CISA signals that micro segmentation is no longer optional

The Cybersecurity and Infrastructure Security Agency (CISA) recently released the first in a series of guidance documents aimed at helping federal agencies implement microsegmentation as part of their zero trust architecture (ZTA) strategy in compliance with a 2022 White House mandate.

The document, Microsegmentation in Zero Trust, Part One: Introduction and Planning, notes that microsegmentation “reduces the attack surface, limits lateral movement and enhances visibility for monitoring smaller, isolated groups of resources.”

Considering that lateral movement and ransomware were present in 44% of all breaches reviewed as part of the 2025 Verizon DBIR, this is an important shift for organizations to note. Yet despite its importance, microsegmentation is often seen as out of reach for many organizations due to its perceived complexity. Arguably, this perception has been perpetuated by NSA and CISA and is a sentiment worth challenging.

In 2023, the NSA labeled full microsegmentation as an advanced capability, best suited only for organizations with mature architectures and highly skilled teams. In 2021, CISA published a Zero Trust Security Model that categorized microsegmentation as “optimal” in their maturity diagram.

These well-regarded guidance documents left organizations of all sizes with the impression that microsegmentation is a daunting, advanced endeavor – reserved only for the most mature organizations – even though it’s widely recognized as the best way to block lateral movement and contain threats like ransomware.

CISA’s latest guidance is a clear call for organizations to look beyond the historically manual processes of mapping dependencies, establishing access policies for different environments and troubleshooting gaps in policy enforcement in pursuit of a more automated and innovative approach.

While the latest guidance was written for federal agencies, its relevance extends far beyond the public sector. The most frequently cited challenges associated with microsegmentation – legacy systems, sprawling environments, lateral movement risks – are the same across commercial industries.

Many enterprises, particularly in healthcare, financial services, and critical infrastructure, are using CISA’s Zero Trust Maturity Model and microsegmentation strategies as de facto standards to guide their own security programs.

If organizations have been advised to save microsegmentation as a last step in the climb to network security and zero trust architecture, of course it’s going to be the last thing to be accomplished. CISA's guidance reflects an awareness of modern threats, suggesting that organizations can't afford to leave lateral movement unchecked while they move through the conventional 'crawl, walk, run' motions.

This new guidance offers a practical, phased blueprint for any organization looking to move from static controls to dynamic, identity-aware access.

Microsegmentation improves on traditional approaches such as network and application segmentation, which are effective at separating components within the network and limiting the damage from a successful attack. Microsegmentation takes that approach to a more granular level and extends it across highly distributed environments, including containers operating at the edge.

By converting components into small, distinct entities, it allows organizations to apply tailored security policies and access controls, such as least-privilege policies, to every asset on the network.

This approach assumes that any traffic anywhere on the network is suspect, and requires continual authorization and authentication to prevent unauthorized access to data and services. The focus is on the identity of a user, application, or other component (machine identities are increasingly important) rather than its location within a network perimeter.

To be sure, implementation has historically been complex—hence CISA’s release of “Part One,” focused on taking a phased approach to microsegmentation, with a more technical guide still to come. CISA’s guidance gives organizations both permission and a pathway to prioritize microsegmentation now.

Just as zero trust isn’t a single outcome with a single solution, access policies aren’t necessarily one-size-fits-all. Every request, for example, would ideally be assessed in real time, enforced by multi-factor authentication (MFA) and/or just-in-time (JIT) credentials, which limit not only who can access a resource but when.

However, many legacy applications and services aren’t built to support real-time access controls, so a ZTA must be flexible enough to allow a hybrid approach where necessary, such as enforcing JIT where feasible and applying least privilege at a static stage elsewhere.
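As an added illustration, not code from CISA's guidance or from the author, the following Python sketches the policy shape the preceding paragraphs describe: decisions keyed on identity rather than network location, a JIT rule that constrains both who and when, a static least-privilege rule for a legacy service that cannot support real-time controls, and default deny for everything else. All identities, addresses and times are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass(frozen=True)
class Request:
    identity: str          # user or workload identity (machine identities included)
    resource: str          # destination workload
    port: int
    src_ip: str            # recorded for visibility only; never consulted by the policy
    mfa_verified: bool
    at: datetime

@dataclass(frozen=True)
class Rule:
    identity: str
    resource: str
    port: int
    mode: str                                # "jit": MFA plus a live time-boxed grant; "static": legacy fallback
    grant_expires: "datetime | None" = None  # only meaningful for "jit"

def authorize(req: Request, rules: list) -> tuple:
    """Return (allowed, reason). Every request is re-evaluated on identity, not
    source address, and a request that matches no rule is denied."""
    for rule in rules:
        if (rule.identity, rule.resource, rule.port) != (req.identity, req.resource, req.port):
            continue
        if rule.mode == "static":
            return True, "static least-privilege rule (legacy service)"
        if not req.mfa_verified:
            return False, "jit rule: MFA not satisfied"
        if rule.grant_expires is None or req.at >= rule.grant_expires:
            return False, "jit rule: no active grant"
        return True, "jit rule: grant active"
    return False, "default deny: no rule for this identity/resource/port"

# Constructed sample policy: payments DB reachable only by billing under a 30-minute JIT grant; legacy HR app keeps a static rule.
NOW = datetime(2025, 6, 1, 12, 0, tzinfo=timezone.utc)
RULES = [
    Rule("svc:billing-api", "db:payments", 5432, "jit", NOW + timedelta(minutes=30)),
    Rule("svc:hr-legacy", "db:hr", 1433, "static"),
]

def demo() -> dict:
    # Constructed requests; "lateral_move" is a neighbouring workload on the same subnet as billing.
    reqs = {
        "billing_in_window": Request("svc:billing-api", "db:payments", 5432, "10.1.1.5", True, NOW),
        "billing_expired": Request("svc:billing-api", "db:payments", 5432, "10.1.1.5", True, NOW + timedelta(hours=1)),
        "billing_no_mfa": Request("svc:billing-api", "db:payments", 5432, "10.1.1.5", False, NOW),
        "lateral_move": Request("svc:web-frontend", "db:payments", 5432, "10.1.1.5", True, NOW),
        "hr_legacy": Request("svc:hr-legacy", "db:hr", 1433, "10.2.0.9", False, NOW),
    }
    return {name: authorize(r, RULES) for name, r in reqs.items()}
```

Note that the web frontend shares a subnet with the billing service yet is denied: the segment boundary is the identity/resource/port tuple, not the network location.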

CISA’s new guidance provides a practical framework for implementing microsegmentation, while making it clear that microsegmentation isn’t an “Advanced” capability for only the most mature zero trust environments. It is foundational to everything organizations are aiming to accomplish.

The good news is that it doesn’t have to be an excruciating process. With a phased approach and the right tools, organizations can embark now on a clear path to a comprehensive, effective zero trust environment.

Chris Boehm

Chris Boehm is Field CTO, Zero Networks. He has 15-plus years in cybersecurity, spanning public sector IT, cloud engineering, and executive leadership.
