CISA's binding operational directive requires all U.S. federal civilian agencies to implement Zero Trust Architecture by December 31, 2026 — and the specific technical milestone closest to identity is unambiguous: by Q3 2026, all internal applications must be reachable only through identity-aware proxies. This isn't a planning exercise; it's a federally mandated deadline with a defined enforcement mechanism, and agencies still running legacy network-level access are now working against the clock.
The mandate explicitly extends beyond human users. Federal zero-trust strategy now has to apply the same visibility, authentication, and policy controls to machine identities — service accounts, APIs, automated workloads — as it does to human staff, since these non-human identities increasingly operate with broad privileges and minimal centralized governance inside agency environments.
Several identity vendors serving the federal market — including some of the largest names in privileged access management — have invested heavily in FedRAMP authorization, a rigorous certification process spanning hundreds of NIST SP 800-53 controls. Whiteswan is not currently FedRAMP authorized. Federal agencies evaluating Whiteswan for environments requiring FedRAMP-authorized vendors should weigh that directly, and we'd rather be upfront about it now than have it surface as a surprise mid-evaluation.
For state, local, and government-adjacent environments not gated by a FedRAMP requirement, Whiteswan's architecture maps directly onto the Zero Trust Maturity Model's identity pillar: privileged human sessions governed in-line, legacy and on-prem infrastructure brought under the same engine through endpoint agents rather than left outside zero-trust scope, and — critically, given the federal mandate's explicit reach — machine identities and AI agents governed with the same policy logic and audit trail as human users, not bolted on as an afterthought once the human side is done.
This page describes the federal zero-trust mandate and how Whiteswan's general platform architecture maps to its identity requirements. It does not represent FedRAMP authorization or a specific government customer deployment — agencies should confirm current authorization status directly before evaluating Whiteswan for FedRAMP-gated environments.
See how one engine governs every identity in your estate.
Contact →See how Whiteswan decides, in-line, at the moment of action.
See how it works →