Security Service Edge (SSE) Onboarding Project

Related Links

Contact

Sean McNiff
Project Manager

Progress update - February 2026

Security Services Edge (SSE) Onboarding Project

SSE continues to mature as an enterprise service offering. Recent sprints focused on validating technical readiness, refining agency onboarding steps, and developing the agendas and paths forward for agency cohorts to successfully adopt the enterprise service.

Here's our February update:

  • Cohort 1 is underway! The state Department of Revenue, state Investment Board, state Department of Services for the Blind, and state Office of Financial Management are currently onboarding the SSE service!
  • WaTech has begun to remove users from the User SSL VPN pool as the WaTech SSE administrator defines applications and workloads for users across our agency.
  • Ecology became the first partner agency to complete its SSE implementation project!

 

SSE timeline

Overview

Background

WaTech is implementing the Security Service Edge (SSE) as an enterprise offering to replace the Virtual Private Network (VPN) service. The new cloud-native security solution will integrate Secure Web Gateway (SWG), Cloud Access Security Broker (CASB), and Zero Trust Network Access (ZTNA). This essential initiative will enhance security for the remote workforce and accelerate the state's transition to cloud services.

The project is developing policies, procedures, and integration requirements for the SSE service. It is piloting onboarding with five agencies and transitioning the onboarding and maintenance processes to operations.

Gantt chart for project

Vision

Establish Security Service Edge (SSE) as a core enterprise service that strengthens Washington’s IT infrastructure, improves resilience, and ensures secure, efficient delivery of state services. 

Project goals

  • Deploy SSE to 100% of WaTech, Department of Fish & Wildlife (DFW), Employment Security Department (ESD), and Department of Ecology by December 31, 2025. Begin migrating DSHS and ESD by January 2026.
  • Ecology has completed 100% of its migration.
  • Completed: WaTech will offer SSE as an enterprise service to all state agencies starting July 1, 2025.
  • Note: The project was briefly delayed by initial configuration issues, now resolved. The original goal was full SSE deployment to WaTech, the Department of Social and Health Services (DSHS), DFW, ESD, and Ecology by August 7, 2025.

Key features and benefits

Zero Trust Network Access (ZTNA)

Verifies user identity and device posture before granting application access. This eliminates implicit trust and reduces the attack surface.

Benefits:

  • Enhance security by allowing only authenticated users access to specific applications.
  • Uses micro-segmentation to restrict access to necessary data only.
  • Enables real-time threat detection and response through continuous monitoring.

Secure Web Gateway (SWG)

Protects against web-based threats such as malware and phishing. Provides full visibility into encrypted traffic and uses User and Entity Behavior Analytics (UEBA) to detect anomalies.

Benefits:

  • Enables seamless app access from any device, anywhere—no VPN required.
  • Strengthens threat protection.
  • Reduces downtime with adaptive controls and real-time monitoring.

Borderless Wide Area Network (BWAN)

Combines zero-trust security with network optimization to ensure secure, high-performance access for remote users and cloud services.

Benefits:

  • Automates access management.
  • Improves response to security threats through ongoing monitoring.
  • Reduces reliance on legacy VPNs, cutting maintenance costs.

Rate for SSE Service

The SSE service rate is $12.50 per user, per month.

This rate includes license costs, tax, professional services, Virtual Machines, and WaTech overhead. Overhead includes additional Full Time Employees (Global tenant administrators and maintainers), Professional Services costs, and Virtual Machines (publishers) required to securely connect users to private applications.

Billing for SSE follows a flat rate model, where agencies provide their total user count and receive a monthly flat rate fee based on total number of users. A user count evaluation will be conducted after the first year to determine if any adjustments are required. 

Agencies can begin deprecating SSL VPN as they onboard to SSE. The SSL VPN service will remain available to support use cases not yet compatible with SSE.

Each agency will receive two publishers by default. WaTech will provide additional publishers at no extra cost as agency needs grow.