
Service Design Strategy for Federal Zero Trust Integration
Zero Trust is a countercurrent to traditional perimeter-based security practices. Published CISA guidance helps organizations employ accurate, least-privilege, per-request access decisions in information systems and services that face a network assumed to be compromised. Under this guidance, every resource is untrusted until proven otherwise, and the requester's network location is never by itself a reason to grant access. Most of what is published on Zero Trust Architecture (ZTA) dives into the technical requirements and engineering processes that lead to a given Zero Trust Maturity (ZTM) level, while offering instruction on what it may take to reach the next level.
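To make the per-request, deny-by-default principle concrete, here is a minimal policy decision point (PDP) added as an illustration; it is not code from this page, from CISA, or from the batCAVE program. The request fields, the allow-list policy, and the sample requests are constructed for the example. The point it demonstrates is that identity, session strength and device posture are evaluated on every request, and that the source network is recorded for audit but never consulted when deciding.

```python
"""Added example: a deny-by-default, per-request policy decision point.
All names, signals and the sample policy below are constructed for
illustration (not the article's or any vendor's code)."""
from dataclasses import dataclass, asdict
from typing import Dict, Set, Tuple


@dataclass(frozen=True)
class Request:
    subject: str            # authenticated principal, "" if unauthenticated
    mfa_verified: bool      # strong authentication completed for this session
    device_compliant: bool  # device posture check passed
    source_network: str     # "corp" or "internet"; logged, never used to decide
    resource: str
    action: str


# Explicit allow-list: (subject, resource) -> permitted actions.
# Anything not listed is denied (constructed sample policy).
POLICY: Dict[Tuple[str, str], Set[str]] = {
    ("alice", "payroll-db"): {"read"},
    ("bob", "payroll-db"): {"read", "write"},
}


def decide(req: Request) -> Tuple[bool, str]:
    """Evaluate one request. Every check runs per request; the default
    outcome is deny, and req.source_network plays no part in the result."""
    if not req.subject:
        return False, "no authenticated subject"
    if not req.mfa_verified:
        return False, "MFA not verified for this session"
    if not req.device_compliant:
        return False, "device posture not compliant"
    allowed = POLICY.get((req.subject, req.resource), set())
    if req.action not in allowed:
        return False, f"{req.subject} not granted {req.action} on {req.resource}"
    return True, "allowed"


def decision_record(req: Request) -> dict:
    """Build an audit record for one decision. Keeping source_network in the
    log supports detection (e.g. denials from inside the 'trusted' network)
    without letting it influence the access decision."""
    permitted, reason = decide(req)
    record = asdict(req)
    record.update({"permitted": permitted, "reason": reason})
    return record


if __name__ == "__main__":
    # Constructed sample requests: note the unauthenticated request from
    # the corporate network is denied, while alice's read from the
    # internet is allowed because her identity, MFA and device check out.
    samples = [
        Request("", False, True, "corp", "payroll-db", "read"),
        Request("alice", True, True, "internet", "payroll-db", "read"),
        Request("alice", True, True, "corp", "payroll-db", "write"),
        Request("bob", True, False, "corp", "payroll-db", "write"),
    ]
    for r in samples:
        print(decision_record(r))
```

Because the PDP is a pure function of the request's verified attributes, the same logic can sit in front of a database, an API gateway, or a service mesh sidecar, and the audit records it emits give a SOC a per-request trail of who was denied what and why.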
However, challenges arise when organizations open the console or the conference room to start making changes to existing security workflows, governance documentation, or working processes. All guidelines acknowledge that every organization has a different starting block depending on its existing configurations. Implementing Zero Trust principles alongside existing SecOps is not a monolithic operation but an ongoing and often zigzag process involving identity, infrastructure, networking, applications, and more. It quickly becomes evident that moving toward a Zero Trust Architecture (ZTA) requires cross-functional, interdisciplinary collaboration between DevSecOps experts, governance specialists, and business process influencers. How might we approach the challenge?
Approach
The batCAVE Zero Trust strategy builds on existing security practices but evolves them through agile collaboration between leadership, DevSecOps, governance, and human-centered service design. We begin with the end in mind and view security from the inside out (starting from data, network, and resources) rather than the outside in (starting from the perimeter). We separate our efforts into three swim lanes (People, Platform, and Playbook), navigating change management and software implementation in four design phases: Discover, Define, Develop, and Deliver.
Contact me at arthur@arthurgrau.com for the case study, or download it from https://rvcm.com/zero-trust