WASHINGTON — The U.S. Defense Information Systems Agency released a revised strategic plan Monday for fiscal 2021 and 2022 that identifies three core technology areas of focus where the agency “must direct our attention to achieve our overall mission objectives.”
The areas are cyber defense, cloud computing and Defense Enterprise Office Solutions. The latter is a new office tools contract. This is the second version of DISA’s strategic plan for fiscal 2019-2022, which was originally released in 2019.
“This refresh incorporates updates to our priorities in light of a changed strategic environment characterized by rapidly shifting global and cyberspace landscapes,” the introduction stated. “In this era of technological advancement in the cyber domain, DISA is continually seeking new ways to meet the needs of the end user that demands responsive, resilient, secure and high-quality IT services.”
In her letter from the director, Vice Adm. Nancy Norton noted that the Defense Department relied on DISA, as its top IT combat-support agency, to enable telework and COVID-19 pandemic response. The pandemic kicked off remote work for many of the department’s employees, which brought with it greater cybersecurity risks and sped up conversations around zero-trust cybersecurity architectures, senior IT officials at the Pentagon have said this year.
DISA’s cyber defense strategic focus area centers around zero trust, a model that inherently distrusts users trying to access systems. To enable that architecture, the strategic plan states that DISA must define the zero-trust reference architecture, which Norton said will be released by the end of the calendar year, develop policy, and test and implement capabilities.
Right now, DISA is working with the National Security Agency, U.S. Cyber Command and the Pentagon’s chief information officer to develop a zero-trust lab environment “to replicate existing and near-state technologies to test zero trust capabilities,” the plan stated.
DISA also plans to bolster cyber defenses at network boundaries using threat intelligence, both internally and from commercial vendors. It plans to complete this project in FY22. The agency will also boost cybersecurity through cloud-based internet isolation, for which DISA awarded a $199 million other transaction authority contract earlier this year.
The strategic plan also lays out increasing regional defenses and endpoint security. DISA plans to sustain its Joint Regional Security Stacks as well as update the stacks through technology refreshes in FY21 to FY22.
DISA also plans to enhance endpoint security through the Comply to Connect program, a cybersecurity program that boosts network security. Sunsetting legacy systems and migrating to Comply to Connect started in FY20 and is expected to end in FY22. DISA also plans to stand up its Enterprise Patch Management Service by FY21 so Pentagon components have a centralized platform to find software fixes.
In terms of the cloud, DISA highlights several agile software development activities as key enablers for the department’s cloud mission, including a DevSecOps framework, a DevOps metrics model and a departmentwide community of practice. The strategic plan lists three major lines of effort for the cloud, including the Cloud Based Internet Isolation tool. The other two are cloud access and security, and cloud infrastructure. For access and security, DISA wants to establish enterprise identity and authentication for the department’s cloud environments and “evolve” its cloud access and security offerings.
“During this strategic time frame, we will host critical traditional systems, divest outdated legacy computing systems, and where appropriate, shift to cloud-based alternatives,” the plan read. “We are actively onboarding new mission-critical applications and working toward an infrastructure technical refresh for [Non-classified Internet Protocol Router Network] and [Secret Internet Protocol Router Network] in 2021.”
For cloud infrastructure, DISA wants to deploy milCloud 2.0 on the SIPRnet and integrate common services that will be provided through the Joint Enterprise Defense Infrastructure cloud, the Pentagon’s long-delayed enterprise cloud.
The final area, the Defense Enterprise Office Solution, is a commercial cloud offering that will provide the Microsoft Office suite across the department in an effort to standardize tools and applications across the department. The $4.4 billion contract was recently re-awarded to General Dynamics Information Technology after several protests.
“In this strategic time frame, we will facilitate migration from legacy enterprise services to DEOS, and sunset legacy services,” the strategic plan read. “This includes standing up, testing and authorizing NIPRNet services within the continental United States, as well as initiating OCONUS and SIPRNet services.”