DISA pilots zero-trust networking

The Defense Information Systems Agency is testing zero-trust networking on the Defense Department's classified network.

DISA ultimately wants to move to a zero-trust network environment where access is denied by default and only approved requests are permitted, the agency's Director of Operations David Bennett told reporters on July 16.

Bennett told reporters following a July 16 keynote at a FedInsider event that his agency is currently implementing a zero-trust pilot on the Secret Internet Protocol Router Network with U.S. Cyber Command.

"It's a proof-of-concept pilot," he said, adding that DISA hopes to expand it as more lessons are learned. "Zero trust is really about figuring out the data and applications and how to put that together and then try to connect it to the rest of the world," he said.

In that same vein, Bennett said one of the trickiest issues will be reining in and quantifying the internet of things. He said DISA was "not doing a lot" with IoT right now because it's "a very complicated scenario."

"DOD didn't grow up in an IoT world," he said, "It's only been recently where we find ourselves buying products that have internet capability."

Bennett said DISA is trying to understand the risks and challenges that come with IoT, primarily what a device is doing when it's not being used for its primary function.

Zero-trust security and IoT are both key components in Pentagon's newly released digital modernization strategy. DOD publicly released the document July 12, outlining its priorities for cybersecurity resilience and fostering talent and innovation.

The strategy overall reads like a long to-do list for the Defense Department, aggregating key network, cyber, cloud and emerging tech issues, such as 5G and artificial intelligence. While DISA's wheelhouse is discussed throughout, its network modernization efforts are highlighted, including the Joint Regional Security Stacks (JRSS) program that aims to improve DOD's network security posture by analyzing traffic entering and leaving DOD's IP networks for cyber threats.

But while JRSSseems to be on track after reported weaknesses identified by a recent inspector general audit, DISA is hoping to garner industry support for the Defense Department's move to IPv6. 

Bennett mentioned during his speech that he needed industry help removing low-speed time division multiplexed circuits and moving to IPv6 because telecommunications service providers will soon stop supporting TDM. He added that the culture shift, rather than the tech itself would be the most challenging part around the move.

The House-passed 2020 defense authorization bill includes a provision that would require all of DOD to sell its older IPv4 addresses, convert to the IPv6 format and provide Congress a report assessing progress on the process that has been nearly 20 years in the making.

Moving to IPv6 is the last element in a suite of six strategies listed in the DOD's new digital modernization plan for the Defense Information Systems Network: The other strategies are upgrading optical transport, enhancing mid-point security by implementing JRSS and a joint management system, building out multiprotocol label switching router networks with quality of service and performance monitoring, implementing software -defined networking and eliminating asynchronous transfer mode and low-speed TDM circuits.