WASHINGTON — The Pentagon’s top IT office issued a nearly $7 million contract to develop its zero trust IT architecture, the Department of Defense announced Tuesday.
The cyber threat landscape has shifted in recent years, becoming much more dynamic. As a result, traditional defenses have proven to not be up to the test. The federal government has now shifted to what it calls a zero trust model, which assumes networks are already compromised and validates users, devices and data continuously.
The contract, awarded to Booz Allen Hamilton, is for Thunderdome, the Defense Information Systems Agency’s implementation of zero trust. The contract is for a six month prototype effort in which the agency will operationally test how to implement its zero trust architecture involving technologies such as Secure Access Service Edge and Software Defined-Wide Area Networks.
“Over the course of the next six months, we plan to produce a working prototype that is scalable across the department,” said Jason Martin, director of DISA’s digital capabilities and security center.
Officials have explained that Thunderdome is not intended to be the DoD’s sole solution. It will not be mandated across DoD or the services, meaning the services can opt to partner with DISA or implement their own zero trust system.
Officials also noted that Thunderdome and zero trust represents a shift in how the DoD conducts cybersecurity.
“Rooted in identity and enhanced security controls, Thunderdome fundamentally changes our classic network-centric defense-in-depth security model to one centered on the protection of data and will ultimately provide the department with a more secure operating environment through the adoption of zero trust principles,” said Chris Barnhurst, DISA deputy director.
Following a series of high profile cyber breaches – such as when Russian intelligence personnel planted malicious code in software updates provided by government supplier SolarWinds, allowing unprecedented access for months across federal networks – the Biden administration issued an executive order in May 2021 to strengthen cybersecurity across the federal government. One of the key tenets of that order was for agencies to implement zero trust.
A follow on Jan. 19 national security memorandum establishing metrics for improving the cybersecurity of national security systems requires agencies to develop a plan to implement zero trust architectures.
Last summer, the DoD also decided to do away with the Joint Regional Security Stacks, initially established to shrink the cyberattack surface by consolidating countless classified entry points around the world to 25 sites, in favor of the zero trust Thunderdome approach.
Mark Pomerleau is a reporter for C4ISRNET, covering information warfare and cyberspace.