Microsegmentation for Federal Zero Trust: The Six-Phase Roadmap CISA Part One Already Supports

11 min read · Updated May 18, 2026

Bottom Line Up Front

CISA released the first half of its microsegmentation guidance in July 2025 and signposted Part Two for technical leaders. The federal cyber teams waiting for Part Two are losing six months of implementation runway against the 2026 Advanced-maturity target. This article builds the microsegmentation roadmap on Part One's concepts plus the technical moves Part Two is most likely to recommend, drawn from CISA's preview language and the OT zero-trust guide released alongside Part One. It is written for the federal CIO whose agency is at Initial maturity and cannot afford to wait.

The Cybersecurity and Infrastructure Security Agency released the first half of its microsegmentation guidance on July 29, 2025: Microsegmentation in Zero Trust, Part One. Part One covers the concepts, the challenges, and the benefits. It signposts Part Two as a technical guide for implementation teams. Part Two has not been released as of mid-2026.

The federal cyber teams waiting for Part Two are losing implementation runway against the zero-trust maturity targets OMB Memorandum M-24-14 directs agencies to pursue. The Part One signposting language is specific enough to begin technical implementation. CISA’s Operational Technology (OT) zero-trust guide, released April 29, 2026, contains technical detail that previews many of the Part Two recommendations. The federal microsegmentation projects that closed in 2025 have produced operational lessons that fill the remaining gaps. Waiting is a choice the calendar does not support.

This article builds the federal zero-trust microsegmentation roadmap on Part One’s concepts plus the technical moves Part Two is most likely to recommend, drawn from CISA’s preview language and the OT zero-trust guide CISA released in April 2026. It is written for the federal Chief Information Officer whose agency is at Initial maturity and cannot afford to wait.

What Part One Actually Says

Part One establishes microsegmentation as a foundational capability in the Network pillar of the Zero Trust Maturity Model. The Network pillar’s Advanced and Optimal stages require both macro-segmentation (separating major network zones) and micro-segmentation (isolating individual workloads or services), with encrypted inter-segment traffic and identity-aware policies enforcing the boundaries.

The conceptual framework Part One provides has four elements. The first is the segmentation taxonomy: macro-segments are large zones (production versus development, sensitive-data zones versus general-purpose zones); micro-segments are small (individual services, workloads, or even processes). The second is the policy model: identity-aware, attribute-driven, default-deny. The third is the visibility requirement: continuous discovery of assets, traffic flows, and policy violations. The fourth is the enforcement architecture: distributed enforcement points rather than a single chokepoint.

Part One identifies the challenges that have stalled federal microsegmentation projects. Legacy applications that assume flat networks. Unmapped east-west traffic flows that surprise the team when policies are applied. Operational Technology environments that cannot tolerate the latency or complexity of identity-aware enforcement. Identity infrastructure that does not extend to all workloads. Each challenge has a remediation pattern, and the Part Two technical guidance is expected to detail those patterns.

Why the Wait Is Costly

OMB Memorandum M-24-14 directs agencies to document target zero-trust maturity levels for high-value assets to be achieved by the end of FY26, with most federal cyber leadership targeting Advanced maturity in their highest-value pillars by year-end 2026. Note that the federal fiscal year closes on September 30, 2026, so a team planning to the calendar year-end is already a quarter short of the FY26 date. The specific target is agency-defined, not a uniform government-wide mandate; agencies with prioritized high-value assets and adequate resources should target Advanced in the Network pillar while lower-priority systems may remain at earlier stages. The Network pillar is the most operationally complex, and microsegmentation is the most technically demanding capability within it.

Published federal zero-trust implementation case studies and commercial program timelines consistently describe federal microsegmentation projects at 12 to 24 months from initiation to Advanced-maturity coverage, with well-resourced agencies on the lower end and resource-constrained agencies on the higher end. An agency that begins implementation in mid-2026 has perhaps six months to reach Advanced maturity on high-value assets. That is operationally infeasible for any agency that has not already completed the discovery and policy-design work. An agency that began in early 2026 has 12 months and is at the edge of feasibility. An agency in implementation since 2025 is on the realistic path to maturity by year-end.

Waiting for Part Two is the wrong calculus. The agency maturity target is not delayed by Part Two’s release date. The agency that waits for Part Two before beginning loses calendar time it cannot recover. The agency that begins now using Part One concepts and the April 2026 OT zero-trust technical detail can adjust to Part Two’s specifics when they arrive without losing the runway.

The Six-Phase Roadmap

The roadmap below assumes a federal civilian agency at Initial maturity targeting Advanced on high-value assets by the end of 2026. The phases are sequential but overlap; some discovery work continues throughout the project. Each phase has a deliverable that supports the agency’s Federal Information Security Modernization Act (FISMA) reporting and the FY2026 Inspector General FISMA metrics aligned to the Zero Trust Maturity Model.

| Phase | Months | Primary Activities | Deliverable |
|---|---|---|---|
| 1. Discovery | 1-3 | Asset inventory, traffic-flow mapping, identity-source analysis | Network and application architecture map |
| 2. Macro-Segmentation | 2-5 | Define and enforce major-zone boundaries | Macro-segment policy and enforcement |
| 3. Identity Foundation | 3-6 | Workload identity, service identity, identity-aware policy | Identity-aware policy framework |
| 4. Pilot Micro-Segmentation | 5-9 | One or two priority workloads to micro-segment with policy and enforcement | Pilot workload report with lessons learned |
| 5. Scale Micro-Segmentation | 8-15 | Apply pilot lessons to broader workload portfolio | Phased rollout completing high-value workloads |
| 6. Continuous Monitoring | 12+ | Visibility, policy compliance, drift detection | Operational microsegmentation program |

Phase 1: Discovery

Discovery is the phase agencies most often shortchange. The temptation is to begin segmentation policy design immediately. The result is policies that fail because the underlying network and application reality is different from what was assumed. Discovery should run in parallel with policy concept work but must be substantially complete before enforcement begins.

The asset inventory covers servers, workloads (containerized and bare-metal), endpoints, network devices, identity sources, and operational technology. The traffic-flow mapping captures actual east-west and north-south flows through network telemetry, agent-based observation, or both. The identity-source analysis identifies which workloads have machine identities and which rely on shared credentials or static keys.

The deliverable is a network and application architecture map that names the zones, the workloads in each zone, the inter-zone flows, and the identity infrastructure. The map drives the macro-segment design and surfaces the gaps that must be addressed before micro-segmentation is feasible.
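The traffic-flow mapping step, as an added example that is not part of the article or of any CISA publication: the script below aggregates flow-log records into the zone-to-zone map the deliverable calls for, and separately lists every address that appears in telemetry but not in the asset inventory, since those are exactly the gaps the text says the map must surface. The inventory, the zone names, the workload names and the flow records are all constructed; the record layout (src, dst, dstport, proto, action) is a simplified stand-in for a cloud VPC flow log.

```python
"""Phase 1 flow-map builder: aggregate flow-log records into a zone-to-zone map.

Added example for this article, not CISA's or the author's code. The asset
inventory, the flow records and the zone names are all constructed; the record
layout "src dst dstport proto action" is a simplified stand-in for VPC flow logs.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed asset inventory: IP -> (workload, macro-zone). Hypothetical names.
INVENTORY = {
    "10.1.0.10": ("web-frontend", "dmz"),
    "10.1.0.11": ("web-frontend", "dmz"),
    "10.2.0.20": ("claims-api", "prod-app"),
    "10.3.0.30": ("claims-db", "prod-data"),
    "10.4.0.40": ("jenkins", "dev"),
}

# Constructed flow records, one per line: "src dst dstport proto action".
FLOW_LOG = """\
10.1.0.10 10.2.0.20 8443 tcp ACCEPT
10.1.0.11 10.2.0.20 8443 tcp ACCEPT
10.2.0.20 10.3.0.30 5432 tcp ACCEPT
10.2.0.20 10.3.0.30 5432 tcp ACCEPT
10.4.0.40 10.3.0.30 5432 tcp ACCEPT
10.4.0.40 10.2.0.20 22 tcp ACCEPT
192.168.9.9 10.2.0.20 8443 tcp REJECT
"""

UNMAPPED = "UNMAPPED"


@dataclass
class FlowMap:
    # (src_zone, dst_zone) -> {(dst_port, proto): observed record count}
    zone_flows: dict = field(default_factory=lambda: defaultdict(lambda: defaultdict(int)))
    # Addresses seen in telemetry but absent from the inventory: a discovery gap
    unmapped: set = field(default_factory=set)


def parse_flow_line(line):
    src, dst, port, proto, action = line.split()
    return src, dst, int(port), proto.lower(), action.upper()


def build_flow_map(flow_log, inventory):
    """Aggregate every record by zone pair and service.

    Rejected records are kept as well: a rejected flow from an unknown address
    is still evidence of an asset the inventory does not know about.
    """
    fm = FlowMap()
    for line in flow_log.splitlines():
        if not line.strip():
            continue
        src, dst, port, proto, _action = parse_flow_line(line)
        zones = []
        for ip in (src, dst):
            zone = inventory.get(ip, (None, None))[1]
            if zone is None:
                fm.unmapped.add(ip)
                zone = UNMAPPED
            zones.append(zone)
        fm.zone_flows[(zones[0], zones[1])][(port, proto)] += 1
    return fm


def cross_zone_flows(fm):
    """Flows that cross a macro-zone boundary: the candidate 'permit named flows'
    list for Phase 2, each entry needing an owner who can justify it."""
    return sorted(
        (s, d, port, proto, n)
        for (s, d), services in fm.zone_flows.items() if s != d
        for (port, proto), n in services.items()
    )


def render(fm):
    lines = [f"{s} -> {d} {proto}/{port} ({n} records)"
             for s, d, port, proto, n in cross_zone_flows(fm)]
    if fm.unmapped:
        lines.append("unmapped addresses: " + ", ".join(sorted(fm.unmapped)))
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(build_flow_map(FLOW_LOG, INVENTORY)))
```

In the constructed data the dev-zone CI server reaches straight into the production database and the production API over SSH; both show up as cross-zone entries that an owner has to justify or that Phase 2 will deny by default. In a real environment the inventory would be joined from the CMDB and cloud tags, and the flow source would be days of flow logs rather than seven lines, but the shape of the deliverable is the same.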

Phase 2: Macro-Segmentation

Macro-segmentation defines and enforces the major zone boundaries: production versus non-production, sensitive-data versus general-purpose, internet-facing versus internal, OT versus IT. The macro-segments are usually small in number (five to fifteen) and large in scope.

Enforcement is typically network-level: firewalls, VPC boundaries and security groups in the cloud, and VLANs in legacy environments (a VLAN on its own is only a broadcast boundary; the deny rule has to live in the firewall or ACL between VLANs). Policy is coarse: deny inter-zone traffic by default and permit named flows. CISA’s OT zero-trust guide, released April 29, 2026, provides specific guidance on OT-zone separation that previews much of what Part Two is expected to cover on OT environments.

The deliverable is documented macro-segments with enforcement in place and a policy register listing permitted inter-zone flows. This deliverable supports FISMA reporting and is independently valuable even before micro-segmentation begins.

Phase 3: Identity Foundation

Micro-segmentation requires identity-aware policy. Identity-aware policy requires every workload to have an identity. Most federal environments have inconsistent workload identity coverage; some workloads have machine identities through service-principal mechanisms, others authenticate using shared keys or rely on network-level trust.

Phase 3 establishes workload identity coverage, service-to-service authentication, and the identity-aware policy framework. The framework typically uses a service mesh (for containerized workloads), a workload identity service (for cloud workloads), and identity-aware proxy services (for legacy applications). This phase is where the Network pillar depends on the Identity pillar of the Zero Trust Maturity Model, and agencies commonly use CISA’s Identity-pillar guidance to align it.

The deliverable is the identity-aware policy framework, documented and operational for the workloads targeted in the Phase 4 pilot. Coverage expands across Phase 5 as more workloads are micro-segmented.

Phase 4: Pilot Micro-Segmentation

Pilot micro-segmentation applies the framework to one or two priority workloads. The pilots should be chosen for value (high-sensitivity workloads where micro-segmentation produces material risk reduction) and tractability (workloads with good documentation, predictable traffic, and engaged owners).

The pilot exercises the policy design, the enforcement, and the operational discipline (monitoring, alerting, exception handling). The pilot will surface implementation challenges that the broader rollout must address. The pilot duration should include at least one full operational cycle, including a software release cycle if the workload supports it.

The deliverable is a pilot report with the policy applied, the enforcement architecture used, the operational lessons learned, and the recommendations for broader rollout.

Phase 5: Scale Micro-Segmentation

Scale rollout applies the pilot lessons to the broader workload portfolio. The scaling should be value-prioritized: high-sensitivity workloads first, broad-impact workloads next, less-sensitive workloads last. Some workloads may not be micro-segmented at all in the initial program; legacy applications with deep architectural assumptions about flat networks may require remediation before they can be segmented, and the remediation may exceed the program’s scope.

The scale-out timeline depends on the agency’s portfolio size and complexity. A medium-sized agency with 200 to 500 workloads typically achieves 60 to 80 percent micro-segmentation coverage in six to nine months once Phase 4 is complete.

Phase 6: Continuous Monitoring

Continuous monitoring is the operational discipline that maintains the program. Visibility into network traffic, policy compliance, and drift detection are the three core capabilities. Drift is the slow erosion of policy as workloads change, exceptions accumulate, and operational pressure pushes for permissive policies.

The monitoring tooling should produce a periodic report showing the policy posture, the exception inventory, and the drift indicators. The report supports both internal program management and external reporting to the FY2026 IG FISMA metrics process.
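The policy model the roadmap rests on (Phase 2’s deny-by-default register of named flows, Phase 3’s identity-aware matching, and Phase 6’s exception inventory and drift indicators) fits in one small evaluator. The block below is an added example, not code from the article or from CISA: it holds a policy register in which everything not listed is denied, matches flows on workload identity (or on a macro-zone for Phase 2 style rules), treats exceptions as time-boxed entries with a ticket and an expiry, and produces the posture report fields the paragraph above asks for. The SPIFFE-style identities, zone names, ticket numbers, dates and flow counts are all constructed.

```python
"""Default-deny policy register with identity-aware rules, evaluated against
observed flows, producing the fields a Phase 6 posture report needs.

Added example for this article, not CISA's or the author's code. The rules,
identities, zones, ticket numbers, dates and flow counts are constructed;
SPIFFE-style IDs illustrate identity-aware matching and are not from the article.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Rule:
    src: str                        # exact workload identity, or "zone:<name>" for a macro rule
    dst: str
    port: int
    proto: str
    kind: str = "baseline"          # "baseline" policy or time-boxed "exception"
    expires: Optional[date] = None  # exceptions carry an expiry and a change ticket
    ticket: str = ""


@dataclass(frozen=True)
class Flow:
    src_id: str
    src_zone: str
    dst_id: str
    dst_zone: str
    port: int
    proto: str
    count: int                      # observed records in the reporting period


# Constructed workload identities (hypothetical trust domain).
API = "spiffe://agency.example/ns/prod/sa/claims-api"
DB = "spiffe://agency.example/ns/prod/sa/claims-db"
WEB = "spiffe://agency.example/ns/dmz/sa/web-frontend"
CI = "spiffe://agency.example/ns/dev/sa/jenkins"

# Constructed policy register: anything not listed here is denied.
RULES = [
    Rule("zone:dmz", API, 8443, "tcp"),
    Rule(API, DB, 5432, "tcp"),
    Rule(CI, DB, 5432, "tcp", kind="exception", expires=date(2026, 3, 31), ticket="CHG-1042"),
    Rule(CI, API, 22, "tcp", kind="exception", expires=date(2026, 12, 31), ticket="CHG-1107"),
]

# Constructed observations for one reporting period.
FLOWS = [
    Flow(WEB, "dmz", API, "prod-app", 8443, "tcp", 1200),
    Flow(API, "prod-app", DB, "prod-data", 5432, "tcp", 900),
    Flow(CI, "dev", DB, "prod-data", 5432, "tcp", 30),  # rides on an expired exception
    Flow(CI, "dev", API, "prod-app", 22, "tcp", 12),    # live exception
    Flow(WEB, "dmz", DB, "prod-data", 5432, "tcp", 3),  # no rule at all
]

TODAY = date(2026, 6, 1)  # constructed reporting date


def is_live(rule, today):
    return rule.expires is None or rule.expires >= today


def _selector_matches(selector, identity, zone):
    if selector.startswith("zone:"):
        return selector[len("zone:"):] == zone
    return selector == identity


def evaluate(flow, rules, today):
    """Return the first live rule that permits the flow, else None (default deny)."""
    for r in rules:
        if not is_live(r, today) or (r.port, r.proto) != (flow.port, flow.proto):
            continue
        if (_selector_matches(r.src, flow.src_id, flow.src_zone)
                and _selector_matches(r.dst, flow.dst_id, flow.dst_zone)):
            return r
    return None


def posture_report(flows, rules, today):
    baseline = exception = denied = 0
    violations = []
    for f in flows:
        r = evaluate(f, rules, today)
        if r is None:
            denied += f.count
            violations.append(f)
        elif r.kind == "exception":
            exception += f.count
        else:
            baseline += f.count
    permitted = baseline + exception
    return {
        "violations": violations,
        "denied_records": denied,
        "expired_exceptions": [r for r in rules if r.kind == "exception" and not is_live(r, today)],
        "live_exceptions": [r for r in rules if r.kind == "exception" and is_live(r, today)],
        # Drift indicator: share of permitted traffic that depends on exceptions, not baseline policy.
        "exception_share": exception / permitted if permitted else 0.0,
    }


def run_report():
    return posture_report(FLOWS, RULES, TODAY)


if __name__ == "__main__":
    rep = run_report()
    for f in rep["violations"]:
        print(f"VIOLATION {f.src_id} -> {f.dst_id} {f.proto}/{f.port} ({f.count} records)")
    for r in rep["expired_exceptions"]:
        print(f"EXPIRED {r.ticket}: {r.src} -> {r.dst} {r.proto}/{r.port} (expired {r.expires})")
    print(f"exception share of permitted traffic: {rep['exception_share']:.2%}")
```

Two design points matter more than the code. First, an exception that has expired is simply not a rule any more, so traffic that still depends on it is reported as a violation rather than quietly tolerated; that is what turns drift into a line item someone has to answer for. Second, the rising share of permitted traffic that rides on exceptions is the single most useful drift number to put in front of the program owner each period, because it climbs long before any individual exception looks unreasonable on its own.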

What Part Two Is Likely to Add

Part Two is expected to provide technical-implementation detail. The likely contents, inferred from Part One’s signposting and from CISA’s adjacent publications, fall into four categories.

The first category is enforcement-architecture patterns: guidance on agent-based versus agent-less enforcement, service-mesh implementations, identity-aware proxy patterns, and the trade-offs between different enforcement points. CISA’s April 2026 OT zero-trust guide includes substantial detail on enforcement architecture for OT environments; Part Two is likely to extend the discussion to IT environments.

The second category is policy-design methodology: concrete guidance on how to author micro-segmentation policies, how to handle exceptions, and how to prevent policy explosion (the tendency for micro-segment policies to multiply beyond manageability).

The third category is operational-discipline guidance: specific recommendations on monitoring, drift detection, exception management, and integration with security operations centers.

The fourth category is migration patterns from Initial through Optimal: concrete sequencing for agencies at different maturity stages, with explicit advice on which capabilities to prioritize at each stage.

An agency executing the six-phase roadmap can absorb each of these four categories as Part Two is published. The roadmap structure is robust to the specific recommendations; the discovery work, the macro-segmentation, the identity foundation, and the pilot are valid regardless of what Part Two says about specific implementation patterns.

Frequently Asked Questions

Should we wait for Part Two before starting?

No. The agency maturity targets OMB M-24-14 establishes for high-value assets do not extend with Part Two’s release date. The discovery, macro-segmentation, and identity-foundation work are valid regardless of Part Two’s specific recommendations.

What about Operational Technology environments?

CISA released a dedicated OT zero-trust guide on April 29, 2026 (“Adapting Zero Trust Principles to Operational Technology”) providing substantial OT-specific guidance. OT environments require different enforcement patterns than IT environments because of latency sensitivity, deterministic behavior requirements, and legacy protocol constraints. The roadmap above applies, but the OT-specific patterns should be drawn from that April 2026 guide rather than from generic IT microsegmentation guidance.

Which tooling categories should we evaluate?

Network detection and response, service mesh platforms, workload identity services, identity-aware proxies, and microsegmentation enforcement platforms. The agency’s existing tooling often determines the natural starting point; greenfield deployments are rare in federal environments.

How does microsegmentation interact with FedRAMP-authorized cloud services?

Cloud-native microsegmentation controls (security groups, Kubernetes network policies, service meshes) are appropriate for cloud-deployed workloads, and the agency’s micro-segmentation policy should integrate with them rather than duplicate them. The FedRAMP authorization covers the provider’s side of the shared-responsibility line; how the agency configures those segmentation controls remains the agency’s responsibility and its own FISMA evidence.

What about east-west traffic in cloud environments?

East-west traffic visibility is one of the harder problems. Cloud-native flow logs, service-mesh observability, and workload-identity-aware monitoring together produce the visibility microsegmentation requires. Network detection and response tools designed for cloud environments contribute coverage that cloud-native flow logs do not provide alone.

Is microsegmentation worth the cost?

The benefits are real (reduced lateral movement, contained breach impact, improved visibility) and the cost is substantial. The cost-benefit calculation favors microsegmentation in federal environments because of the regulatory expectation, the threat profile, and the long-term operational value of the visibility produced.

The verdict. The Part Two wait is the most expensive form of inaction in federal zero-trust execution today. The Part One concepts plus the OT zero-trust technical detail CISA published in April 2026 are sufficient to begin substantive implementation. The agencies that are at Advanced maturity on high-value assets by year-end 2026 are the agencies whose discovery work was complete by Q3 2025 and whose pilot was operational by Q1 2026. The agencies that begin implementation in mid-2026 are unlikely to reach Advanced before mid-2027. The roadmap above is the closest thing to a pre-publication Part Two; the alternative is to wait, and the calendar does not reward waiting.

Discipline in preparation. Confidence in the room.

Josef Kamara, CPA, CISSP, CISA, Security+
CPA · CISSP · CISA · ACCA · Security+ · MBA

15+ years in Technology Risk Consulting, External and Internal Audit across KPMG (Financial Audit), BDO (Third-Party Risk Management Practice Lead), and Stryker (Head of SOX IT Audit). Founded The Audit Defense Library in 2024 after 50+ SOC 1, SOC 2, HITRUST, and HIPAA attestation engagements plus multiple SOX and IT assurance projects.
