What Is Trusted Internet Connections (TIC) 3.0?

What Are the Requirements of TIC 3.0?

TIC 3.0 de-emphasizes strict requirements compared to previous iterations of the TIC initiative. The Cybersecurity and Infrastructure Security Agency (CISA) explained this in the 2021 “TIC Core Guidance Volume 1: Program Guidebook”:

“The past iterations of the program focused on securing traffic at the physical agency network perimeter through a limited number of secured access points that had a required set of security appliances and services. With advances in technology, the federal IT landscape has shifted markedly since the TIC program’s initiation in 2007, rendering this one-size-fits-all approach inflexible and counterproductive to meet the demands to modernize and move to the cloud.”

By shifting to a guideline-based strategy, TIC 3.0 acknowledges that the varied use cases and risk profiles among different agencies warrant greater nuance and flexibility in order to lower the barriers to effective modernization.

TIC 2.0 vs. TIC 3.0

The shift from TIC 2.0 to TIC 3.0 represents a significant evolution for US federal agencies, reflecting the changing cybersecurity landscape and digital environment:

• Approach: TIC 2.0 relied on a more rigid, perimeter-based security approach, funneling all traffic through a central gateway. TIC 3.0 adopts a more flexible, risk-based approach, encouraging agencies to use cloud services and adopt zero trust, acknowledging the ways modern work environments have changed.
• Segmentation: Where TIC 2.0 had limited provisions for network segmentation, TIC 3.0 prioritizes network segmentation and the creation of trust zones to categorize and manage traffic based on risk, facilitating more granular security controls.
• Zero trust: TIC 3.0 promotes the adoption of a zero trust architecture (ZTA)—which TIC 2.0 didn’t explicitly emphasize—and with it, continuous verification of user and device, whether they’re located inside or outside the network.
• Compliance: TIC 2.0 and 3.0 both have various security standards and compliance mandates, but TIC 3.0 gives agencies more flexibility to adapt security measures to their specific needs while still aligning with broader security best practices and compliance standards.

How Will TIC 3.0 Evolve Government Security?

Building on the goal of the TIC Initiative to secure external network connections, TIC 3.0 aims to help agencies transition from perimeter-based security models to zero trust architecture. This approach assumes that no user or device should be trusted by default, granting access to resources based on continuous verification of identity, device health, and other contextual factors. This is one of many ways ZTA provides granular control and reduces the risk of unauthorized access.

What Is Zero Trust?

Zero trust is a framework for securing organizations in the cloud and mobile world that asserts no user or application should be trusted by default. Following a key zero trust principle, least-privileged access, trust is established based on context (e.g., user identity and location, the security posture of the endpoint, the app or service being requested) with policy checks at each step.

Read more in our dedicated article: What Is Zero Trust?

How Does Zero Trust Relate to TIC 3.0?

Zero trust and TIC 3.0 are inextricably tied. TIC 3.0 encourages agencies to adopt a zero trust architecture (ZTA) to improve security, particularly when leveraging cloud services and remote access. Implementing zero trust will help agencies strengthen their security posture with continuous, context-driven verification, aligning with the risk-based security approach of TIC 3.0.

What Are the Use Cases of TIC 3.0?

TIC 3.0 core guidance covers four use cases in the Use Case Handbook:

• The Traditional TIC Use Case (TIC 2.2) defines how network security can be applied when an agency routes network traffic from its campus to the web, trusted external partners, or partner government agencies through a traditional TIC access point.
• The Branch Office Use Case defines how security should be applied when an agency operates in more than one location but a central campus still provides most IT services. This use case helps agencies gain application performance, reduce costs, and improve user experience.
• The Remote User Use Case defines how security should be applied when an agency permits remote users (agency users that perform sanctioned business functions outside of physical agency premises) on their network.
• The Cloud Use Case defines how security should be applied in cloud environments. The use case addresses cloud deployments for infrastructure as a service (IaaS), platform as a service (PaaS), software as a service (SaaS), and email as a service (EaaS).

What Are the Objectives of TIC 3.0?

The five security objectives of TIC 3.0, as stated in “TIC Core Guidance Volume 2: Reference Architecture,” are:

• Manage Traffic: Observe, validate, and filter data connections to align with authorized activities; least privilege and default deny
• Protect Traffic Confidentiality: Ensure only authorized parties can discern the contents of data in transit; sender and receiver identification and enforcement
• Protect Traffic Integrity: Prevent alteration of data in transit; detect altered data in transit
• Ensure Service Resiliency: Promote resilient application and security services for continuous operation as the technology and threat landscape evolve
• Ensure Effective Response: Promote timely reaction and adapt future response to discovered threats; policies defined and implemented; simplified adoption of new countermeasures

How Can Organizations Meet TIC 3.0 Mandates?

Adopting a zero trust architecture is the most effective step agencies can take in meeting the objectives of TIC 3.0. This represents a fundamental shift in the way they secure their resources, moving away from decades of infrastructure development and accrued professional experience in legacy approaches.

Successful transformation requires coordination—across not only an agency’s networking, security, IT, and other personnel, but also with trusted technology providers offering FedRAMP Authorized services.

How Zscaler Can Help

Zscaler operates the most accredited security cloud in the world and is one of only six cloud vendors with FedRAMP Moderate, FedRAMP High JAB, DoD IL5, and StateRAMP authorization, including accreditation profiles for CJIS and HIPAA. This attests that Zscaler technologies have passed some of the industry’s most rigorous and stringent evaluations in support of government agencies’ digital transformation and security.

Zscaler’s cloud native platform enables agencies to securely connect their users to applications and data anywhere, supporting TIC 3.0 by providing:

1. Secure access to applications and data for remote users, branch offices, and mobile devices, with full inline traffic inspection to stop threats from reaching agency networks.
2. Zero trust network access (ZTNA) to ensure all users and devices are authenticated and authorized before they can access applications and data. This helps prevent unauthorized access and reduce the attack surface.
3. Cloud security and policy enforcement, with all traffic to and from the internet and different cloud environments routed through the Zscaler platform, applying consistent policies and stopping threats no matter where users or applications are located.
4. Advanced threat protection, including real-time threat intelligence, sandboxing, ML-based detection, cloud firewall, and more to help agencies detect and block known and unknown threats before they can reach the network or endpoints.
5. Compliance and granular visibility to help agencies meet TIC 3.0 and M-22-09 requirements, among other federal cybersecurity mandates, as well as understand user activity, app usage, and security events to more effectively monitor and enforce policies.

CISA CLAW

Zscaler supports the CISA Cloud Log Aggregation Warehouse (CLAW) with Cloud NSS, which allows agencies to instantly stream logs from Zscaler Internet Access™ (ZIA™) directly into a compatible cloud-based security information and event management (SIEM) system.

CISA Protective DNS

Zscaler supports CISA's Protective DNS with DNS Gateway, which translates all plaintext DNS requests to DNS over HTTPS (DoH) for privacy and security. It also directs DoH traffic to Protective DNS (PDNS) resolvers that analyze and block requests to malicious domains.

Learn more about the Zscaler DNS Security service.

How Does Zscaler Manage Traffic?

The Zscaler platform provides standards-based integration with central identity providers via SAML for authentication and leverages SCIM for provisioning and deprovisioning.

ZIA supports role-based access control in line with the principle of least privilege. Additionally, ZIA secures connectivity to the web and SaaS applications while the user is off the agency network and delivers a central point for workload traffic egress.

Zscaler Private Access™ (ZPA™) implements zero trust access to internal applications hosted in the cloud or data center by aggregating policy- and attribute-based access control policies to evaluate context and risk. To do this, ZPA utilizes microsegmentation at a policy level.

How Does Zscaler Protect Traffic Confidentiality and Integrity?

The Zscaler platform natively encrypts data-in-transit using AES-256 and FIPS-140-2 validated modules, in addition to securely connecting users to data and applications using an inside-out microsegmented tunnel that is mutually authenticated and certificate pinned.

For data in motion, Zscaler Data Protection provides cloud data loss prevention (DLP) functionality. Part of the integrated Zscaler platform, Data Protection provides visibility into all traffic from all users, anywhere, and can detect and block leakage of sensitive information.

With Zscaler Data Protection:

• Policies follow all users—on the go, in branches, and on-premises—and ensure identical protection wherever they are.
• Native TLS/SSL inspection eliminates blind spots created by encrypted traffic.
• Effectively limitless scalability enables compute-intensive techniques like Exact Data Match to be applied to all traffic without performance or capacity concerns.
• Closed-loop integrations with CASB solutions complement out-of-band DLP protection with inline enforcement for shadow IT.

Cloud DLP reduces the risk of sensitive data exposure and supports compliance efforts while optimizing operational efficiency with a common platform for policy management and reporting.

How Does Zscaler Ensure Service Resiliency?

Zscaler provides ironclad failover protection to ensure continuity of operations, with services delivered from more than 150 data centers in diverse geographic locations around the world. These locations were carefully selected so that individual natural disasters or local threats would not affect multiple sites, offering worry-free rerouting if an issue arises in one data center.

Zscaler guarantees uptime, availability, and recoverability with industry-leading service level agreements (SLAs) which, along with the data and system redundancy of the Zscaler architecture, ensure Zscaler services are highly resilient and consistently available.

Zscaler has completed FedRAMP authorization for ZIA and ZPA. Federal agencies can request the FedRAMP SSP for these services through the FedRAMP marketplace.

Private Service Edge

ZIA Private Service Edge extends the Zscaler cloud architecture to agency premises. Performing the same service as the ZIA Public Service Edge, it communicates with other nodes in the cloud, such as the Central Authority (CA) for user authentication and policy updates, and the cloud routers and Nanolog clusters for logging and reporting.

ZIA Private Service Edges, installed in an agency’s data center, are dedicated to agency traffic but monitored, managed, and maintained by Zscaler, providing a near-zero touch experience for the agency itself.

ZPA Private Service Edges are single-tenant instances that provide the complete functionality of a ZPA Public Service Edge in an agency’s environment. Agencies host them either on-site or as a cloud service, but Zscaler manages them.

As with a Public Service Edge, a Private Service Edge manages the connections between Zscaler Client Connector and App Connectors. Registered with the ZPA Cloud, a Private Service Edge can download relevant policies and configurations, enforce all ZPA policies, and cache path selection decisions.

How Does Zscaler Ensure Effective Response?

Zscaler automates the collection of threat intelligence sourced from open communities, commercial subscriptions, partner sources, customer sources, and the Zscaler ThreatLabz research team, and uses it to protect customers in near-real time. ThreatLabz also hunts for zero day vulnerabilities in software to protect customers and notify the corresponding vendors.

Customers can access a central Zscaler portal that provides a cloud overview, indicating the status of all services, including availability, disruptions, QoS degradation, planned maintenance activities, potential service impacts, and other customer advisories.

Zscaler Digital Experience (ZDX)

Delivered from the Zscaler cloud, ZDX provides end-to-end visibility and troubleshooting of end user performance issues for any user or application, anywhere. It enables continuous monitoring for network, security, application, and help desk teams with insight into device, network, and application performance issues from an end user perspective.

ZDX continuously collects and analyzes application availability, response times, network hop-by-hop performance, and device health, and other telemetry, giving IT teams broad, uninterrupted visibility that helps save time with proactive resolution of user experience issues.

Security Orchestration, Automation, and Response (SOAR)

Zscaler integrates with leading SOAR platforms to help SOC teams enforce and automate event lookups, reputation checks, and blocking actions with Zscaler. By delivering a streamlined SOAR and Zscaler workflow, security teams can ensure real-time enforcement of updated policies and better protection of users, inside or outside the network boundary.