
CISA Guides Agencies Toward SASE for Zero Trust Adoption


"The guide helps agencies realize the benefits of zero trust architectures," said Chris Butera, CISA's acting executive assistant director for cybersecurity.

CISA's June 24 guidance and the move from TIC 2.0 to TIC 3.0

On June 24, the Cybersecurity and Infrastructure Security Agency published guidance aimed at helping federal civilian executive branch (FCEB) agencies replace legacy internet gateways with Secure Access Service Edge (SASE) technology as part of a broader shift to zero trust. The guidance frames the change as a migration away from the perimeter-based Trusted Internet Connections (TIC) 2.0 model toward TIC 3.0, which CISA built around zero trust principles.

Under TIC 2.0, agencies routed all internet traffic through a small number of central access points. CISA said that approach created bottlenecks that slowed remote and branch users and impeded the adoption of newer technologies. TIC 3.0, by contrast, allows agencies to build more distributed architectures, provided they still give CISA visibility into their traffic.

How the guidance defines SASE and what it replaces

CISA describes SASE as a bundled, mostly cloud-based service that combines networking and security functions. The agency's definition explicitly includes software-defined wide area networking (SD-WAN) alongside security controls such as secure web gateways, cloud access security brokers, next-generation firewalls and zero trust network access (ZTNA).

The guidance says SASE can replace the Managed Trusted Internet Protocol Services (MTIPS) that agencies have long relied on. It is vendor-agnostic: it addresses architecture and deployment choices rather than recommending particular products or suppliers.

Telemetry consequences: EINSTEIN sensors and CLAW

CISA warned that moving off MTIPS carries a concrete trade-off: agency traffic will no longer flow through the central gateways where CISA's EINSTEIN sensors sit, and that change removes a stream of telemetry CISA uses to monitor federal networks. To preserve equivalent visibility, agencies must deliver comparable telemetry to CISA's Cloud Log Aggregation Warehouse (CLAW), a cloud service that collects agency-provided logs and network data.

In short, distributed traffic paths are permissible under TIC 3.0, but only if agencies feed CLAW with telemetry that maintains CISA's ability to see and analyze traffic across the federal estate.

Encrypted traffic inspection: a shift away from universal decryption

The guidance signals a departure from long-standing practice around encrypted traffic. CISA said breaking and inspecting encrypted TLS traffic is no longer a universally recommended approach, citing the complexity of such interception and the latency it introduces. Instead, the agency pointed agencies toward analyzing encrypted traffic for suspicious patterns, including with machine learning, without fully decrypting it. In practice that means working from what is visible in the clear: TLS handshake fields such as the server name indication, the offered cipher suites and extensions (the basis of JA3/JA4-style client fingerprints), certificate attributes, and flow sizes and timing.

This recommendation reflects an emphasis on architectural flexibility and operational realities: agencies can adopt inspection approaches that reduce latency and operational overhead while still striving to detect anomalous or malicious activity. The caveat is that metadata analysis cannot see payload content, so anything that is only detectable inside a decrypted payload, such as a malicious file in a download, still requires decryption or an endpoint control to catch it.
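The following is an added example, not code from CISA or the guidance, of the kind of analysis the paragraph above describes: it reads a TLS ClientHello, pulls out the server name and the handshake parameters, computes a JA3-style fingerprint (MD5 over version, cipher suites, extensions, supported groups and point formats, with GREASE values removed), and checks the result against a watchlist, all without decrypting any payload. The ClientHello bytes, the "browser" and "tool" profiles, and the watchlist are constructed here purely for the demonstration; real watchlists come from threat intelligence feeds.

```python
# Added example (not CISA's or any vendor's code): passive analysis of a TLS
# ClientHello without decrypting anything. It extracts the SNI and computes a
# JA3-style fingerprint (MD5 over version, ciphers, extensions, groups and
# point formats, GREASE values removed) and checks it against a watchlist.
# The ClientHello bytes and the watchlist are constructed here for the demo.
import hashlib
import struct

# RFC 8701 GREASE values; clients randomise them, so they must not enter the hash.
GREASE = {0x0a0a, 0x1a1a, 0x2a2a, 0x3a3a, 0x4a4a, 0x5a5a, 0x6a6a, 0x7a7a,
          0x8a8a, 0x9a9a, 0xaaaa, 0xbaba, 0xcaca, 0xdada, 0xeaea, 0xfafa}

def _ext(etype, data):
    return struct.pack("!HH", etype, len(data)) + data

def build_client_hello(sni, ciphers, groups, formats, grease=False):
    """Construct a TLS 1.2-style ClientHello record (constructed demo input)."""
    exts = _ext(0x0a0a, b"") if grease else b""
    if sni is not None:
        name = sni.encode()
        exts += _ext(0x0000, struct.pack("!HBH", len(name) + 3, 0, len(name)) + name)
    grp = b"".join(struct.pack("!H", g) for g in groups)
    exts += _ext(0x000a, struct.pack("!H", len(grp)) + grp)
    exts += _ext(0x000b, bytes([len(formats)]) + bytes(formats))
    cs = b"".join(struct.pack("!H", c) for c in ciphers)
    hello = (struct.pack("!H", 0x0303) + bytes(32) + b"\x00"      # version, random, empty session id
             + struct.pack("!H", len(cs)) + cs + b"\x01\x00"       # cipher suites, null compression
             + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(hello).to_bytes(3, "big") + hello           # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs        # TLS record header

def parse_client_hello(record):
    """Pull the JA3 inputs and the SNI out of a raw ClientHello record."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS ClientHello record")
    hello = record[9:9 + int.from_bytes(record[6:9], "big")]
    version = struct.unpack("!H", hello[0:2])[0]
    pos = 2 + 32                                   # skip client random
    pos += 1 + hello[pos]                          # session id
    cs_len = struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2
    ciphers = [struct.unpack("!H", hello[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + hello[pos]                          # compression methods
    exts, groups, formats, sni = [], [], [], None
    if pos + 2 <= len(hello):
        end = pos + 2 + struct.unpack("!H", hello[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", hello[pos:pos + 4])
            data = hello[pos + 4:pos + 4 + elen]
            pos += 4 + elen
            exts.append(etype)
            if etype == 0x0000:                    # server_name: list_len, type, name_len, name
                n = struct.unpack("!H", data[3:5])[0]
                sni = data[5:5 + n].decode("ascii", "replace")
            elif etype == 0x000a:                  # supported_groups
                n = struct.unpack("!H", data[0:2])[0]
                groups = [struct.unpack("!H", data[i:i + 2])[0] for i in range(2, 2 + n, 2)]
            elif etype == 0x000b:                  # ec_point_formats
                formats = list(data[1:1 + data[0]])
    return {"version": version, "ciphers": ciphers, "extensions": exts,
            "groups": groups, "formats": formats, "sni": sni}

def ja3(h):
    """Return (ja3_string, ja3_md5) for a parsed ClientHello."""
    def field(vals):
        return "-".join(str(v) for v in vals if v not in GREASE)
    s = ",".join([str(h["version"]), field(h["ciphers"]), field(h["extensions"]),
                  field(h["groups"]), field(h["formats"])])
    return s, hashlib.md5(s.encode()).hexdigest()

# Constructed watchlist: the fingerprint of a hypothetical tool profile, used
# only so the demo has something to match; real lists come from threat intel.
TOOL_PROFILE = build_client_hello(None, [0xc013, 0x002f], [0x0017], [0])
WATCHLIST = {ja3(parse_client_hello(TOOL_PROFILE))[1]: "constructed tool profile"}

def assess(record, watchlist=WATCHLIST):
    """Flag a flow from its ClientHello alone; the payload stays encrypted."""
    h = parse_client_hello(record)
    s, digest = ja3(h)
    findings = []
    if digest in watchlist:
        findings.append("JA3 matches " + watchlist[digest])
    if h["sni"] is None:
        findings.append("no SNI")                  # weak signal alone; combine with others
    if h["version"] < 0x0303:
        findings.append("legacy TLS version")
    return {"sni": h["sni"], "ja3": s, "ja3_md5": digest, "findings": findings}

if __name__ == "__main__":
    browser = build_client_hello("www.example.gov", [0x1301, 0x1302, 0xc02f], [0x001d, 0x0017], [0])
    print(assess(browser))
    print(assess(TOOL_PROFILE))
```

The GREASE filtering is the part that matters operationally: browsers randomise those placeholder values on every connection, so a fingerprint that included them would never match twice. The "no SNI" and legacy-version checks are deliberately weak signals; in a real pipeline they would be scored alongside destination reputation, flow volume and timing rather than alerted on alone.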

What this means for FCEB agencies, state and local governments, and critical infrastructure operators

  • Federal civilian executive branch agencies: They are the primary audience. Agencies will need to plan migrations from MTIPS to SASE-capable architectures, ensure they can feed equivalent telemetry into CLAW, and treat zero trust as a long-term transformation rather than a one-time product purchase.
  • State and local governments: CISA said the guidance may also be useful to these entities. Those organizations considering distributed architectures can look to the guidance for architectural patterns while keeping in mind the specific requirement in the federal context to preserve telemetry visibility for CISA.
  • Critical infrastructure operators and other organizations: CISA said the guide may also be useful to critical infrastructure operators and other organizations, as a vendor-agnostic blueprint for combining networking and security functions in cloud-forward deployments.

CISA positioned the SASE guide as part of a larger zero-trust series it launched last year; it joins an earlier guide on microsegmentation. The agency repeated that reaching zero trust is a sustained transformation rather than a single product rollout, underscoring an operational and cultural shift as much as a technical one.

For agencies and organizations weighing the move, the immediate practical questions are concrete: how to design distributed architectures that avoid the bottlenecks of TIC 2.0, how to translate former MTIPS telemetry into the CLAW-compatible feeds CISA requires, and how to balance inspection, performance, and privacy when dealing with encrypted traffic. CISA's guide does not promise an instant fix — it lays out a path and the technical trade-offs that come with it.

Source: https://www.infosecurity-magazine.com/news/cisa-sase-tic-3-0-zero-trust/