The Defense Information Systems Agency may be best known for the more than $5 billion in contracting support it provides the military services and agencies each year. But with the move of the Joint Force Headquarters, DoD Information Network (JFHQ-DoDIN) to DISA earlier this year, the agency is playing a bigger role in securing the Pentagon’s networks and data.
Just listen to what Dana Deasy, the Defense Department’s chief information officer, said are his priorities: Cloud, cybersecurity, artificial intelligence and next generation command and control. All of these relate back to the work DISA is doing and will continue to do into 2019. And it’s also the reason why DISA’s Forecast to Industry day is one of the must-attend events each year.
More than 500 people journeyed out to Linthicum, Maryland on Nov. 5 to hear from and meet with DISA’s senior executives. While the focus of the day tends to be the agency’s acquisition plans for 2019, including the timing of the release of solicitations and awards as well as any acquisition strategy that it has determined, the real benefit for contractors is the policies and programs behind the contracts.
It’s also about more than DISA discussing the products and services it wants to buy; officials also discuss why they are buying them.
The Forecast to Industry day continues to be a refreshing reminder of the importance of industry-government communication and of what success in it looks like. To be clear, the model isn’t perfect by any means, but it’s head and shoulders above what most agencies do.
Here are three highlights from the event:
A new endpoint security policy is coming from DoD.
Lisa Belt, the acting cyber development executive, said the document will incorporate lessons learned over the last year from the military services’ pilots of different endpoint detection, response and containment tools.
Belt said it also is based on the results from the DoD cyber architecture review effort and a new analysis of the endpoint threats the military faces.
The strategy aims to converge the security of traditional endpoints like laptops with new ones like mobile devices and critical infrastructure systems.
DoD has been using a host based security system (HBSS) approach for much of the past decade. DISA says “HBSS is designed to provide a flexible, modular design that enables expansion of the tool by incorporating additional security capabilities, integrating existing security products, and eliminating redundant systems management processes.”
The DoD CIO’s office asked DISA to test new endpoint security technologies. DISA worked with the Army Research Laboratories at Adelphi, Maryland to analyze eight endpoint detection and response and application containment technologies.
“We’ve got some ongoing piloting activities, live environments out with the services and our mission partners. We are learning about what’s working there and what isn’t,” she said. “Expect to see some acquisition strategies refined in this space as we move forward over the next three-to-six months.”
Belt said DoD has done good work to secure traditional endpoints, but as the Pentagon’s environment becomes more complex, a next generation approach is needed.
“We have a phased approach because of the complicated environment,” she said. “Mobility has been expressly and intently built into that strategy as well as supervisory control and data acquisition (SCADA), Internet of Things and more non-traditional endpoints where we’ve done some work across the enterprise but we really eventually under this phased approach will need to get after how all of these various endpoints security can come together.”
DISA has several irons in the proverbial fire around identity management and access control.
First, the traditional use of PKI, public key infrastructure, will continue as DISA and the National Security Agency are the joint program managers of the program.
“We are working our way through what happens in the identity space. This is key and transformational. It’s on Mr. Deasy’s top 10 cyber list. If we don’t get the next generation of identity right with quantum computing coming at us and encryption, we really don’t have much to talk about if we can’t definitively identify who is on the network, where they are and how they’re operating, everything else we are doing is interesting, but not as effective as it could be,” Belt said. “So working closely with the innovation folks, we have our engineers and our program managers with some key stakeholders and mission partners on what identity will look like writ large in the next three-to-five years.”
In the short term, DISA is trying to improve its current approach.
For instance, Douglas Packard, DISA’s procurement services executive, said the agency released a request for a white paper under Other Transaction Authority (OTA) for how artificial intelligence could help assure a user’s identity on a mobile device.
“It has a set of models and we are building them into fusion score and making a decision based on risk,” he said. “We are using AI in several places, but I don’t see us specifically buying AI.”
This effort is in addition to DISA’s Purebred program, which replaces the need for smart card readers to send digitally signed and encrypted email, decrypt email, and authenticate to DoD websites when using a DoD mobile device. DISA says “Purebred provides a secure, over-the-air credentialing process through a series of one-time passwords and user demonstrated possession and use of a CAC.”
Currently there are more than 32,000 users of the Purebred technology.
At the same time, DISA rolled out a series of services under PKI to improve identity management and access control.
Jason Martin, the services executive, said DISA now has a single authoritative source of identity data for all of its customers and the applications and endpoint devices.
“To secure all that … we rolled out virtual desktop interface (VDI) for those folks who have access to privileged information. So our entire privileged user base is now using a scaled down version of an enterprise VDI,” he said. “We are very excited about that capability. We have been able to eliminate over 200,000 user accounts simply by developing a single authentication solution and a single entry into that solution. From a security threat vector perspective, that’s pretty good. We dramatically reduced our threat vector simply by instituting two solutions.”
Martin said DISA wants to provide these VDI tools to other services as well.
All of the work around identity management is helping lead DISA toward a zero trust network.
Belt said it will take DoD some time to get to a full zero trust network, but identity and the endpoint security policy are pieces to the bigger puzzle.
Every senior official who presented mentioned the word cloud in some way or another. So it’s not surprising that DISA continues to lead many DoD efforts around cloud.
Even with all the anxiety and drama over the $10 billion JEDI cloud program, officials tried to make clear to the industry audience that a multi-cloud approach is the only way for the Pentagon.
Deasy, the DoD CIO, said the military will use both a general purpose cloud and a fit-for-purpose cloud.
“I’ve been asked a lot about our cloud strategy and I keep pointing out there will be multiple vendors, multiple clouds,” Deasy said.
No matter what happens with JEDI, DISA continues to move out with its cloud initiatives including the maturing of MilCloud 2.0 and the Defense Enterprise Operations Solutions (DEOS) strategy.
Martin said DISA already has migrated 30 applications to MilCloud 2.0 and more are coming as the “fourth estate” agencies migrate more than 100 data centers to the offering by March 2019.
“What we are doing now is placing heavy emphasis on integrating us with the commercial vendors’ off-premise solutions for cloud with the secure cloud computing environment point also known as the cloud access points (CAPs),” he said. “That is where we’ve placed a lot of emphasis, time and effort over the past six months, and we will continue to over the next year or two as we continue to move people onto the unclassified (NIPR) CAPs and as we build out the secret (SIPR) CAPs.”
Martin said DISA also is raising the security of MilCloud 2.0 to impact level six on the secret enclave. Martin said he expects to reach that security level by early 2019.
And finally, DISA will decommission MilCloud 1.0 in November 2019 and move all the existing capabilities on to version 2.0 over the next year.