NCCoE and NIST Contributions: Select contributor to Zero Trust implementation guides.
NIAP Protection Profile (Client 6.4): Trusted solution for handling classified data in secure U.S. Government environments.

Defense Industrial Base (DIB)

How does AppGate protect controlled unclassified information (CUI) in DIB networks?
AppGate ZTNA cloaks internal infrastructure and provides direct, identity-based access only to authorized applications storing CUI. Users never gain broad network visibility, significantly reducing lateral movement risk.
How does direct-routed architecture benefit DIB organizations?
AppGate ZTNA's direct-routed architecture allows contractors and suppliers to securely access required applications without backhauling traffic through third-party clouds. This improves performance, reduces complexity, and supports tighter data control.
How does AppGate support secure access for contractors and vendors?
AppGate ZTNA enables granular, role-based, and time-bound policies that restrict contractors to only the applications they need, delivered through secure direct connections rather than full network tunnels.
Can AppGate be fully deployed on-premises for DIB compliance?
Yes. AppGate ZTNA can operate entirely on-premises, allowing DIB organizations to maintain strict data sovereignty while leveraging direct-routed zero-trust access.

State & Local Government

How can AppGate secure access to state and local government applications?
AppGate ZTNA provides identity-based access directly to authorized applications, eliminating traditional VPN-style network exposure and reducing the attack surface.
How does direct-routed ZTNA improve performance for public sector users?
By connecting users directly to applications instead of routing traffic through centralized cloud proxies, AppGate ZTNA reduces latency and improves user experience for distributed agencies.
Can AppGate support hybrid or cloud environments common in state and local IT?
Yes. AppGate ZTNA supports hybrid deployments and enforces consistent zero-trust policies across on-premises and cloud systems without forcing all traffic through a third-party cloud intermediary.
How does AppGate enable secure remote work for government employees?
With AppGate ZTNA, employees authenticate via identity and device posture verification, then connect directly to authorized applications through secure gateways, without exposing the broader network.

Air Gapped, DDIL & Intermittent Environments

How does AppGate operate in intermittent connectivity environments?
In intermittent connectivity environments, AppGate ZTNA enforces access locally at the gateway once entitlements have been issued by the controller. Because traffic is direct-routed between client and gateway, session traffic does not require continuous communication with a centralized cloud proxy. Policy distribution occurs through the controller, while gateways handle active session enforcement. Deployment design and redundancy planning determine resilience during degraded network conditions.
Can policies be cached?
AppGate ZTNA distributes policy and entitlement information from the controller to enforcement gateways. Once policies are received, gateways apply those rules to session establishment and traffic flow. This distributed enforcement model allows access decisions to be evaluated locally based on previously synchronized policy state. Specific caching behavior depends on deployment configuration and operational design.
How are credentials validated offline?
Authentication typically occurs through the configured identity provider prior to entitlement issuance. In constrained or disconnected environments, access continuity depends on previously validated identity state and active session conditions. New authentication events generally require communication with the identity provider and controller. Architectural planning should consider identity validation dependencies in DDIL scenarios.
What happens during long controller disconnects?
During controller disruption, gateways continue to enforce existing policies for active sessions based on previously issued entitlements. The controller is responsible for distributing new or updated policies, while gateways manage established connections. Extended controller unavailability may prevent new entitlement issuance or policy changes until connectivity is restored. High-availability controller design and redundancy strategies are recommended for mission-critical environments.
Can entitlements persist temporarily?
Entitlements are defined and issued by the controller and enforced at the gateway. Active sessions continue to operate according to their established entitlements until policy reevaluation or session termination occurs. Temporary persistence of session state depends on deployment configuration and timeout settings. Organizations operating in DDIL environments should design policy lifetimes and reevaluation intervals in alignment with mission requirements.
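As an added illustration of the controller/gateway split this section describes (constructed for this FAQ, not AppGate's implementation; the Entitlement and Gateway classes, the controller stub and the 600-second lifetime are assumptions), a gateway that keeps enforcing previously synchronized entitlements while the controller is unreachable, and can neither issue new ones nor refresh expired ones until connectivity returns:

```python
from dataclasses import dataclass, field
from typing import Callable, Optional
# Illustrative model of gateway-side entitlement enforcement during a controller
# disconnect (constructed for this FAQ; not AppGate's code).

@dataclass
class Entitlement:
    identity: str
    app: str
    issued_at: float
    ttl: float  # seconds the gateway may keep enforcing it without a controller refresh
    def valid_at(self, now: float) -> bool:
        return now < self.issued_at + self.ttl

@dataclass
class Gateway:
    # Hypothetical controller call: returns an Entitlement or None; raises ConnectionError when unreachable.
    fetch_from_controller: Callable[[str, str, float], Optional[Entitlement]]
    cache: dict = field(default_factory=dict)  # (identity, app) -> Entitlement synced from the controller

    def authorize(self, identity: str, app: str, now: float) -> tuple:
        key = (identity, app)
        ent = self.cache.get(key)
        if ent and ent.valid_at(now):
            return True, "allowed: previously synchronized entitlement"
        self.cache.pop(key, None)  # absent or lifetime elapsed: the controller must (re)evaluate policy
        try:
            fresh = self.fetch_from_controller(identity, app, now)
        except ConnectionError:
            return False, "denied: controller unreachable and no valid cached entitlement"
        if fresh is None:
            return False, "denied: controller issued no entitlement"
        self.cache[key] = fresh
        return True, "allowed: new entitlement issued by controller"

def make_controller(reachable: list, grants: set):
    """Constructed controller stub; reachable[0] toggles connectivity."""
    def fetch(identity, app, now):
        if not reachable[0]:
            raise ConnectionError("controller unreachable")
        return Entitlement(identity, app, now, ttl=600) if (identity, app) in grants else None
    return fetch

def demo() -> list:
    reachable = [True]
    gw = Gateway(make_controller(reachable, {("analyst", "mission-app")}))
    out = [gw.authorize("analyst", "mission-app", 0)]        # online: entitlement issued
    reachable[0] = False                                     # DDIL: controller link lost
    out.append(gw.authorize("analyst", "mission-app", 300))  # cached, within lifetime
    out.append(gw.authorize("analyst", "other-app", 300))    # never issued, cannot be issued now
    out.append(gw.authorize("analyst", "mission-app", 700))  # lifetime elapsed, no refresh possible
    return out
```

The ttl value is the policy-lifetime knob the last answer refers to: shorter lifetimes tighten reevaluation but shrink how long a gateway can ride out a controller outage.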

AI-Specific Architecture

Can AppGate isolate model-to-model communication?
Yes. AppGate ZTNA can isolate model-to-model communication by enforcing identity-based, application-specific access policies between services. Each workload or model can be treated as a distinct identity within the policy framework, with entitlements defined for specific API endpoints or services. Because connections are established only when policy conditions are satisfied, unauthorized east-west communication between models can be restricted. This supports segmentation within AI environments without relying solely on network-level controls.
Can AI agents be segmented from human users?
Yes. AI agents can be segmented from human users through identity-defined policies that distinguish between user identities and non-human service identities. AppGate ZTNA evaluates identity attributes, device or workload context, and policy conditions before granting access to applications or APIs. By assigning distinct entitlements to agents and human operators, organizations can prevent privilege overlap and reduce unintended access exposure. This supports controlled interaction between automation systems and user populations.
How does ZTNA protect inference APIs?
ZTNA protects inference APIs by requiring identity verification and policy evaluation before establishing application-level connectivity. AppGate ZTNA cloaks protected services until authentication and entitlement checks are satisfied, reducing exposure to unauthorized scanning or direct access attempts. Because access is defined per application rather than per network segment, inference endpoints can be limited to approved identities and workloads. This reduces the risk of overexposed AI services.
Can AI workloads be cloaked from unauthorized networks?
Yes. AppGate ZTNA’s use of Single Packet Authorization and identity-bound session establishment allows applications and services to remain effectively invisible until trust conditions are met. AI workloads and APIs are not broadly exposed on the network and respond only to authenticated, policy-compliant connection attempts. This cloaking approach reduces unsolicited discovery attempts and narrows the visible attack surface within AI environments.
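As an added example of the cloaking idea above (constructed for this FAQ; not AppGate's protocol, whose wire format is not described here; the SpaGate class, packet layout, key provisioning and timing constants are assumptions), a minimal single-packet-authorization gate: the service answers nothing unless the knock carries a valid HMAC from a provisioned identity within a fresh time window, and only then opens a short-lived allowance for that source:

```python
from __future__ import annotations
import hashlib, hmac, os, struct, time
# Illustrative single-packet-authorization (SPA) gate, constructed for this FAQ;
# not AppGate's protocol. The service stays silent to every packet except a valid
# HMAC-authenticated knock from a provisioned identity.

WINDOW = 30    # seconds of clock skew tolerated on the knock timestamp
OPEN_FOR = 60  # seconds the knocking source may connect after a valid knock
KNOCK_LEN = 32 + 8 + 16 + 32  # client_id | timestamp | nonce | HMAC-SHA256 tag

class SpaGate:
    def __init__(self, client_keys: dict[str, bytes]):
        self.keys = client_keys              # client_id -> shared secret, provisioned out of band
        self.seen: set[bytes] = set()        # nonces already accepted (replay protection)
        self.opened: dict[str, float] = {}   # src_ip -> expiry of its temporary allow rule

    @staticmethod
    def build_knock(client_id: str, key: bytes, ts: int | None = None) -> bytes:
        """Client side: the single packet binds identity, time and a fresh nonce under the shared key."""
        ts = int(time.time()) if ts is None else ts
        body = client_id.encode().ljust(32, b"\0") + struct.pack(">Q", ts) + os.urandom(16)
        return body + hmac.new(key, body, hashlib.sha256).digest()

    def handle(self, src_ip: str, packet: bytes, now: float) -> bool:
        """Server side: True only for a valid knock; every failure is a silent drop, never an error reply."""
        if len(packet) != KNOCK_LEN:
            return False
        body, tag = packet[:56], packet[56:]
        key = self.keys.get(body[:32].rstrip(b"\0").decode(errors="replace"))
        if key is None:
            return False                                       # unknown identity: service stays invisible
        if not hmac.compare_digest(hmac.new(key, body, hashlib.sha256).digest(), tag):
            return False                                       # forged or tampered knock
        ts, nonce = struct.unpack(">Q", body[32:40])[0], body[40:56]
        if abs(now - ts) > WINDOW or nonce in self.seen:
            return False                                       # stale or replayed knock
        self.seen.add(nonce)
        self.opened[src_ip] = now + OPEN_FOR                   # in practice: insert a temporary firewall accept rule
        return True

    def is_open(self, src_ip: str, now: float) -> bool:
        """Whether a connection attempt from src_ip would be accepted rather than dropped."""
        return self.opened.get(src_ip, 0.0) > now
```

Because every rejection is a drop rather than a reply, a scanner sees no difference between a cloaked service and an unused port; the seen-nonce set would need pruning beyond WINDOW in a long-running deployment.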
How does AppGate enforce least privilege for non-human identities?
AppGate ZTNA enforces least privilege for non-human identities by defining explicit entitlements tied to service accounts, workloads, or automation agents. Access policies evaluate identity attributes and contextual conditions before allowing communication with specific applications or APIs. Because entitlements are granular and application-scoped, non-human identities receive only the permissions required for their defined function. This supports Zero Trust enforcement across both human and machine actors.

Strategic Considerations

Why move from VPN to ZTNA now?
Organizations are moving from VPN to ZTNA because traditional network-based access models grant broad connectivity that no longer aligns with modern threat conditions or distributed work patterns. VPN places users on the network, increasing lateral movement exposure and operational complexity. ZTNA replaces implicit network trust with identity-centric, application-specific access controls. As enterprises adopt hybrid work, cloud infrastructure, and third-party collaboration, granular Zero Trust access becomes more aligned with risk management objectives.
What business risks does ZTNA reduce?
ZTNA reduces business risk by limiting unnecessary network exposure, constraining lateral movement, and enforcing least-privilege access at the application level. By replacing broad connectivity with identity-bound entitlements, organizations reduce the potential impact of credential compromise and ransomware propagation. This model supports stronger governance, auditability, and compliance alignment. Reduced attack surface and improved visibility contribute to operational resilience.
How does direct-routed architecture impact resilience?
Direct-routed architecture supports resilience by avoiding mandatory centralized traffic backhaul through external proxy infrastructure. AppGate ZTNA’s deployment model allows enforcement gateways to be placed close to applications and users, reducing dependency on single inspection hubs. Distributed policy enforcement can improve performance predictability and reduce architectural bottlenecks. Resilience outcomes depend on redundancy design and deployment planning.
What is the strategic difference between SASE and ZTNA?
SASE is a broad framework that combines networking and security services, while ZTNA focuses specifically on identity-centric access to applications. ZTNA can be deployed independently or as part of a broader architecture strategy. The strategic distinction lies in whether an organization prioritizes application-level Zero Trust enforcement as a standalone control layer or consumes access as one component of a bundled service. Architectural decisions depend on control requirements, sovereignty needs, and operational design preferences.
Why choose AppGate over bundled SASE vendors?
An enterprise may choose AppGate ZTNA over bundled SASE offerings when it requires direct control over access enforcement, data routing, and deployment topology. AppGate’s direct-routed, controller-based architecture allows organizations to place gateways within their own environments rather than relying solely on vendor-managed cloud proxies. This can support data sovereignty, performance control, and architectural flexibility. Selection criteria should align with risk tolerance, regulatory constraints, and infrastructure strategy.