CISA's New Playbook Nudges Agencies Toward Zero Trust — and Everyone Else Can Read Along
The agency's updated TIC 3.0 guidance folds Secure Access Service Edge into federal network modernisation, and the advice travels well beyond government.

Key points
- The Cybersecurity and Infrastructure Security Agency (CISA) published new guidance titled The Journey to Zero Trust – Using Secure Access Service Edge in a Modern TIC 3.0 Solution.
- The document explains how federal agencies can modernise the way staff connect to apps, data and cloud services.
- CISA says private organisations moving away from old-style network perimeters can use the same playbook.
- The guidance sits inside CISA's broader push for zero trust, a security model that assumes no user or device is safe by default.
CISA has quietly dropped another piece of its zero trust puzzle. The new guidance walks agencies through how to weave Secure Access Service Edge — a cloud-delivered way of protecting users no matter where they log in from — into the government's Trusted Internet Connections programme, now on version 3.0.
That programme, known as TIC, used to be about funnelling federal internet traffic through a small number of heavily guarded gateways. It worked when everyone sat in an office. It creaks now that staff work from kitchens, coffee shops and cloud apps their agency doesn't own.
What is CISA actually telling agencies to do?
In plain terms: stop treating the office network as a castle wall.
The old model assumed that once you were inside the network, you were trusted. Zero trust flips that. Every login, every device, every request to open a file gets checked, every time. Secure Access Service Edge — usually shortened to SASE, pronounced "sassy" — is one way to enforce those checks from the cloud rather than from a box in a server room.
CISA's document, published under its Cybersecurity Advisories channel, lays out how the two ideas fit together. TIC 3.0 sets the policy goals. SASE is one of the tools that can meet them.
Why should anyone outside government care?
Because the problem CISA is solving is the same problem most companies have.
Staff are scattered. Data lives in someone else's cloud. The firewall at head office no longer sees half the traffic that matters. Hospitals, law firms, retailers and manufacturers are all trying to work out how to protect people who never touch the corporate network anymore.
CISA states plainly that any organisation looking to modernise perimeter-based architectures, advance zero trust adoption, and improve visibility and control across distributed environments will benefit from the guidance. That is an unusually broad invitation from a federal agency.
What does this mean for ordinary users?
Probably very little day to day, and that is the point.
Done well, zero trust is invisible. You log in, your device is checked in the background, and you get to the app you need. Done badly, it means more password prompts, more multi-factor codes, and more frustrated calls to the help desk. The CISA guidance is aimed at the architects making those choices.
For citizens interacting with federal services, the practical hope is fewer breaches of the kind that have leaked personnel records and tax data in past years. For employees at private companies following the same playbook, expect single sign-on, device health checks, and more scrutiny of unusual logins from unfamiliar places.
The wider direction of travel
This is not a standalone announcement. It sits alongside the White House's 2022 zero trust strategy, the Office of Management and Budget's deadlines for agencies, and a steady drumbeat of CISA documents pushing the same direction.
Attribution caveat, of sorts: none of this stops a determined intruder on its own. Zero trust reduces blast radius. It does not eliminate risk. Agencies still need patching, monitoring, and staff who can spot a phishing email — a fake message designed to trick someone into handing over a password.
The full guidance and related zero trust materials are available on CISA's site. Feedback goes through the agency's product survey.



