By Stephen Kovac, Vice President, Global Government

Head of Corporate Compliance, Zscaler, Inc.

Today’s workplace functions on the expectation of mobility – work from any device at any location.  While legacy data center infrastructures and strict security requirements made it difficult for Federal agencies to meet these expectations in the past, the Office of Management and Budget’s newly released Trusted Internet Connections (TIC) 3.0 policy paves a path to the modern workplace.

The TIC policy’s original goal was to standardize network security across agencies by requiring all federal internet traffic to run through a TIC.  It was not designed for the bandwidth-intensive requirements of a Cloud-First, Mobile-First government.

TIC 3.0 guidance provides the necessary flexibility to secure modern cloud environments and mitigate evolving cyber threats.  TIC 3.0 moves beyond a “one-TIC-fits-all” approach to allow agencies to create alternative TIC solutions that meet the spirit and intent of the original TIC guidelines. Agencies can develop new network security approaches outside of the traditional perimeter-based TICAP and MTIPS.  In addition, the new guidance provides a catalog of use cases for agencies to reference as they develop TIC solutions with more comprehensive security for their hybrid environment.

This is a tremendous opportunity to modernize cybersecurity and improve user experiences.  What should agencies consider as they develop new TIC solutions?

Adopt a “TIC-in-the-Cloud”

With the new policy’s outlined cloud solutions – including as-a-service models, we can expect to see agencies accelerate cloud deployments.

Following the guidance of the Federal Cloud Computing Strategy, agencies will need to consider TIC cloud solutions that enhance security postures, meet mission needs, and consider intended outcomes and capabilities.

The industry will come forward with many different solutions, but agencies should be wary of lift-and-shift approaches or fancy marketing solution names.  An agency that simply moves a physical TIC to the cloud will only move challenges in current data center environments to the cloud.

Solutions should move TIC functions away from the perimeter, to a globally-balanced multi-tenant cloud security software-as-a-service model that can scale up and down on demand – a “TIC-in-the-Cloud”.  By moving the TIC security stack from data centers to cloud, agencies can route federal employee traffic directly to internally and externally managed applications and internet destinations, while maintaining security and access controls.

Agencies need to take advantage of the important benefits cloud service providers can offer through this ‘cloud effect’.  Don’t miss the opportunity to deploy a cloud solution that will improve security and user experience.  With the right TIC cloud solution specified to each agency’s needs and collaboration with providers, agencies will be able to globally implement hundreds of patches a day with security updates and protections.

Modernize Access/Security Controls with Zero Trust Networking

Agencies also have the opportunity to modernize security and access controls as they develop new TIC solutions.

While TIC helps to ensure the security of external connections to government networks, zero-trust networking can provide more security, improved usability, and reduced costs.

This connectivity approach provides granular, context-based access to applications, regardless of whether they are in agencies’ data centers or in a destination cloud, creating better user experience while maintaining full security and visibility into the environment.

With the massive influx of data from emerging technologies and the sensitive nature of government data, a FedRAMP-authorized zero trust solution can provide the right level of access and security controls to protect mission-critical data, while meeting TIC requirements.

Customize a Solution to Drive Mission Goals

TIC 3.0 identifies three new use cases beyond the traditional TIC – cloud, agency branch offices, and remote user solutions. Agencies should review and test these proven options for environments with security requirements similar to their own.

Think of the TIC use case solution development as a similar process to FedRAMP’s “certify once and use many” approach.  Agencies should learn from and build off each other’s pilots (successful and otherwise).

While there will be many different options for TIC 3.0 solutions, the next step for each agency will be to have a clear understanding of short and long-term goals.

By working with the Department of Homeland Security and General Services Administration to approve new TIC use cases, and collaborating with industry service providers, agencies can develop new TIC solutions that strengthen cybersecurity, improve user experience and productivity, and ultimately, accelerate their mission.

About the Author

Stephen R. Kovac, Vice President of Global Government and Head of Corporate Compliance, Zscaler. Stephen has responsibility for overall strategy, productizing, and certification of the Zscaler platform across all global governments.  He also runs the global compliance efforts for all of Zscaler.  His primary focus over the last years is FedRAMP, TIC/MTIP Policies, and ZTN for Federal.  Under Stephen’s leadership, Zscaler became the first FedRAMP certified ZTN Platform and Secure Web Gateway. He is a 27-year veteran of the information technology and security industry with extensive experience in the public sector and compliance.  Prior to Zscaler, Stephen served as EVP of Strategy and Public Sector for VAZATA, a FedRAMP certified cloud provider.  He also served as VP/CSO for BT Security, Vice President at Terremark Federal, a Verizon Company, and as Vice President of Verizon Public Sector. Mr. Kovac is a frequent speaker on the federal circuit, blogger, and highly quoted author on federal security and certifications. Stephen can be reached online at and at our company website