
DISA, Navy Progress in Zero Trust Implementation Goals

Initiatives like Flank Speed and Thunderdome are proving that zero trust can scale successfully, building on lessons learned this year.

“It is truly a mindset difference in terms of how we protect the terrain,” said Brian Hermann, director of the cybersecurity and analytics directorate at DISA. Photo Credit: janews/Shutterstock.com

Zero trust initiatives at the Defense Department are scaling. Officials said this week they plan to roll out the Defense Information Systems Agency’s Thunderdome to the entire DODNet terrain starting with U.S. Southern Command and the Coast Guard.

Last month, DISA’s zero-trust Thunderdome architecture passed 152 zero-trust exercises during testing. Thunderdome, developed from an initial concept to a working reality with industry partners, has proven successful two years ahead of the Pentagon’s 2027 deadline for zero-trust implementation.

“We went from a concept on a whiteboard, quite literally, to articulating that concept, that vision, to this kind of a forum right to then partnering with a number of industry partners in the room here,” DISA Deputy Director Christopher Barnhurst said during TechNet’s opening keynote Tuesday. “Dozens of products that are integrated into that design, and that is now real, and it’s real two years ahead of when the DOD CIO said it has to be real for the department.”

The biggest challenge in scaling Thunderdome was addressing technical debt.

“The department recognized that there was some technical debt in those organizations that was preventing them from moving more quickly to DODNet, which in turn prevented them from achieving what we were trying to get with zero trust,” Brian Hermann, director of the cybersecurity and analytics directorate at DISA, said Wednesday during a media roundtable.

DOD Zero Trust Portfolio Management Office Director Randy Resnick added that implementation “is very hard to do.”

“We want to minimize the adversary’s ability to move through the network and limit freedom of movement and their ability to exploit DOD data,” he added. “That means they can’t move laterally. They can’t break out of a micro-segment. They can’t increase privilege escalation.”

“But there’s more to Thunderdome and more to zero trust than just getting off [old systems],” Hermann added. “It is truly a mindset difference in terms of how we protect the terrain.”

Zero Trust Movement Across DOD

Beyond DISA, the Department of the Navy’s Flank Speed will be auditing its technical baseline this fiscal year.

“Another challenge was overall culture with the programs adopting zero trust, making sure that funding was being requested [in program objectives memorandums] so they could implement zero trust,” said Department of the Navy Zero Trust Architecture Lead David Voelker. “Between now and the end of 2025, we’re going to be auditing our technical baselines and get an understanding of where we’re at today.”

Resnick said Tuesday his office used new methods to help the department move quickly.

“We did purple teaming, which is the combination of red and blue together, something very different and not much practiced until zero trust came along,” Resnick said. “We needed both red and blue together because we needed speed.”

Coming Up in Zero Trust

DISA is working on budgeting and collaborating with DOD’s CIO office — including Resnick’s office — to support Thunderdome’s implementation and scale.

“The department’s budget process provided some additional resources to help get over that transition hump and make that move much more quickly,” Hermann said. “We’ve seen a lot of push where there has perhaps been what could be conceived as reluctance or challenges financially to make the transition.”

Scaling Thunderdome means there will be some evolution in what the solution looks like.

“The best capability that we had in place two years ago turns out to not be the best capability that is in place today,” said Hermann. “It’s an example of how the zero trust cocktail of tools is going to change over time.”
