BALTIMORE — The Defense Information Systems Agency is scrubbing its budget and program plans over the next year to make sure the agency is making the right investments as flat defense budgets loom on the horizon.
The “Strategic Program Assessment” is intended to make sure every dollar DISA spends is in line with its priorities, according to DISA Director Lt. Gen. Robert Skinner. The agency just released a two-year “Strategic Plan” detailing key lines of effort, including a prioritization of command-and-control capabilities to support the Defense Department’s broader “Joint All Domain Command and Control” effort.
“This is really about how do we get after and understand exactly where every single dollar and position are aligned? And are they aligned to the right priorities?” Skinner said during a media roundtable with reporters here at AFCEA’s “TechNet” conference on Thursday.
“As we look at the future of the resourcing aspect of things, I would offer the budget and the resources would probably be flat,” he added. “Just look at the nation and the many different things that we want to drive from an economic standpoint, and from a social standpoint.”
Skinner also described how the review could corral DISA programs, especially pilots, that are stretching the agency’s budget.
“Every time something is asked for, let’s do a pilot, and we’ll get a pilot out there,” he said. “The warfighter loves it, the mission partner loves it. And it never gets turned off. Nor was it properly tested, nor was it properly understood exactly how it is going to be used. As we look at these things, great initiatives, but have we done the due diligence to make sure that it can expand, that it has the right capacity, and that the right resources have been aligned?”
DISA has an $11.9 billion annual budget, with the majority — $8.5 billion — coming through the Defense Working Capital Fund. The remaining $3.4 billion is through congressional appropriations.
With the Pentagon in the late stages of developing its fiscal year 2023 budget request, Skinner said it’s likely the review will have the biggest effect on DISA’s fiscal year 2024 request and the accompanying five-year budget plan, the Program Objective Memorandum (POM). But DISA will look to make the necessary changes where it can before the FY 2024 budget request comes around.
“We have some flexibility there working within the department leadership to get after those things because we can’t wait until ’24 for some of the initiatives that we have going on,” Skinner said, citing the use of automation for cybersecurity and DISA’s zero trust “Thunderdome” project as examples.
The latter project is aimed at creating a “new zero trust and network security architecture,” according to DISA’s strategic plan. Pentagon officials want to shift the Defense Department to the new zero trust security model, while the Biden administration has directed civilian agencies to move to the new concept as well.
DOD requested $615 million in FY 2022 for implementing zero trust architectures and the associated “Comply-to-Connect” security program.
DISA plans to award an other transaction agreement for Thunderdome prototyping in November, with potential plans for a follow-on production award, according to officials.
Steve Wallace, DISA’s chief technology officer and director of the emerging technology directorate, said Thunderdome is aimed at “moving up from a network-based approach to more of a data centric approach to defending.”
“Rather than trying to sit at a network level between the user and the data that they’re trying to access, the idea behind Thunderdome is to move those protections towards the edge, but then also start to take into account other factors that are occurring with that user’s interaction,” Wallace said.
The shift to remote work has also increased the imperative to shift to a zero trust model, as opposed to the traditional castle-and-moat approach to security where data and users are centralized in networks behind firewalls and other protections. At DISA, for instance, approximately 80% of its 19,000-person roster is now working remotely.
“Especially during the pandemic, we saw a dramatic uptick in where users were accessing the data from,” Wallace said. “So those same methodologies that we employed before don’t work as well against those different patterns that we’re seeing out of the users.”
The hope is also that implementing zero trust security principles, along with associated identity tools, will help “kill the CAC,” as Skinner put it, referring to the Common Access Cards DoD personnel use to access department computers and networks.
“The CAC has been an amazing identity piece of the puzzle from a security standpoint — it’s 10-15 years old,” Skinner said during Wednesday’s keynote at TechNet. “There is technology out there today that is far better than the CAC to be the primary authentication mechanism for the department.”
DISA officials also stressed that using automation to help manage the increasing pace of cyber attacks on DoD’s information networks is a major priority.
“The threat’s never been higher,” Rear Adm. Bill Chase, deputy commander of Joint Force Headquarters-Department of Defense Information Network, said during the roundtable. “It’s also been commoditized. Malware has been commercialized. It’s essentially organized crime on an international scale.”
Brian Herman, director for cybersecurity and analytics, said the increase in cyber attacks combined with many DoD users now accessing the department’s networks remotely is forcing DISA to rethink how it approaches buying cyber defense tools.
“What we’re focused on is automation and AI and tools like that, so that we can relieve the pressure on the analysts, and get the high priority things in front of them very quickly,” Herman said.