Agencies moving away from VPNs as they implement TIC 3.0

TIC 3.0 lets agencies plan remote user access while shrinking trust zones around high-value assets to reduce their attack surface.
(Getty Images)

Agencies are moving from virtual private networks (VPNs) to more robust identity management solutions as they implement Trusted Internet Connections 3.0 architectures, said TIC Program Manager Sean Connelly.

VPNs allow inherited trust to be embedded in architectures, but agencies are migrating to a zero-trust security model that takes inherited trust out of the digital system.

For instance primes on the $50 billion Enterprise Infrastructure Solutions network modernization contract all have software-defined wide area network (SD-WAN), multiprotocol label switching (MPLS), and broadband or another form of internet access offerings. And all are leveraging TIC‘s recently finalized Branch Office Use Case.

“When we talk TIC 3.0, [VPNs are] really not even being discussed as a modern solution for a lot of those architectures,” Connelly said during the IT Modernization Summit presented by FedScoop on Thursday. “So you’re scaling away from the VPN, itself.”


Instead TIC 3.0 lets agencies plan remote user access while shrinking trust zones around high-value assets to reduce their attack surface.

Agencies should include Managed Trusted Internet Protocol Services (MTIPS) and TIC Access Provider (TICAP) costs when comparing an existing VPN with a fully secure, remote user solution, said Zain Ahmed, regional vice president of Lumen Technologies.

“Agencies need to be aware because VPN doesn’t inherently provide security,” Ahmed said. “To get apples-to-apples comparison, agencies should look to VPN plus the TIC costs versus remote users as they’re examining what the new solution will look like.”

The TIC program is currently working with the General Services Administration and Office of Management and Budget to adjudicate public comments on the draft version of its Remote User Use Case. A finalized version will “ideally” be released before the end of the year with work begins on Infrastructure-as-a-Service (IaaS), Software-as-a-Service (SaaS), Platform-as-a-Service (PaaS), and email-as-a-service use cases, Connelly said.

Agencies are working with the TIC program to build out pilots in those areas, and there’s interest in zero trust, Internet of Things (IoT) and unified communications use cases as well, Connelly said.


A number of Cybersecurity and Infrastructure Security Agency programs besides TIC are running pilots including the Continuous Diagnostics and Mitigation (CDM) program and the National Cybersecurity Protection System (NCPS) Cloud Log Aggregation Warehouse (CLAW). Telework accelerated such pilots, some of which are now going through the full acquisition life cycle while others merely tested proofs of concept.

Agencies submit pilot proposals to the Federal Chief Information Security Officer Council for approval, with smaller ones tending to see more success.

“We want to have an agency that has a good technical acumen, understanding of what they’re trying to do,” Connelly said. “That’s important.”

Latest Podcasts