Pentagon Zero Trust Challenges Include Scalability, Interoperability

As the Defense Information Systems Agency (DISA) moves closer to the Thunderdome project completion date in January 2023, remaining challenges include testing, scaling the capability from operational and technology perspectives and interoperability with other zero trust solutions.

“As a department, we have a pretty consistent track record of not agreeing on what one single solution is. So we wanted to operate with that as a design constraint in mind to say, ‘There are going to be other solutions out there. How do we make sure that we work well together?'” Drew Malloy, technical director for the Cyber Development Directorate at DISA, said during a Federal News Network panel Tuesday. “How do we interoperate … how do we make sure that we aren’t isolating ourselves and having to stand up duplicative systems in order to achieve the same goal?”

DISA awarded the $7 million Thunderdome zero trust prototype contract to Booz Allen Hamilton in January, initially setting a six-month project completion timeline. The war in Ukraine highlighted the need for the Defense Department (DOD) to develop a cybersecurity solution for a modernized classified network, which prompted DISA to extend the pilot by six more months to include a zero trust prototype for the DOD’s classified network, SIPRNet.

As DISA integrates these innovative solutions, the agency hopes to address concerns such as out-of-date data standards or solutions not working well with other third-party security systems.

“When you look at what we’re trying to do, from an end-to-end security mindset around zero trust, you really want to have those integrations out of the box with those security tools to make sure that everything is working in a consolidated fashion,” Malloy said. “And right now … we’re carrying some risks around the fact that some of these solutions aren’t working well together.”

Thunderdome’s ultimate goal is enabling military service members and civilian employees to access the services they need securely. Successful implementation includes figuring out how many sites DISA will have, how to manage them and what the provisioning or sustainment will look like.

DISA is also working on the messaging around how to engage both the user community, the security applications and data owners.

“We can put out a lot of these capabilities that … are centered around zero trust, but until folks adopt them, especially from an application perspective — talking about how do you look at what you do for access control currently and how can you take advantage of what’s being given to you by this SASE solution to make better decisions based off of the different parts of your application and or the data within your application,” Malloy said. “We’ve put a lot of enabling technologies out there, but we aren’t taking as much advantage of it as we can. So that’s part of our efforts as well.”