Zscaler Blog



Enhancing Military and Veteran Health IT Security With TIC 3: Transformation and Lessons Learned

SEAN CONNELLY
October 30, 2025 - 6 min read

As someone who has spent decades in federal IT cybersecurity—most notably at CISA, where I had the chance to lead the TIC 3 initiative—my career has been a front-row seat to the evolving challenges federal agencies face in keeping networks secure. Despite rapid advancements, the gaps between outdated legacy infrastructure and the shape of modern cybersecurity have remained all too obvious. For military and veteran health IT professionals, the stakes are even higher: the challenge is not only to secure critical government data but to do so while maintaining an unwavering focus on mission resilience and public service.

It was with these challenges in mind that we designed the Trusted Internet Connections 3 (TIC 3) framework. Since rolling it out, I’ve seen firsthand how this architecture is transforming how federal agencies protect their systems while seamlessly advancing their missions. Let me walk you through how TIC 3 is changing the game, highlight lessons learned along the way, and illustrate one agency’s journey through this complex but rewarding transformation.

The Desperate Need for Change

In the mid-2000s, when the White House initiated a data call to assess agencies' external internet connections, the outcome was startling: agencies reported over 4,000 individual connections. This degree of sprawl reflected a fragmented cybersecurity environment, where security protocols and technologies varied widely from agency to agency. The numbers immediately raised red flags, and the government acted quickly to develop the first wave of the Trusted Internet Connections framework—TIC 1.

TIC 2 expanded upon these measures in 2012 by instituting stronger, centralized controls through fixed access points. However, the solution introduced its own set of constraints. TIC 2 created what many industry experts call the "TIC Tax"—a bottleneck effect, where agencies had to route traffic through a small number of access points, often located on the East Coast. This caused latency and operational inefficiency, particularly for remote offices and mobile users. To compound the issue, TIC 2 wasn’t built to accommodate emerging modern technologies such as cloud computing and mobile architectures.

I observed this firsthand during my tenure at CISA. As cloud adoption accelerated and interagency collaboration became increasingly digital, it became clear that TIC 2 was no longer sustainable. Enter TIC 3: the modern, flexible framework officially announced in OMB Memo 19-26 in 2019.

TIC 3’s Game-Changing Approach

At its core, TIC 3 builds on its predecessors but sacrifices rigidity for flexibility and agility. Agencies are no longer required to force all traffic through central aggregation points. Instead, they can adopt distributed architectures with the flexibility and freedom to design security perimeters and access points tailored to their specific needs, whether for remote users, edge computing, or cloud-based systems.

One of TIC 3's primary strengths lies in its alignment with other modernization efforts, such as the Zero Trust cybersecurity model, a key focus of CISA during my time at the agency. The TIC 3 framework syncs with OMB Memo 22-09 and CISA’s Zero Trust Maturity Model, seamlessly integrating into agencies’ broader efforts to deploy scalable, secure, and reliable systems.

Moreover, TIC 3 empowers scalability and transformation while reducing costs. Agencies transitioning from expensive, private MPLS networks are finding that TIC 3 allows them to adopt broadband connections, thereby lowering costs while simultaneously improving performance for remote and international users. According to a 2023 report by Deloitte, cloud adoption by public sector organizations is estimated to save agencies between 30% and 40% in IT infrastructure costs. This is a promise TIC 3 delivers on in measurable ways.

A Real-World TIC 3 Deployment: Lessons from the Trenches

During the webinar, Joe Swanson, President of Implicit Solutions, and I detailed one real-world example of a federal agency's journey through TIC 3 adoption. This agency, burdened with a fragmented, outdated MPLS framework that served over 1,500 locations globally, faced significant user experience challenges. Internal users on the West Coast were required to route traffic to East Coast access points, resulting in slow load times. The cumbersome process of making even small changes to their network required coordination with multiple layers of bureaucracy.

This agency began with a clear vision: improve performance for end users, enhance flexibility, and slash costs. Defining these goals upfront was critical, as implementing TIC 3 involves a phased approach. Their first step was setting up interconnection points (ICPs) on the East and West Coasts, allowing them to route regional traffic more effectively. To begin lessening their reliance on MPLS circuits, they transitioned to broadband internet and piloted 4G LTE, fiber, and satellite options.

When the COVID-19 pandemic hit, the changes underwent a major stress test—150,000 employees, originally working on-premises, had to go remote virtually overnight. Their newly installed TIC 3 architecture—with Zscaler Private Access (ZPA) replacing the traditional VPN—handled the sudden traffic surge without major disruption. Employees from either coast could seamlessly connect to the nearest data center or a private Zscaler node, dramatically improving performance.

But the benefits of TIC 3 went beyond pandemic resilience. As the agency progressed, it replaced cumbersome proxies and optimized traffic routing through secure, cloud-first solutions such as Zscaler Internet Access (ZIA). The financial payoff was as clear as the performance gains: spending on circuits and TIC infrastructure dropped substantially, and the agency was able to reinvest those cost savings by upgrading their broadband connections to achieve even higher capacities.

Adapting to a Cultural Shift

As with any transformation, it wasn’t all smooth sailing, and some of the challenges we faced during this transition were cultural rather than technical. Moving away from hardware firewalls, MPLS circuits, and traditional monitoring solutions like packet capture required IT teams to adopt a different mindset. Some employees, for example, were skeptical about using zero trust frameworks like ZPA because there was a common misconception that employing zero trust principles would blind them. My advice? Strong leadership and consistent training help to mitigate this hesitation and build trust in the new systems.

Enabling Mission Resilience

For agencies adopting TIC 3, security no longer has to be an “add-on” that slows down operations. TIC 3 is not just a reframing of security—it’s a platform for mission resilience. Whether by providing seamless experiences for remote users, enabling agencies to better collaborate across networks, or enhancing compliance with visibility requirements through solutions like CISA’s CLAW logging system, TIC 3 ensures that agencies can protect what’s important while focusing on their core missions.

TIC 3, paired with zero trust policies and cloud-forward strategies, will continue to provide federal agencies with both flexibility and robust security for years to come. Though the path to modernization requires significant effort and overcoming cultural hurdles, the journey is worth it—and it’s one I’m proud to have been part of.

If you couldn’t attend the live webinar, you can watch it on demand. This webinar is the first session in the Federal Health Webinar Series. Don’t miss the second webinar, Zero Trust: Reinforcing Cyber Resilience for Military and Veteran Health Systems, on November 13, 2025, at 1:00 PM ET. You can register for this webinar here.

Thank you for joining us as we shape the future of secure and resilient technology for military and veteran health systems. Let’s continue this conversation and build solutions that strengthen our government’s cybersecurity for years to come.

 

References:

  1. OMB M-19-26, "Update to the Trusted Internet Connections (TIC) Initiative"
  2. Deloitte 2023 Public Sector Cloud Report, "Cloud Cost Savings in Government"
  3. CISA Zero Trust Maturity Model
  4. OMB Memo 22-09, "Moving the U.S. Government Toward Zero Trust Cybersecurity Principles"

Disclaimer: This blog post was created by Zscaler for informational purposes only and is provided "as is", without any warranties of accuracy, completeness, or reliability. Zscaler is not responsible for any errors, omissions, or for any actions taken based on the information provided. Any third-party websites or resources linked in this post are provided for your convenience only, and Zscaler is not responsible for their content or practices. All content is subject to change without notice. By accessing this blog, you agree to these terms and acknowledge that it is your sole responsibility to verify and use the information as appropriate for your needs.
