SOC 2-Compliant Zero-Trust Access for Enterprise and Critical Infrastructure

Deploy NIST 800-82-compliant secure access in 20 minutes—without network changes, operational downtime, or replacing legacy systems. Works fully air-gapped or cloud. Trusted by industrial and critical infrastructure operators for mission-critical OT/ICS environments.

  • SOC 2 Type II Compliance — Third-party validated trust report eliminates 6-12 months of vendor risk assessment
  • Zero Downtime Deployment — 20-minute installation across distributed sites without network changes
  • Legacy System Support — Windows XP to modern SCADA; Modbus, DNP3, OPC protocols supported
SOC 2 Compliant
NIST 800-82
EPA AWIA
CISA BOD 23-01
TSA SD 1580/1582

The 3am Water Treatment Reality

It's 3am. Your water treatment SCADA system just alarmed. The chemical feed pump failed—chlorine levels are dropping below safe limits. You need vendor access NOW to diagnose the controller remotely before you wake up 500,000 residents with a boil water advisory.

But your VPN requires a 2-day IT ticket. Firewall rule changes. VPN client installation on the contractor's laptop. The SCADA vendor is standing by—your process is the bottleneck.

"Every minute of water treatment downtime affects public health and safety."

Here's the part nobody talks about: compliance mandates demand zero-trust security, but operational reality demands instant emergency access to 25-year-old SCADA systems that can't be upgraded, can't be taken offline, and can't wait for 2-day IT tickets.

"This isn't a security problem. It's an operational problem."

The Problem Nobody Talks About

Your Zero-Trust Deadline Is Non-Negotiable, But Your Legacy OT Can't Be Replaced

The CISO Reality

You have a board-mandated zero-trust deadline. CISA directives. OIG audits flagging your VPN infrastructure. And 12 remote facilities running Windows XP SCADA that cost $15M to replace.

  • Cloud ZTNA requires internet your air-gapped networks don't have

  • Agents can't run on Windows XP systems

  • Non-SOC 2 solutions need 6-12 months of security vetting

SCADA Replacement Cost

$15M+ (18 months to deploy)


Every Remote Access Solution Requires 6-12 Months of Security Vetting—Unless It's SOC 2

Procurement Nightmare

You've found an OT security solution that works. But it's not SOC 2 compliant. That means months of agency-specific assessment—while your compliance deadline approaches.

  • 6-12 months agency-specific SA&A process

  • $200K-$400K in security vetting costs

  • Zero guarantee it passes your security review

  • Missed compliance deadlines while you wait

Non-SOC 2 Procurement

6-12 months + $200K-$400K

CISA Says Move Away from VPNs—But What Works in Air-Gapped Facilities?

Air-Gap Dilemma

CISA BOD 23-01 recommends moving away from VPNs for critical infrastructure. But cloud ZTNA requires internet connectivity your facilities don't have.

  • Water treatment SCADA is air-gapped for safety

  • Rail control centers are physically isolated

  • Airport SIDA systems have zero internet by design

SCADA Replacement Cost

$15M+ (18 months to deploy)

How Xona Actually Works (In Plain Language)

You don't need a technical deep-dive to understand the difference. Here's what matters for your operations.

SOC 2-Compliant Zero-Trust Access

SOC 2 Type II Report means Xona completed federal security vetting. This eliminates 6-12 months of agency-specific assessment.

  • 30-60 day RFP to deployment (vs. 6-12 months)

  • Pre-authorized NIST 800-53 Moderate baseline

  • GSA schedule listing for streamlined procurement

  • Dual: SOC 2 cloud OR on-prem air-gap

Impact

Meet zero-trust deadline with pre-authorized security

Disconnected Access Architecture

VPN creates a tunnel to your entire OT network. Xona creates disconnected, isolated sessions to specific systems—nothing else.

  • User authenticates via CAC/PIV or federated identity

  • Isolated session to specific SCADA HMI or PLC

  • Protocol-level isolation—RDP can't reach Modbus

  • Session ends, connection disappears—no persistent tunnel

Impact

Zero lateral movement without network segmentation projects

20-Minute Deployment (Zero Downtime)

Traditional deployment means months of network changes. Xona operates as a network appliance—no firewall changes, no SCADA modifications.

  • Step 1 (5 min): Install virtual appliance, assign IP, connect IdP

  • Step 2 (10 min): Auto-discover SCADA HMIs, PLCs, historians

  • Step 3 (5 min): Users authenticate, access via web browser

Impact

18 water treatment sites in 3 days—zero service interruption

Air-Gap & On-Prem Deployment

Zero-trust without cloud connectivity. Xona deploys fully on-premises with zero cloud dependency—all identity, recording, and audit logging on-prem.

  • Gateway, identity, session recording all on-prem

  • Zero internet required—works in air-gapped SCADA

  • Complete data sovereignty—no third-party cloud

Impact

100% facility coverage—cloud ZTNA excludes 30-40% of federal OT

What This Actually Looks Like in Practice

Four real-world deployment scenarios across federal agencies, state/local government, water utilities, and transportation authorities.

Zero-Trust Access Across 12 Facilities in 2 Weeks—SOC 2 Eliminates 9 Months of Vetting

Federal CISO — Dept. of Energy Field Office

Challenge

90-day zero-trust EO deadline. 12 remote OT facilities. Windows XP SCADA. Non-SOC 2 solutions need 6-12 months SA&A.

Outcomes

  • 90-day compliance: Zero-trust EO met on deadline

  • 30-day SOC 2 procurement (not 6-12 months)

  • OIG audit success with session recording evidence

  • $15M SCADA replacement deferred

"Xona's SOC 2 compliance eliminated 9 months of security vetting. We deployed across 12 OT facilities in 6 weeks and met our CISA directive deadline."

— Federal CISO, Department of Energy Field Office

2-Person Team Secures 18 Sites in 3 Days Using IIJA Grant Funding

State IT Director — Water Utility (125K Population)

Challenge

6-month EPA AWIA deadline. 18 sites. 25-year-old Modbus SCADA. $250K budget. 2-person IT team.

Outcomes

  • EPA assessment passed—no treatment plant offline

  • 18 sites in 3 days by 2-person IT team

  • 75% IIJA grant = $37.5K net cost

  • Zero downtime—24/7 operations maintained

"Our 2-person IT team deployed Xona across 18 water treatment sites in 3 days using IIJA grant funding. Total net cost after grants: $37,500." 

— IT Director, State/Local Water Utility

EPA Assessment Passed—20-Minute Deployment, Modbus SCADA Unchanged

Water Utility Ops Director — 500K Population

Challenge

90-day EPA remediation. 4 plants, 50+ sites. 24/7 ops. Zero downtime tolerance—single failure = boil water advisory for 500K.

Outcomes

  • EPA critical finding closed

  • 20-minute deployment—zero treatment disruption

  • 2 am contractor access: 8 min (vs. 2-3 days)

  • 25-year-old Modbus SCADA works unchanged

"We passed our EPA assessment without taking treatment operations offline. Xona deployed in 20 minutes—our 25-year-old Modbus SCADA systems work unchanged."

— Operations Director, Regional Water Utility

TSA SD Compliance Across Air-Gapped Rail Control Centers—Sub-100ms Over Satellite

Transportation Security Manager — Rail Transit

Challenge

TSA SD 1582 90-day deadline. 12 control centers (10 air-gapped). 512 Kbps satellite links. 24/7 revenue service.

Outcomes

  • TSA SD 1582 compliance demonstrated

  • 10 air-gapped control centers—fully on-prem

  • Sub-100ms latency over 512 Kbps satellite

  • Zero rail delays during deployment

"TSA Security Directive required access control across our air-gapped rail control centers. Xona deployed fully on-prem with sub-100ms latency over satellite."

— Security Manager, Regional Rail Transit Authority

Your Operations Get Better

Specific outcomes for each buyer persona—because what matters to a Federal CISO is different from what matters to a Water Utility Operations Director.

Zero-Trust EO Compliance in 90 Days, OIG Audit-Ready Evidence

Federal CISO

Before

6-12 month procurement for non-SOC 2 solutions delays zero-trust compliance

After

30-60 day SOC 2 + GSA procurement—deploy in 90 days, meet directive deadlines

  • CAC/PIV integration leverages existing federal identity
  • Session recordings provide OIG/GAO audit-ready evidence
  • Windows XP SCADA secured—$15M-$50M capex deferred

Meet compliance deadlines with pre-authorized security, not 12-month vetting processes.

Multi-Site in Days, Manageable by 2-3 IT Generalists

State/Local IT Director

Before

Multi-site VPN takes 6-12 months, requires $30K-$80K consultants

After

3-day deployment across 18 sites by 2-person team—no consultants

  • IIJA/FEMA grants cover 75-100% of deployment cost
  • Self-service—no firewall rules, no VPN concentrators
  • $50K-$200K annual VPN cost elimination

Secure multi-site with grant funding and existing staff—not consultants and multi-year projects.

24/7 Treatment Maintained, Contractor Access in 8 Min

Water Utility Operations Director

Before

Emergency contractor access: 2-3 day IT ticket, firewall changes, VPN install

After

Self-service contractor access in 8 minutes—automatic expiration, session recorded

  • Zero downtime—20 min deployment, no treatment offline
  • Modbus/DNP3 SCADA secured without replacement ($5-15M deferred)
  • EPA AWIA compliance demonstrated with audit trails

Maintain 24/7 treatment operations while securing vendor access and passing EPA assessments.

TSA SD Compliance, Air-Gapped, Sub-100ms Over Satellite

Transportation Security Manager

Before

Air-gapped centers exclude cloud ZTNA; low-bandwidth excludes VPN video

After

Fully on-prem with sub-100ms latency over 512 Kbps satellite

  • TSA SD 1580/1582 compliance—audit trails for TSA
  • Air-gap compatible—10 control centers, zero internet
  • Revenue service maintained—zero rail delays

Meet TSA directives across air-gapped facilities with technology that works where cloud can't.

Six Benefits: Economic ROI for Government & Critical Infrastructure

Quantified value for federal CISOs, state/local IT directors, water utility operators, and transportation security managers

SOC 2 Eliminates 6-12 Months of Procurement Delays

Deploy pre-authorized security instead of 6-12 month agency-specific SA&A. GSA schedule + SOC 2 reduces vendor evaluation to 30-60 days.

$200K-$400K

Security Vetting Costs Eliminated

20-Minute Deployment Across Distributed Sites

No network changes, no firewall rules, no consultants. IT generalists deploy via virtual appliance. 18-site deployment in 3 days by 2-person team.

99% Faster

vs. VPN/Network Segmentation

30-50% TCO Reduction vs. VPN/Jump Servers

Eliminate VPN licensing, firewall management overhead, jump server maintenance. Browser-based access reduces IT support burden.

$150K-$270K

3-Year Savings

NIST 800-82 Audit Prep: 6 Months → 3 Weeks

Pre-mapped compliance controls, automated evidence collection, forensic-grade session recordings for OIG/GAO/EPA/TSA audits.

$27K-$108K

Audit Prep Savings Per Cycle

Air-Gap Compatible—100% Federal OT Coverage

Fully on-prem deployment with zero cloud dependency. Complete data sovereignty. Works where cloud ZTNA can't reach.

30-40% More

Federal OT Facilities Covered vs. Cloud ZTNA

Grant-Eligible: IIJA & FEMA (75-100% Funding)

State/local agencies leverage federal grants for 75-100% cost coverage. $150K deployment → $37.5K net cost with IIJA grant.

75-100%

Federal Grant Cost Coverage

Technical Specifications

System Requirements

  • VMware ESXi 6.5+, Hyper-V 2016+, KVM
  • 4 vCPU, 8GB RAM, 100GB storage
  • Chrome, Edge, Firefox, Safari (no plugins)
  • CAC/PIV, Okta, Entra ID, AD/LDAP

Security & Compliance

  • SOC 2 Moderate
  • NIST 800-82, NIST 800-53
  • CISA BOD 23-01 aligned
  • EPA AWIA, TSA SD 1580/1582

OT/ICS Protocols

  • Modbus TCP/RTU, DNP3
  • OPC Classic/UA, BACnet
  • RDP, SSH, VNC, X11
  • Proprietary SCADA protocols

Performance

  • Sub-100ms latency (512 Kbps+ satellite)
  • 99.99% SLA for critical infrastructure
  • 5-50+ distributed sites
  • Forensic-grade session recording

What Sets Xona Apart

The SOC 2-compliant OT zero-trust platform—eliminating 6-12 months of security vetting that competitors require.

| Capability | VPN/Jump Servers | Cloud ZTNA | OT Specialists | Xona |
|---|---|---|---|---|
| SOC 2 Compliance | N/A | IT only (Zscaler, Fortinet) | Not authorized (Dispel, Xage, Claroty, Cyolo) | SOC 2 Moderate (OT) |
| Federal Procurement | On-prem (no SA&A needed) | SOC 2 (IT only) | 6-12 months SA&A per vendor | 30-60 days (GSA + SOC 2) |
| Air-Gap Deployment | Complex (VPN concentrator) | Not supported (cloud-only) | Limited | Fully on-prem/air-gap |
| Legacy Windows XP | Agent issues | Requires agent (Win 7+) | Limited | Zero agent—Win XP to modern |
| Deployment Time | 3-12 months | Weeks (agent install) | 2-6 months (pro services) | Vendor Access Management |
| OT Protocol Support | Limited (RDP/VNC only) | Not supported | Modbus, DNP3 (varies) | Modbus, DNP3, OPC, proprietary |
| CAC/PIV Identity | VPN client required | Limited federal identity | Limited CAC support | Native CAC/PIV + Federal PKI |
| Session Recording | Logs only (insufficient for OIG) | Limited (web sessions) | Varies | Forensic-grade (video, protocol, keystroke) |
| Data Sovereignty | On-prem (complex) | No (cloud-dependent) | Varies | 100% on-prem, complete sovereignty |

ROI Calculator: Government & Critical Infrastructure

For budget justification and procurement approval, these operational outcomes translate to measurable cost impacts.

(Federal Agency)

Current VPN/Jump Server Cost
  • VPN Licensing $50K-$100K/yr
  • Firewall Management $30K-$50K/yr
  • Jump Server Infrastructure $20K-$40K/yr
  • Audit Prep Labor $30K-$120K/yr

(Federal Agency)

Xona Annual Savings
  • VPN Elimination $50K-$100K
  • Firewall Savings $25K-$40K
  • Jump Server Elimination $20K-$40K
  • Audit Prep Savings $27K-$108K

(State/Local)

Current VPN Cost (18 Sites)
  • VPN Licensing $30K-$80K/yr
  • Firewall Management $20K-$40K/yr
  • Consultant Fees $30K-$80K/yr
  • EPA Audit Prep $15K-$30K/yr

(State/Local)

Xona Annual Savings
  • VPN Elimination $30K-$80K
  • Firewall Savings $15K-$30K
  • Consultant Elimination $30K-$80K
  • Audit Prep Savings $13.5K-$27K

(Critical Infrastructure)

Current Cost (50+ Sites)
  • VPN Infrastructure $50K-$150K/yr
  • Downtime Risk (per incident) $100K-$500K
  • SCADA Replacement (capital) $5M-$15M
  • Emergency Access Labor $10K-$20K/yr

(Critical Infrastructure)

Xona 3-Year Savings
  • VPN Elimination (3-yr) $150K-$450K
  • Downtime Avoidance $100K-$500K
  • SCADA Capex Deferred $5M-$15M
  • Emergency Access Savings $28.5K-$57K

$80K-$210K
Total Annual Savings (Federal Agency)
40-65% cost reduction vs. VPN/jump server baseline + 6-9 months procurement acceleration

$37,500
Net Cost After IIJA Grant (75% Federal Share)
75-85% cost reduction vs. VPN baseline + $45K-$130K annual savings (50-65%)

$5.5M-$15.8M
Total 3-Year Savings (Critical Infrastructure)
97% savings including SCADA capital deferral + zero operational downtime

FAQ: What Government Teams Ask Us

Can Xona work in air-gapped federal facilities?

Yes, fully on-premises or air-gapped with zero cloud dependency. All components (gateway, identity, session recording, audit logging) deploy within your facility perimeter. Use cases include classified federal facilities, water treatment SCADA, rail control centers, airport SIDA areas, and defense installations. Dual deployment option: SOC 2 cloud for enterprise IT AND on-prem air-gap for OT/ICS—single platform, unified audit trail.

Does Xona support CAC/PIV card authentication?

Yes, native CAC/PIV authentication with Federal PKI integration. Users authenticate via CAC/PIV card + PIN (multi-factor). Validates certificates against Federal Bridge CA, DoD Root CA. Also supports Microsoft Entra ID (SAML 2.0), Okta, Active Directory/LDAP, and RADIUS (RSA SecurID, Duo). Audit trails map access to individual federal employees for OIG/GAO audits.

Will this work with our 20+ year old SCADA systems?

Yes—Windows XP to modern SCADA, no modifications required. Supports Windows XP/Server 2003, legacy Unix/Linux, proprietary SCADA OS. Protocols include Modbus TCP/RTU, DNP3, OPC Classic, proprietary vendor protocols. Browser-based access—no agent, no OS upgrade, no configuration changes. Real-world: 25-year-old Modbus water treatment PLCs and Windows XP HMIs secured without replacement. Defer $5M-$50M SCADA replacement capital.

Can we deploy without taking 24/7 operations offline?

Yes—20 minutes per site during normal operations, zero downtime. Install virtual appliance (5 min), auto-discover OT assets (10 min), grant user access (5 min). No firewall changes, no VPN concentrator config, no network modifications. Water treatment, rail control, and power generation all deploy during live operations. Single water treatment downtime = $100K-$500K + boil water advisory for 100K-500K residents.

How quickly can we deploy across 10+ distributed sites?

20 minutes per site—10 sites in 3-4 hours, 50 sites in 2-3 days. 2-person IT teams deploy without specialized training or consultants. Parallel deployment supported. Self-service user onboarding via web portal. Comparison: VPN/firewall projects take 3-12 months; OT specialists (Dispel, Xage) take 2-6 months; Xona delivers 99% time reduction.

Is this eligible for IIJA or FEMA cybersecurity grant funding?

Yes—eligible for IIJA, FEMA HSGP, EPA WIIN, and TSA/DHS grants. IIJA: 75-100% federal cost share for state/local cybersecurity. FEMA HSGP: 75% for critical infrastructure protection. EPA WIIN: 75-100% for water utility SCADA security. Real-world: $150K Xona deployment covered 75% by IIJA = $37.5K net cost. Apply through state homeland security office (IIJA/FEMA) or state EPA office (WIIN grants).

Does Xona meet TSA Security Directive requirements?

Yes—supports TSA SD 1580/1582 compliance for rail, transit, and pipeline. Provides identity-based access control, forensic-grade audit logging, disconnected access (network segmentation equivalent), and session recordings for incident response evidence. Works in air-gapped rail control centers and transit SCADA without internet connectivity.

What's the total cost of ownership compared to our current VPN?

30-50% TCO reduction vs. VPN/jump server infrastructure. 3-year comparison (50-user federal agency): VPN/Jump Server = $380K-$1.36M vs. Xona = $174K-$366K. Savings of $206K-$994K (30-73%). Hidden VPN costs eliminated: client troubleshooting ($10K-$20K/yr), firewall complexity ($8K-$16K/yr), credential rotation ($4K-$8K/yr). Plus zero-trust compliance, OIG audit success, and 20-minute deployment vs. 3-12 months.

Trusted by Federal Agencies & Critical Infrastructure

— Federal CISO, Department of Energy Field Office
"Xona's SOC 2 compliance eliminated 9 months of security vetting. We deployed zero-trust access across 12 OT facilities in 6 weeks and met our CISA directive deadline. Our Windows XP SCADA systems work unchanged, and OIG auditors praised our session recording evidence."
— IT Director, State/Local Water Utility — 125,000 Population Served
"Our 2-person IT team deployed Xona across 18 water treatment sites in 3 days using IIJA grant funding. We passed our EPA AWIA assessment without taking a single treatment plant offline. Total net cost after grants: $37,500."

Stop Fighting Your Zero-Trust Deadline. Start Protecting Critical Infrastructure Faster.

Federal agencies and critical infrastructure operators don't have time for 12-month security vetting or 6-month network segmentation projects. Your deadline doesn't move. Your SCADA can't wait.

Federal Procurement: 6-12 months → 30-60 days

Deployment Time: 3-12 months → 20 min

Emergency Access: 8 min