The Defense Information Systems Agency issued a multimillion-dollar award Tuesday to start building the foundations of what could become an entirely new cybersecurity and network architecture for the Defense Department, starting to move DoD toward the concept of zero trust.
DISA said it chose Booz Allen Hamilton for the $6.8 million zero trust prototype project, which the agency calls Thunderdome. The company will spend the next six months building the first testbed implementation of a zero trust reference architecture DISA first published nearly two years ago.
“Thunderdome reflects a substantial shift to a next generation cybersecurity and network architecture for DoD,” Chris Barnhurst, DISA’s deputy director, said in a statement. “Rooted in identity and enhanced security controls, Thunderdome fundamentally changes our classic network-centric defense-in-depth security model to one centered on the protection of data and will ultimately provide the department with a more secure operating environment through the adoption of zero trust principles.”
DISA sees Thunderdome as a potential replacement for DoD’s Joint Regional Security Stacks, the department’s current main approach to monitoring and securing its networks. DoD decided last year to start winding down the JRSS project, which had been criticized by one of the department’s main oversight bodies as being operationally ineffective.
But the Thunderdome model represents an entirely different way of thinking about security. Like other zero trust approaches, it is designed to operate on the presumption that intruders have already penetrated DoD’s networks, and to focus on securing individual data elements, implementing new identity management techniques and segmenting the network in ways that make it more difficult for attackers to hop from one section to another.
To that end, it is heavily focused on implementing two commercial concepts: software-defined wide area networking (SD-WAN) and Secure Access Service Edge (SASE) – the latter of which is meant to combine cybersecurity services and wide area networking, and deliver both in the cloud itself, since DoD’s applications and data are increasingly running in cloud environments.
“We had a network-based architecture that was supported by a network-based cybersecurity framework, and it’s no longer that way with the cloud,” Maj. Gen. Garrett Yee, the assistant to DISA’s director, told vendors during an industry day in October. “This impacts the perimeter, the mid-tier, and the endpoint … there are going to be big moves of money over time, but we’ll see some in the next two years.”
For now, though, the main aim of the prototype Booz Allen will conduct is to see how DISA’s notional zero trust architecture works in the real world. The agency also wants to determine whether its initial concepts are scalable to the massive DoD IT enterprise, and which tweaks are needed to prove out the principles on military networks.
“But Thunderdome is not the end-all-be-all of our zero trust strategy. It is a component to help move us into that mindset,” Steve Wallace, the agency’s chief technology officer, said during October’s industry engagement. “We’re really trying to push some limits here, and Thunderdome is very important to the agency and the department as a whole, but it doesn’t fill all of the gaps. So we’ll continue to build things out and look for other opportunities to employ a lot of those concepts.”