DISA May Move Beyond Thunderdome Prototype
U.S. Defense Information Systems Agency (DISA) officials are expected to decide next month whether to move forward with the zero-trust architecture known as Thunderdome and want industry to help solve the interoperability issues that will arise from the use of multiple commercial solutions.
Thunderdome is DISA’s implementation of a zero trust security model at the enterprise level. An agency fact sheet describes it as a fundamental change that assumes the network is already compromised and validates the user, device, application and data in a controlled manner, offering greater cybersecurity centered around data protection. Thunderdome eliminates the siloed nature of the classic defense-in-depth security model and moves toward integrating security from the end user all the way to the data being accessed, the fact sheet adds.
January marks the end of the prototyping phase with Booz Allen Hamilton after the original six-month other transaction authority agreement was extended another six months. This was to allow for Thunderdome implementation on the Secure Internet Protocol Router Network (SIPRNet) in addition to the Non-classified Internet Protocol Router Network (NIPRNet). Thunderdome was expected to undergo an operational assessment in the final stages of the prototyping contract.
As of late September, the Thunderdome prototype’s software-defined wide area networking (SD-WAN) capability had been delivered to users at DISA headquarters and DISA Pacific Field Command, and delivery to the Joint Service Provider centers was in the works. The secure access service edge solution had been “pushed out to the endpoints,” laying the groundwork for the testing required for the January decision point, reported Andrew “Drew” Malloy, technical director for DISA’s Cyber Security and Analytics Directorate.
“The pilot and other transaction authority are scheduled to run through January of 2023. A lot of that right now is getting those users behind production capabilities and going through the operational assessment with our partners at Joint Interoperability Test Command, and then that’s going to eventually feed into what we hope is a successful fielding decision,” Malloy said.
Malloy and DISA spokesman Dillon McConnell returned to the interoperability subject multiple times during an interview with SIGNAL Media, emphasizing that challenges are expected because Thunderdome uses cutting-edge technologies provided by industry, and others, such as the military services, may choose different zero-trust solutions.
“Part of this is due to the fact that we’re working on technologies that are a little forward leaning. It’s out ahead of the standards bodies and things like that and more on the innovative edge, so the interoperability piece is going to be a problem for us,” Malloy explained. “Every time we get a chance to talk to industry, we foot stomp that issue to see where we can get help from the vendor community ... making sure we aren’t going down the route of proprietary protocols or overall, not being interoperable with different implementations.”
As an example, Malloy cited a core zero-trust capability known as secure access service edge, more commonly known by the acronym SASE, which is pronounced “sassy.” “We see a huge risk if we select one SASE implementation as an example, and a [military] service selects another SASE implementation, and they do not work well together.”
SASE solutions work on a user licensing basis, so if for some reason multiple services need to get to a joint application—like one from the Defense Finance Accounting Service, for example—and there are different SASE solutions protecting that system, then that would require “two separate agents on their endpoint, and they now have to know what SASE solution is in front of what application so that they can switch the different agents to talk to different SASE solutions,” Malloy elaborated.
Among the military services, the Navy has shown the most interest in partnering with DISA on Thunderdome. The Army is pursuing its own SASE solution, and the Air Force prefers its own security stack, but DISA collaborates with all three in hopes of eliminating interoperability headaches.
Malloy expressed a need for commercial-first, out-of-the-box, interoperable technologies so that government technologies are not required to resolve problems. “The issue is going to be interoperability with other solutions as they come up online and how we make sure that can be really a whole-of-government-type solution and not silos of zero trust and having to back-end a lot of the integration on the government side,” Malloy offered.
McConnell, a DISA public affairs representative who arranged the interview with Malloy, agreed. “The interoperability challenges are because we are using commercial technology and making sure those pieces will operate with each other if there’s a few different ones. That’s a huge part of this: vendors being able to work with the Defense Department to let us get after protecting our networks versus being restricted by proprietary technologies.”
Malloy explained further that the SASE gateway provides visibility into the user identity and the posture of the endpoint to better inform decisions on access to applications and data.
DISA already has been able to resolve some interoperability issues by working with a variety of vendors. “What we’ve done is laid out an architecture that essentially the policies will sync with each other so that there’s uniformity with how we do policy enforcement through a number of different technologies that we do have, more specifically between our SASE solution and our customer security stack,” Malloy explained. “We had to sync those policies in the background. They weren’t really out-of-the-box solutions that industry provided.”
The agency extended the other transaction authority contract with Booz Allen Hamilton largely in response to Russia’s invasion of Ukraine, which emphasized the need for zero trust on the classified SIPRNet. Agency officials planned from the beginning to implement Thunderdome onto SIPRNet but decided to speed up that effort.
“Some of the goings on in the world really had us take a harder look at SIPRNet and the security posture of the network and how we could upgrade that security posture sooner,” Malloy stated. “SIPR was always top of mind for us, but DISA’s accelerating how we get there.”
The SIPRNet and NIPRNet versions of Thunderdome will differ a bit. “There will be some slight differences. It’s really around what’s not going to be available on SIPR. The SASE solution on the NIPR side is a cloud-based managed service, and that’s not going to exist on SIPR just because of the lack of infrastructure there,” Malloy offered. “We looked at how we can take what we’re doing with our customer edge security stack and implement that as a full SASE solution. Because that is something we can host on-premises and really manage ourselves, we’re looking at that as the full solution for the SIPRNet side, and that’s what we’re going to be testing out.”
Though begun later than the NIPRNet effort, the SIPRNet effort is on track for completion before the end of the prototyping contract.
The DISA team also has developed an enterprise Identity Credential Access Management solution set that can be used with Office 365. The next step is to explore partnerships with the military services. “We have a master user record as well as an automated account provisioning system. And then our global directory, which is based off of Azure Active Directory,” he said.
Malloy listed that enterprise effort as a top priority to “support SIPR workloads and a federated identity space on SIPR,” along with working on a departmentwide effort to federate between identity credential access management products because the department will not have a one-size-fits-all solution. “We need to figure out how we’re going to have some commonality in our approach to identity, and federation is really going to be the answer for that.”
Another priority, from a research perspective, is exploring new ideas for securing applications and data. “When we look at the pillars of zero trust and how we’re helping to cover down on it, application and data security are really the next step in how we get a full end-to-end zero trust implementation. It’s something that, quite honestly, I think the department is weak on, and we need to concentrate on those areas,” Malloy offered.