The Defense Information Systems Agency (DISA) announced a six-month extension to its Thunderdome zero trust prototype with Booz Allen Hamilton Thursday with a target completion date of January 2023. The agency cited a need to develop an additional zero trust prototype for the Defense Department’s classified network, SIPRNet.
DISA leaders told GovCIO Media & Research that developing a SIPRNet-specific zero trust architecture will be critical to facilitating secure data interoperability for DOD’s Joint All-Domain Command-and-Control (JADC2) plan.
DISA JADC2 Lead Col. Kevin Finch described SIPRNet as DOD’s “tactical network” imperative to facilitating joint force information exchange.
“A lot of the programs over time are using different data standards, some are the same, most are not,” Finch said in an interview with GovCIO Media & Research. “Project Convergence that the Army is running — they use a lot of basically middleware capabilities like stitches to translate between one capability and another. That’s one part of the problem, getting everybody from Capability A to talk to Capability B. The other challenge is getting across different classification levels. This becomes really important when you start talking about our allies.”
DOD cyber leaders have described “over-classification” of data and the lack of cybersecure data exchange as major hurdles to successful JADC2 implementation. Plus, Air Force cyber leaders described “security constraints” as the core challenge to data interoperability for JADC2 at the Air Force Summit this week.
Brian Hermann, director of DISA’s Cybersecurity and Analytics Directorate, said SIPRNet’s zero trust prototype won’t solve the problem of over-classification, but it will allow users to access mission-critical information more quickly according to their clearance levels.
“There is an element of interoperability that is associated with the data standards that JADC2 brings forward,” Hermann said in an interview with GovCIO Media & Research. “I think there's a desired end state where your ability to access data and applications is based upon attributes about you that define that you are authorized to have access to that information and applications.”
This concept of “flattening the network,” made possible by zero trust, facilitates interoperability while still maintaining necessary classification standards and limiting user access to data as appropriate.
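To make the attribute-based decision Hermann describes concrete, here is an added illustration (not DISA's or Booz Allen's code, and not the Thunderdome policy): a deny-by-default check that compares a user's asserted attributes (clearance, compartments, nationality) against a data object's labels (classification, required caveats, releasability). The level ordering, attribute names and sample labels are constructed for the example.

```python
from dataclasses import dataclass

# Constructed ordering of classification levels for this example only.
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


@dataclass(frozen=True)
class Subject:
    """Attributes asserted about the requesting user by an identity provider."""
    clearance: str
    compartments: frozenset = frozenset()   # caveats the user is read into
    nationality: str = "USA"                # used for mission-partner releasability


@dataclass(frozen=True)
class Resource:
    """Labels carried by the data object being requested."""
    classification: str
    compartments: frozenset = frozenset()            # caveats required to read it
    releasable_to: frozenset = frozenset({"USA"})     # nations the data is REL TO


def decide(subject: Subject, resource: Resource) -> tuple:
    """Deny by default; allow only if every attribute check passes.

    Returns (allowed, reason) so the reason can be written to an audit log.
    """
    if subject.clearance not in LEVELS or resource.classification not in LEVELS:
        return False, "unknown classification label"
    # No read-up: the user's clearance must dominate the object's classification.
    if LEVELS[subject.clearance] < LEVELS[resource.classification]:
        return False, f"clearance {subject.clearance} below {resource.classification}"
    # Compartments: the user must hold every caveat the object requires.
    missing = resource.compartments - subject.compartments
    if missing:
        return False, f"missing compartments {sorted(missing)}"
    # Releasability: allied users only see data explicitly marked REL TO their nation.
    if subject.nationality not in resource.releasable_to:
        return False, f"not releasable to {subject.nationality}"
    return True, "all attribute checks passed"
```

Because every branch returns a reason, the same function can feed both the access decision and the audit trail that a zero trust deployment needs for after-the-fact review.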
The goal is an iterative approach to cybersecurity that adapts to new threat vectors and new technologies over time rather than a one-time fix.
In other words, Finch said, zero trust is a “core enabler” for JADC2.
“In the implementation plan for JADC2 there's five total lines of effort, but three deal directly with what we're talking about here,” Finch said. “One is data because we do realize that in order to make JADC2 function correctly you have to address the data, second is C2 systems, the line of effort that addresses how these different capabilities are going to consume then present data, and the third is the mission partner environment, how do we share data with our allied partners? And all those get back to classification. Yes, we do have a bunch of silos, I freely admit that; however, the true vision of JADC2 is to flatten the network and be able to have the user get the information they need at the classification level they're approved to get in a timely manner and make sense and then act.”
DISA’s current challenge is managing the different security boundaries of SIPRNet and DOD’s unclassified network, NIPRNet, and creating a zero trust solution that works for both in tandem.
“The differences between those two networks cause us to look for sometimes different solutions to provide services or security,” Hermann said. “There are industry partners that have secure cloud-based solutions we can leverage on the unclassified network because of the connections to Impact Level 5 FedRAMP-approved commercial cloud, whereas those things don't necessarily exist on the SIPRNet side. So, we need to have more of an on-prem solution. The additional work we're doing on the Thunderdome OTA is really designed to make sure the solutions we put in place work as well on SIPRNet as on NIPRNet.”
This new zero trust effort for SIPRNet will be incorporated into the redesign and modernization plans for the classified network, according to a DISA press release.
Operational testing for the prototype will occur in October and November, Hermann said.
“We're negotiating with some of the [armed] services as to whether they want to get some of their users on board and evaluate independently for us as well,” he added.