The success of the Defense Department’s zero trust push is inherently going to rely on the tools and services of contractors, who will help fill the gaps in the 45 security capabilities laid out in DoD’s zero trust strategy.

And for Brian Hermann, the director of cyber security and analytics for the Defense Information Systems Agency, one of the key things he needs from vendors amid DoD’s push to its “target” level zero trust architecture by 2027? Honesty.

“I think we also need everybody to be realistic about what their tools bring to the fight,” Hermann said on Federal News Network. “Because one way that I know that a vendor is not telling me the truth is if they tell me that their tool can hit the easy button for zero trust. That’s just not realistic.”

DISA is advancing DoD’s zero trust architecture push through its “Thunderdome” program, which successfully completed its prototype phase earlier this year. The agency is now looking to add other elements to the program. So far, featured two primary applications: a software-defined networking (SD-WAN) and a Secure Access Service Edge (SASE).

“Those capabilities proved themselves to be successful so that we we achieved a decision to more broadly deploy those capabilities across this terrain,” Hermann said.

Thunderdome isn’t a one-for-one replacement for DISA’s Joint Regional Security Stacks, but the program is putting in place zero trust capabilities that replace the functionality of JRSS, Hermann explained. The SASE capability puts the security stack “much closer to the customer” than the JRSS entry points, he said.

“That’s a key capability for us to be able to make critical access control decisions. I call them fine-grained access control decisions, so we can leverage information about a user, about their device and make that access control decision,” Hermann said. “And we’re using it today right now with the folks that have been successfully piloting the capabilities as part of Thunderdome.”

But that’s also where the industry piece comes back in. As the military services and other DoD components adopt zero trust capabilities, the key will be ensuring the various tools and services work together.

“I don’t necessarily care whether we use exactly the same tools, or whether we use exactly the same contracts — you’d like to try to make sure that we save money as we do this – but most importantly, I want to look for those places where we need interoperability,” Hermann said. “And it’s where, to be frank, industry is not necessarily as mature as we would like. With SASE, we’re concerned that if organizations do too many different things, the vendors’ tools don’t talk to each other yet. So we’re driving for vendors to work together and establish some standards.”

Hermann said that DISA Chief Technology Officer Steve Wallace and his team have traveled to Silicon Valley to discuss interoperability with many of the technology companies involved in the zero trust security space.

“Realistically, we are so large, so complex, it’s unlikely that one single tool is going to be the selection for the entire department,” Hermann said. “And so if you need to work together and everybody gets a piece of this, going forward, how do we make sure that these things don’t generate either a bad user experience.”

From the major cloud providers on down to specialized tool vendors, DoD officials will be looking to stitch together a zero trust architecture that’s effective in securing data, but doesn’t make the user experience a nightmare.

Christopher Day, the vice president of strategic capabilities and programs and chief technology officer at Tenable, said there are some key things DoD officials and their industry partners will need to consider as they build that architecture out.

“When I’m looking at modern products, say through a procurement, those are some of the things I start to look for,” Day said. “Can I can I make that system talk to another system? How can I move data from that system? I’m not going to be locked into some proprietary formats. Things like that. If a vendor is trying to lock me in to a weird format, or something like that, I get pretty sketchy about that. And so I think anybody who’s looking to tie multiple products together, those are some of the things you want to look for.”

Learning objectives:

  • Zero trust and cyber initiatives at DISA
  • Achieving the target level of zero trust
  • Industry analysis

Complimentary Registration
Please register using the form on this page or call (202) 895-5023.


Brian Hermann

Cyber Security and Analytics Director

Defense Information Systems Agency

Christopher Day

Vice President of Strategic Capabilities and Programs and Deputy CTO


Justin Doubleday


Federal News Network


By providing your contact information to us, you agree: (i) to receive promotional and/or news alerts via email from Federal News Network and our third party partners, (ii) that we may share your information with our third party partners who provide products and services that may be of interest to you and (iii) that you are not located within the European Economic Area.