Trusted Internet Connections (TIC) 3.0 is a US federal government program focused on IT modernization and stronger security capabilities in federal network architectures. By encouraging adoption of cloud services and zero trust architecture for greater scalability and operational agility, TIC 3.0 fosters a more flexible, risk-based approach than previous versions of the TIC program, which depended heavily on hub-and-spoke networks and perimeter-centric security.
TIC 3.0 de-emphasizes strict requirements compared to previous iterations of the TIC initiative. The Cybersecurity and Infrastructure Security Agency (CISA) explained this in the 2021 “TIC Core Guidance Volume 1: Program Guidebook”:
“The past iterations of the program focused on securing traffic at the physical agency network perimeter through a limited number of secured access points that had a required set of security appliances and services. With advances in technology, the federal IT landscape has shifted markedly since the TIC program’s initiation in 2007, rendering this one-size-fits-all approach inflexible and counterproductive to meet the demands to modernize and move to the cloud.”
By shifting to a guideline-based strategy, TIC 3.0 acknowledges that the varied use cases and risk profiles among different agencies warrant greater nuance and flexibility in order to lower the barriers to effective modernization.
The shift from TIC 2.0 to TIC 3.0 represents a significant evolution for US federal agencies, reflecting the changing cybersecurity landscape and digital environment:
Building on the goal of the TIC Initiative to secure external network connections, TIC 3.0 aims to help agencies transition from perimeter-based security models to a zero trust architecture (ZTA). This approach assumes that no user or device should be trusted by default, granting access to resources based on continuous verification of identity, device health, and other contextual factors. This is one of many ways ZTA provides granular control and reduces the risk of unauthorized access.
Zero trust is a framework for securing organizations in the cloud and mobile world that asserts no user or application should be trusted by default. Following a key zero trust principle, least-privileged access, trust is established based on context (e.g., user identity and location, the security posture of the endpoint, the app or service being requested) with policy checks at each step.
Zero trust and TIC 3.0 are inextricably tied. TIC 3.0 encourages agencies to adopt a zero trust architecture (ZTA) to improve security, particularly when leveraging cloud services and remote access. Implementing zero trust will help agencies strengthen their security posture with continuous, context-driven verification, aligning with the risk-based security approach of TIC 3.0.
TIC 3.0 core guidance covers four use cases in the Use Case Handbook.
The five security objectives of TIC 3.0 are stated in “TIC Core Guidance Volume 2: Reference Architecture.”
Adopting a zero trust architecture is the most effective step agencies can take toward meeting the objectives of TIC 3.0. It is a fundamental shift in how agencies secure their resources, away from decades of investment in, and accumulated expertise with, perimeter-based infrastructure.
Successful transformation requires coordination—across not only an agency’s networking, security, IT, and other personnel, but also with trusted technology providers offering FedRAMP Authorized services.
Zscaler operates the most accredited security cloud in the world and is one of only six cloud vendors with FedRAMP Moderate, FedRAMP High JAB, DoD IL5, and StateRAMP authorization, including accreditation profiles for CJIS and HIPAA. This attests that Zscaler technologies have passed some of the industry’s most rigorous and stringent evaluations in support of government agencies’ digital transformation and security.
Zscaler’s cloud native platform enables agencies to securely connect their users to applications and data anywhere, supporting TIC 3.0 by providing:
Zscaler supports the CISA Cloud Log Aggregation Warehouse (CLAW) with Cloud NSS, which allows agencies to instantly stream logs from Zscaler Internet Access™ (ZIA™) directly into a compatible cloud-based security information and event management (SIEM) system.
CISA Protective DNS
Zscaler supports CISA's Protective DNS with DNS Gateway, which translates all plaintext DNS requests to DNS over HTTPS (DoH) for privacy and security. It also directs DoH traffic to Protective DNS (PDNS) resolvers that analyze and block requests to malicious domains.
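To make concrete what a DNS gateway in front of a protective resolver does, here is an added example; it is not Zscaler's DNS Gateway or CISA's PDNS service. It builds a DNS query in wire format, encodes it in the RFC 8484 DoH GET form (so an on-path observer sees only an HTTPS request), and shows a toy protective resolver answering NXDOMAIN for a blocklisted name and passing everything else upstream. The blocklist entries and query names are constructed for the illustration.

```python
"""DNS query -> DoH encoding -> protective resolver decision (added example, not Zscaler code)."""
import base64
import struct


def build_query(qname: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Build a minimal RFC 1035 query: 12-byte header (RD=1) plus one question (class IN)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    name = b"".join(bytes([len(label)]) + label.encode("ascii")
                    for label in qname.rstrip(".").split("."))
    return header + name + b"\x00" + struct.pack("!HH", qtype, 1)


def parse_qname(msg: bytes) -> str:
    """Read the question name from a wire-format message (question names are never compressed)."""
    i, labels = 12, []
    while msg[i] != 0:
        n = msg[i]
        labels.append(msg[i + 1:i + 1 + n].decode("ascii"))
        i += 1 + n
    return ".".join(labels)


def doh_get_path(msg: bytes) -> str:
    """RFC 8484 GET form: the message is base64url-encoded without padding in the 'dns' parameter."""
    return "/dns-query?dns=" + base64.urlsafe_b64encode(msg).rstrip(b"=").decode("ascii")


def doh_decode(path: str) -> bytes:
    """Inverse of doh_get_path (restores the stripped padding before decoding)."""
    b64 = path.split("dns=", 1)[1]
    return base64.urlsafe_b64decode(b64 + "=" * (-len(b64) % 4))


def is_blocked(qname: str, blocklist) -> bool:
    """Match the name itself or any subdomain of a blocklisted domain, case-insensitively."""
    q = qname.lower().rstrip(".")
    return any(q == d or q.endswith("." + d) for d in blocklist)


def pdns_respond(msg: bytes, blocklist):
    """Toy protective resolver: NXDOMAIN for blocked names; None means 'forward upstream'."""
    if not is_blocked(parse_qname(msg), blocklist):
        return None
    # Flags 0x8183 = QR=1 (response), RD=1, RA=1, RCODE=3 (NXDOMAIN). Echo the transaction ID
    # and the question section so the client can match the answer to its query.
    header = msg[:2] + struct.pack("!HHHHH", 0x8183, 1, 0, 0, 0)
    return header + msg[12:]


def rcode(msg: bytes) -> int:
    """Low four bits of the flags word carry the response code."""
    return struct.unpack("!H", msg[2:4])[0] & 0x0F


BLOCKLIST = {"evil.example", "c2.example.net"}  # constructed for the illustration

if __name__ == "__main__":
    for name in ("www.evil.example", "cisa.gov"):
        q = build_query(name)
        print(name, doh_get_path(q))
        r = pdns_respond(q, BLOCKLIST)
        print("  ->", "NXDOMAIN (blocked)" if r else "forward upstream")
```

A real gateway would send the encoded message over TLS to the resolver and relay the answer; the point here is that the policy decision is made on the parsed question name, and that the transport to the resolver is HTTPS rather than plaintext UDP port 53.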
The Zscaler platform provides standards-based integration with central identity providers via SAML for authentication and leverages SCIM for provisioning and deprovisioning.
ZIA supports role-based access control in line with the principle of least privilege. Additionally, ZIA secures connectivity to the web and SaaS applications while the user is off the agency network and delivers a central point for workload traffic egress.
Zscaler Private Access™ (ZPA™) implements zero trust access to internal applications hosted in the cloud or data center by combining policy- and attribute-based access controls that evaluate user, device, and application context together with risk. Segmentation is enforced per application at the policy level, connecting an authorized user to a specific application rather than placing the user on the network.
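The context-driven, least-privilege decision described above, and in the zero trust definition earlier on this page, can be sketched as a small policy evaluator. This is an added illustrative example, not ZPA's policy engine: the rule fields, the group and application names, and the device posture attributes are assumptions chosen for the illustration.

```python
"""Context-based access decision with default deny (added example; not ZPA's policy engine)."""
from dataclasses import dataclass, replace
from typing import Iterable, List, Tuple


@dataclass(frozen=True)
class Context:
    """What a zero trust broker knows at request time: who, from what device, for which app."""
    user: str
    groups: frozenset          # group membership from the identity provider
    app: str                   # the requested application, never a network or subnet
    device_managed: bool       # assumed posture attribute: device is enrolled/managed
    posture_ok: bool           # assumed posture attribute: e.g. EDR running, disk encrypted
    mfa_verified: bool         # strong authentication completed in this session


@dataclass(frozen=True)
class Rule:
    name: str
    app: str
    groups: frozenset          # the user must belong to at least one of these
    require_managed: bool = True
    require_posture: bool = True
    require_mfa: bool = False


def evaluate(rules: Iterable[Rule], ctx: Context) -> Tuple[str, str]:
    """First rule matching (app, group) decides; every condition must hold; no match means deny."""
    for rule in rules:
        if rule.app != ctx.app or not (rule.groups & ctx.groups):
            continue
        if rule.require_managed and not ctx.device_managed:
            return "deny", f"{rule.name}: device is not managed"
        if rule.require_posture and not ctx.posture_ok:
            return "deny", f"{rule.name}: device posture check failed"
        if rule.require_mfa and not ctx.mfa_verified:
            return "deny", f"{rule.name}: MFA required"
        return "allow", rule.name
    return "deny", "no matching rule (default deny)"


def reachable_apps(rules, ctx: Context, all_apps) -> List[str]:
    """Only applications the policy allows are exposed at all; the rest stay invisible to the user."""
    return sorted(a for a in all_apps if evaluate(rules, replace(ctx, app=a))[0] == "allow")


def reevaluate(rules, ctx: Context, **changed) -> Tuple[str, str]:
    """Continuous verification: the same session is re-checked whenever context changes."""
    return evaluate(rules, replace(ctx, **changed))


# Constructed sample policy and application inventory for the illustration.
RULES = [
    Rule("finance-erp", "erp.internal", frozenset({"finance"}), require_mfa=True),
    Rule("soc-siem", "siem.internal", frozenset({"soc"})),
    Rule("all-staff-wiki", "wiki.internal", frozenset({"employees"}), require_posture=False),
]
APPS = ["erp.internal", "siem.internal", "wiki.internal", "hr.internal"]

if __name__ == "__main__":
    alice = Context("alice", frozenset({"employees", "finance"}), "erp.internal", True, True, True)
    print(evaluate(RULES, alice))                      # ('allow', 'finance-erp')
    print(reachable_apps(RULES, alice, APPS))          # only erp and wiki are visible
    print(reevaluate(RULES, alice, posture_ok=False))  # posture drops -> access is denied
```

Two properties matter more than the rule syntax: an application with no matching rule is denied and never advertised to the user, and a decision is not a one-time event, since a change in device posture or authentication state flips the answer for the same user and application.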
The Zscaler platform natively encrypts data in transit using AES-256 with FIPS 140-2 validated cryptographic modules, and connects users to data and applications over an inside-out, microsegmented tunnel that is mutually authenticated and certificate pinned.
For data in motion, Zscaler Data Protection provides cloud data loss prevention (DLP) functionality. Part of the integrated Zscaler platform, Data Protection provides visibility into all traffic from all users, anywhere, and can detect and block leakage of sensitive information.
With Zscaler Data Protection, cloud DLP reduces the risk of sensitive data exposure and supports compliance efforts while improving operational efficiency through a common platform for policy management and reporting.
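An added example of the kind of content inspection a cloud DLP policy performs on outbound traffic; this is not Zscaler's detection engine. It finds candidate payment card numbers and US Social Security numbers in a message, validates card candidates with the Luhn checksum so that order numbers and similar digit strings are not reported, returns a block/allow decision, and masks the matched values for the incident record. The sample message body is constructed.

```python
"""Inline content inspection for a DLP policy (added example; not Zscaler's DLP engine)."""
import re
from typing import Dict, List

# Candidate primary account numbers: 13-19 digits with at most one space or dash between digits.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# US SSN in NNN-NN-NNNN form, excluding never-issued area (000, 666, 9xx), group (00) and serial (0000) values.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")


def luhn_ok(digits: str) -> bool:
    """Mod-10 check: real card numbers pass, most order numbers and ticket IDs do not."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        n = int(ch)
        if i % 2 == 1:                      # every second digit from the right is doubled
            n = n * 2 - 9 if n > 4 else n * 2
        total += n
    return total % 10 == 0


def scan(text: str) -> Dict[str, List[str]]:
    """Return validated matches per data class (PANs reduced to their digits)."""
    pans = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits):                 # drop false positives that merely look like a card
            pans.append(digits)
    return {"pan": pans, "ssn": SSN_RE.findall(text)}


def decide(findings: Dict[str, List[str]], block_threshold: int = 1) -> str:
    """Policy action: block once the number of validated matches reaches the threshold."""
    return "block" if sum(len(v) for v in findings.values()) >= block_threshold else "allow"


def mask(value: str) -> str:
    """Keep only the last four characters so the incident log does not itself leak the data."""
    return "*" * (len(value) - 4) + value[-4:]


# Constructed outbound message for the illustration: one real-format test card, one SSN,
# one order number that fails Luhn, and one SSN-shaped string in a never-issued range.
SAMPLE = (
    "Hi, the card on file is 4111 1111 1111 1111 and my SSN is 123-45-6789. "
    "Order 1234 5678 9012 3456 shipped; ticket 000-12-3456."
)

if __name__ == "__main__":
    findings = scan(SAMPLE)
    print(decide(findings), {k: [mask(v) for v in vals] for k, vals in findings.items()})
```

The validation step is what separates a usable policy from one users learn to ignore: pattern matching alone would flag the order number and the ticket reference in the sample as well, and a block rule with that false-positive rate would be switched off within a week.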
Zscaler provides failover protection for continuity of operations, with services delivered from more than 150 data centers in diverse geographic locations around the world. These locations were selected so that a single natural disaster or local threat would not affect multiple sites, and traffic can be rerouted if an issue arises in one data center.
Zscaler guarantees uptime, availability, and recoverability with industry-leading service level agreements (SLAs) which, along with the data and system redundancy of the Zscaler architecture, ensure Zscaler services are highly resilient and consistently available.
Zscaler has completed FedRAMP authorization for ZIA and ZPA. Federal agencies can request the FedRAMP SSP for these services through the FedRAMP marketplace.
Private Service Edge
ZIA Private Service Edge extends the Zscaler cloud architecture to agency premises. Performing the same service as the ZIA Public Service Edge, it communicates with other nodes in the cloud, such as the Central Authority (CA) for user authentication and policy updates, and the cloud routers and Nanolog clusters for logging and reporting.
ZIA Private Service Edges, installed in an agency’s data center, are dedicated to agency traffic but monitored, managed, and maintained by Zscaler, providing a near-zero touch experience for the agency itself.
ZPA Private Service Edges are single-tenant instances that provide the complete functionality of a ZPA Public Service Edge in an agency’s environment. Agencies host them either on-site or as a cloud service, but Zscaler manages them.
As with a Public Service Edge, a Private Service Edge manages the connections between Zscaler Client Connector and App Connectors. Registered with the ZPA Cloud, a Private Service Edge can download relevant policies and configurations, enforce all ZPA policies, and cache path selection decisions.
Zscaler automates the collection of threat intelligence sourced from open communities, commercial subscriptions, partner sources, customer sources, and the Zscaler ThreatLabz research team, and uses it to protect customers in near-real time. ThreatLabz also hunts for zero-day vulnerabilities in software to protect customers and notify the corresponding vendors.
Customers can access a central Zscaler portal that provides a cloud overview, indicating the status of all services, including availability, disruptions, QoS degradation, planned maintenance activities, potential service impacts, and other customer advisories.
Zscaler Digital Experience (ZDX)
Delivered from the Zscaler cloud, ZDX provides end-to-end visibility and troubleshooting of end user performance issues for any user or application, anywhere. It enables continuous monitoring for network, security, application, and help desk teams with insight into device, network, and application performance issues from an end user perspective.
ZDX continuously collects and analyzes application availability, response times, hop-by-hop network performance, device health, and other telemetry, giving IT teams broad, uninterrupted visibility that helps save time through proactive resolution of user experience issues.
Security Orchestration, Automation, and Response (SOAR)
Zscaler integrates with leading SOAR platforms so that SOC teams can automate event lookups, reputation checks, and blocking actions in Zscaler from their playbooks. A streamlined SOAR-to-Zscaler workflow lets security teams push updated policies for real-time enforcement and better protection of users, inside or outside the network boundary.
Related resources:
TIC 3.0 Guidance Means You Can Use Cloud to Accomplish Your Telework Mission (brief)
Modernizing Cloud and Internet Access with SASE-Based TIC 3.0 Solutions (brief)
TIC 3.0 Will Remove a Significant Cloud Barrier (blog)
Zscaler TIC 3.0 Vendor Overlay (brief)
TIC 3.0 Core Guidance Documents (CISA page)
While the original drivers from the TIC Initiative were mainly to consolidate federal networks and standardize perimeter security, TIC 3.0 reflects a need to modernize those aims. Some of the key drivers of TIC 3.0 include growing cloud adoption and reliance upon cloud service providers, the need to move to decentralized services/infrastructure for scalability and security, and the expectations of today’s hybrid workforce.
TIC 3.0 is built on a foundation of network segmentation, zero trust architecture, and modern cloud security. More specifically, it aims to improve security and flexibility in federal networks by segmenting traffic, adopting a zero trust approach, and recognizing the growing adoption of cloud services.
To say TIC 3.0 overlooks zero trust network access (ZTNA) isn’t quite accurate. Although TIC 3.0 documentation does not explicitly mention ZTNA, its use is implied in language around managing traffic and protecting traffic confidentiality—connecting users to applications and enforcement of least-privileged access are key tenets of ZTNA.
The Cybersecurity and Infrastructure Security Agency (CISA) is an operational component of the US Department of Homeland Security (DHS). CISA describes itself as “the operational lead for federal cybersecurity and the national coordinator for critical infrastructure security and resilience.”