Zscaler Blog
Zero Trust Branch Is Now Available in FedRAMP Moderate
Civilian federal agencies and public sector organizations do not deliver mission outcomes from a single headquarters. A great deal of work happens across field offices, regional hubs, public-facing service centers, labs, depots, and temporary sites that stand up fast when priorities change.
But branch security has not kept pace. Many agencies are still managing a mix of firewalls, VPNs, MPLS, NAC, and traditional SD-WAN that was built for a different era. That legacy model creates three recurring problems: expanding attack surface, growing operational overhead, and too much implicit trust inside and between sites. In a world where ransomware spreads fast and agencies support more devices than ever, that combination is difficult to sustain.
Today, we are announcing that Zscaler Zero Trust Branch is available in FedRAMP Moderate. This milestone helps civilian agencies extend the Zscaler Zero Trust Exchange to distributed locations to secure internet access with Zscaler Internet Access (ZIA), secure private application access with Zscaler Private Access (ZPA), and reduce lateral movement inside sites with device segmentation.
Accelerating TIC 3.0 for the Modern Branch
For federal agencies, this availability provides a direct path to meeting CISA’s Trusted Internet Connections (TIC) 3.0 Branch Office Use Case. By moving security to the edge, Zscaler Zero Trust Branch enables the local breakout architecture patterns defined by CISA. This allows branch users to securely access the web and agency-sanctioned CSPs directly, ensuring policy parity with the main campus without the latency and complexity of backhauling traffic.
What Zero Trust Branch is
Zscaler Zero Trust Branch securely connects and segments your branches and campuses without the complexity of VPNs or overlay routing. It enables zero trust access from users and OT/IoT devices to applications based on your organization’s security policies. By combining the power of Zscaler’s industry-leading Zero Trust Exchange platform with an integrated Branch Appliance deployed in branches and campuses, organizations can embrace a secure access service edge (SASE) framework, segment critical OT/IoT devices and enable a café-like branch.
Zero Trust Branch replaces complex, hardware-heavy branch designs with a simpler approach: connect the site to the Zscaler Zero Trust Exchange and enforce policy in the cloud. It is designed for zero-touch provisioning, aligning with TIC 3.0’s emphasis on automated configuration management. You define a site, activate the appliance, and it establishes secure outbound connectivity to the Zero Trust Exchange.
From there, agencies apply consistent ZIA and ZPA policies per location, which is the segmentation the TIC 3.0 Branch Office Use Case calls for: a site gets outbound connectivity to the Zero Trust Exchange and policy-scoped access to private applications through ZPA, not a routed path into other sites. A compromised site therefore has no implicit network adjacency to pivot across, which limits lateral movement between locations.
Use cases agencies can put to work
Use case 1: Secure internet and SaaS access from every location (ZIA)
Branches need direct access to the internet and SaaS applications, but legacy designs often force a tradeoff between performance and consistent security. With Zero Trust Branch, site traffic can be forwarded to ZIA for cloud-delivered inspection and policy enforcement, scoped by location.
Where this helps:
- Regional offices and public-facing service centers that need consistent web controls
- Small field sites that need enterprise-grade protection without enterprise-grade complexity
- Training facilities and shared workspaces where user populations change frequently
Use case 2: Replace VPN sprawl with least-privilege access to private apps (ZPA)
Site-to-site VPNs and routed overlays tend to connect more than intended. They expand access, complicate audits, and increase blast radius. With Zero Trust Branch and ZPA, agencies can provide access to private applications based on policy, rather than extending network trust to broad subnets.
Where this helps:
- Field offices that need access to specific mission applications, not entire networks
- Temporary and surge locations that need fast, tightly scoped connectivity
- Partner and contractor-connected environments where least privilege is non-negotiable
Use case 3: Contain incidents by stopping lateral movement inside the site
Many branch incidents escalate because once a device is compromised, attackers move east-west across the local network. Branches also contain devices that cannot run agents or be managed like standard endpoints.
Zero Trust Branch supports device segmentation by acting as the site’s DHCP server: it discovers devices as they request addresses and places each one in a network of one, handing out a /32 lease where possible, with other prefix lengths supported where a device or group of devices needs them. With a /32 lease a device has no on-link peers, so even traffic to the neighbor on the same switch has to cross the appliance, where policy is enforced. Administrators tag devices and write policy so only the required communications are allowed; everything else is blocked by default. Note that discovery through DHCP only covers devices that request a lease; statically addressed devices still have to be accounted for and tagged.
Where this helps:
- Citizen-facing service centers with shared workstations, printers, and kiosks
- Regional offices where one compromised endpoint should not reach peer systems
- High device-density sites where VLAN-based segmentation becomes hard to maintain
Zero Trust Branch also supports a Ransomware Killswitch concept: policy sets can be color-coded, and during suspicious activity teams can switch to the stricter set to tighten enforcement at once, reducing blast radius and limiting lateral spread without rewriting rules mid-incident.
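To make the "network of one" and default-deny tagging ideas concrete, here is an added Python illustration written for this page. It is not Zscaler code and does not show how the Branch Appliance is implemented. It models a branch inventory whose DHCP leases carry a prefix length, computes which peers a host can reach without the gateway ever seeing the packet, and evaluates a tag-based allow list with default deny. The kill switch is modelled as keeping only rules flagged essential, which is an assumption about the concept rather than documented product behaviour. Device names, addresses, tags and ports are constructed sample data.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network


@dataclass(frozen=True)
class Device:
    name: str
    ip: str           # address handed out by the branch DHCP server
    tags: frozenset   # administrator-assigned tags that policy refers to


@dataclass(frozen=True)
class Rule:
    src_tag: str
    dst_tag: str
    allowed: frozenset       # (protocol, port) pairs the rule permits
    essential: bool = False  # kept when the kill switch is pulled (modelling assumption)


# Constructed sample inventory for one branch; addresses and tags are made up.
DEVICES = {
    "ws-1": Device("ws-1", "10.20.0.12", frozenset({"workstation"})),
    "printer-1": Device("printer-1", "10.20.0.10", frozenset({"printer"})),
    "kiosk-1": Device("kiosk-1", "10.20.0.11", frozenset({"kiosk"})),
    "camera-1": Device("camera-1", "10.20.0.13", frozenset({"camera", "ot"})),
    "nvr-1": Device("nvr-1", "10.20.0.20", frozenset({"nvr", "ot"})),
}

# Allow list; any flow not matched here is dropped.
RULES = [
    Rule("workstation", "printer", frozenset({("tcp", 9100), ("tcp", 631)})),
    Rule("kiosk", "printer", frozenset({("tcp", 9100)})),
    Rule("camera", "nvr", frozenset({("tcp", 554)}), essential=True),
]


def direct_peers(name: str, prefix_len: int) -> list:
    """Addresses the named device can reach on-link, without the gateway seeing the packet.

    The lease's prefix length decides the on-link network: with /24 the whole branch is
    reachable by ARP; with /32 the host's own address is the entire network and every
    packet, even one for the neighbour on the same switch, is sent to the gateway.
    """
    me = DEVICES[name]
    on_link = IPv4Network(f"{me.ip}/{prefix_len}", strict=False)
    return sorted(d.ip for d in DEVICES.values()
                  if d.name != name and IPv4Address(d.ip) in on_link)


def bypass_pairs(prefix_len: int) -> int:
    """Number of ordered device pairs whose traffic would never traverse the gateway."""
    return sum(len(direct_peers(n, prefix_len)) for n in DEVICES)


def is_allowed(src: str, dst: str, proto: str, port: int, killswitch: bool = False) -> bool:
    """Gateway decision for one flow from src to dst. Unmatched flows are denied."""
    s, d = DEVICES[src], DEVICES[dst]
    for rule in RULES:
        if killswitch and not rule.essential:
            continue  # tightened mode keeps only the essential communications
        if rule.src_tag in s.tags and rule.dst_tag in d.tags and (proto, port) in rule.allowed:
            return True
    return False


if __name__ == "__main__":
    for plen in (24, 29, 32):
        print(f"/{plen}: {bypass_pairs(plen)} device pairs bypass the gateway")
    print("ws-1 -> printer-1 tcp/9100:", is_allowed("ws-1", "printer-1", "tcp", 9100))
    print("ws-1 -> kiosk-1 tcp/445:", is_allowed("ws-1", "kiosk-1", "tcp", 445))
    print("ws-1 -> printer-1 tcp/9100 (kill switch):",
          is_allowed("ws-1", "printer-1", "tcp", 9100, killswitch=True))
    print("camera-1 -> nvr-1 tcp/554 (kill switch):",
          is_allowed("camera-1", "nvr-1", "tcp", 554, killswitch=True))
```

The number to watch is `bypass_pairs`: with /24 leases all 20 ordered pairs among the five sample devices can talk by ARP with no policy check; a /29 still leaves 12; only /32 brings it to zero, which is why the appliance reaches for /32 first and falls back to other prefix lengths only when a device needs them. The rule evaluation is directional and default deny, so a printer that has been compromised cannot open a connection back to the workstation even though the reverse flow is permitted.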
Use case 4: OT and IoT segmentation in civilian agency facilities
OT and IoT are now part of the civilian agency footprint: cameras, badge systems, kiosks, building management, environmental sensors, and specialized devices that are hard to patch and must stay online. These systems are often essential to facility operations, but they can also become an easy pivot point when they share space with user networks.
Zero Trust Branch helps agencies discover these devices, group them with tags, and enforce least-privilege communications so OT and IoT can operate without becoming a lateral movement path.
Where this helps:
- Public-facing facilities with kiosks, cameras, and mixed device populations
- Administrative buildings with physical security and building management systems
- Labs and specialized sites where equipment has limited patch windows
Use case 5: SD-WAN modernization with simpler operations
Zero Trust Branch can be deployed in one-arm mode alongside an existing SD-WAN, or in gateway mode to terminate multiple internet links and load balance traffic.
Unlike traditional approaches, Zero Trust Branch establishes outbound tunnels to the Zero Trust Exchange and does not depend on publicly exposed routes or inbound listeners at each site. That removes the site from what attackers can discover and target from the internet and supports a cleaner branch model.
Where this helps:
- Remote and rural field sites that need resilient connectivity across multiple internet links
- Agencies modernizing from MPLS and site-to-site VPNs toward simpler, cloud-first connectivity
- Locations with limited on-site IT that need standardized operations and faster troubleshooting
Use case 6: Private apps hosted at the branch, without adding infrastructure
Some agency locations still host local applications or services. But not every site has servers available to run additional components.
With Zero Trust Branch, each appliance can run an App Connector, supporting ZPA access to branch-hosted applications without adding separate infrastructure and without shifting back to inbound access models.
Where this helps:
- Small offices and clinics that need access to branch-hosted systems but have no virtualization footprint
- Sites with legacy applications that cannot move to the cloud yet, but still require least-privilege access
- Temporary or space-constrained locations where adding servers is not practical
The bottom line
With Zero Trust Branch available in FedRAMP Moderate, civilian agencies can modernize how they secure distributed locations with a policy-driven model that is easier to roll out, easier to operate, and built to reduce lateral movement. It is a practical path away from firewall sprawl and VPN complexity, and toward consistent security outcomes across the places where government work actually gets done.
Want to learn more about FedRAMP Authorized Zero Trust Branch? Contact our sales team and we’ll walk through the capabilities and your specific requirements.
Disclaimer: This blog post was created by Zscaler for informational purposes only and is provided without any guarantee of accuracy, completeness, or reliability. Zscaler accepts no responsibility for any errors or omissions, or for actions taken on the basis of the information provided. Any third-party websites or resources linked in this blog post are provided for your information only, and Zscaler is not responsible for their content or privacy practices. All content is subject to change without notice. By accessing this blog post, you agree to these terms and acknowledge that it is your responsibility to verify the information and use it in a manner appropriate to your needs.