DISA intends to incorporate post-CAC MFA solutions into Thunderdome

Best listening experience is on Chrome, Firefox or Safari. Subscribe to Federal Drive’s daily audio interviews on Apple Podcasts or PodcastOne.

The Defense Information Systems Agency has made it clear in the past that it wants to begin moving beyond the use of common access card for multifactor authentication. Christopher Barnhurst, executive deputy director for DISA, said the agency is actively experimenting with other forms of multifactor authentication, which will eventually tie into the DoD’s zero trust construct, Thunderdome.

“The common access card is really two factor authentication. … It combines basically your digital identity with a PIN, and allows you access to all sorts of DoD specific applications,” Barnhurst said during a Nov. 15 FedInsider webinar. “In today’s DoD environment, DISA provides capabilities for users to leverage Apple and Android devices, amongst others, to access their DoD email, along with DoD approved apps. And in that email, some of the emails we send are encrypted. And we’ve created the ability through partnership with industry for folks to read those encrypted emails on their government-issued cell phone. And that uses a form of multi factor authentication that is outside of the CAC card. Similarly, we’ve created some cloud identity services that leverage technology that allows us to do multi factor authentication.”

Barnhurst compared these cloud services to using a banking app at home, where a security PIN gets texted to the user and allows them to log into their account. The key, he said, is to combine multiple attributes in order to authenticate users. Other such attributes may be biometric; Barnhurst said DISA has experimented with using user-specific physical distinctions like the way they hold and look at their phones, or the way they walk. All of these attributes combine to create a risk score for that user, which then determines access.

“The technology is there to do something different than just the CAC card in ways that maybe enhance security going forward. From a Thunderdome perspective, we integrate these kinds of capabilities into what we call identity credential and access management, or ICAM. And that really underpins everything from a fundamental or zero trust perspective,” he said. “Much of zero trust is based on verifying a user’s identity and that their device is a known, good device, and it’s that ICAM solution that allows us to do that authentication and make those verifications.”

And that authentication and verification process is the first of three pillars that Thunderdome is built on, Barnhurst said. The second pillar is using those verified identities to make access and privilege conditional. That means segmenting what data users are allowed to access based on their privileges in order to stymie bad actors and insider threats. The third pillar is verifying data and apps themselves.

But Barnhurst said there’s another element that’s equally as important, that he would even refer to as a fourth pillar.

“We want to implement technologies that will segment the network in a way that makes lateral movement very hard. So in today’s environment, if an adversary penetrates that network, one of the first things we worry about is lateral movement, crossing domains, and exploiting different datasets. It becomes harder and harder to track,” he said. “There’s technologies out there that are in existence today that industry could provide that allow us to basically segment the network — add lanes to the superhighway, if you will — that makes that very, very hard for an adversary to do even if they already get past some of our initial defenses.”

One of the solutions Barnhurst said DISA is looking at to accomplish this is software-defined networking, which he said enables rapid microsegmentation of the network. That’s the kind of technology DISA will be looking for industry to bring to the table as part of Thunderdome.

Barnhurst said DISA is currently taking steps to work through internal department processes to get resources aligned behind Thunderdome.

“In other words, it’s not just a concept, but it is truly a funded effort going forward over the next three to five years,” he said. “And we’ve put together a roadmap about how we want to evolve technologies into that construct over time.”

Related Stories

Comments

On DoD

WEDNESDAYS, 11 A.M. & 2 P.M.

Each week, Defense Reporter Jared Serbu speaks with the managers of the federal government's largest department. Subscribe on PodcastOne or Apple Podcasts.