1. MattPa+(OP) 2022-01-27 18:08:14
It says that VPNs and other network tunnels should not be relied on.

Where does it say they should go away?

replies(1): >>nybble+z7
2. nybble+z7 2022-01-27 18:40:09
>>MattPa+(OP)
"Further, Federal applications cannot rely on network perimeter protections to guard against unauthorized access. Users should log into applications, rather than networks, and enterprise applications should eventually be able to be used over the public internet. In the near-term, every application should be treated as internet-accessible from a security perspective. As this approach is implemented, agencies will be expected to stop requiring application access be routed through specific networks, consistent with CISA’s zero trust maturity model."

"Actions … 4. Agencies must identify at least one internal-facing FISMA Moderate application and make it fully operational and accessible over the public internet."

replies(2): >>shkkmo+Hk >>MattPa+H81
3. shkkmo+Hk 2022-01-27 19:34:11
>>nybble+z7
Which is saying that agencies have to stop relying on / requiring VPNs for authorization and access control, not that any user has to stop using VPNs.
replies(1): >>nybble+Eq
4. nybble+Eq 2022-01-27 19:57:21
>>shkkmo+Hk
It's true that they didn't mandate detecting and blocking accesses from VPNs, if the user chooses to connect through one. However, they pretty clearly are saying that the application should be exposed to the public Internet, which is the opposite of what enriquto claimed[0] earlier in this thread:

> As I understand it, this sentence says that the application should be safe even if it was exposed to the public internet, not that it needs to be exposed.

[0] https://news.ycombinator.com/item?id=30103558

5. MattPa+H81 2022-01-27 23:00:31
>>nybble+z7
Yes, good point.

I wonder if that applies to all infrastructure, or just enterprise applications.
