Modernizing Cybersecurity at the Defense Department

Thunderdome must clear an operational assessment and red team tests. DISA also faces the hurdles of scaling a new security tool and processes across enterprise DoD networks. We talk with DISA’s Drew Malloy about the challenges ahead.

Date & Time: On Demand
Webinar
Duration: 1 hour
Cost: No Fee

The Defense Information Systems Agency’s zero trust security model, Thunderdome, is moving toward the end of its pilot stage with a fielding decision scheduled for January 2023. First, the prototype needs to pass some tests before DISA can move on to the challenge of scaling it across Defense Department networks.

DISA awarded the Thunderdome other transaction agreement to Booz Allen Hamilton in January 2022. The OTA was extended for six months in July to work on a prototype to meet the requirements of the classified Secure Internet Protocol Router Network (SIPRNet), in addition to the original unclassified capabilities.

Drew Malloy, technical director for DISA’s cybersecurity and analytics directorate, says Thunderdome is now in the “operational assessment” phase. The program will go through red teaming, where testers simulate adversarial activity, before going to a fielding decision in January.

Thinking beyond the perimeter to gain end-to-end, cyber perspective

The zero trust model uses commercial capabilities like Secure Access Service Edge (SASE) and software-defined wide area networks (SD-WAN).

“The SASE solution is really top of mind as one of the big ones. We have our SD-WAN component that has security kind of built into our SD-WAN product so that we have more of a security stack that we can take and push down to the customer edge — get it closer to the data so that it’s more performant,” Malloy said.

“Then, we are taking a look at the application and our application security stacks that we have, as well as looking at from a cyber situational awareness perspective, how we do defensive cyber operations in the cloud? We’ve been very network-centric in our defensive posture for a lot of what we’re doing,” he continued. “So we wanted to take a look at all of the telemetry that’s being thrown off of some of the things that we’re putting out as part of Thunderdome. How do we look at that from an end-to-end perspective? Now, we aren’t just defending the perimeter or defending an application stack, we’re actually looking at end-to-end, user session–based security.”

Malloy said that beyond getting Thunderdome’s capabilities organized, certified and tested, his team is also focused on the task of scaling.

“The high-level strategy has remained relatively consistent, but we’ve looked at the actual implementations and what they’re going to look like,” he said. “We have such a huge footprint. How many different sites are we going to have? How are we going to manage those sites? What’s the provisioning going to look like? What’s the sustainment tail going to look like? Things of that nature have really been top of mind for how we push things out.”

Thunderdome’s zero trust prototype is intended to eventually meet the security needs of DoD’s fourth estate, agencies that aren’t a part of the military services. Malloy said DISA is open to partnering with other mission partners.

“But as a department, we have a pretty consistent track record of not agreeing on what one single solution is,” he added. “So we wanted to operate with that as a design constraint in mind to say, ‘There are going to be other solutions out there. How do we make sure that we work well together? How do we interoperate?’ That comes down to things as basic as identity, credential and access management. And then, how do we federate that solution to make sure that there’s really that consolidated view of identity within the department? And then moving to some of the capabilities within Thunderdome itself, how do we make sure that we aren’t isolating ourselves and/or having to stand up duplicative systems in order to achieve the same goal?”

Defense organizations move toward ‘quasi-enterprise’ zero trust

The military services typically have their own set of priorities and programs, and that’s no different with DoD’s zero trust security push so far.

“You’re not going to look at the Air Force, Navy, Marines, Army and tell them, ‘Wait for DISA to solve this for you,’ ” said Gram Slingbaum, federal solutions engineer at CyberArk. “The identity programs that are coming out of all the different services, they’re kind of having to stand up their own. And so they’re all quasi-enterprise. It’s not DoD-wide, but it’s maybe for a specific branch.”

The Pentagon has set a goal of reaching zero trust maturity across the vast U.S. military enterprise by 2027, while the White House Office of Management and Budget’s Federal Zero Trust Strategy directs civilian agencies to work toward adopting a zero trust architecture by the end of fiscal 2024.

The deadlines have agency IT teams moving out quickly to establish zero trust capabilities that can one day be implemented across their enterprises, trying to balance both speed and scale.

“We’re seeing pockets where it’s been highly successful and then grows into a bigger program,” Slingbaum said. “We’re also seeing folks that are on a smaller scale but have lost funding because it wasn’t an enterprise program. They pushed up the chain and were told to wait in line until the larger system comes on. So there’s not a one-size-fits-all here.”

Learning Objectives:

  • Thunderdome and Zero Trust
  • What’s after Thunderdome?
  • Industry analysis

Complimentary Registration
Please register using the form on this page or call (202) 895-5023.

Speakers
Gram Slingbaum
Federal Solutions Engineer, CyberArk
Drew Malloy
Technical Director for the Cyber and Analytics Directorate, Defense Information Systems Agency
Justin Doubleday
Reporter, Federal News Network