The US ybersecurity and Infrastructure Security Agency (CISA) has published new guidance to help federal agencies replace their legacy internet gateways with Secure Access Service Edge (SASE) technology as part of the shift to zero trust.
Published on June 24, the guidance explains how agencies can use SASE to move from the perimeter-based Trusted Internet Connections (TIC) 2.0 model to the more flexible TIC 3.0, which CISA built around zero trust principles.
CISA said SASE can replace the Managed Trusted Internet Protocol Services (MTIPS) that agencies have long relied on.
Replacing the Perimeter With SASE
Under the older TIC 2.0 model, agencies routed all their internet traffic through a small number of central access points.
CISA said that approach created bottlenecks that slowed remote and branch users, and it held back the adoption of newer technologies. TIC 3.0, by contrast, allows agencies to build more distributed architectures, as long as they still provide CISA visibility into their traffic.
SASE bundles networking and security functions into a single, mostly cloud-based service. CISA’s definition combines tools such as software-defined wide area networking (SD-WAN) with security controls, including secure web gateways, cloud access security brokers, next-generation firewalls and zero trust network access (ZTNA).
The guidance is vendor-agnostic, focusing on the architecture rather than specific products.
Read more on CISA’s zero trust roadmap: CISA and Partners Publish Zero Trust Guidance For OT Security
Keeping CISA in the Loop
Moving off of MTIPS comes with a catch, however. As agency traffic stops flowing through the central gateways where CISA’s EINSTEIN sensors sit, the agency said it loses the telemetry it uses to monitor federal networks.
To keep that visibility, agencies must feed equivalent data to CISA’s Comprehensive Log Aggregation Warehouse (CLAW), a cloud service that collects agency-provided telemetry.
The guidance also signals a shift in a long-standing practice. CISA said breaking and inspecting encrypted TLS traffic is no longer a universally recommended approach, citing its complexity and the latency it adds. It instead pointed to analyzing encrypted traffic for suspicious patterns, including using machine learning, without fully decrypting it.
CISA aimed the guidance at federal civilian executive branch (FCEB) agencies but said state and local governments, critical infrastructure operators and other organizations may also find it useful. It joins a zero-trust series that CISA launched last year, along with a guide on microsegmentation.
Chris Butera, CISA’s acting executive assistant director for cybersecurity, said the guide “helps agencies realize the benefits of zero trust architectures.” The agency stressed that reaching zero trust is a sustained transformation rather than a single product rollout.
