
The Desperate Need for Interoperability in Zero Trust

The Defense Information Systems Agency anticipates having a production decision as part of its zero-trust prototype called Thunderdome by year's end. 

By the end of 2022, leaders at the Defense Information Systems Agency (DISA) anticipate having a production decision as part of the agency’s zero-trust prototype, which officials call Thunderdome, Brian Hermann, director of the agency’s Cyber Security and Analytics Directorate, said in a micro-keynote session Tuesday at AFCEA’s annual TechNet Cyber conference, taking place April 26-28 in Baltimore.

The agency is rolling out various lab environments globally, including in the Indo-Pacific region, at the Pentagon, at Fort Meade and in other locations, to simulate classified and unclassified networks and test the ever-developing concept of zero trust, Hermann said. The labs are expected to be operational by fall, with hopes of producing results that lead officials to the production decisions by year’s end, he said.

DISA additionally is piloting a set of capabilities the agency has “identified as promising” and partnering with the services to evaluate the performance of capabilities and interoperability, Hermann said—with interoperability being a key word.  

“In many of the areas related to zero trust, the vendor community is still somewhat immature … evident by the fact that there is not a lot of interoperability” among concept solutions, Hermann shared.

Interoperability of solutions and transparent collaboration haven’t been part of the industry's DNA, Hermann acknowledged, and federal government planners and decision makers are fully aware that interoperability is typically not in the financial nature of private companies. Just the opposite—company differentiators typically lead to the coveted government contract wins, he said. “Frankly, there is plenty of work in this space,” Hermann shared.  

Sandra Lopez, operations chief technology officer for the Leidos Defense Enterprise IT & Cyber Solutions organization, echoed Hermann’s remarks as part of the two-panelist session discussing zero trust. “Interoperability is imperative; it is not an option; it is not a choice. It is an imperative.”

The words “zero trust” have become the password to staying relevant, Lopez noted. And although bringing newcomers to an already existing enterprise may be challenging, Hermann emphasized that the use of OTA contracts for the Thunderdome project is to bring in novel vendors that haven’t traditionally partnered with the DoD or the federal government. The reason: the necessity for new technologies that come from those industry partners and add an untapped layer of knowledge during integration, Hermann said.  

The DISA decision-makers aren’t working in a bubble and will certainly rely on the efforts coming from the Defense Department’s Chief Information Office, which on January 31 established a zero-trust portfolio management office led by Randy Resnick to focus on providing strategic guidance and alignment in all zero-trust efforts among the military services, DISA and the department as a whole. 

In the end, the primary tool or service Hermann says is needed to enable zero trust is identity management, citing the need for a robust identity, credential and access management program, or ICAM. Network gatekeepers need solutions with a high level of fidelity that show who is accessing systems, from what device, and what permissions they have—no matter where in the world.

For the most part, many of the solutions in some state of readiness already exist, Lopez said. What’s missing: something that cuts across all pillars of data. And that is only possible when there is interoperability, Lopez concluded.