DISA wants to take Thunderdome pilot to full production in ‘30 to 60 days,’ director says

DISA Director Lt. Gen. Robert Skinner in a Senate hearing room following testimony in March 2023. E.J. Hersom/Department of Defense

Lt. Gen. Robert Skinner said that, following the successful test of the zero trust architecture prototype, the Defense Department’s information technology agency is working on an acquisition plan to scale the program.

Two months after successfully completing its zero-trust network access architecture pilot, the Defense Information Systems Agency is hammering out an acquisition strategy to quickly spin it into a full program.

Speaking at the AFCEA TechNet Cyber conference on Tuesday, DISA Director Lt. Gen. Robert Skinner said the agency is working on scaling up its zero trust program, known as Thunderdome, after it successfully completed its pilot on March 1. 

"[Digital Capabilities and Security Center Director] Jason Martin and team are working through the acquisition strategy to be able to go full production here in the next 30 to 60 days," he said. "Thunderdome is more than just a pilot though. I know it's [software-defined wide area network], I know it's [Secure Access Service Edge] and a few other capabilities. But under our Thunderdome umbrella, it's a lot more than that. It's what's happening at the client, it's what's happening in data analytics."

Skinner said that out of the 153 key activities in the DOD's zero trust strategy, DISA can now provide around 123 as a capability through Thunderdome. 

DISA has been moving fast on the project ever since awarding a $6.8 million contract in January 2022 to Booz Allen Hamilton to develop a prototype of the zero trust architecture.

A little more than a year later, agency officials touted the completion of the system, a mix of zero trust software solutions like SD-WAN, SASE, Customer Edge Security Stack and Application Security Stacks that could offer conditional network access to applications based on information like user and device attributes, geolocation data and time of use.

After also applying portions of the unclassified prototype on its classified network, DISA officials said in March that they would pursue a production other transaction agreement to deploy it across the DOD, a plan that seems to be moving with speed.

The Thunderdome update also coincided with details Skinner provided on other authentication programs, such as the Global Federated User Domain, an identity management add-on to the system governing access to DOD cloud-based systems and services.

Gabe Solomon, a cloud engineer with DISA's Hosting and Compute Center, told the AFCEA TechNet audience that defense components using GFUD would use the same identity solution used to log in to cloud-based Office software to also log in to workstations, streamlining the identity management process for applications used on defense networks.

Skinner said DISA is also in the midst of multiple six-month pilots looking at updating DISA's approach to boundary defense, such as firewalls and network intrusion detection systems.

"There are so many capabilities in our boundary that a lot of times there are collisions going on, I would offer," he said. "We're looking at is there a better way at providing boundary security going forward, and can we leverage commercial capabilities and industry capabilities more than we are today?"

He added that the goal is to make boundary defense a much simpler operation for the workforce.

"I would offer that the complexity of our boundary and the complexity of our [Joint Regional Security Stacks] is so complex that we can't harmonize user experience and cybersecurity. It just can't be done."