Enable breadcrumbs token at /includes/pageheader.html.twig

Beyond Thunderdome: DISA Plans Ahead on Zero Trust

Officials define current and future cybersecurity.
Stephen Wallace, chief technology officer and director of DISA’s Emerging Technology Directorate, shown during a session of TechNet Cyber 2022, told reporters during a media roundtable at the conference that his organization already is evaluating future capabilities for the next generation of Thunderdome. Photo by Michael Carpenter

Stephen Wallace, chief technology officer and director of DISA’s Emerging Technology Directorate, shown during a session of TechNet Cyber 2022, told reporters during a media roundtable at the conference that his organization already is evaluating future capabilities for the next generation of Thunderdome. Photo by Michael Carpenter

The Defense Information Systems Agency (DISA) is still in the prototyping stage with its zero-trust solution but already is looking ahead to the next version.

Thunderdome, the prototype being developed by Booz Allen Hamilton under a six-month contract awarded in January, is DISA’s solution for implementing zero-trust cybersecurity. It is a comprehensive effort requiring cooperation across the agency, as well as with the military services, combatant commands and others.

Stephen Wallace, chief technology officer and director of DISA’s Emerging Technology Directorate, told reporters during a media roundtable at the AFCEA TechNet Cyber conference in Baltimore, April 26-28, that his organization already is evaluating future capabilities for the next generation of Thunderdome. “We are already starting to think of what comes next. We can’t jump to the next thing right away, but we knew at the onset that things like data tagging and decisions made based on that tagging was not part of the original Thunderdome. That would be handled in a follow-on.”

That assessment of future capabilities comes as the agency still is evaluating capabilities for the initial version known as a minimally viable product. “Monday, we had an agency-wide technical and direction setting discussion … to ensure we are building out the most optimal way ahead,” Jason Martin, DISA’s Digital Capabilities and Security Center director and the agency’s component acquisition executive, told reporters.

For example, officials are determining which capabilities, such as containerized security, identity credential access management and software-defined wide area networking, will be included in a minimally viable product.

DISA officials explain that the initial Thunderdome prototype, which is being developed under an other transaction authority (OTA) contract, as a learning process. “Frankly, we’re going to learn a lot from this. We’re going to get some bumps and bruises along the way, but the beauty of us using the other transaction authority as part of this is our thinking on the subject evolves over the period of that OTA, which allows us to apply that at the end,” Wallace said. “We may not end in the same place where we thought we would when we started and that’s okay. That’s part of the whole maturation process.”

Zero trust will replace the Defense Department’s traditional layered, perimeter-focused approach to cybersecurity, which impeded interoperability. “When we step back and look at how we’ve traditionally done the layered security, one system does not necessarily talk to the next. Your endpoint defense doesn’t talk to your network defense. The idea for Thunderdome is to bring them together and approach security holistically all the way from the endpoint to the data that the user’s accessing,” Wallace explained.

Thunderdome originated with the far less memorable name, Perimeter Revolution—because DISA officials saw the perimeter changing—but evolved based largely on the agency’s focus on the customer experience, officials noted.

“We were watching the user experience and the fact that we were backhauling their sessions into the network and turning around and sending them back out somewhere else. Thunderdome was born just out of a new way of doing security,” Wallace said.  

He cautioned, however, that if security becomes too complex, users will seek workarounds to accomplish their missions in a timely manner. “We’re about to get a whole bunch of new security capabilities. We have to be very careful and very diligent not to enable every single one of those in the name of security,” Wallace said. “Too much security leads to the users going out of bounds, and they will get their jobs done. Period.”

Roger Greenwell, director of the agency’s Enterprise Integration and Innovation Center director and chief information officer, agreed. “Security is paramount in this, but again, it’s got to be the right amount of security.”

The best security, Wallace suggested, is security users never notice. “That is what we are going after her with Thunderdome as well.”

Zero trust is a critical piece to the Defense Department’s vision for Joint All-Domain Command and Control, or JADC2. Lt. Gen. Robert J. Skinner, USAF, DISA director and commander of the Joint Force Headquarters-Department of Defense Information Network, stressed the importance of assured command, control and communications to allow leaders to “to engage with allied partners, to engage with the military department, to engage with the federal government,” and to coordinate at the national level on homeland defense and internationally with NATO and others. “Assured C2 and assured communications is paramount to success in any endeavor. It’s never been more apparent recently than what’s going on in Ukraine.”

Enjoying The Cyber Edge?