Enable breadcrumbs token at /includes/pageheader.html.twig

DISA Prioritizes Secret Network for Zero Trust

The agency will double down on SIPRNET security.

The U.S. Defense Information Systems Agency (DISA) intends to double down on the security of its classified networks in the coming months as it experiments with the zero-trust prototype known as Thunderdome.

Julian Breyer, DISA’s senior enterprise and security architect, reported a change in priorities while discussing Thunderdome during a panel session at AFCEA’s TechNet Cyber conference in Baltimore, April 26.

DISA recently awarded a six-month, prototypical Thunderdome contract to Booz Allen Hamilton and has spent the last three or four months on a journey of discovery on its complex networks. “For all of us, I think, there were still a lot of unknowns that we’ve come to find out over the last couple of months. We’ve spent a lot of time discovering how we can integrate into the existing network, how we can interoperate with existing efforts and new ones that are currently being deployed alongside ours and laying the groundwork for the [Thunderdome] deployment,” Breyer reported.

One of those discoveries included the need to move more quickly on implementing zero trust on the Secret Internet Protocol Router Network (SIPRNet) while implementing the cybersecurity solution on its Non-classified Internet Protocol Router Network known as NIPRNet.  

“One of the big realizations for us is that priorities change. We went into this thinking that the biggest benefits to be realized would be on NIPRNET, and we still stand behind that,” Breyer said, adding that the agency has seen an expansion of its remote workforce since the COVID-19 pandemic began and can gain efficiencies for that workforce through zero trust.

While the SIPRNet always has been a target for Thunderdome deployment, agency officials thought they would delay those efforts “because of the complexity of SIPRNET and because of the approvals necessary to operate there and because of what we perceive to be slightly smaller targets for improvement,” Breyer explained.

But those plans are changing. “And current events have proven us, maybe not wrong, but have shown us that we have to double down and really invest on SIPRNET as well, to make sure we can protect the assets there from any sort of compromise or from any adversarial treatments, increased adversarial activity,” Breyer said.

Breyer added that the agency needs to “figure out how we can bring the same or similar protections to SIPRNet that we have on NIPRNet in a manner that is maybe more coherent with the overall architecture of SIPRNet. He also said that “in parallel with the operational testing of the NIPRNet pilot, we’ll be doubling down on the architecture for SIPRNet” at the same time the agency takes “a broader look at what the SIPRNet of the future should look like and then to move out with an operational test on SIPRNet going forward.”

Alan Rosner, DISA’s Thunderdome program manager, said Thunderdome is still in the first phase, which will likely last until the fall. It will then go into operational testing, a much more formal process where all aspects of the system are supported and evaluated. “That will take us until January or so of the next calendar year to complete. And then we have to make a fielding decision after that in terms of taking the capability set here to a larger scale, even potentially DISA offering services in this area out to the [military] services and combatant commands where expansion is necessary.”

Breyer said that for the next month or two, the agency will begin fielding equipment and software components and will work through the accreditation process and the necessary FedRAMP approvals.

The agency is contemplating initially testing the Thunderdome solution at DISA headquarters and with DISA offices in the Indo-Pacific region and with the joint service provider in the Pentagon. They expect to begin with about 40 users on NIPRNet and then expand to about 2,500 users at the two DISA sites and approximately 400 in the Pentagon.