Back in the beginning of 2022, the Defense Information Systems Agency (DISA) announced it had awarded a $7 million contract to Booz Allen to create a new IT architecture based on the zero-trust model. Under zero trust, computer networks are already considered compromised, and users, devices, and data are constantly validated through identity management and end-to-end security.
The six-month contract was for the development of a working prototype that was not only scalable but also involved using the technologies of Secure Access Service Edge and Software Defined-Wide Area Networks. That contract was later extended by an additional six months, so they could also work on the DoD’s classified network SIPRnet. The expanded Thunderdome project is ahead of the scheduled completion date of January 2023 and may be online as early as December 2022.
This shift in DoD’s IT architecture is a response to President Biden’s Executive Order 14028 “Improving the Nation’s Cybersecurity” in May 2021 with the intent to strengthen cybersecurity across the federal government. That executive order came as a result to the Solar Winds cyber-attack which gave Russian intelligence undetected access to federal network for months.
One of the key tenets of that Executive Order was the implementation of a zero-trust IT policy. With that in mind, and Thunderdome being the program now in favor, the Joint Regional Security Stacks (JRSS) program is being phased out earlier than its original five-year life span. While it did serve its purpose of reducing the entry points into the DoD’s IT networks, going to a zero-trust model was a logical progression to a more secure platform.
However because both JRSS and Thunderdome operate in the same DISA directorate, they can co-operate while Thunderdome ramps up and JRSS ramps down.
Another caveat to the Thunderdome program is that while it is the preferred DoD zero trust program, the DoD is not mandating that the DoD subsidiaries or military services use it exclusively. But they must use a zero-trust program, as that was dictated in the Executive Order.
As imagined, having several different zero-trust programs in use adds new level of complexity in transitioning from JRSS and trying to get everything to work together in harmony.
The rise of remote work of federal employees during the COVID-19 pandemic also increased the awareness that a more secure IT system was needed. When everyone was working in an office environment, communications would go through the DODIN network. But when many employees started working from home, now communications were often going through personal devices across a less secure network. When the zero-trust model Thunderdome comes fully online, its end-to-end point security and identity management will make this remote force entity more secure.
The Technical Director for the Cybersecurity and Analytics Directorate at DISA, Drew Mallory said as part of an interview. “We’ve been classically very network-centric in how we do cybersecurity. More and more we’re going to need to move toward applications and the data layer to do cybersecurity at that level and figure out what the right mix is going forward.” In the end, Thunderdome is not a destination, but part of an ongoing journey to a more secure DoD as it evolves and responds to an ever-changing cyber field.