The Cybersecurity and Infrastructure Security Agency (CISA) in the United States has recently taken significant steps to modernize the cybersecurity posture of federal agencies by launching new guidance for transitioning from traditional internet gateways to Secure Access Service Edge (SASE) technology. This shift aligns with the broader objective of adopting a zero trust security framework, which emphasizes rigorous verification of every user and device attempting to access network resources.
On June 24, CISA published a comprehensive document detailing this transition, which is marked by the move from the outdated perimeter-based Trusted Internet Connections (TIC) 2.0 model to the more adaptive TIC 3.0 framework grounded in zero trust principles. By outlining how agencies can integrate SASE into their cybersecurity strategies, CISA aims to facilitate a smoother, more secure experience for federal entities navigating the complex landscape of modern cyber threats.
Historically, the TIC 2.0 framework required federal agencies to funnel all internet traffic through a limited number of centralized access points. While this model was beneficial for some aspects of monitoring and security, it introduced significant bottlenecks that hindered the efficiency of remote and branch users. Moreover, the rigidity of the TIC 2.0 approach stifled innovation, making it challenging for agencies to embrace modern technologies effectively. In contrast, TIC 3.0 promotes a more decentralized architecture, enabling agencies to spread their resources while maintaining critical visibility into their traffic as required by CISA.
SASE serves as a potent solution, combining various networking and security functions into a singular, predominantly cloud-based service. CISA has defined SASE to encompass a variety of tools, including software-defined wide area networking (SD-WAN) paired with a suite of security mechanisms. These comprise secure web gateways, cloud access security brokers, next-generation firewalls, and zero trust network access (ZTNA). Importantly, CISA’s guidance is vendor-agnostic, focusing on the architectural framework rather than tying agencies to specific products. This broad approach allows agencies to choose solutions that best meet their unique operational needs while still adhering to CISA’s recommended security protocols.
One noteworthy aspect of transitioning away from the Managed Trusted Internet Protocol Services (MTIPS) that agencies have long depended on is the inherent trade-off involved in ensuring security and visibility. As agencies move their traffic away from the central gateways equipped with CISA’s EINSTEIN sensors, a potential gap arises in the telemetry data that CISA relies upon to monitor federal networks effectively. To mitigate this issue, federal agencies will need to provide equivalent telemetry data to CISA’s Comprehensive Log Aggregation Warehouse (CLAW), a cloud-based service designed to compile agency-submitted telemetry.
This new guidance also marks a departure from traditional practices concerning encrypted traffic. CISA has indicated that breaking and inspecting encrypted Transport Layer Security (TLS) traffic is no longer a universally recommended methodology. The agency cited the growing complexity and latency that this process added to network communications. Instead, CISA advocates for a more nuanced approach by analyzing encrypted traffic for suspicious activity patterns using advanced technologies such as machine learning, without necessitating full decryption.
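The approach described above relies on the fact that a TLS session still exposes cleartext handshake metadata (the offered protocol versions, cipher suites and the Server Name Indication) before any payload is encrypted. The following added example, which is not part of CISA's guidance and not code from any SASE vendor, shows how a monitoring point can extract that metadata from a ClientHello and flag patterns worth a closer look (missing SNI, legacy protocol versions, legacy cipher suites) without decrypting anything. The sample ClientHello records are constructed inline by a small builder so the script runs offline; the hostname and the legacy-suite watchlist are illustrative choices, not values from the guidance.

```python
import struct

# --- constructed sample input: a minimal TLS ClientHello builder (not a TLS stack) ---
def build_client_hello(hostname, cipher_suites, supported_versions=(0x0304, 0x0303),
                       client_version=0x0303):
    """Return a TLS record containing a ClientHello with the given SNI, suites and versions."""
    body = struct.pack("!H", client_version)
    body += b"\x11" * 32                           # fixed 'random' so the sample is reproducible
    body += b"\x00"                                # empty session_id
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    body += struct.pack("!H", len(suites)) + suites
    body += b"\x01\x00"                            # one compression method: null
    exts = b""
    if hostname is not None:                       # server_name extension (type 0x0000)
        name = hostname.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name
        sni_list = struct.pack("!H", len(entry)) + entry
        exts += struct.pack("!HH", 0x0000, len(sni_list)) + sni_list
    vers = b"".join(struct.pack("!H", v) for v in supported_versions)
    sv = bytes([len(vers)]) + vers                 # supported_versions extension (type 0x002b)
    exts += struct.pack("!HH", 0x002b, len(sv)) + sv
    body += struct.pack("!H", len(exts)) + exts
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

# --- passive metadata extraction: reads only the cleartext handshake fields ---
def parse_client_hello(record):
    """Extract client version, cipher suites, SNI and supported versions from a ClientHello record."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) != hs_len:
        raise ValueError("truncated ClientHello")
    pos = 0
    client_version = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
    pos += 32                                      # skip client random
    pos += 1 + body[pos]                           # skip session_id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
    suites = [struct.unpack("!H", body[pos + i:pos + i + 2])[0] for i in range(0, cs_len, 2)]
    pos += cs_len
    pos += 1 + body[pos]                           # skip compression methods
    info = {"client_version": client_version, "cipher_suites": suites,
            "sni": None, "supported_versions": []}
    if pos + 2 > len(body):
        return info                                # no extensions block at all
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
    end = pos + ext_len
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4]); pos += 4
        data = body[pos:pos + elen]; pos += elen
        if etype == 0x0000 and len(data) >= 5 and data[2] == 0:
            # server_name: list length (2), name type (1) == host_name, name length (2), name
            name_len = struct.unpack("!H", data[3:5])[0]
            info["sni"] = data[5:5 + name_len].decode("ascii", errors="replace")
        elif etype == 0x002b and len(data) >= 1:
            n = data[0]                            # byte length of the version list
            info["supported_versions"] = [struct.unpack("!H", data[1 + i:3 + i])[0]
                                          for i in range(0, n, 2)]
    return info

# Illustrative watchlist of legacy suites (real IANA identifiers; the selection is ours).
LEGACY_SUITES = {0x0005: "TLS_RSA_WITH_RC4_128_SHA", 0x000a: "TLS_RSA_WITH_3DES_EDE_CBC_SHA"}

def assess(info):
    """Return human-readable findings derived purely from handshake metadata."""
    findings = []
    if info["sni"] is None:
        findings.append("no SNI: destination cannot be attributed from the handshake")
    versions = info["supported_versions"] or [info["client_version"]]
    if any(v <= 0x0302 for v in versions):         # 0x0302 is TLS 1.1, 0x0301 TLS 1.0
        findings.append("offers TLS 1.1 or older")
    for s in info["cipher_suites"]:
        if s in LEGACY_SUITES:
            findings.append(f"offers legacy cipher suite {LEGACY_SUITES[s]}")
    return findings

# Two constructed samples: a typical modern client and an anomalous one.
NORMAL = build_client_hello("portal.example.gov", [0x1301, 0x1302, 0xC02F])
ANOMALOUS = build_client_hello(None, [0x0005, 0x000A, 0xC02F], (0x0303, 0x0302, 0x0301))

if __name__ == "__main__":
    for label, rec in (("normal", NORMAL), ("anomalous", ANOMALOUS)):
        info = parse_client_hello(rec)
        print(label, info["sni"], [hex(s) for s in info["cipher_suites"]], assess(info))
```

In a deployment the features this script extracts (SNI, version list, suite ordering) are exactly the kind of per-flow attributes that get fed into the statistical or machine-learning models the guidance alludes to; the point is that all of them are available to a sensor that never holds the session keys.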
While the primary audience for this guidance is federal civilian executive branch (FCEB) agencies, it is also expected that state and local governments, along with critical infrastructure operators and other organizations, could benefit from the insights provided. This guidance is part of a broader zero trust initiative launched by CISA in the prior year, which also includes a guide on microsegmentation — another vital aspect of modern cybersecurity practices.
Chris Butera, Acting Executive Assistant Director for Cybersecurity at CISA, emphasized that the guidance serves as a roadmap for agencies striving to harness the benefits of zero trust architectures. CISA underscored that the journey towards implementing a zero trust framework is not simply a matter of deploying a single product; rather, it is a sustained transformation that requires commitment and ongoing adjustments to security practices.
In conclusion, CISA’s new guidance represents a pivotal step in reshaping the cybersecurity landscape for federal agencies. By embracing SASE technology and transitioning to the TIC 3.0 model, agencies are not only enhancing their security posture but fostering a more agile and innovative environment for adapting to the evolving cybersecurity challenges of today. As the agency continues to promote zero trust principles, the emphasis on integrating modern technologies highlights CISA’s commitment to protecting federal networks and, by extension, the broader systems that underpin national security.

