The defense agency adjusted its long-term cybersecurity and cloud plans to take into account progress and pivots made for the COVID-19 pandemic.
The Defense Information Systems Agency released the first annual refresh for its strategic plan outlining a vision for the agency through 2022, including a new technology roadmap, on Monday.
The update takes into account changes to the operating landscape—most significantly, the COVID-19 pandemic. DISA was a major part of the effort to enable mass telework at DOD. Vice Adm. Nancy Norton, director of DISA, said in a statement that 2020 affirmed the importance of the annual strategic planning process.
“Because of the planning efforts we undertook in 2019, DISA was able to turn on a dime to support the Department of Defense and the whole-of-government response to the COVID-19 pandemic,” Norton said. “A lot of what we did to ensure the warfighter, national-level leaders, and mission partners had secure collaboration tools and capabilities needed throughout the pandemic was outlined in version 1 of our four-year plan, but we had to accelerate implementation at a very rapid pace.”
The main addition to the strategy this year is a new technology roadmap outlining how DISA will achieve its objectives and goals in fiscal years 2021 and 2022. The roadmap focuses on cyber defense, cloud and the Defense Enterprise Office Solution, a contract to provide the Pentagon and its departments with cloud-based business tools.
For each of the three focus areas, DISA listed activities that will help it reach its technology goals. To improve its cyber posture, for example, DISA plans to implement the zero trust model, a move it announced in July.
DISA’s own zero trust reference architecture is due “very shortly,” Norton said during a panel at AFCEA International’s TechNet Cyber Event Tuesday. The framework will help industry and mission partners determine what tools they want to use to implement zero trust and allow DISA to expand its labs to continue testing, she added.
“We don't have a specific acquisition strategy, because we're not trying to go out and buy a box of zero trust,” Norton said. “That's just not the way it works.”
Instead, the zero trust piece of the cyber puzzle will come together by looking at what tools are available today and what changes need to be made to configurations to maximize the capabilities of these existing tools, Norton said.
Under the cloud focus area, DISA pinpoints development security operations, or DevSecOps, as an enabling activity. DevSecOps is a form of agile software development that wraps security into each iteration of the development cycle. The roadmap indicates DISA will define a DevSecOps framework and develop dashboards to visualize DevOps metrics, among the initiatives it will undertake to support agile development.
Cloud-based internet isolation, or CBII, pops up both in the cyber focus area and as one of the three performance outcomes on the roadmap for the cloud focus area. CBII was DISA’s first other transaction authority, or OTA, project to reach full production, Norton said, and it helped improve security for DOD personnel working from home.
“CBII moves internet browsing off the endpoint to a cloud-based environment,” Norton said. “It effectively creates an air gap between the internet and our enterprise networks, so malicious code is detonated in the cloud, not on our government computers.” Norton added that over 100,000 people across DOD are using CBII.
DISA is also currently using a prototype OTA for an identity, credentialing and access management, or ICAM, project. Dr. Serena Chan, director of DISA’s cyber development directorate, told Nextgov in October that the prototype is slated to reach initial operational capability status later this month. Chan said in a webinar that ICAM is “foundational” to the zero trust model.
Establishing an enterprise identity and authentication capability for DOD cloud environments is also a component of the cloud access and security performance outcome on the roadmap.
The DEOS section emphasizes the need for collaboration with mission partners and indicates consolidating DOD collaboration activities will be a major line of effort over the next two years. In October, the General Services Administration and DOD re-awarded the DEOS contract to CSRA, a managed affiliate of General Dynamics Information Technology, and its contracting teaming partners, Dell Marketing and Minburn Technology Group.
Productivity tools provided through the DEOS contract will run through a Microsoft Office 365 cloud environment. The DEOS solution will supplant the Commercial Virtual Remote, or CVR, environment, which enabled DOD personnel to work on personal devices during the pandemic. CVR runs on Microsoft Teams.