A dozen or more pilots advancing DISA’s cyber, cloud efforts


It wouldn’t be much of a stretch to say the Defense Information Systems Agency is in a heavy research mode.

Whether it’s around cybersecurity tools and capabilities or cloud services, DISA has no fewer than 14 ongoing or recently completed pilot initiatives.

Lt. Gen. Robert Skinner, DISA’s director and commander of the Joint Force Headquarters-Department of Defense Information Network (JTF-DODIN), said each of these efforts includes the military services as part of the effort to field capabilities that are less complex and more effective.

Take, as an example, the three pilots to better protect internet boundaries.

Skinner said at the Department of the Air Force Information Technology and Cyberpower Education and Training conference on Aug. 31 that one of the tests is using security-as-a-service at the boundary.

“Everybody used to hear we have 10 internet access points. You think, ‘Well, that’s not that tough to manage.’ There’s actually about 70, 10 that DISA controls. But there’s 60-ish, across the enterprise, where there’s internet access into the broader internet and that makes it a lot more unmanageable,” he said. “We’re working a pilot right now for security-as-a-service at our boundary. That takes a lot of the, I’ll say, convoluted and complex internet access points that we have today, and makes it less complex because it’s all packaged into one. So you don’t have the collisions that you have today.”

Some of those collisions, as Skinner described, happen today because of the complexity brought on by the Joint Regional Security Stacks (JRSS) initiative, which started in 2013 and has been widely criticized for not meeting operational goals.

The security stacks are meant to make use of best-of-breed commercial hardware and software products, but the off-the-shelf approach the department pursued has led to a situation in which JRSS now includes security products from more than three dozen separate vendors.

Sunsetting JRSS in the works

The other two pilots, one of which the Air Force is a part of, are focused on automating the validation of protections, ranging from security appliances to security apparatuses and other capabilities throughout the environment.

“How do you know if it is operating nominally? Because right now, we just say, ‘Well, yeah, it is because it’s on and it’s protecting some things.’ But is it protecting everything that you want and leveraging the tactics, techniques and procedures (TTPs) that our adversary uses, and that we know that they use?” Skinner said. “We’re testing it all the way from the boundary to the endpoint. That’s pretty powerful if we get that moving. Those are two of the pilots that we’re working. The third one is how do we virtually maneuver the domain itself? How do we use military deception, or even deception writ large, to that if we do have a vulnerability that can be exploited, but somebody who’s scanning from the external cannot see that. Those are three areas that we’re looking at and it’s all about how do we maneuver and posture ourselves so that we’re ready against the adversary and what they’re throwing against us.”

These new capabilities become more important as bad actors acquire more powerful attack tools and continue to take advantage of basic cyber hygiene problems.

These boundary pilots become more important as DISA presses on to end JRSS.

Skinner said DISA will sunset JRSS across all military services and defense agencies as the money from Congress continues to dry up.

“We are committed to making sure that we have a smooth transition. But what we ask of all those who are leveraging JRSS, you’ve got to get off the snide and you’ve got to get your plan together and start moving out on the plan,” he said. “I’ll tell you we do not have the time to have JRSS continue for years because it is older technology. It is very complex, and it’s costing a whole bunch and then if we have to refresh a lot of the capabilities and that’s going to refresh something that is that we’re going to be sunsetting anyway. Let’s be aggressive but not reckless. The rush to sunset JRSS is on and we’re actively engaged with [Air Force deputy CIO] Mr. [Winston] Beauchamp and his team as we think through JRSS sunsetting.”

133 zero trust capabilities

Skinner emphasized that the Thunderdome initiative, which is to implement zero trust capabilities, is not a full-fledged replacement for JRSS.

He said DISA will decommission JRSS and implement Thunderdome and other capabilities to advance the protection of DOD networks and systems.

Thunderdome, which DISA moved from prototype to production in late July with a $1.9 billion contract with Booz Allen Hamilton, will also become part of a pilot with the Army.

Skinner said Thunderdome will provide virtual routing for software-defined wide area network (SD-WAN), identity security tools and secure access service edge (SASE) capabilities.

“From what I’ve gathered, every single organization within the department and every mission partner is coalescing around these capabilities. Why wouldn’t you leverage this contract, if nothing else leverage the contract vehicle that has already been competed and has already been worked through to provide those capabilities?” he said. “The Army, this fall, is doing a pilot with Thunderdome for the western region. [Air Force CIO Venice] Goodwine and I have been talking about the Air Force and how it can leverage this as part of their architecture to move forward.”

Beyond Thunderdome, Skinner said DISA’s cyber offerings will provide about 133 of the 151 capabilities required under the DOD ZTA strategy. He said the other services can take advantage of these cyber tools immediately.

DISA has several ongoing or recently completed pilots around cloud services, including its Stratus offering for instances outside the continental United States (OCONUS).

He said DISA will kick off two pilots in September and is looking for other services to join the test of OCONUS cloud services.

DISA announced the OCONUS cloud options in August; a beta program for the OCONUS Region for Stratus is currently available at Joint Base Pearl Harbor-Hickam, Hawaii.

Cyber readiness reviews expanding

Another area where several pilots are underway is with Command Cyber Readiness Inspection (CCRI), a formal inspection process to increase accountability and the security posture of DOD Information Networks according to DOD standards, specifically in the areas of command, mission, threat and vulnerability.

Skinner said DISA already has piloted CCRI 3.0 in three places and is using that experience to focus on reducing risks to the mission and the domains.

Among the key areas CCRI 3.0 is helping DOD focus on are devices on the edge, ensuring only those who need them have elevated privileges and developing solid incident response plans.

“I suspect in the next quarter we will have this to where we will roll this out to the services and to the agencies. That’s where we’re trying to go,” Skinner said. “The second piece that really rolls along with this is training. US Cyber Command as a joint force trainer, up to this point has really focused on the cyber mission force. How is the training for those cyber protection teams, combat mission teams, really getting that readiness and that training up? The second phase, the department just signed out two months ago, the Joint Mission Essential Task for Cybersecurity Service Providers (CSSPs). This is the first time we’ve ever had that. This month, four of the five CSSPs are actually going to be reporting readiness against those JMETs.”

Later this year, all 30 CSSPs will report against the tasks to help DISA even better understand cyber readiness.

Skinner said the second piece of this effort is to analyze what mission owners have contracted out or directed the CSSPs to do.

“If a CSSP can do all, I think it’s 13 tasks, but you’ve only tasked them or provided resources to do 10 of them or 5 of them, then your readiness is still low. If you look at the CSSP and the training of those, that goes hand-in-hand,” he said. “The other piece now is what about our network operators, our system administrators, those who have elevated privileges, how are they trained? Do we have standards for DOD to support all of them? Today, we don’t. That’s the third phase of this. Then we can holistically look at this thing we call the DODIN and go from a force posture standpoint and force training readiness, here’s the standards, here’s how we’re going to assess against those standards based on readiness, and then understand what the risks are of the terrain and risk of the force to support, protect and secure that terrain.”

Copyright © 2024 Federal News Network. All rights reserved.