Thunderdome: DISA’s Next Phase for Zero Trust

Zero-trust ecosystems are rapidly gaining prominence as a fundamental cybersecurity practice throughout the IT industry, and federal agencies are no exception.

In January 2022, Booz Allen Hamilton was awarded a $6.8 million contract by The Defense Information Systems Agency (DISA) for the Thunderdome project, a zero trust prototype. One year later, the project is taking shape and meeting DISA’s success criteria.

Thunderdome is intended to create a new cybersecurity and network architecture for the Defense Department and is currently in the testing and implementation phase. Just last month, Deputy director of DISA, Chris Barnhurst, announced in a recent FCW/NextGov workshop that the prototype has been successfully rolled out to over 1,600 users across three different locations. This significant achievement marks a major milestone for Thunderdome.

What Exactly is Thunderdome?

Thunderdome integrates a collection of technologies to achieve a zero trust ecosystem and bolster cybersecurity. This latest project is intended to replace the Joint Regional Security Stacks (JRSS) that the DoD started using in 2013. The goal of JRSS was to reduce the number of internet entry points vulnerable to hackers. However, the 2019 DoD Inspector General’s report identified weaknesses in JRSS – it failed to meet many cybersecurity goals.

In a statement, DISA’s deputy director Chris Barnhurst explained that Thunderdome marks a significant transition towards a next-generation cybersecurity and network architecture for the DoD. The system is based on identity and reinforced security measures, and it alters the traditional network-centric defense-in-depth security model to focus on safeguarding data. The ultimate result is a more secure operating environment for the department, achieved through zero-trust principles.

Zero trust is a cybersecurity model that employs the principle of “never trust, always verify.” As a result, all users and devices accessing a network are continuously authenticated and authorized, regardless of whether they are inside or outside the network perimeter.

Why JRSS Had to Go

The Thunderdome announcement comes just three years after DoD officials said they had no plans to pause the JRSS rollout or change how they’re deploying it. So, what happened?

The DoD officials’ statement of confidence in JRSS was a response to the Pentagon’s own oversight bodies pointing to significant issues in implementing JRSS. And concerningly, for two consecutive years, the DoD’s Director of Operational Test and Evaluation (DOT&E) published a report stating that JRSS is deemed neither “operationally effective” nor “operationally suitable.”

Audits repeatedly found issues with JRSS, including:

• Five significant concerns – latency, cost, multi-tenancy, reliability, and division of labor between cyber personnel from military services and DISA.
• At least 14 “critical” and “high” level vulnerabilities were found in the JRSS system, and without proper security safeguards, they could compromise DoD data.
• The DoD did not approve a formal list of JRSS training requirements until three years after deployment, and many JRSS sites did not have adequately trained personnel.
• Lack of funding for contractors limited the class size and frequency of scenario-based JRSS training offered by DISA.
• The JRSS project required the military services to move into a multi-tenancy model, which meant bringing divergent network security procedures into a shared infrastructure. This proved challenging in practice.
• Defense IT officials avoided designating JRSS as an official acquisition program to avoid paperwork burdens. However, this decision led to the department sidestepping some major acquisition management principles that would have helped JRSS’s implementation.

Yet, despite JRSS’s issues, the department seemed committed to sticking with the project, at least until Thunderdome came along. So, why was the DoD intent on holding on to a failing multi-billion dollar cyber defense system?

We can’t know for sure, but the answer likely lies in the steps the DoD was taking to mitigate the issues surrounding JRSS and some of the successes it did bring. For example, the project reduced more than 2,700 local access points by 131. The DoD also increased training and increased capacity to reduce latency, as well as standardizing migration tools. In other words, JRSS was improving following the feedback of the audits. As a result, it’s possible that, given enough time, JRSS could have met the DoD’s cybersecurity success criteria.

However, time is a precious commodity in cybersecurity – the longer it takes to get a cybersecurity project off the ground, the more time your systems are left vulnerable. And that’s where Thunderdome is excelling. This latest project came at just the right time and champions proven zero-trust principles.

Final Thoughts

The Thunderdome project is a significant milestone for the Department of Defense’s transition to a zero-trust cybersecurity model. This project highlights the importance of implementing zero trust principles to create more secure operating environments, especially in the face of persistent cybersecurity threats.