WASHINGTON — The Pentagon’s main IT office has issued a nearly $7 million contract to develop its Zero Trust computing architecture, the Department of Defense announced Tuesday.
The cyber threat landscape has evolved in recent years, becoming much more dynamic. As a result, traditional defenses proved not to be up to the test. The federal government has now moved to what it calls a zero-trust model, which assumes networks are already compromised and continuously validates users, devices and data.
The contract, awarded to Booz Allen Hamilton, is for Thunderdome, the Defense Information Systems Agency’s implementation of zero trust. The contract is for a six-month prototype trial during which the agency will operationally test how to implement its Zero Trust architecture involving technologies such as Secure Access Service Edge and Software Defined-Wide Area Networks.
“Over the next six months, we plan to produce a scalable working prototype across the department,” said Jason Martin, Director of Digital Capabilities and Security Center at DISA.
Officials explained that Thunderdome is not intended to be the DoD’s only solution. It will not be mandatory for the DoD or the services, which means the services can choose to partner with DISA or implement their own zero-trust system.
Officials also noted that Thunderdome and Zero Trust represent a shift in how the DoD conducts cybersecurity.
“Rooted in identity and enhanced security controls, Thunderdome fundamentally changes our traditional network-centric defense-in-depth security model to a data protection-centric model and will ultimately provide the department with a more secure operating environment. through the adoption of Zero Trust Principles,” said Chris Barnhurst, Deputy Director of DISA.
Following a series of high-profile cyber breaches – such as when Russian intelligence personnel planted malicious code in software updates provided by government provider SolarWinds, allowing months of unprecedented access to networks federal – the Biden administration issued an executive order in May 2021 to strengthen cybersecurity across the federal government. One of the key principles of this order was that agencies implement zero trust.
A follow-up to the January 19 National Security Memorandum establishing measures to improve the cybersecurity of national security systems requires agencies to develop a plan to implement zero-trust architectures.
Last summer, the DoD also decided to do away with joint regional security stacks, originally created to reduce the cyberattack surface by consolidating countless classified entry points around the world at 25 locations, in favor of the Zero Trust Thunderdome approach.
Mark Pomerleau is a reporter for C4ISRNET, covering information warfare and cyberspace.