Can DISA's CBII make DOD telework more secure?

When mass telework began a year ago in response to the COVID-19 pandemic, the Defense Department faced a sharp spike in cyberattacks against its networks. The Defense Information Systems Agency is fighting back, in part by developing the Cloud-Based Internet Isolation solution.

CBII allows users to browse nongovernment websites while keeping online threats from moving onto DOD’s network, reducing endpoint attacks and bandwidth demands at the same time.

“CBII has been that solution that enables mission partners to solve their bandwidth constraints, especially in response to mass telework due to COVID-19,” Laurel Lashley, DISA’s CBII program manager, told FCW. “For mission partners who are operating in low-bandwidth, high-latency environments, CBII has been the solution for them to conserve bandwidth for their mission-essential functions.”

After a pilot test, DISA moved CBII into production in September 2020, with the ultimate goal of migrating all DOD users to the solution. So far, 190,000 users at 25 organizations have been moved to CBII, with the Defense Health Agency as the largest adopter at 160,000 users. Lashley said 1.5 million users will be migrated by the end of fiscal 2021.

“Our approach is to onboard the DOD services, combatant commands, and the defense agencies and field activities with a sizable sampling of users in this first year,” she added. In 2021, the 11 combatant commands “will be prioritized for migration at 100% of their applicable users, and then the remaining license will be allocated for the services and will incrementally increase 200%” by the end of fiscal 2024.

CBII is expected to save DOD the more than $300 million it would have cost to upgrade cybersecurity tools to defend internet access points, according to DISA’s Requirements and Analysis Office.

Lashley said implementation has been fairly seamless so far, with the lesson that “no environment is identical” as the primary takeaway.

“Beyond improved performance or latency reduction, many users are unaware that they’re even doing something different,” she said. “All the users generally have to do is browse, except now their browsing occurs in the isolated container, and all internet-born browser code is executed outside of the DODIN. Therefore, users are protected against any recent zero-day browser vulnerabilities.”

CBII is part of DISA’s effort to provide secure, cutting-edge cybersecurity solutions for DOD’s workforce, which includes adopting zero trust methods.

Steve Wallace, systems innovation scientist at DISA’s Emerging Technology Directorate, noted that endpoint security is a critical component of zero trust. He told FCW that “with respect to CBII, zero trust as well as other design considerations are certainly part of our ever-evolving approach to cyber defense. CBII has changed our approach to both endpoint and perimeter protection. Because it shifts a large portion of the threat off the DODIN, we can reshape our approach.”

Lashley said DISA plans to integrate CBII into mobile devices to protect the use of sensitive data and prevent data loss.“Deploying CBII to mobile devices will allow mission partners further protections while they’re on the go, working on the fly,” she said. “We are already working with our mission partners to get the requirements to baseline policies and rule sets that ensure users are operating within the constructs of sensitive data within their organization and ensuring that organizations are able to discover and stop data from leaving their networks.”

She emphasized that the main goal is to spread CBII’s use across DOD in fiscal 2022. “If you want a solution that allows you to optimize bandwidth, that allows you to enhance network security and [that] provides your users with an enhanced…experience, CBII is that solution,” she said.