Civilian federal agencies and public sector organizations do not deliver mission outcomes from a single headquarters. A great deal of work happens across field offices, regional hubs, public-facing service centers, labs, depots, and temporary sites that stand up fast when priorities change.

But branch security has not kept pace. Many agencies are still managing a mix of firewalls, VPNs, MPLS, NAC, and traditional SD-WAN that was built for a different era. That legacy model creates three recurring problems: an expanding attack surface, growing operational overhead, and too much implicit trust inside and between sites. In a world where ransomware spreads fast and agencies support more devices than ever, that combination is difficult to sustain.

Today, we are announcing that Zscaler Zero Trust Branch is available in FedRAMP Moderate. This milestone helps civilian agencies extend the Zscaler Zero Trust Exchange to distributed locations: securing internet access with Zscaler Internet Access (ZIA), securing private application access with Zscaler Private Access (ZPA), and reducing lateral movement inside sites with device segmentation.

Accelerating TIC 3.0 for the Modern Branch

For federal agencies, this availability provides a direct path to meeting CISA's Trusted Internet Connections (TIC) 3.0 Branch Office Use Case. By moving security to the edge, Zscaler Zero Trust Branch enables the local breakout architecture patterns defined by CISA. This allows branch users to securely access the web and agency-sanctioned CSPs directly, ensuring policy parity with the main campus without the latency and complexity of backhauling traffic.

What Zero Trust Branch is

Zero Trust Branch replaces complex, hardware-heavy branch designs with a simpler approach: connect the site to the Zscaler Zero Trust Exchange and enforce policy in the cloud. It is designed for zero-touch provisioning, aligning with TIC 3.0's emphasis on automated configuration management. You define a site, activate the appliance, and it establishes secure outbound connectivity to the Zero Trust Exchange. From there, agencies can apply consistent ZIA and ZPA policies by location, fulfilling TIC 3.0 segmentation architectures. This approach effectively isolates networks and limits lateral

Use cases agencies can put to work

Use case 1: Secure internet and SaaS access from every location (ZIA)

Branches need direct access to the internet and SaaS applications, but legacy designs often force a tradeoff between performance and consistent security. With Zero Trust Branch, site traffic can be forwarded to ZIA for cloud-delivered inspection and policy enforcement, scoped by location.

Where this helps:
- Regional offices and public-facing service centers that need consistent web controls
- Small field sites that need enterprise-grade protection without enterprise-grade complexity
- Training facilities and shared workspaces where user populations change frequently

Use case 2: Replace VPN sprawl with least-privilege access to private apps (ZPA)

Site-to-site VPNs and routed overlays tend to connect more than intended. They expand access, complicate audits, and increase blast radius. With Zero Trust Branch and ZPA, agencies can provide access to private applications based on policy, rather than extending network trust to broad subnets.

Where this helps:
- Field offices that need access to specific mission applications, not entire networks
- Temporary and surge locations that need fast, tightly scoped connectivity
- Partner and contractor-connected environments where least privilege is non-negotiable

Use case 3: Contain incidents by stopping lateral movement inside the site

Many branch incidents escalate because once a device is compromised, attackers move east-west across the local network. Branches also contain devices that cannot run agents or be managed like standard endpoints.

Zero Trust Branch supports device segmentation by acting as a DHCP server to discover devices and place each device into a network of one using a /32 approach when possible, with support for variable subnet lengths when needed. Administrators can tag devices and write policy so only required communications are allowed, while everything else is blocked by default.

Where this helps:
- Citizen-facing service centers with shared workstations, printers, and kiosks
- Regional offices where one compromised endpoint should not reach peer systems
- High device-density sites where VLAN-based segmentation becomes hard to maintain

Zero Trust Branch also supports a Ransomware Killswitch concept. Policies can be color-coded, and during suspicious activity, teams can quickly tighten enforcement to reduce blast radius and limit lateral spread.

Use case 4: OT and IoT segmentation in civilian agency facilities

OT and IoT are now part of the civilian agency footprint: cameras, badge systems, kiosks, building management, environmental sensors, and specialized devices that are hard to patch and must stay online. These systems are often essential to facility operations, but they can also become an easy pivot point when they share space with user networks.

Zero Trust Branch helps agencies discover these devices, group them with tags, and enforce least-privilege communications so OT and IoT can operate without becoming a lateral movement path.

Where this helps:
- Public-facing facilities with kiosks, cameras, and mixed device populations
- Administrative buildings with physical security and building management systems
- Labs and specialized sites where equipment has limited patch windows

Use case 5: SD-WAN modernization with simpler operations

Zero Trust Branch can be deployed in one-arm mode alongside an existing SD-WAN, or in gateway mode to terminate multiple internet links and load balance traffic. Unlike traditional approaches, Zero Trust Branch establishes outbound tunnels to the Zero Trust Exchange and does not rely on publicly exposed routes at each site. That reduces what attackers can discover and target and supports a cleaner branch model.

Where this helps:
- Remote and rural field sites that need resilient connectivity across multiple internet links
- Agencies modernizing from MPLS and site-to-site VPNs toward simpler, cloud-first connectivity
- Locations with limited on-site IT that need standardized operations and faster troubleshooting

Use case 6: Private apps hosted at the branch, without adding infrastructure

Some agency locations still host local applications or services. But not every site has servers available to run additional components. With Zero Trust Branch, each appliance can run an App Connector, supporting ZPA access to branch-hosted applications without adding separate infrastructure and without shifting back to inbound access models.

Where this helps:
- Small offices and clinics that need access to branch-hosted systems but have no virtualization footprint
- Sites with legacy applications that cannot move to the cloud yet, but still require least-privilege access
- Temporary or space-constrained locations where adding servers is not practical

The bottom line

With Zero Trust Branch available in FedRAMP Moderate, civilian agencies can modernize how they secure distributed locations with a policy-driven model that is easier to roll out, easier to operate, and built to reduce lateral movement. It is a practical path away from firewall sprawl and VPN complexity, and toward consistent security outcomes across the places where government work actually gets done.

Want to learn more about FedRAMP Authorized Zero Trust Branch? Contact our sales team and we'll walk through the capabilities and your specific requirements.
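To make the device segmentation model from use cases 3 and 4 concrete, here is an added illustration (not Zscaler code, and not how the product is implemented): each discovered device becomes a /32 "network of one", devices carry tags, only tag-to-tag rules permit traffic, everything else is denied, and a killswitch mode drops every rule not marked essential. The device names, tags, ports and rules are constructed sample data.

```python
"""Toy model of tag-based device segmentation with default deny and a killswitch."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Device:
    name: str
    ip: ipaddress.IPv4Address
    tags: frozenset


@dataclass(frozen=True)
class Rule:
    src_tag: str
    dst_tag: str
    dst_port: int
    essential: bool = False  # only essential rules survive the killswitch


def discover(leases):
    """Turn (name, ip, tags) lease records into per-device /32 entries."""
    devices = {}
    for name, ip, tags in leases:
        net = ipaddress.ip_network(f"{ip}/32")  # network of one: no peers share it
        devices[name] = Device(name, net.network_address, frozenset(tags))
    return devices


def is_allowed(devices, rules, src, dst, port, killswitch=False):
    """Default deny: a flow passes only if some active rule matches its tags and port."""
    s, d = devices[src], devices[dst]
    for r in rules:
        if killswitch and not r.essential:
            continue  # killswitch: tighten to the essential rule set only
        if r.src_tag in s.tags and r.dst_tag in d.tags and r.dst_port == port:
            return True
    return False


# Constructed sample site: two workstations, a printer, a camera and its recorder.
LEASES = [("ws-1", "10.1.0.10", {"workstation"}), ("ws-2", "10.1.0.11", {"workstation"}),
          ("prn-1", "10.1.0.20", {"printer"}), ("cam-1", "10.1.0.30", {"camera", "iot"}),
          ("nvr-1", "10.1.0.40", {"nvr"})]
RULES = [Rule("workstation", "printer", 9100), Rule("camera", "nvr", 554, essential=True)]
DEVICES = discover(LEASES)


def evaluate(flows, killswitch=False):
    """Return {(src, dst, port): allowed} for a list of constructed flows."""
    return {f: is_allowed(DEVICES, RULES, *f, killswitch=killswitch) for f in flows}
```

Note that ws-1 and ws-2 sit in what was one subnet, yet peer traffic between them is denied because no rule allows workstation-to-workstation communication.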