Zscaler Zero Trust Branch is now available in FedRAMP Moderate. For agencies pursuing CISA’s TIC 3.0 Branch Office Use Case, this is a direct implementation path, not a roadmap item.

I want to explain why that matters, and what problem Zscaler actually solves.

When we built the TIC 3.0 Branch Office Use Case during my time at CISA as the Federal TIC Program Manager, we were responding to a real and persistent problem: federal agencies with dozens, sometimes hundreds, of distributed locations, all constrained by a legacy architecture that demanded every packet travel back to a central access point before reaching the internet, a cloud service, or even a neighboring application.

That was TIC 2. That was the “TIC Tax.”

Field offices in rural counties. Regional labs. Benefits processing centers. IRS Taxpayer Assistance Centers. VA clinics. USDA service centers. Embassies, where 20 or more federal agencies may share a single facility. All forced through the same small number of Trusted Internet Connection Access Points, most concentrated in the National Capital Region, regardless of where the user was or where the application lived.

Agencies knew this was unsustainable. Missions needed speed. Users needed access. The applications were already moving to the cloud.
What TIC 3.0 Branch Office Actually Requires

The TIC 3.0 Branch Office Use Case is not simply “let the branch go direct.” That was not the intent.

What CISA defined was a set of architectural expectations for any branch that breaks out locally to internet, SaaS, or cloud services, or communicates with the agency campus or other branches:

- Policy Enforcement Points (PEPs) must exist between the branch and any external trust zone
- Security capabilities like content filtering, malware inspection, access control, and encryption validation must be applied consistently at those enforcement points
- Telemetry must be collected and shared with both CISA and the agency’s own SOC
- Trust zones must be defined, with clear boundaries between the branch, the campus, and external services
- Configuration management must ensure that enforcement points are deployed and maintained to a known baseline

None of this is optional. It is the minimum expectation for agencies adopting TIC 3.0 at the branch.

Why the Branch Was Stuck

The branch access problem was not a technology gap. It was a policy constraint.

Under TIC 2, OMB limited each agency to a small number of approved TIC Access Points. Direct internet access from branch offices was simply not permitted under that model. Every session had to traverse one of those designated chokepoints, no matter where the user sat or where the application was hosted.

The result: branch offices across the country were forced to backhaul traffic to headquarters or a regional TIC access point before reaching the internet. Latency climbed. User experience suffered. Cloud and SaaS adoption stalled at the edge, even as agencies invested in those platforms at the core.

TIC 3.0 removed that constraint. It allowed agencies to define new trust zones and place Policy Enforcement Points closer to the user. But removing the policy barrier was only the first step.
Agencies still needed a way to implement consistent security at every branch without recreating a true TIC access point at every location.

That was the real question.

How Zero Trust Branch Meets the Architecture

Zscaler Zero Trust Branch, now available in FedRAMP Moderate, directly addresses the TIC 3.0 Branch Office Use Case. Not in concept. In operation.

Here is how the architecture maps:

Policy Enforcement at the Edge, Without Appliance Sprawl

Zero Trust Branch routes all internet and SaaS traffic through Zscaler Internet Access (ZIA), which serves as the Policy Enforcement Point for outbound access. Traffic from each branch connects to the nearest Zscaler data center across a network of 150+ points of presence in the U.S. and globally. That means a field office in Boise or a service center in Atlanta is connecting to an enforcement point nearby, not routing traffic back to the DC metro area. Every session is inspected, filtered, and policy-enforced through the same cloud-delivered controls that protect agency headquarters. The enforcement point is consistent. The policy is uniform. The “TIC Tax” is eliminated.

Least-Privilege Access to Private Applications

For branch users who need access to agency campus applications or private resources, Zscaler Private Access (ZPA) brokers connections on a per-session, per-user, per-application basis. There is no site-to-site VPN. There is no network extension. There is no implicit trust granted by virtue of being “on the branch network.” Access is earned through identity, context, and policy. That is what TIC 3.0 and Zero Trust demand.

Device Segmentation to Contain Lateral Movement

TIC 3.0 defines trust zones. Zero Trust Branch enforces them, including inside the branch itself. Device segmentation isolates every connected endpoint (printers, cameras, badge readers, HVAC controllers, IoT sensors) into its own micro-boundary. Lateral movement between devices is denied by default.
This is increasingly critical in civilian facility environments where OT and IoT devices share physical space with user workstations.

OT/IoT Discovery and Isolation

Federal branches are not just offices. They are facilities with building management systems, physical access control, environmental monitoring, and operational technology. Zero Trust Branch discovers and classifies these devices automatically, without agents and without disruption, and applies policy enforcement that contains them.

Telemetry and Visibility

TIC 3.0 requires agencies to share telemetry with CISA and maintain internal visibility. Zero Trust Branch provides full session-level logging: who accessed what, from where, when, and how, for every connection transiting the platform. That telemetry feeds agency SIEM and SOC workflows and supports CISA reporting obligations.

Zero-Touch Provisioning and Configuration Management

TIC 3.0 expects configuration management rigor at the branch. Zero Trust Branch delivers zero-touch provisioning: new sites come online with policy pre-applied, without sending engineers to each location, without local configuration drift, and without manual baseline management. The branch inherits the agency’s security posture from day one.

Architecture Over Aspiration

I want to be clear about something. TIC 3.0 was never intended as a theoretical framework. We built it at CISA so agencies would have concrete, implementable architecture patterns for real-world scenarios. Branch offices were one of the first use cases published precisely because the pain was so acute and so widespread.

Zero Trust Branch is that implementation.
FedRAMP authorized, cloud-delivered, deployable today.

For agency CISOs and enterprise architects evaluating their TIC 3.0 posture at distributed sites, the path is now clear:

- Consistent policy enforcement for all branch internet and SaaS access via ZIA, delivered from local points of presence
- Identity-based, least-privilege access to private applications via ZPA, without VPN
- Device segmentation to enforce trust zone boundaries inside the branch
- OT/IoT discovery and containment, without additional infrastructure
- Centralized telemetry for CISA reporting and internal SOC operations
- Zero-touch provisioning aligned to TIC 3.0 configuration management expectations

TIC 3.0 defined what agencies need. Zero Trust Branch makes direct access actionable.

I want to thank the Zscaler Public Sector engineering and compliance teams for the work required to bring this capability through FedRAMP authorization, and for continuing to help agencies translate architecture guidance into something they can actually deploy.

Join us for a webinar on June 17 at 1pm ET to explore Zero Trust Branch further: Modernizing Federal Branch Security in GovCloud: A Zero Trust Approach to Distributed Locations.
