DISA leans in on zero trust

The Defense Information Systems Agency is teaming up with the National Security Agency to deliver the defense community's first zero-trust reference architecture guidance later this year, DISA’s chief, Vice Adm. Nancy Norton said during the Army’s virtual Signal Conference on July 15.

Once complete, the reference architecture will be available for defense agencies to use as a guide to implementing zero trust environments where network access is continually authenticated, rather than relying on an initial login.

DISA began piloting the concept last year on the Secret Internet Protocol Router Network with U.S. Cyber Command.

“This is not going to be a wholesale, greenfield approach to new network architecture. We’re not starting over again with wholesale new equipment,” Norton said. “We are taking what’s out there today with our legacy equipment and building new principles into it.”

Norton added that analytics, policies, devices and automation would be incorporated along the way.

John Hale, DISA’s cloud portfolio office chief, said to bring zero trust to reality, DISA has been implementing it on the “use case by use case basis” as some cloud providers are “more forward-leaning than others.”

Speaking at a July 15 FCW and Defense Systems cloud event, Hale said the efforts were not pilots, but rather “large-scale implementations” that further prove out the need for boundary cloud access points, which are often criticized for choking network traffic. But even with zero trust architecture, DOD will still need the BCAPS, he said. .

DISA is also working on expanding access to boundary cloud access points for off-premises commercial cloud providers. Hale said a fourth installation for third-generation BCAPs will stand up in August, which should result in a forty-fold increas in bandwidth for off-premises providers.

“If we could have direct big, fat pipes between the end user and the commercial cloud provider, as long as they meet the zero trust [and] DOD security requirements, that’s ultimately where we want to go,” Hale said.

The Navy, which has increased migration to Microsoft 365, moved its Microsoft capabilities to third generation BCAPs, he said, adding that all mission partners should be able to use the BCAPs once the fourth installation is complete. Additional BCAPs will be added as needed, Hale said.