Federal Architecture Alignment Guide

TAC and CISA TIC 3.0

How TAC delivers Policy Enforcement Point security capabilities for the Trusted Internet Connections 3.0 trust-zone model — particularly the Remote User and Branch Office use cases that define modern federal access.

Note: TIC 3.0 is a federal architecture program overseen by CISA, OMB, and GSA. It is descriptive, not prescriptive — agencies have significant discretion in how they meet each security capability. TIC 3.0 spans many Policy Enforcement Point (PEP) capability areas, including some — email protection, DNS, content inspection, intrusion detection — that fall outside an access control platform. This guide describes the PEP capabilities TAC delivers for the access path, especially in the Remote User and Branch Office use cases. CISA telemetry-sharing obligations remain an agency responsibility; TAC produces the access telemetry that supports them but does not transmit to CISA on the agency’s behalf.

From network perimeter to trust zones

The most fundamental change in TIC 3.0 is the shift away from a single physical network perimeter toward trust zones — logical boundaries defined around applications, services, and environments rather than around the agency’s physical network edge. As agencies adopt cloud and support remote users, traffic no longer flows through one consolidated access point, so security must be enforced at the boundary of each zone.

TIC 3.0 organizes this through a Security Capabilities Catalog — Universal capabilities that apply across the enterprise, and Policy Enforcement Point (PEP) capabilities that secure traffic between specific zones — applied within use cases such as Traditional, Branch Office, Remote User, and Cloud.

TAC is purpose-built to be a Policy Enforcement Point at the boundary of a trust zone. Its reverse-proxy architecture authenticates, evaluates, and authorizes every request crossing into a protected zone, on a single encrypted port, regardless of where the user or the application sits. This is exactly the model TIC 3.0 envisions for the Remote User and Branch Office use cases — and a natural fit for agency cloud migration.

PEP Security Capabilities

Where TAC Delivers Primary Coverage

TAC delivers the access-path PEP capabilities from the TIC 3.0 Security Capabilities Catalog — the ones concerned with who reaches a zone, how they authenticate, and what crosses the boundary.

Access Control & Identity PEP

Authentication & Authorization — Primary Coverage

TIC 3.0 Security Capability | How TAC Delivers
Authentication | Every user and entity is authenticated before crossing into a protected zone. TAC federates with Active Directory, LDAP, SAML, OIDC, RADIUS, and SQL identity sources, and enforces multi-factor authentication — FIDO2, hardware tokens, push, OTP, SMS, and more — on every session.
Authorization & access control | Per-user, per-application, per-protocol authorization is enforced at the proxy on every request. Access decisions reflect identity, device posture, and policy — not network location.
Least privilege / segmentation | Each protected application is its own trust zone, reachable only by authorized identities meeting policy. There is no flat network behind TAC for an attacker to traverse.
Hardened access path | TAC exposes a single encrypted inbound port (TLS 1.2 or TLS 1.3 with FIPS 140-2 compliant cryptographic modules). All other inbound ports to the protected zone are closed.

Connection & Data Protection PEP

Encryption & Boundary Enforcement — Primary Coverage

TIC 3.0 Security Capability | How TAC Delivers
Encryption in transit | All traffic crossing the zone boundary through TAC is encrypted end-to-end, protecting data in transit between the user and the protected application.
Zone boundary enforcement | TAC is the enforcement point at the boundary of each trust zone. Every request is inspected, authenticated, and authorized before it reaches anything inside the zone; unauthorized traffic is dropped at the proxy.
Application-layer enforcement | As a reverse proxy, TAC enforces policy at the application layer — including for legacy, thick-client, RDP, SSH, and forms-based applications — without modifying those applications.

Logging & Telemetry

Audit & Visibility — Primary Coverage

TIC 3.0 Security Capability | How TAC Delivers
Logging & auditing | Every authentication, authorization decision, session, and policy event at the zone boundary is logged with full attribution — a high-fidelity record of all access crossing into protected zones.
Telemetry for CISA reporting | TAC logs export to SIEM, where agencies aggregate the telemetry TIC 3.0 expects them to share with CISA. TAC produces the access telemetry; the agency’s reporting pipeline transmits it.

Use Cases

Strongest Fit: Remote User & Branch Office

TIC 3.0 use cases describe how agencies implement TIC where traffic does not flow through a traditional access point. TAC fits the access-driven use cases directly.

Remote User Use Case

TAC authenticates remote users, evaluates device posture, and brokers access to agency applications on a single encrypted port — no VPN, no open inbound ports, no agent required. Remote users reach only the applications they are authorized for, with policy enforced on every request, exactly as this use case envisions.

Branch Office Use Case

For remote offices accessing agency resources, TAC enforces the trust-zone boundary without backhauling traffic through a central access point. Each branch reaches protected applications through the same identity-, posture-, and policy-based enforcement, regardless of where those applications are hosted.

Out of Scope

PEP capabilities TAC does not provide

TIC 3.0’s Security Capabilities Catalog spans Policy Enforcement Point areas beyond access control — including email protection (anti-phishing, anti-spam), DNS filtering, web content inspection and filtering, intrusion detection and prevention, and data loss prevention. TAC does not provide these capabilities. It secures the access path into trust zones and produces access telemetry; agencies combine TAC with email, DNS, content-inspection, and IDS/IPS tooling to address the full catalog. Universal capabilities such as the agency’s overarching security policy, incident response program, and contingency planning are organizational responsibilities outside any access control platform.

A natural fit for federal cloud migration and zero trust

TIC 3.0 was designed to help agencies securely adopt cloud and support remote work — and to establish a foundation for zero trust. TAC advances all three goals at once. Because TAC abstracts application location, an agency can migrate a workload from a data center to the cloud without changing access policy or disrupting users: the trust-zone boundary moves with the application, and the user experience is unchanged.

The same enforcement that satisfies TIC 3.0 PEP capabilities also advances the agency’s zero trust posture under OMB M-22-09 and NIST SP 800-207. The access decisions, authentication records, and audit telemetry are shared evidence across all three.

For agencies pursuing TIC 3.0 and zero trust together, see the companion TAC and NIST Alignment Guide and TAC and FedRAMP Guide.

Implementing TIC 3.0 at Your Agency?

Our team can map your trust-zone architecture against the TIC 3.0 Security Capabilities Catalog and show how TAC delivers the access-path PEP capabilities for the Remote User and Branch Office use cases.
