Cybersecurity and Infrastructure Security Agency
The Journey to Zero Trust series covers cybersecurity capabilities and architecture supporting organization adoption of modern zero trust (ZT) principles. ZT’s core concept of "never trust, always verify" evolved from prior cybersecurity models. This current ZT series supports an organization’s ZT journey and supplements other resources.
Implementing a ZTA is a journey rather than a wholesale replacement of infrastructure or processes. An organization should seek to incrementally implement zero trust principles, process changes, and technology solutions that protect its highest value data assets.
Microsegmentation is a networking control that limits connections to a zone or segment. Traditionally, organizations accomplished networking control using Internet Protocol (IP) address ranges, virtual local area networks (VLANs) and devices or services that can accept or reject the connections based on static rules. In this context, microsegments are simply smaller zones or address ranges possessing more granular, manually created and managed access rules. This approach is typically accomplished in static rules and routing applied to network devices, virtualized networking or perimeter defense equipment, such as firewalls, routers and switches.
This document provides background, references and initial planning guidance that apply the principles from traditional network microsegmentation to the challenges associated with zero trust architectures (ZTAs) and dynamic policy enforcement. In the context of dynamic policy enforcement and ZT, microsegmentation is more than a network discussion or capability. It includes not only current, state-of-the-art network capabilities and controls but also capabilities implemented in hosts or other workflow-aware policy enforcement mechanisms, commonly called policy enforcement points (PEPs).
This is an evolving set of capabilities that can be applied at the host, application, database, operating system or virtualization platform, or in dedicated devices, to accomplish the objectives of microsegmentation for ZT. When applying microsegmentation in ZT at the PEPs, the parameters for the access rules move beyond IP addresses and include contextual information about the connection. This additional contextual information is referred to as attributes and can include a wide range of information to support the dynamic policy decisions for both initial access and continued access.
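The contrast the two preceding paragraphs draw between static, address-based segment rules and attribute-aware PEP decisions can be made concrete in code. The following is an added example, not code from the CISA document: a minimal policy enforcement point that first applies a traditional segment rule keyed on IP ranges and port, then layers on contextual attributes (identity role, device compliance, time since authentication) before allowing the connection. The IP ranges, the attribute names `user_role`, `device_compliant` and `mfa_age_s`, and the sample requests are all constructed for illustration.

```python
"""Added example (not part of the CISA guidance): a toy policy enforcement
point (PEP) contrasting address-based microsegmentation with attribute-based
zero trust decisions. All ranges, attribute names and requests are constructed."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class ConnectionRequest:
    src_ip: str
    dst_ip: str
    dst_port: int
    # Contextual attributes delivered with the request (identity, posture, ...).
    attributes: dict = field(default_factory=dict)


# Traditional microsegmentation: static rules keyed only on address ranges.
# Constructed segments: the "app" zone may reach the "db" zone on port 5432.
STATIC_RULES = [
    # (source segment, destination segment, allowed destination port)
    (ipaddress.ip_network("10.1.0.0/24"), ipaddress.ip_network("10.2.0.0/24"), 5432),
]


def static_allows(req: ConnectionRequest) -> bool:
    """Address-only check: would a static firewall/VLAN rule permit this flow?"""
    src = ipaddress.ip_address(req.src_ip)
    dst = ipaddress.ip_address(req.dst_ip)
    return any(src in s and dst in d and req.dst_port == port
               for s, d, port in STATIC_RULES)


# Zero trust PEP: the segment rule is still a precondition, but the decision
# also consumes attributes about the connection. The attribute names below
# are assumed for illustration, not drawn from any standard.
def zt_allows(req: ConnectionRequest, max_mfa_age_s: int = 3600) -> tuple:
    """Return (decision, reason). The reason is what a PEP would log."""
    if not static_allows(req):
        return False, "network rule denies"
    a = req.attributes
    if a.get("user_role") not in {"app-service", "dba"}:
        return False, "identity not authorised for db segment"
    if not a.get("device_compliant", False):
        return False, "device posture non-compliant"
    # Continued-access check: stale authentication forces re-verification
    # even though the address rule and identity rule both pass.
    if a.get("mfa_age_s", 10**9) > max_mfa_age_s:
        return False, "re-authentication required"
    return True, "allowed"


def decision_log_line(req: ConnectionRequest) -> str:
    """Single log line a defender would ship to a SIEM for each decision."""
    allowed, reason = zt_allows(req)
    verdict = "ALLOW" if allowed else "DENY"
    return (f"pep {verdict} {req.src_ip}->{req.dst_ip}:{req.dst_port} "
            f"static={'pass' if static_allows(req) else 'fail'} reason=\"{reason}\"")


if __name__ == "__main__":
    # Constructed sample: same flow, differing only in device posture.
    healthy = ConnectionRequest("10.1.0.5", "10.2.0.9", 5432,
                                {"user_role": "app-service",
                                 "device_compliant": True, "mfa_age_s": 120})
    unhealthy = ConnectionRequest("10.1.0.5", "10.2.0.9", 5432,
                                  {"user_role": "app-service",
                                   "device_compliant": False, "mfa_age_s": 120})
    print(decision_log_line(healthy))
    print(decision_log_line(unhealthy))
```

The point of the two sample requests is that the static rule passes for both, so a network-only control cannot distinguish them; only the PEP, with device posture as an attribute, denies the second. Logging the reason alongside the static result lets a detection team spot flows that are address-permitted but attribute-denied, which is exactly the gap microsegmentation for ZT is meant to close.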
Year published: 2025
URL: https://www.cisa.gov/sites/default/files/2025-07/ZT-Microsegmentation-Guidance-Part-One_508c.pdf