For agencies, zero trust and TIC 3.0 are now mission requirements
The 2020 SolarWinds attack exposed a fundamental failure in the federal government’s IT trust model across interconnected environments.
The attackers gained access by exploiting systems that were trusted by design. Once inside, that implicit trust enabled quiet, lateral movement at scale. The breach persisted for months because access was granted broadly and persistently, without continuous verification.
For agencies responsible for national defense, public safety, health care, and civilian services, the lesson was clear: Cybersecurity could no longer be treated as a perimeter-based problem, and agencies needed a fundamental shift in how trust is established, enforced, and revoked across federal environments.
The end of the perimeter illusion
Earlier perimeter-based security models made sense when users sat on fixed networks, applications lived in data centers, and “inside” and “outside” were clear boundaries. Cloud, SaaS, mobile work, and globally distributed missions wiped out that perimeter years ago. Many environments, though, continued to rely on the same assumption: authenticate once, then trust broadly. SolarWinds showed how quickly that model breaks down. Zero trust emerged as a solution to that reality.
At its core, zero trust replaces assumed trust with evidence-based access. Every request is evaluated using real-time signals such as identity strength, device posture, application context, and behavioral indicators, and is reevaluated continuously. The objective is not perfect prevention, but limiting blast radius, constraining lateral movement, and detecting anomalies before missions are disrupted.
As zero trust becomes standard across the federal government, the next phase will tackle how to operationalize it at scale, measure its effectiveness, and integrate it into daily mission execution. Many agencies have made progress modernizing identity and access, yet still struggle with visibility gaps, lateral movement, and legacy network dependencies that quietly reintroduce implicit trust.
Where TIC 3.0 changes the equation
Zero-trust principles outline the approach, but operationalizing them across complex, hybrid environments is where Trusted Internet Connections (TIC) 3.0 becomes critical.
Earlier versions of TIC centralized security at a small number of access points, creating latency, fragility, and what many agencies called the “TIC tax.” TIC 3.0 intentionally breaks from that model. Instead of dictating where traffic must flow, it focuses on the outcomes agencies must achieve: visibility, policy enforcement, and risk reduction.
TIC 3.0 enables security controls to move closer to users, workloads, and data, whether on-premises, in the cloud, or at the edge, while still preserving enterprise-wide visibility through modern telemetry. The Cybersecurity and Infrastructure Security Agency’s Comprehensive Log Aggregation Warehouse (CLAW), for example, replaces reliance on static perimeter sensors with integrated signals across identity, endpoint, network, and cloud environments. TIC 3.0 forces agencies to confront where trust is enforced, how risk is managed, and how missions remain resilient when assumptions fail.
While agencies have made progress, uneven zero-trust adoption remains a major risk. Identity may be modernized while networks stay flat, or cloud workloads may be protected while legacy pathways persist. Adversaries increasingly exploit these gaps where modernization has not kept pace.
Resilience is the new measure of success
Disruption reveals whether a security architecture can hold up. One federal agency supporting global operations modernized its architecture by distributing enforcement, reducing reliance on legacy gateways, and diversifying connectivity. When the COVID-19 pandemic forced an immediate shift to remote work, that architecture was tested overnight. It didn’t collapse. Access scaled, performance improved, and operations continued.
That experience reflects a broader shift underway. Federal cybersecurity is moving toward mission assurance. In an environment where adversaries exploit trust relationships, resilience is defined by how well agencies can limit damage, adapt quickly, and sustain operations under pressure.
Zero trust and TIC 3.0 are not products. They are architectural foundations that enable agencies to operate securely in contested environments, modernize without disruption, and deliver the services citizens depend on. The real test is whether policy, tooling, and investment translate into resilience under real-world pressure.
Sean Connelly is the executive director for global zero trust strategy and policy at Zscaler. He previously served as the zero trust initiative director and TIC program manager at CISA.