With federal agencies moving to zero trust security architectures, the Cybersecurity and Infrastructure Security Agency (CISA) has released a guide to help them make the transition.
Published on June 24, the guide is aimed at supporting federal civilian agencies as they advance zero trust capabilities and adopt modern architectures supported under the Trusted Internet Connections (TIC) 3.0 Initiative, CISA said in a press release.
Following the guide, CISA said, will enable agencies to better understand, plan, and mature to zero trust architectures, while increasing visibility and control.
“CISA continues to support federal agencies and the broader cybersecurity ecosystem with their continued adoption of zero trust network capabilities to meet mission needs and the evolving cyber threat landscape,” said Chris Butera, the agency’s acting executive assistant director for cybersecurity. “With this guide, CISA helps agencies realize the benefits of zero trust architectures and the flexibilities of TIC 3.0.”
Federal agencies have been moving toward zero trust security since former President Joe Biden’s 2021 executive order on cybersecurity, but the TIC initiative predates that push: the government introduced it in 2007.
Initially, TIC tried to standardize network security and consolidate data circuits across federal agencies, a centralized approach considered effective at the time in safeguarding web, email, and network perimeters.
But as workloads, applications, and access migrated to the web, TIC 3.0 was introduced in 2019 to acknowledge the shift.
TIC 3.0 “facilitates agencies’ transition from traditional perimeter-based solutions, such as Managed Trusted Internet Protocol Service (MTIPS) and legacy VPNs and firewall stacks, to modern SASE and Security Service Edge (SSE) platforms,” Sean Connelly, a former CISA TIC program manager who is now a senior official at Zscaler, wrote in 2024.
Yet many legacy architectures still rely on perimeter-based security models such as TIC 2.0 that route traffic through centralized controls. CISA said those legacy models have “shortcomings” that make it challenging to keep up with “today’s rapidly evolving threat landscape and organizations’ shift to more distributed business models with cloud capabilities and remote workforces.”
The new guide, CISA said in the press release, “helps agencies transition away from the limitations of using TIC 2.0 and capitalize on TIC 3.0 flexibilities to employ Secure Access Service Edge (SASE) solutions.”
While the guide was based on CISA’s work with federal agencies, CISA said it could also benefit state and local governments and critical infrastructure entities as they transition to zero trust.