Detailed Workshop Overview
Zero Trust Architecture for Federal Agencies is a workshop-first GovAcademy microcredential focused on zero-trust access control, network segmentation, identity assurance and continuous verification. Participants do not only study concepts; they convert a real agency problem into an implementation artifact, evidence package and executive-ready decision brief. The course is organized around public-sector constraints: compliance, procurement, accessibility, privacy, cybersecurity, data stewardship, continuity and interagency accountability. The course assumes technical or governance experience and emphasizes architecture choices, risk trade-offs and implementation evidence. By the end of the course, participants have a reviewable artifact that can support a pilot, internal approval, audit preparation or transformation roadmap.
Short, narrow and evidence-oriented module built for continuous professional development.
Mapped to a six-area digital-competence model for public-sector roles.
The learner completes a concrete artifact, not only a passive knowledge quiz.
CISOs, security officers, IT administrators, continuity planners, risk teams and agency managers responsible for protecting public systems.
Basic understanding of agency IT operations, user access, systems, vendors or incident responsibilities is recommended.
secure a mission service against realistic cyber, continuity and data-protection risks
Public Problem and Service Context
Government teams need a practical way to protect mission services, citizen data and operational continuity against realistic cyber threats while preserving service delivery. This course frames zero-trust access control, network segmentation, identity assurance and continuous verification as an operational capability, not a theoretical topic.
The course can be used by a single agency unit, an interagency cohort or a central digital academy. Typical use cases include modernization planning, internal policy refresh, new service launch, audit readiness, procurement preparation, incident readiness or executive portfolio review.
Who Should Attend
Pre-work Before the Workshop
Participants receive better results when they bring a real agency problem. The course therefore begins before the live session with a short evidence-gathering assignment.
- Select one real agency workflow, service, system, policy or risk area connected to zero-trust access control, network segmentation, identity assurance and continuous verification.
- Bring one existing document if available: policy, SOP, process map, audit finding, spreadsheet, intake form, vendor requirement or leadership memo.
- Identify the decision owner, operational owner, data owner and security/privacy reviewer for the selected case.
- Define the desired improvement in one measurable sentence: faster service, lower risk, clearer evidence, better user experience or stronger governance.
- List constraints that cannot be ignored: statute, procurement rule, data classification, budget, legacy system, workforce capacity or stakeholder resistance.
What Participants Will Be Able To Do
- Explain the institutional purpose and risk context of zero-trust access, segmentation, identity assurance and continuous verification for agency systems.
- Identify mission-critical assets and threat paths.
- Map controls to operational risk.
- Produce a defensible security artifact.
- Brief leadership on residual risk and next steps.
- Package the completed work as evidence for a GovAcademy microcredential.
Prototype Lab
This module uses a practical studio model. Participants work through the scenario: secure a mission service against realistic cyber, continuity and data-protection risks. The lab toolset includes threat model, incident workflow, control map and agency readiness checklist. The expected output is a security implementation package that can be reviewed by CISO, compliance and operations teams.
- Threat model canvas
- Control evidence matrix
- Incident decision tree
- Security requirement checklist
- Executive risk brief
Technology Stack and Templates
The course is designed so that participants can work without advanced programming skills while still producing implementation-grade evidence.
- Asset criticality worksheet
- Threat path map
- Control implementation matrix
- Incident escalation script
- Executive cyber-risk memo
Applied Case Study
A public agency is attempting to improve zero-trust access control, network segmentation, identity assurance and continuous verification while maintaining continuity, legal defensibility and public trust.
The current state has fragmented ownership, incomplete documentation, unclear evidence and inconsistent decision paths around zero-trust access control, network segmentation, identity assurance and continuous verification.
- Which process, system or user group should be prioritized first?
- Which control, dataset, policy or workflow must be documented before implementation?
- Which stakeholder can approve the next phase and what evidence will convince them?
- Which risk is acceptable, which risk must be mitigated and which risk requires escalation?
reduced exposure of priority systems and documented evidence that critical controls can be verified by leadership.
Minute-by-Minute Session Plan
Participant action: Define the agency mission problem behind zero-trust access control, network segmentation, identity assurance and continuous verification.
Facilitator output: Validated scope statement and measurable public-value goal.
Participant action: Map the existing workflow, system, policy or risk path.
Facilitator output: Visible map of actors, handoffs, data, decisions and evidence gaps.
Participant action: Connect the case to relevant standards, controls, policies and governance requirements.
Facilitator output: Initial compliance and accountability map.
Participant action: Draft the first artifact using the provided template.
Facilitator output: Working prototype or decision artifact version 0.1.
Participant action: Challenge assumptions, missing users, risk gaps and implementation barriers.
Facilitator output: Prioritized improvement backlog.
Participant action: Revise the artifact with governance, risk and operational details.
Facilitator output: Implementation-ready artifact version 0.2.
Participant action: Prepare evidence for evaluator review and credential issuance.
Facilitator output: Credential evidence package with artifact, rationale and review checklist.
Participant action: Present decision brief, trade-offs, risks and next-step recommendation.
Facilitator output: Final evaluator notes, pass/fail evidence and 30-day implementation plan.
Hands-on Labs
Task: Convert zero-trust access control, network segmentation, identity assurance and continuous verification into a concrete service, policy or risk problem with named users and owners.
Output: One-page public-value canvas with scope, users, constraints and success signal.
Evaluated for clarity, realistic scope and mission relevance.
Task: Draw the operational flow from intake to decision, including documents, systems, approvals, data and audit evidence.
Output: Workflow map with bottlenecks, evidence gaps and control points.
Evaluated for completeness, ownership and traceability.
Task: Build a draft implementation artifact for zero-trust access control, network segmentation, identity assurance and continuous verification using the course templates.
Output: a security implementation package that can be reviewed by CISO, compliance and operations teams
Evaluated for usability, governance alignment and implementation realism.
Task: Compress the artifact into a leadership-ready brief with risk, options, resources and next step.
Output: Decision memo, implementation sequence and credential evidence checklist.
Evaluated for executive clarity, trade-off analysis and measurable next action.
Workshop Agenda
Clarify the operational problem, user group and expected outcome for zero-trust access, segmentation, identity assurance and continuous verification for agency systems.
Map actors, data, approvals, risks, compliance duties and decision points.
Build the first version of the artifact, service workflow, checklist, dashboard or decision memo.
Review security, privacy, ethics, accessibility, procurement and operational constraints.
Finalize the artifact, present the result and prepare the evidence package for evaluation.
Detailed Module Structure
Participants define the institutional problem behind zero-trust access, segmentation, identity assurance and continuous verification for agency systems, identify the affected users and convert the need into measurable public value.
Produce a one-page problem statement and stakeholder map.
The current process is decomposed into actors, decisions, data fields, approvals, documents, systems and audit evidence.
Build a workflow map with handoffs, bottlenecks and control points.
The cohort creates a practical artifact using threat model canvas, control evidence matrix, incident decision tree and links it to operational requirements.
Build a draft prototype, checklist, dashboard, policy memo or control matrix.
Participants test the artifact against cybersecurity, privacy, accessibility, ethical, legal and operational constraints.
Document at least five risks with owner, mitigation and review trigger.
The result is translated into a concise decision brief for supervisors, procurement, legal, technology or executive stakeholders.
Prepare a briefing note with recommended next step, resources and success metric.
The learner packages the artifact, reflection, evidence and evaluation result for the GovAcademy credential record.
Submit the final artifact and evidence checklist for evaluation.
Required Deliverables
Completion is based on visible evidence. The participant or cohort must produce a practical package that can be reviewed internally by a supervisor, CDTO office, compliance lead or programme owner.
- Problem statement for zero-trust access, segmentation, identity assurance and continuous verification for agency systems.
- Workflow map with users, decisions, data fields, documents, approvals and responsible owners.
- Security control matrix with risk owner, evidence source and mitigation priority.
- a security implementation package that can be reviewed by CISO, compliance and operations teams
- risk register, control evidence matrix and incident response decision memo
- Executive briefing note with recommended next step, required approvals, risks and success metrics.
- Credential evidence package prepared for evaluator review.
Governance Checks
Every artifact is reviewed against practical governance requirements, not only technical correctness. The goal is to make the output usable inside an actual public institution.
MFA/PIV/CAC requirement, privileged-role register and access review cadence.
Classification rule, encryption expectation, retention owner and evidence source.
Escalation contacts, severity levels, communication rules and after-action review owner.
Third-party access, SLA, logging responsibility and contract control requirement.
Portfolio Evidence Package
The credential is backed by submitted work product. The evidence package is intended to support supervisor review, internal capability tracking and digital credential verification.
- Completed public-value canvas with mission problem, target users and measurable outcome.
- Current-state and target-state workflow map with owners, handoffs and decision points.
- Prototype or implementation artifact for zero-trust access control, network segmentation, identity assurance and continuous verification.
- Governance checklist covering security, privacy, accessibility, compliance, ethics and operational ownership.
- Executive decision brief with options, risks, dependencies, resources and recommended next step.
- Evaluator review record showing rubric scores, feedback and pass threshold evidence.
90-Day Implementation Path
Action: Confirm owner, scope and internal sponsor; circulate the artifact for factual validation.
Result: Validated artifact and named implementation owner.
Action: Run one internal review with legal, security, privacy, procurement or operations stakeholders.
Result: Updated evidence package and approved pilot conditions.
Action: Pilot the workflow, checklist, policy or prototype with one controlled user group or service line.
Result: Initial performance evidence and backlog of improvements.
Action: Prepare scale decision: continue, revise, procure, integrate, train or retire the approach.
Result: Executive decision memo and roadmap for the next phase.
Quality Bar
- The artifact must be specific enough that another team could understand how to use it.
- Every major risk must have an owner, mitigation path and review trigger.
- Data, system, policy and human decision points must be visible, not implied.
- The final brief must show trade-offs, not only benefits.
- The credential evidence must prove practical capability through work product, not attendance.
Competency Map
This course is mapped to a public-sector digital competence model, including data navigation, communication, content creation, cybersecurity, problem solving and strategic transformation.
- Area 4: protect devices, accounts, databases and operational environments.
- Area 5: solve non-standard security incidents using structured digital tools.
- Area 6: connect security controls with transformation governance and executive accountability.
Expanded Assessment Documentation
This course includes a full assessment documentation package so that evaluators can score consistently, administrators can preserve an audit trail and learners can understand exactly what evidence is required for credential release.
Assessment documentation package
This assessment documentation pack defines how GA-001 — Zero Trust Architecture for Federal Agencies is evaluated, recorded and certified. It converts the course from attendance-based training into evidence-based capability verification. The learner must demonstrate that the a security implementation package that can be reviewed by CISO, compliance and operations teams is usable, documented, reviewable and defensible in a public-sector operating environment.
The assessor reviews the submitted work as if it were going to an internal agency approval meeting. The review focuses on practical usability, governance evidence, public value, risk ownership, documentation quality and whether the learner can defend implementation choices under realistic constraints. Primary reviewer profile: CISO office / security evaluator.
Weighted scoring model
Terminology, statutory/compliance context and public-sector relevance are accurate.
Short-answer responses, standards mapping and oral clarification where needed.
The learner diagnoses the operational problem, stakeholders, constraints, risks and decision path.
Scenario worksheet, problem statement, stakeholder map and decision assumptions.
The main artifact is complete enough to support internal review or pilot preparation.
risk register, control evidence matrix and incident response decision memo
The documentation covers security-control evidence, incident readiness and identity/access assumptions.
Governance checklist, control notes, review log, owner matrix and mitigation plan.
The learner explains trade-offs, residual risk, next steps, implementation sequence and success metrics.
Five-minute defense, evaluator notes and final decision memo.
Evidence requirements
- The artifact must be tied to a named public-sector service, policy, system, workflow, risk area or leadership decision.
- The submission must show current state, target state, responsible owners, constraints, assumptions and implementation risks.
- All claims must be supported by a visible evidence source: workshop template, control map, interview note, process map, checklist, dataset inventory, policy excerpt or decision memo.
- The learner must identify what remains unverified, what needs legal/security/privacy review and what decision is required before implementation.
- The evidence package must align with the 5-hour Cybersecurity Microcredential and support future wallet-ready credential verification.
Integrity controls
- Use learner-specific cases or agency-specific scenarios to reduce generic copy-paste submissions.
- Require versioned files and evidence references so that changes after assessor review are traceable.
- Apply peer challenge before final submission to detect unsupported assumptions and missing stakeholders.
- Require evaluator comments for every score below the satisfactory band.
- Keep a minimal audit trail: date, assessor, rubric version, score, decision, evidence links and remediation status.
- Do not issue the credential when attendance is complete but artifact evidence is incomplete.
Documentation pack
Purpose: Identifies learner, cohort, course code, artifact title, evaluator, pass score and certification decision.
Minimum standard: All required identity, course, evaluator and version fields completed.
Purpose: Documents the core evidence for Zero Trust Architecture for Federal Agencies.
Minimum standard: Each major recommendation is linked to an owner, evidence source, risk and next action.
Purpose: Shows how the learner interpreted the public-sector problem and operating constraints.
Minimum standard: Includes user group, agency value, affected process, constraints and decision points.
Purpose: Confirms that security, privacy, accessibility, legal, procurement, ethics and operational ownership were considered.
Minimum standard: Every relevant control has status, owner, evidence note and unresolved issue flag.
Purpose: Compresses the assessment output into a leadership-ready recommendation.
Minimum standard: Clear recommendation, options, risks, dependencies, KPI, owner and 30/60/90-day next step.
Purpose: Creates an audit-ready review record for internal QA and credential issuance.
Minimum standard: Scores, comments, remediation notes, date, assessor identity and final decision are recorded.
Review workflow
Owner: Programme coordinator
Action: Verify learner identity, course code, required files and consent for credential processing.
Record: Submission receipt and checklist status.
Owner: Assessment administrator
Action: Check that all mandatory documents, templates and evidence links are present.
Record: Complete / incomplete decision with missing-item notes.
Owner: CISO office / security evaluator
Action: Score the artifact against the rubric, review assumptions and mark unresolved risks.
Record: Rubric scores, evaluator comments and evidence references.
Owner: Lead facilitator or panel
Action: Ask the learner to defend choices, trade-offs, adoption path and residual risks.
Record: Defense notes and final clarification requests.
Owner: Credential officer
Action: Confirm pass threshold, remediation status and credential release eligibility.
Record: Pass / revise / fail decision and credential metadata.
Scoring scale
Score range: 90–100%
Descriptor: Artifact is implementation-ready, governance evidence is complete, risk ownership is clear and the executive defense is strong.
Score range: 80–89%
Descriptor: Artifact is usable with minor revisions; documentation is mostly complete and the learner can explain trade-offs.
Score range: 75–79%
Descriptor: Minimum capability is demonstrated, but the evaluator must record required corrections before or after credential release depending on programme policy.
Score range: 60–74%
Descriptor: Core understanding exists, but documentation, risk controls or artifact quality are insufficient for certification.
Score range: 0–59%
Descriptor: Submission does not demonstrate practical capability or cannot be linked to defensible public-sector evidence.
Remediation policy
- One remediation cycle is recommended for scores from 60% to 74%.
- The evaluator must specify exactly which document, control, assumption or artifact component must be corrected.
- The revised submission should be reviewed against the same rubric version unless the cohort rules state otherwise.
- A learner who fails to submit mandatory evidence cannot receive a credential even if the knowledge check is passed.
- Repeated generic or unsupported submissions should be escalated to programme QA review.
Certification decision rules
- Credential eligible: final score at or above 80% and all mandatory evidence accepted.
- Conditional pass: score meets minimum threshold but minor corrections must be recorded in the learner file.
- Revise: score below threshold or major evidence gap; no credential until resubmission is accepted.
- Fail: artifact is unusable, unsupported, non-original or disconnected from the assessment scenario.
- Panel review: required when the evaluator and facilitator disagree on the final certification decision.
Audit trail
- Learner name or learner ID, cohort ID, course code and assessment version.
- Submission timestamp, file list, version numbers and evidence links.
- Rubric scores by component, assessor comments and total score calculation.
- Remediation requests, resubmission timestamp and final decision.
- Credential metadata: issuer, credential type, course code, issue date, expiry/renewal rule if applicable and verification reference.
Documentation quality bar
- The documentation can be understood by a supervisor who did not attend the workshop.
- The main artifact can be reviewed by legal, security, privacy, procurement or operations without rewriting the submission from zero.
- Every key recommendation has at least one evidence source and one responsible owner.
- Metrics are operational, not decorative: time saved, risk reduced, adoption rate, compliance status, service quality or implementation readiness.
- The final package shows what is ready now, what needs review and what cannot be implemented yet.
Assessor notes
- Score the artifact, not the confidence of the presentation.
- Reward clear ownership, documented constraints and realistic implementation sequencing.
- Penalize vague strategy language that has no workflow, data, evidence or decision owner behind it.
- Ask for clarification when a risk is named but no mitigation or owner is assigned.
- Use the executive defense to test whether the learner understands consequences and trade-offs.
Minimum passing result is 80%. A learner below the threshold receives a remediation decision rather than a credential release. A credential can only be issued when the final artifact, governance documentation and assessor record are complete.
Assessment Forms and Templates
The following forms define the operational documentation used during intake, scoring, executive defense and credential release.
- Learner ID
- Course code
- Cohort
- Artifact title
- Submission date
- Consent for credential processing
- Assessor assigned
- Public-sector problem
- Affected user group
- Current-state workflow
- Target-state change
- Constraints
- Risks
- Decision required
- Component score
- Weight
- Evidence reference
- Assessor comment
- Correction required
- Final weighted result
- Trade-off explained
- Residual risk
- Owner named
- Metric defined
- Implementation sequence
- Panel notes
- Final score
- Pass threshold
- Decision
- Credential type
- Issuer metadata
- Verification reference
- Release date
Assessment Rubric
Clear user group, agency need, measurable benefit and realistic scope.
Accurate process map, required data fields, owners, approvals, evidence and dependencies.
Usable artifact that can support implementation, procurement, policy adoption or operational review.
Documented risks, mitigations, privacy/accessibility/security controls and accountability model.
Concise decision brief with next steps, metrics, owner and adoption path.
Delivery Model and Credential
live workshop, prototype studio, peer review, final artifact and verifiable credential issuance. Pass threshold: 80%. Successful completion may qualify the learner for a Professional Certificate record in the GovAcademy credential registry. The target credential model is Verifiable Credential / EUDI Wallet-ready record, suitable for a digital portfolio, wallet-based presentation and institutional verification.
Instructor Playbook
This block is included so agency academies, CDTO offices and internal facilitators can run the course consistently across cohorts.
- Start with the participant’s real agency problem and prevent the discussion from becoming generic theory.
- Force early scoping: one workflow, one service, one risk pathway or one policy implementation problem.
- Use peer review as a control mechanism: every team must challenge assumptions from another team.
- Require evidence language: owner, data source, approval route, risk, control, metric and next step.
- End with an executive defense so participants practice explaining the artifact under time pressure.
Course FAQ
Is this course lecture-based?
No. The course uses short briefings only where needed. Most time is spent mapping, prototyping, reviewing and preparing a credential evidence package.
Does the participant need programming skills?
No programming is required unless the agency chooses to extend the artifact into a technical prototype. The course is designed for officials, managers, analysts and transformation teams.
Can an agency cohort use its own internal case?
Yes. The strongest format is an agency cohort working on a real service, workflow, policy, risk or modernization challenge that can continue after the course.
What proves successful completion?
Completion requires attendance, artifact submission, evaluator review, minimum pass score and a usable evidence package for the credential record.