
CISA releases TIC 3.0 interim telework guidance

CISA issued interim TIC 3.0 guidance for federal agencies shifting to mass telework. The message: traditional perimeter security does not work when everyone's at home. Time to implement zero-trust principles.

Verified for technical accuracy — Kodi C.


On , CISA published Trusted Internet Connections 3.0 interim telework guidance to help federal agencies rapidly scale remote access while maintaining security visibility and policy enforcement. The guidance arrived as agencies scrambled to enable mass telework in response to COVID-19, providing architectural frameworks that balanced connectivity needs against cybersecurity requirements.

Evolution from TIC 2.0 Constraints

The interim guidance represented a significant departure from the TIC 2.0 model that had governed federal network security since 2007. TIC 2.0 required internet traffic to flow through designated TIC access points—physical network perimeters where security inspection and monitoring occurred. This model assumed most federal users worked from office locations behind TIC perimeters.

Mass telework fundamentally challenged TIC 2.0 assumptions. Remote users connecting directly to cloud services bypass TIC access points entirely. VPN concentrators routing all traffic through agency networks created bottlenecks when designed for minority remote access use cases. Agencies faced choosing between security compliance and operational capability.

TIC 3.0, announced in late 2019, began modernizing these constraints with use case-based security objectives rather than physical network boundaries. The interim telework guidance accelerated TIC 3.0 adoption for agencies needing immediate flexibility.

Security Objectives for Remote Access

The guidance organized security requirements around core objectives applicable regardless of network architecture. Visibility objectives ensure agencies maintain awareness of network traffic, authentication events, and security-relevant activities. Protection objectives address access control, data security, and malware prevention. Response objectives cover incident detection, analysis, and remediation capabilities.

Agencies must show achievement of these objectives through multiple means rather than relying solely on TIC access point inspection. Cloud access security brokers (CASBs) provide visibility and control for cloud service usage. Endpoint detection and response (EDR) tools extend protection to devices operating outside agency networks. DNS security services block malicious destinations regardless of user location.

The objectives-based approach enables architectural flexibility. Agencies can implement split-tunnel VPN configurations directing only agency-bound traffic through VPN concentrators while cloud traffic routes directly—provided alternative security controls achieve equivalent objectives for cloud-destined traffic.

Split-Tunnel VPN Architecture

Split tunneling emerged as a critical enabler for pandemic-scale remote work. Full-tunnel VPN configurations route all user traffic through agency networks, creating bandwidth bottlenecks when entire workforces connect simultaneously. Split tunneling routes agency resource traffic through the VPN while allowing cloud service traffic to route directly, dramatically reducing VPN concentrator load.

Security concerns about split tunneling focus on loss of visibility and protection for directly-routed traffic. The interim guidance addresses these concerns by requiring compensating controls. DNS filtering blocks known malicious destinations. CASB solutions monitor and control cloud service access. Endpoint protection provides device-level security regardless of network path.

Implementation requires careful traffic classification. Agencies must identify which destinations require VPN routing (internal resources, agency-hosted applications) versus direct routing (sanctioned cloud services like Microsoft 365 or Salesforce). Misconfiguration risks either security gaps or performance problems.
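The classification check described above can be automated. The following is an added example, not code from CISA or from this briefing: it audits a split-tunnel policy for internal prefixes that bypass the VPN, sanctioned cloud prefixes that are hairpinned through it, and directly routed services that lack the compensating controls named above. The policy layout, service names, and prefixes (private and documentation ranges) are constructed assumptions.

```python
import ipaddress

# Constructed sample policy (assumption): prefixes are private/documentation
# ranges, not real agency or cloud-provider address space.
POLICY = {
    "tunnel_routes": ["10.20.0.0/16", "198.51.100.0/24"],     # sent through the VPN
    "internal_resources": ["10.20.0.0/16", "10.30.5.0/24"],   # must use the VPN
    "sanctioned_cloud": {                                      # intended to route directly
        "cloud-mail": {"prefixes": ["198.51.100.0/25"],
                       "controls": {"casb", "dns_filter", "endpoint_protection"}},
        "cloud-crm": {"prefixes": ["203.0.113.0/24"],
                      "controls": {"endpoint_protection"}},
    },
}
# Compensating controls the briefing lists for directly routed traffic.
REQUIRED_CONTROLS = {"dns_filter", "casb", "endpoint_protection"}


def _nets(prefixes):
    return [ipaddress.ip_network(p) for p in prefixes]


def audit_split_tunnel(policy, required=REQUIRED_CONTROLS):
    """Return (kind, prefix, detail) findings for a split-tunnel policy."""
    routes = _nets(policy["tunnel_routes"])
    findings = []
    # Internal prefixes must sit wholly inside a single tunnel route.
    for net in _nets(policy["internal_resources"]):
        if not any(net.subnet_of(r) for r in routes):
            findings.append(("security_gap", str(net),
                             "internal prefix bypasses the VPN"))
    for name, svc in policy["sanctioned_cloud"].items():
        for net in _nets(svc["prefixes"]):
            if any(net.overlaps(r) for r in routes):
                # Cloud traffic caught by a tunnel route loads the concentrator.
                findings.append(("performance", str(net),
                                 f"{name} is hairpinned through the VPN"))
                continue
            missing = required - set(svc["controls"])
            if missing:
                findings.append(("security_gap", str(net),
                                 f"{name} routes directly without "
                                 + ", ".join(sorted(missing))))
    return findings


if __name__ == "__main__":
    for finding in audit_split_tunnel(POLICY):
        print(*finding, sep=" | ")
```

An internal prefix covered only by the union of several smaller tunnel routes is reported as a gap by this check, so aggregate routes before auditing.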

Cloud Service Access Patterns

The guidance acknowledges increasing federal cloud adoption and provides security frameworks for cloud-native access patterns. Traditional TIC models assumed agency-hosted applications; modern workloads now run in commercial cloud environments that remote users are better served accessing directly.

FedRAMP authorization provides baseline assurance for cloud services, but agencies need additional visibility and control for compliant usage. CASB solutions provide session monitoring, data loss prevention, and access control for cloud services. API integrations enable deeper visibility into cloud service activity than network-level inspection alone.

Identity-based security becomes essential when network perimeters dissolve. Strong authentication using phishing-resistant methods like FIDO2 replaces network location as the primary access control. Continuous session evaluation can revoke access based on risk signals even after initial authentication.

EINSTEIN and CDM Integration

The guidance addresses how agencies should maintain EINSTEIN and Continuous Diagnostics and Mitigation (CDM) program participation under modified architectures. EINSTEIN provides DHS with visibility into threats targeting federal networks; CDM provides agencies with asset and vulnerability visibility. Both programs require telemetry that modified architectures must continue providing.

Agencies implementing split tunneling must ensure EINSTEIN sensors continue receiving relevant traffic samples. Cloud-delivered security services should integrate with EINSTEIN reporting mechanisms. CDM coverage must extend to endpoints operating remotely, potentially requiring agent-based collection rather than network scanning.

Coordination with CISA's National Cybersecurity Protection System (NCPS) ensures threat detection and response capabilities remain effective. Agencies should document how modified architectures maintain EINSTEIN visibility and CDM coverage for DHS oversight purposes.

Implementation Priorities

The guidance recommends a phased implementation that prioritizes immediate capability needs while building toward full achievement of the objectives. Immediate actions should enable basic secure remote access: ensure VPN capacity handles expected load, deploy MFA for all remote access, and enable endpoint protection on remote devices.

Near-term improvements add visibility and control: implement CASB for cloud service monitoring, deploy DNS security filtering, and extend EDR coverage to remote endpoints. Configure logging and alerting for remote access patterns to enable threat detection.

Longer-term maturation aligns with the full TIC 3.0 framework: implement zero trust architecture principles, automate compliance monitoring, and establish continuous assessment capabilities. These investments position agencies for post-pandemic security postures that do not depend on physical network boundaries.

Applicability Beyond Federal Agencies

While written for federal agencies, the TIC 3.0 interim guidance provides valuable architecture patterns for state and local governments, critical infrastructure operators, and private sector organizations. The security objectives translate directly; compensating controls apply regardless of organizational context.

Organizations without EINSTEIN and CDM equivalents should consider commercial threat intelligence and vulnerability management capabilities that provide similar functions. The guidance's emphasis on visibility, protection, and response objectives offers a framework for evaluating security architectures independent of specific technology setups.

The pandemic accelerated remote work trends that will persist post-crisis. Security architectures designed for minority remote access will not support hybrid workforces. If you are affected, treat the pandemic response not as a temporary exception but as a catalyst for permanent security architecture evolution.


Cited sources

  1. Trusted Internet Connections 3.0 Interim Telework Guidance — Cybersecurity and Infrastructure Security Agency
  2. CISA Alerts Archive — CISA
  3. ISO 37000:2021 — Governance of Organizations — International Organization for Standardization