DISA Readies Zero Trust Architecture for Warfighters

Over the last few months, the Defense Information Systems Agency, known as DISA, has been working with the National Security Agency, the Department of Defense (DoD) chief information officer and others to finalize an initial reference architecture for zero trust. The construct, according to DISA’s director, Vice Adm. Nancy Norton, USN, and commander, Joint Force Headquarters-Department of Defense Information Network, will ensure every person wanting to use the DoD Information Network, or DODIN, is identified and every device trying to connect is authenticated.

The move to zero trust architecture, according to Stephen Wallace, systems innovation scientist, Emerging Technologies directorate, DISA, will bring more security, flexibility, enhanced device use and faster data access to DoD warfighters.

“The idea with zero trust is that it is more encompassing,” he said. “One purpose of zero trust is to protect data. And it’s around the entire user experience, everywhere from that endpoint device, and every bit of data that it transits, all the way back to the application and ultimately the data repository.

Wallace presented details about the agency’s efforts during a September 16 TechNet Cyber Webinar Series entitled, “Zero Trust and Identity: How DISA Continues to Protect the Warfighter in Cyberspace.”

He expects the architecture to be released by the end of the calendar year, then DISA will seek industry and governmental input and comments before issuing a completed document a few months after that.

Zero trust architecture, which encompasses network and other infrastructure; user authentication, authorization and monitoring; visibility and analytics; automation and orchestration; end user device activity; applications and workload; and data tenants, “is a natural evolution of information technology,” Wallace noted. “We're quickly moving in this direction, but the one thing that I want to make very clear is that this is not an overnight journey. This is a multiyear journey, and it's going to take us some time to get there.”

With authentication—including identity, credential and access management (ICAM)—being a foundational element of zero trust, the agency is developing associated capabilities centering around how DISA handles identity and authentication in the department. And while Wallace was not at liberty to publicly discuss the details, “the new capabilities that come in the next year will help us get to stronger cloud-based authentication that is more scalable than what we have done in the past,” he noted.

DISA also is working on software-defined perimeter provisions meant to offer warfighters increased security and flexibility, essentially getting users to data faster and more directly, Wallace said, including users who are not on the Non-classified Internet Protocol (IP) Router Network, or NIPRNet.

“Rather than the traditional segmentation and boundary type protections that we've used in the past, we need to move more toward a software-driven logical model where we're actually laying down local or virtualized infrastructure in real time that the user would traverse,” he explained. “Automation and orchestration become very important because you can't have someone at a keyboard standing up the different parts of the architecture in real time. We need automation and orchestration in order to make that happen. The software defined perimeter aspect is something that I think is coming together reasonably quickly, especially as we look to leverage more and more cloud services. DISA is involved in a number of prototypes across the department, and we're pretty excited about that.”

One challenge with zero trust architecture, however, is the current lack of standards, especially given how DoD depends on federated information technology. DISA is working with the National Institute of Standards and Technology (NIST) to provide input on the guidance NIST is drafting. “The lack of standards hinders the adoption of a lot of these capabilities going forward until we can work some of this out, but it won't stop us,” Wallace said. “We are going to adopt zero trust principles everywhere that we can, but to really create the vision of a harmonious zero trust environment is going to be a bit of a challenge until we get some of these interoperability issues worked out.”

He suggested that the commercial industry participate in the NIST zero trust forums, and once the standards come out, he advised companies to adopt the standards “in a pure type of way,” without adding “twists” that could create interoperability problems and challenges when integrating platforms into a larger military system.

Like the DoD, DISA is heavily dependent on industry solutions. As such, Wallace encouraged interested companies to get involved with the agency through its Small Business Office, or through the Emerging Technologies directorate, to provide a technical briefing of capabilities. The directorate hosts weekly technical exchange meetings with DoD’s chief information officer.  

He advised companies, however, to provide a straightforward account of a solution’s limitations.

“We need frank and honest discussions around what the products can and can't do,” Wallace stressed. “There's no silver bullet for any of this, and we don't expect there to be.”