The Defense Information Systems Agency is closing in on a decision on whether or not to fully enter the Thunderdome.
Like a “Mad Max” movie from the 1980s, DISA’s choice will focus on survival — in its case, from cyber attacks.
There are several factors DISA is weighing about whether to move forward with this zero trust prototype. DISA officials say that decision should come in January.
“We’re doing an evaluation that’s very objective. We are using the Joint Interoperability Test Command (JITC) as our test and evaluation command to look at it from an operational assessment and operational tests perspective,” said Dr. Brian Hermann, who leads the Cyber Security and Analytics Directorate at DISA, at the Nov. 7 industry day in Towson, Md. “We have objective measures that we use. Some of those are cybersecurity measures. But we’re also evaluating the performance from an end user perspective as well.”
Hermann said DISA has rolled out the prototype in phases, including at agency headquarters at Fort Meade and in its offices in Hawaii and the Indo-Pacific Command (INDOPACOM) region. He said DISA expects to expand Thunderdome to workers in the Pentagon in November.
DISA also is testing Thunderdome capabilities through the Defense Enclave effort for the Fourth Estate agencies and Joint Service Provider partners in the Pentagon.
Currently, the Thunderdome prototype is rolling out on both the classified and unclassified networks.
“We do a comparison of the cybersecurity capabilities against what we have today. Is it as good or better, while giving us the ability to look at things from a zero trust perspective? Is it going to allow us to eliminate some things that we’ve done in the past at the mid-tier functions?” he said. “I’ll give a couple examples: does it limit or stop lateral movement across the backbone? Do we limit lateral movement inside of enclave networks as well? Have we replaced the way that we do virtual private networks (VPNs) today with a secure way to connect for teleworkers? Yes, we think those things are being evaluated, and it’s not just the performance and not just the speed. But those things are happening as well.”
DISA had some confidence as it expanded the prototype because it had tested the capabilities in the lab first to make sure the technology worked.
Prototype started in January
DISA awarded a roughly $7 million contract to Booz Allen Hamilton last January under an other transaction agreement (OTA). The goal, in part, was to test several tools and capabilities that would move DISA, and really any agency that wanted to use this architecture approach, closer to a zero trust environment. The focus of the prototype was across six of the seven pillars DoD outlined in its maturity model — all but the data pillar. DISA says the data piece would have made this effort too complex because data categorization is among the most challenging parts of zero trust for DoD.
Through Thunderdome, DISA has been focused on implementing two commercial concepts: software-defined wide area networking (SD-WAN) and Secure Access Service Edge (SASE). SASE is meant to combine cybersecurity services and wide area networking, and deliver both in the cloud and on premises, since DoD’s applications and data are increasingly running in cloud environments.
Hermann said the Thunderdome pilot is tying several elements of zero trust together.
“For this to work, we have to be able to say, ‘Who is the individual that’s trying to access a capability or data? How do we know that that’s them?’ So we use public key infrastructure (PKI). We use identity credentialing and access management (ICAM) to say I can verify that’s Brian, and then through ICAM, we can say he does have access to this. But wait a second, I’m not sure about him because his device has not been patched. It’s maybe not coming from a trusted network or a trusted location,” he said. “That’s the kind of thing that we’re going to eventually get to. It really is going to be something that has to be done across the department to make those fine-grained access control decisions.”
Hermann added that the pilot is already doing that in the Microsoft Office 365 environment used by employees, so when they log in from their personal computers using their common access card (CAC), they can see email but can’t download or print.
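The access decision Hermann describes combines several signals: a PKI-verified identity, an ICAM entitlement, and device and network posture, with the result being a set of permitted actions rather than a plain allow/deny. The following is an added illustration of such a policy decision point, written for this article; it is not Thunderdome, DISA or vendor code, and every attribute name, threshold and sample request in it is a constructed assumption. It generalizes the single case in the text (personal computer with a CAC can read mail but not download or print) to the other posture combinations the quote mentions, such as an unpatched managed device or an untrusted network.

```python
"""Illustrative zero trust policy decision point (hypothetical, not Thunderdome code).

An access request carries an identity result (PKI), an entitlement result (ICAM)
and posture signals about the device and network. The policy returns the set of
actions the subject may perform on the resource plus the reasons for the decision,
which is what an audit log or a user-facing denial message would need.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class AccessRequest:
    subject: str
    resource: str
    cert_valid: bool        # PKI: presented certificate chains to a trusted CA and is unrevoked
    entitled: bool          # ICAM: subject is authorized for this resource
    device_managed: bool    # device is enrolled in enterprise management (False = personal computer)
    device_patched: bool    # endpoint reports a current patch level
    network_trusted: bool   # request originates from a trusted network or location


@dataclass
class Decision:
    allowed: frozenset        # subset of ALL_ACTIONS
    reasons: list = field(default_factory=list)


ALL_ACTIONS = frozenset({"read", "download", "print"})


def evaluate(req: AccessRequest) -> Decision:
    """Compute the permitted actions for a request.

    Identity and entitlement are prerequisites: failing either yields no actions.
    Posture signals then widen access step by step, so a weaker posture degrades
    to fewer actions instead of a hard denial.
    """
    reasons = []
    if not req.cert_valid:
        reasons.append("identity not verified by PKI")
    if not req.entitled:
        reasons.append("no ICAM entitlement for %s" % req.resource)
    if reasons:
        return Decision(frozenset(), reasons)

    allowed = {"read"}
    reasons.append("identity verified and entitled: read permitted")

    if not req.device_managed:
        reasons.append("personal (unmanaged) device: download and print withheld")
    elif not req.device_patched:
        reasons.append("managed device is unpatched: download and print withheld")
    else:
        allowed.add("download")
        reasons.append("managed and patched device: download permitted")
        if req.network_trusted:
            allowed.add("print")
            reasons.append("trusted network: print permitted")
        else:
            reasons.append("untrusted network or location: print withheld")

    return Decision(frozenset(allowed), reasons)


def audit_line(req: AccessRequest, decision: Decision) -> str:
    """One-line audit record; useful when hunting for unexpected access patterns."""
    actions = ",".join(sorted(decision.allowed)) or "none"
    return "subject=%s resource=%s allowed=%s reasons=%s" % (
        req.subject, req.resource, actions, "; ".join(decision.reasons))


# Constructed sample requests (subjects and resources are made up).
SAMPLES = [
    # personal computer with a valid CAC certificate: the case described in the article
    AccessRequest("brian", "mail", True, True, False, False, False),
    # enterprise laptop, patched, in the office
    AccessRequest("brian", "mail", True, True, True, True, True),
    # enterprise laptop, patched, teleworking from an untrusted network
    AccessRequest("brian", "mail", True, True, True, True, False),
    # enterprise laptop that has fallen behind on patches
    AccessRequest("brian", "mail", True, True, True, False, True),
    # revoked or untrusted certificate: nothing is granted regardless of posture
    AccessRequest("brian", "mail", False, True, True, True, True),
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(audit_line(sample, evaluate(sample)))
```

The ordering of the checks is the point: identity and entitlement are gates, while posture only narrows what an already-authorized subject may do, which is why the personal-computer case resolves to read-only rather than a denial.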
User experience positive
Over the longer term, Hermann said DISA hopes Thunderdome eventually will replace pieces of the Joint Regional Security Stacks (JRSS) that DoD has been implementing over the last decade.
He said DISA and Thunderdome users have already seen some benefits.
“One example of that is we’ve replaced the VPN capabilities that are part of JRSS with a SASE capability. That also streamlines our routing. So no longer do we go into a JRSS node, hairpin back out and go out to cloud based services. We go directly from where the user is to those cloud based services, even if you’re at home teleworking,” Hermann said. “That’s a big difference. I’ve had people tell me that their user experience is better from home when they’re on Thunderdome and that capability than if they’re in the office.”
DISA’s decision about Thunderdome comes just as DoD is about to put out its zero trust strategy.
John Sherman, the DoD chief information officer, signed out the strategy on Oct. 27 and expects to release it publicly in the coming weeks.
DISA and DoD both made clear from the beginning that Thunderdome is a set of zero trust capabilities, but it’s not the answer to zero trust for all DoD.
DISA says its goal wasn’t to create a one-size-fits-all approach to zero trust, but just to test the concepts that make up six of the seven DoD zero trust pillars.
DoD strategy influenced
Sherman said at the DISA industry day that Thunderdome, however, did influence the final zero trust strategy.
“What we talked about with basic and advanced zero trust is the biggest thing is we’re talking about getting this done by 2027 for a 4 million person enterprise. We’ve learned from a number of the big companies whose names you know, who’ve been down this path, services that have done parts of this, this is going to be a heavy lift because 2027 is not that far off,” Sherman said. “But we recognize this cannot be an optional way to approach this. I think it is important.”
Sherman said the move to zero trust requires DoD to fundamentally rethink how it protects its data and network.
He said he’s had conversations with everyone from the Chairman of the Joint Chiefs to the Secretary and Deputy Secretary of Defense about the new approach to cyber.
“This is a must not fail mission for us on cybersecurity,” Sherman said. “This is going to take all of us — government, industry, academia and others — to make sure we can get after this and stay ahead of China, Russia, Iran and North Korea and other non-state actors to keep them off of our networks, which is where we’re starting this as our zero trust focus right now.”