One of the most common attacker tactics is lateral movement: after gaining initial access to a network, the attacker explores it to map out systems and locate data to steal. Lateral movement is especially dangerous in cloud environments, where traditional boundaries are blurred and trust is often implicit within VPCs, containers, and service accounts. The textbook defense against lateral movement is network segmentation or microsegmentation: dividing your network into individually protected segments so that if an attacker gains access to one piece, their ability to explore and cause damage is limited.
Unfortunately, microsegmentation can be difficult to implement across large, distributed, and dynamic enterprise networks. It requires strategic planning, coordination, and thoughtful architecture to avoid disrupting performance or exposing new gaps.
Microsegmentation, when done right, limits how far an attacker can go, ensures visibility into business-critical traffic paths, and allows enforcement to align with actual workflows. It goes beyond security to operational resilience and breach cost containment.
CISA’s new publication, “The Journey to Zero Trust: Microsegmentation in Zero Trust – Part One: Introduction and Planning,” empowers organizations to implement a zero trust microsegmentation strategy by offering practical guidance. It introduces a more rigorous and integrated way of thinking about segmentation in the context of modern threats, compliance mandates, and cloud evolution.
CISA’s 2025 guidance isn’t just about modernizing firewall rules — it’s about modernizing how organizations think about containment, continuity, and control. With rising threats from ransomware, insider abuse, and cloud misconfigurations, most enterprises now operate with thousands of dynamic micro-perimeters.
What You’ll Learn:
Why CISA released this guidance now
What’s new in “The Journey to Zero Trust: Microsegmentation in Zero Trust – Part One: Introduction and Planning”
What this means for enterprises
What to watch for next
What Is this New Publication?
CISA has released a planning guide for implementing microsegmentation within Zero Trust environments. This is part of CISA’s “Journey to Zero Trust” initiative, which expands practical guidance beyond general maturity models. Future documents will include technical implementation guidance; this first part is all about strategy, planning, and leadership buy-in.
What Drove This New Publication?
Several interlocking drivers explain why CISA released this now.
Compliance Pressure
CISA’s new guidance builds directly on Executive Order 14028 (2021) and OMB Memo M-22-09 (2022), which mandated that federal agencies adopt zero trust. Implementing zero trust takes time, energy, resources, and good planning, so CISA is beginning to help organizations turn it from theory into reality. CISA’s own Zero Trust Maturity Model v2.0 (ZTMM) emphasized microsegmentation in the Network Pillar. This document is the practical follow-through on those policy foundations.
Threat Landscape
This publication addresses the growing risk of lateral movement highlighted in recent CISA advisories involving advanced persistent threat (APT) groups like Salt Typhoon, Volt Typhoon and other state-sponsored actors. CISA emphasizes that microsegmentation can “reduce the blast area that a compromised resource can impact,” limiting how far attackers can move once inside.
Shift from Perimeters to Contextual Controls
CISA’s guide emphasizes enforcement via Policy Enforcement Points (PEPs), or systems that apply access policies at key control points across cloud, endpoint, container, and network layers. These PEPs use identity, device, and behavioral attributes to make real-time decisions, enabling dynamic, context-aware segmentation that moves beyond static perimeters and aligns with how resources are accessed in today’s distributed environments.
Cloud and Hybrid Modernization
The publication reflects the architectural realities of hybrid, cloud-native, containerized, and SaaS-based environments. It explicitly supports IaaS, PaaS, SaaS, SASE, OT, and IoT environments. It also offers examples and phased guidance for both brownfield and greenfield environments. This is a much broader scope than older segmentation guidance.
What’s New or Substantially Different
Legacy Thinking | CISA’s 2025 Guidance
VLANs, ACLs, subnets | Dynamic PEP-based enforcement with identity and behavior context
Static zones | Attribute-based, policy-controlled microsegments that shift with workload workflows
Firewall-first | PEPs at multiple OSI layers: endpoint, network, container, cloud-native, hypervisor
One-size-fits-all architecture | Tailored segmentation approaches across IT, OT, IoT, cloud, and legacy systems
"Lift and shift" segmentation in cloud | Cloud-native, workflow-aware segmentation instead
The guidance references CISA’s TIC 3.0 evolution, noting that microsegmentation is now a recognized network security capability under the TIC program — and key to building trust zones for modern architectures.
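To make the contrast in the table concrete, here is an added example (written for this post, not code from CISA’s publication or any vendor) that puts a static subnet ACL next to a minimal attribute-based PEP decision. The tag names, posture values, anomaly score and sample addresses are constructed; a real PEP would receive them from the identity provider, endpoint agent and telemetry pipeline.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Legacy row of the table: a static ACL keyed only on source subnet.
# Constructed sample: the "app" VLAN 10.10.0.0/24 may reach the "db" tier; nothing else is checked.
STATIC_ACL = {"10.10.0.0/24": {"db"}}

def legacy_allow(src_ip: str, dst_tier: str) -> bool:
    """Static ACL: every host in the app subnet reaches the database, whatever its state."""
    return any(ip_address(src_ip) in ip_network(net) and dst_tier in tiers
               for net, tiers in STATIC_ACL.items())

# PEP row of the table: an attribute-based decision. Attribute names are constructed here,
# not CISA's schema; in practice they come from an identity provider, an endpoint/runtime
# agent (posture) and telemetry (behaviour signals).
@dataclass(frozen=True)
class Request:
    workload_id: str        # identity of the calling workload (e.g. a service account)
    src_tags: frozenset     # labels on the source workload, from a consistent tagging taxonomy
    dst_tags: frozenset     # labels on the destination workload
    device_posture: str     # "compliant" or "noncompliant", reported by the endpoint agent
    anomaly_score: float    # behaviour signal: 0.0 (normal) .. 1.0 (highly anomalous)

# Policies are written against tags, not addresses, so they follow workloads as they move.
POLICIES = [
    {"src": {"app:orders", "env:prod"}, "dst": {"tier:db", "env:prod"},
     "posture": "compliant", "max_anomaly": 0.5},
]

def pep_decide(req: Request) -> tuple:
    """Default-deny PEP: allow only if some policy's tags, posture and behaviour bound all match."""
    for p in POLICIES:
        if not (p["src"] <= req.src_tags and p["dst"] <= req.dst_tags):
            continue
        if req.device_posture != p["posture"]:
            return False, "device posture not compliant"
        if req.anomaly_score > p["max_anomaly"]:
            return False, "behaviour anomaly above threshold"
        return True, "policy match"
    return False, "no matching policy (default deny)"

def compare() -> dict:
    """Constructed scenario: a host in the app subnet whose agent reports a non-compliant
    posture and anomalous behaviour, i.e. the kind of workload lateral movement starts from."""
    req = Request("orders-7f3a", frozenset({"app:orders", "env:prod"}),
                  frozenset({"tier:db", "env:prod"}), "noncompliant", 0.9)
    return {"legacy": legacy_allow("10.10.0.42", "db"), "pep": pep_decide(req)[0]}
```

Calling `compare()` shows the same connection being allowed by the static ACL and denied by the PEP, because only the PEP sees posture and behaviour.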
Key Takeaways
Here are some big-picture ideas from the document:
Microsegmentation is now considered foundational to Zero Trust, not a niche best practice.
Static zones and VLANs are no longer sufficient — segmentation must be dynamic and context-aware, factoring in identity, device posture, and behavior signals.
Policy Enforcement Points (PEPs) are distributed enforcement controls that operate at multiple OSI layers — including endpoint, container, hypervisor, and cloud-native services.
Microsegmentation plays a dual role: it contains threats during an incident and supports operational continuity by minimizing blast radius.
CISA provides phased transition strategies for both brownfield and greenfield environments, helping orgs evolve segmentation without breaking existing systems.
The guidance builds on Executive Orders and Zero Trust mandates, signaling that microsegmentation maturity may soon become a compliance and audit expectation.
What This Means for Enterprises (Beyond Federal)
Although it targets FCEB agencies, this guidance extends to private sector organizations, especially in regulated industries. If you’re in finance, healthcare, or critical infrastructure, this guidance could serve as the new expectation bar for audits, vendor assessments, and due diligence.
For cloud-first orgs, it signals that cloud-native microsegmentation will increasingly rely on enforcement types outlined by CISA, including containers, endpoints, hypervisors, and cloud-native tools like CWPP, CNAPP, and service mesh architectures. These support dynamic segmentation aligned to modern application workflows. With the number of known vulnerabilities exploding, built-in solutions like microsegmentation can help relieve the pressure on security teams to respond to thousands of alerts.
What to Watch For Next
Part Two of CISA’s guide will be a technical implementation guide, likely focused on integrating vendor solutions and modern cloud-native enforcement models. Expect alignment and references to vendors who support fine-grained, policy-based workload segmentation, especially SASE, CSPM, CNAPP, and identity-aware NGFW platforms. Future compliance audits may begin mapping maturity and capability to this guidance (just like they did with the Zero Trust Maturity Model).
What Should You Do Next?
CISA’s microsegmentation guidance impacts multiple stakeholders across security, infrastructure, and application teams. Here’s what each persona should focus on next:
CISOs & Security Executives
Why it matters: Microsegmentation is now a foundational Zero Trust requirement — not a niche tactic. CISA’s framing signals that enforcement maturity will become a future audit and compliance benchmark.
What to do:
Assign a segmentation program owner with cross-functional authority.
Ensure budget includes enforcement-layer investments (PEPs, runtime, telemetry).
Add lateral movement controls to executive-level risk dashboards.
Cloud Security Architects
Why it matters: You are the linchpin between policy and implementation. CISA’s model demands dynamic enforcement that understands context, not just IPs and VLANs.
What to do:
Map PEP coverage across endpoints, containers, cloud-native workloads.
Integrate identity and behavior signals into enforcement decisions.
Use the phased approach (brownfield/greenfield) in CISA’s guidance to build your roadmap.
Cloud & Platform Architects
Why it matters: CISA includes IaaS, PaaS, SaaS, OT, and containerized environments. Your architecture must enable segmentation that adapts to elastic, ephemeral workloads.
What to do:
Validate segmentation coverage across hybrid, multi-cloud, and containerized systems.
Embed segmentation logic into service mesh and Kubernetes design.
Eliminate static trust zones and “lift-and-shift” segmentation from past architectures.
DevOps & App Teams
Why it matters: You build and deploy the workloads segmentation is meant to protect. Poorly aligned enforcement can break builds, delay rollouts, or block service discovery.
What to do:
Use consistent tagging/taxonomy to support dynamic policy enforcement.
Collaborate with security teams to define app-aware segmentation boundaries.
Test microsegmentation changes in staging environments before production rollout.
Compliance & Risk Officers
Why it matters: This guidance ties directly to Executive Orders, OMB memos, and ZTMM 2.0 — which are increasingly used as audit references.
What to do:
Track microsegmentation maturity as part of Zero Trust assessment frameworks.
Ensure controls map to TIC 3.0, ZTMM Network Pillar, and NIST 800-207 guidelines.
Document segmentation controls and enforcement logic for audit readiness.