New CISA guide helps agencies with next steps on zero trust

Originally published New CISA guide helps agencies with next steps on zero trust on July 30, 2025 03:43 by https://federalnewsnetwork.com/cybersecurity/2025/07/new-cisa-guide-helps-agencies-with-next-steps-on-zero-trust/ at Federal News Network

Agencies looking to stop hackers from moving laterally within their networks should pay close attention to new “zero trust” guidance from the Cybersecurity and Infrastructure Security Agency.

CISA today released its latest guide, “Microsegmentation in Zero Trust, Part One: Introduction and Planning.” The document explains how to embrace a key principle of modern cybersecurity: preventing a breach of one device or account from being used as a jumping off point to spread malware, steal data and compromise accounts across an organization.

Microsegmentation is a key aspect of CISA’s zero trust maturity model. The new guidance is the first in a “journey to zero trust” series that CISA is producing to help federal agencies and other organizations dive deeper into a complex cybersecurity concept, according to Shelly Hartsook, an acting associate director in CISA’s cybersecurity division.

The Biden administration initiated the governmentwide push to the new cybersecurity architecture with a zero trust strategy in January 2022. The Trump administration has largely continued those efforts.

“So many organizations, both on the federal side and in the private sector, we saw make early investments in zero trust network access tools, or SASE tools –  secure access service edge –as part of their early implementation,” Hartsook said in an interview. “And there is a value in those bringing those tools into the toolbox and initially implementing them. This guidance can help organizations make the most of those technology investments and how they’re configured and really used across the enterprise.”

The initial microsegmentation guidance is geared toward non-technical management positions. CISA will follow up with a second guide that’s more technically focused.

But Hartsook said adopting microsegmentation requires careful organizational level planning from the start.

“Most organizations have spent years and enormous effort trying to create, for their intended users, a really frictionless and smooth experience,” Hartsook said. “We’re trying to create barriers and friction and gates to slow down the adversary and limit the impact if they are able to get in. But that can have some really unintended consequences for your regular users within the environment. So really understanding how to apply it and having a deliberate strategy architecture and planning is critical to doing this in a way that achieves the cybersecurity intent without mucking up your just normal business with your organization.”

Microsegmentation pools resources – like databases, web servers and user devices – into smaller groups, “reducing the attack surface, limiting lateral movement and increasing visibility for better monitoring of the microsegmented environment,” CISA explains in the new guide.

Hartsook said that can be a “tricky pivot” for many organizations.

“How a network is architected, traditionally that has been driven largely by your IP address or network location, and that is baked into some of our traditional models,” she said. “Whereas as we look at microsegmentation and use of the tools that support it, we’re looking at a larger number of attributes, either about the resources being protected, how a user is accessing and allows us to apply what we call ‘fine grained access controls’ in the way that we apply security policies across the network.”

CISA’s guidance provides several implementation examples and other considerations to help organizations plan for what will likely be an incremental implementation.

Hartsook said when the federal zero trust strategy first come out three years ago, most senior managers at federal agencies were unfamiliar with the concept. Zero trust security leads needed help getting their leadership to understand zero trust so they could get the required attention and resources.

“I think we’ve evolved past that point,” Hartsook said. “And I think the place where we’re at with something as big and complex as zero trust is moving to, this isn’t a single project. ‘Why aren’t we done yet? What’s next?’ And that’s really what we’re carving off and trying to provide these more targeted guidance resources. It really is a journey. It’s going to require many years and a heavy level of investment.”

Copyright
© 2025 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.

Originally published New CISA guide helps agencies with next steps on zero trust on July 30, 2025 03:43 by https://federalnewsnetwork.com/cybersecurity/2025/07/new-cisa-guide-helps-agencies-with-next-steps-on-zero-trust/ at Federal News Network

Originally published Federal News Network