DISA Details Plans to Improve Network for Shift to Zero Trust


The agency's recent request for information also seeks feedback on its acquisition strategy.

The Defense Department’s IT services provider is driving a shift away from perimeter-based security toward a data-focused, never trust, always verify paradigm, and it's looking for industry guidance on a potential acquisition to help it do so. 

Current network architectures don’t allow for easy application of zero-trust security principles, the Defense Information Systems Agency said in a recent request for information. To get rid of silos and better address “modern-day security threats,” DISA wants Secure Access Service Edge technology, which it defines as the convergence of wide area networking and network security services into one cloud-delivered service model. 

“Software Defined Wide Area Network (SD WAN) technology is an emerging concept that can have massive effects on how we rapidly deploy networks, prioritize traffic, and continuously monitor performance,” reads the RFI for the project, which DISA is calling Thunderdome. “This can be paired with a number of different security technologies that can give the DoD a true zero-trust network.”

Over the past year, DISA has been pushing zero trust forward. Last July, Vice Adm. Nancy Norton, then-director of DISA, outlined the move to zero trust—well into the pandemic and remote work but months before news of the SolarWinds and Microsoft cyberattacks began forcing hard looks at the security of government systems. The agency publicly released its reference architecture in May. President Joe Biden’s May executive order on cybersecurity also instructed agencies to advance zero-trust architectures. 

In addition to a variety of technical questions regarding industry approaches to SASE and SD WAN design and integration, DISA is soliciting feedback on its acquisition approach. The agency is considering using its other transaction authority, which has become increasingly common at DOD in particular, to prototype solutions. 

And prior to awarding OTAs to one or two companies, which will deliver a minimum viable product within six months of award, DISA in the RFI said it may use a Challenge Based Acquisition, or ChBA, where industry shows off their technical capabilities prior to the award. The agency plans to implement Thunderdome capabilities for operations through the year 2025. 

From the RFI respondents, DISA hopes to learn whether industry is able to meet its requirements as well as collect any suggestions to improve the approach. DISA will select some respondents to participate in a reverse industry day, according to a questions-and-answers document posted with the RFI, but the request for white papers for the project will be open to all. Responses to the RFI are due June 21.