The U.S. Cybersecurity and Infrastructure Security Agency (CISA) launched on Tuesday a new series, ‘The Journey to Zero Trust,’ covering the cybersecurity capabilities and architecture that support organizations’ adoption of modern zero trust (ZT) principles. Addressing microsegmentation in zero trust, CISA provides federal agencies with foundational guidance on implementing microsegmentation as part of a zero trust architecture. It outlines key concepts, challenges, and benefits, emphasizing that microsegmentation reduces attack surfaces, limits lateral movement, and improves monitoring. Rather than replacing existing security measures, it strengthens defense-in-depth by enabling more precise, risk-based protections.
In the first part, titled ‘Microsegmentation in Zero Trust, Part One: Introduction and Planning,’ CISA outlines key guidance to help federal civilian executive branch (FCEB) agencies advance zero trust architectures. The document offers a high-level overview of microsegmentation, detailing its core concepts, implementation challenges, and security benefits. It emphasizes microsegmentation as a foundational element of zero trust architecture that reduces the attack surface, limits lateral movement, and enhances visibility for monitoring smaller, isolated groups of resources.
CISA explains that microsegmentation protects smaller groups of resources, reducing the attack surface, limiting lateral movement, and enhancing visibility for more effective monitoring. Microsegmentation does not replace defense-in-depth and the proper management of data, assets, configuration, and vulnerabilities through various controls and cybersecurity tools. Rather, microsegmentation augments the organization’s ability to apply targeted risk- and threat-appropriate protections when it is used in conjunction with existing capabilities.
Applicable across technology environments, including IT, OT (operational technology), ICS (industrial control systems), and IoT (internet of things), as well as any implementation model, including cloud, on-premises, and hybrid, microsegmentation enables applying risk- and threat-appropriate protections and visibility capabilities for the specific system(s) or data within the microsegment. The approach can significantly enhance the security of systems and data and help reduce the blast radius that a compromised resource can impact.
Microsegmentation is a networking control that limits connections to a zone or segment. Traditionally, organizations accomplished network control using IP (internet protocol) address ranges, VLANs (virtual local area networks), and devices or services that accept or reject connections based on static rules. In this context, microsegments are simply smaller zones or address ranges with more granular, manually created and managed access rules. The approach is typically implemented as static rules and routing applied to network devices, virtualized networking, or perimeter defense equipment such as firewalls, routers, and switches.
“When implemented as part of ZTAs, microsegmentation solutions utilize additional characteristics at the time of access to protect target resources instead of relying on implicit trust based on network location,” CISA said in the document. “PEPs use these characteristics to authorize initial access and validate that continued access remains necessary and authorized while the connection to the resource exists.”
“In the context of this document, microsegmentation is more than network segmentation. The solutions used to implement microsegmentation span multiple technical capabilities and are implemented in multiple layers of the Open Systems Interconnection (OSI) model. Transitioning an organization from existing traditional segmentation, which relied on large-scale perimeters with limited technical capabilities, to fine-tuned microsegmentation requires a paradigm shift that leaders must champion. Successful adoption of microsegmentation will improve enterprise cybersecurity and availability.”
The document identifies that the TIC Reference Architecture Section 4.3 describes trust zones and levels of trust associated with them. These zones are based on network location and can be defined internally or externally to the organization’s perimeter. As described, this trust zone and trust level concept also permits a more fine-grained approach (e.g., aligning with the concepts of ZT), depending on how an organization might best understand and describe their environment. A trust zone does not necessarily inherit trust and security from an adjacent trust zone, nor do the trust and the subsequent security capabilities depend on the trust of the adjacent zone.
Moreover, levels of trust may also factor into deployment options for services or data. By deploying security capabilities and ensuring a rigor of implementation commensurate with the level of trust designated to a zone, an agency may use the increased assurance as an opportunity to deploy services or more sensitive data to the zone.
Using microsegmentation to support ZTAs builds upon this approach. Organizations moving to ZT should work from the assumption that all communications are potentially malicious until proven proper and authorized. ZTA’s core concept of ‘Never trust, always verify’ can work in conjunction with the concept of trust zones and levels of trust through PEPs.
Another key point the document highlights is that, due to the diversity of environments within an organization’s enterprise architecture, a one-size-fits-all approach to microsegmentation is neither practical nor effective. “For most enterprise architectures, organizations will need to combine multiple microsegmentation capabilities, potentially through a combination of preexisting capabilities and one or more vendor products, applying each where appropriate to align with the identified use cases, needs, and objectives. Organizations will need to understand the available options and how best to apply them in their environment.”
In alignment with the National Institute of Standards and Technology (NIST) Planning for a Zero Trust Architecture, organizations should assess their current systems, resources, infrastructure, personnel, and processes before investing in ZT capabilities. “Given the complexity involved in transitioning an existing organizational enterprise from traditional network segmentation to a microsegmentation approach, organizations should use a phased approach, transitioning portions of their enterprise over time. This document provides a high-level approach that can help inform an organization’s approach; however, each organization needs to determine the approach that best meets its needs.”
The document lists four phases. The first phase of implementing microsegmentation involves identifying candidate resources for segmentation. The organization evaluates its applications, workflows, data, assets, and environments to determine which resources are suitable for transitioning to microsegmentation. Prioritization is based on organization-specific criteria such as criticality, security needs, or ease of transition. For instance, during the initial implementation phase, the organization may prioritize resources that are easiest to transition. Later, with more experience, it may focus on more critical or high-value assets.
In the second phase, the organization identifies dependencies for the selected candidate resources. This includes understanding what other applications, workflows, data, assets, or environments are necessary for each resource to function properly. Engaging relevant stakeholders in this process is essential to ensure that all necessary dependencies are captured.
Next, the organization moves to determine the appropriate segmentation policies. This involves exploring various segmentation options that would still allow the candidate resource to carry out its business function. The final policy selection is based on criteria such as security effectiveness, ease of implementation, and long-term maintainability. Including users in this phase helps the organization assess the impact of policies on workflows and better understand potential risks.
Finally, the organization deploys the updated segmentation policies. It begins by testing the policies to validate their accuracy, often using a permissive mode that flags policy violations without enforcement to catch any overlooked dependencies. Once validated, the policies are fully deployed. The organization ensures that proper monitoring is in place to confirm the effectiveness of the deployment. It also provides public documentation detailing the changes, the current enforcement level, and a clear channel for user feedback and support.
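The following is an added illustration of phases two through four described above, not code from CISA or the guidance: it derives a candidate resource’s observed dependencies from constructed flow records, expresses allow rules for the microsegment, and evaluates traffic in a permissive (audit) mode that flags violations without blocking them before switching to enforcement. Workload names, ports, and the rule format are assumptions made for the example.

```python
"""Microsegmentation planning walk-through (added example, hypothetical data)."""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample flows: (source workload, destination workload, destination port).
# All names and ports are made up for this example.
FLOWS = [
    ("web-01", "payroll-app", 8443),
    ("payroll-app", "payroll-db", 5432),
    ("backup-01", "payroll-db", 5432),   # dependency that is easy to overlook
    ("web-01", "payroll-db", 5432),      # direct path the policy should not permit
    ("payroll-app", "ldap-01", 636),
]

@dataclass(frozen=True)
class Rule:
    """One allow rule for the microsegment: src -> dst on a port."""
    src: str
    dst: str
    port: int

def dependencies(flows, resource):
    """Phase 2: every peer pair and port in which the candidate resource takes part."""
    deps = defaultdict(set)
    for src, dst, port in flows:
        if resource in (src, dst):
            deps[(src, dst)].add(port)
    return dict(deps)

def evaluate(flows, rules, resource, mode="permissive"):
    """Phase 4: check flows touching `resource` against the allow rules.

    Permissive mode allows every flow but marks violations, so overlooked
    dependencies surface without breaking workflows; enforce mode denies them.
    """
    allowed = {(r.src, r.dst, r.port) for r in rules}
    decisions = []
    for src, dst, port in flows:
        if resource not in (src, dst):
            continue
        covered = (src, dst, port) in allowed
        action = "allow" if covered or mode == "permissive" else "deny"
        decisions.append({"flow": (src, dst, port), "action": action,
                          "violation": not covered})
    return decisions

def violations(decisions):
    """Flows not covered by policy; in permissive mode this is the review list."""
    return [d["flow"] for d in decisions if d["violation"]]
```

Running the evaluator in permissive mode first surfaces the backup host as a missed dependency to add as a rule, while the direct web-to-database path remains a violation to deny once enforcement is switched on.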
CISA identified that the phases outlined are not one-time tasks and would need to be repeated by the organization during the transition. “These can be repeated while legacy segmentation approaches remain in use, as well as where more advanced segmentation has been adopted. Through iteration, the organization gains experience and insight into where changes to organization applications or environments, the technology landscape, threats, or attacker techniques necessitate updates. This knowledge can improve already-deployed microsegments.”
The document also emphasizes that transitioning from traditional network segmentation to microsegmentation is a complex process best managed through a phased approach. “Even organizations that can leverage the opportunity to use a greenfield approach (e.g., a project free from previous project constraints, a blank slate) can benefit from using a phased approach. By executing a phased transition, the organization can identify unknown challenges and conflicts and develop strategies to resolve them, enabling the organization’s attainment of ZT objectives while minimizing the risk to operational missions.”
“OT, IoT, and legacy environments, devices, and applications may not be as amenable to microsegmentation solution deployment,” CISA detailed. “For example, agent-based segmentation solutions may not be available for these devices, necessitating the deployment of network-based segmentation solutions.”
At the same time, it added that these resources may have limited security protections, increasing the need for segmentation to protect these resources and limiting the potential for their misuse if compromised. “While organizations should consider replacement solutions, if available, they will need to account for these resources when defining segmentation policies. This might entail limiting access, as much as feasible, both to and from these resources.”
CISA also included a set of microsegmentation scenarios drawn from its work with agencies transitioning to zero trust architectures. These examples illustrate how different organizations approached their initial implementation of microsegmentation, each integrating it into their broader ZTA strategy. While the scenarios highlight high-level starting points, CISA notes that individual agencies likely employed additional methods tailored to specific applications, environments, or mission needs as their zero trust implementations matured.
In conclusion, the guidance identified that supporting ZTA through microsegmentation implementation requires a significant shift in the technology, policy, and security culture of an organization. “Organizations should leverage technology updates and the transition to the cloud to move from macrosegmentation to microsegmentation. This document provides high-level guidance and recommendations as organizations begin planning and scoping their transition to microsegmentation as part of a ZTA. CISA plans to release a subsequent technical guide to support implementation teams during this transition,” it added.
This isn’t the first time CISA has addressed microsegmentation. The concept is also featured in the Network Pillar of its Zero Trust Maturity Model (ZTMM) Version 2.0. The ZTMM serves as a practical roadmap for federal agencies as they shift toward zero trust architectures, offering guidance for developing strategies and implementation plans. It also outlines how CISA services can support agencies at different stages of zero trust adoption.