DISA Pushes Zero-Trust Qualification Forward
Defense Information Systems Agency (DISA) officials are in the midst of conducting the second iteration of the zero-trust qualification developmental training initiative. The program focuses on introducing cyber personnel to the zero-trust domain and helping these individuals cultivate and qualify their skills in the space. The exercise is a few days away from concluding, but even though it is still in progress, Lt. Gen. Paul Stanton, USA, director of DISA and commander of the Department of War Cyber Defense Command (DCDC), is confident that this training exercise will be a triumph.
“[We are seeing] very positive initial feedback that is reinforcing the observations from the first pilot,” Stanton said during a media availability session at TechNet Cyber 2026 in Baltimore. The DISA director added that, “Even in our early stages, we’re seeing comparable results in terms of folks that had not previously been exposed to the technology and learning it relatively quickly.”
The exercise has not yet reached the qualification stage, but Stanton added that all indicators are suggesting that they are definitely heading in the right direction. “We will be successful,” Stanton stressed. “This second iteration will be just as awesome as the first.”
The ongoing training exercise looks very similar to the pilot, especially regarding the mechanics and framework, but there are a few differences.
Firstly, DISA leaders have gathered participants from across the world. Some individuals are in class in person, while others join remotely from all over the globe. Officials are experimenting to see whether there is a difference in success between the folks who are physically in class and the folks who are completing the training virtually, according to Stanton.
Secondly, training program personnel have incorporated a control unit that consists of experienced cybersecurity service provider (CSSP) operators who, along with the participants, will also partake in the final qualification stage. The control unit will help the team that is overseeing the training program gauge the appropriateness of the qualification environment. In other words, they want to find out if their setup is suitable for experts and to evaluate new trainees, per Stanton.
As for next steps following the conclusion of the ongoing exercise, Stanton and his team expect to scale horizontally to other CSSPs and to select an organization(s) or a company(ies) from a list of competitors to build the presentation of the training and qualification environments.
“I would anticipate the next cohort being much larger, being more diverse and still focused in on the zero-trust technologies that I want and need a CSSP to be trained [on] and ready to execute, but I’ll give the team that’s working it just a little bit of grace in order to assess the effectiveness using the metrics that they’ve been applying and come back to me with a recommendation,” Stanton said. “But I expect to downshift and accelerate into a well-developed training environment that can address the scale of CSSPs across the department.
I want to make sure that I have confidence that when I publish orders as the commander of the DCDC, that the folks that are going to execute it are actually qualified on the weapons system.
As briefly mentioned above, the first iteration of the zero-trust qualification developmental training program took place in March, and it was a success. During a previous interview with SIGNAL Media, Stanton discussed that event and broke down the results.
“So, we took 15 individuals, who were assigned to CSSP roles, and we put them through five weeks of developmental training,” Stanton said when describing the first training event. “We gave them a pretest, and then we gave them a posttest, and we watched their scores improve by over 30%. But then, very importantly, we put them into a range environment and had them execute.”
Stanton added that they entered into contracts with several vendors to leverage their help in developing the testing infrastructure. “They built simulated artificial intelligence (AI)-informed environments, so the scenario is continuously changing,” Stanton said. “It was very realistic in terms of its composition. Then, we had specific tasks—individual and collective—that we forced the team to go through within a time window. They all passed; they all qualified.”
Training of this nature provides the opportunity for cyber crews to be prepared and fully equipped with the knowledge and skills needed to succeed in their missions. In his leadership position, Stanton desires events like these to ensure his staff will be ready to accomplish their duties.
“I want to make sure that I have confidence that when I publish orders as the commander of the DCDC, that the folks that are going to execute it are actually qualified on the weapons system,” Stanton said during the aforementioned previous interview with SIGNAL Media. “It’s a mindset of being a military operator. You don’t just arbitrarily jump inside of a tank and understand how it works. You train the driver, the gunner and the tank commander. You put them together in order to form a crew to operate the weapon system.”
“I want to make sure that you go down range in a simulated and emulated environment and validate that you can actually perform your individual and collective tasks,” Stanton added. “That’s qualification, and that’s what we’ve developed.”
TechNet Cyber is organized by AFCEA International. SIGNAL Media is the official media of AFCEA International.
Comments