The achievement is a major milestone for DISA’s Thunderdome initiative, which offers a suite of IT and cybersecurity technologies that various agencies across the Defense Department can use as their zero-trust solution. DISA’s validation of Thunderdome comes more than two years ahead of the Pentagon’s deadline to implement target levels of zero trust by the end of fiscal 2027.

“It is a stellar machine system and environment, and there’s a lot of DOD field activities and agencies that are depending on that solution as its [zero-trust] solution,” Resnick said Wednesday during the Defense Acquisition University’s annual Zero Trust Symposium.

Zero trust is a cybersecurity framework that assumes networks are already compromised by adversaries, as opposed to the perimeter-based standards traditionally employed by the DOD. Rather than establishing a protective cybersecurity boundary over its networks, zero trust requires the Pentagon to integrate new capabilities that can constantly monitor and authenticate its networks and users as they move through them.

The DOD’s 2022 Zero Trust Strategy outlined a minimum set of 91 capability outcomes that agencies and components must meet to achieve “target levels” of zero trust no later than Sept. 30, 2027. The strategy also provided an additional 61 activities that are required to meet what the Pentagon considers “advanced levels.”

Resnick said DISA’s Thunderdome achieved a “perfect 152 out of 152,” meaning the solution is the second to hit all of the department’s ZT capability outcomes. The Navy’s cloud-based Microsoft Office 365 platform — known as Flank Speed — was the first zero-trust solution to achieve advanced levels, and met all 152 requirements earlier this year.

“Thunderdome is the Defense Information Systems Agency’s (DISA) comprehensive ZT solution,” Chris Pymm, Thunderdome portfolio manager at DISA, told DefenseScoop in a statement. “Recently, the Department of Defense DOD CIO purple team has validated that Thunderdome provides advanced level ZT across all 152 activities in DOD’s ZT model. What’s more, organizations can leverage DISA’s Thunderdome procurement vehicle to meet their integration ZT needs.”

According to the agency, the Thunderdome solution leverages enterprise identity credential and access management (ICAM); commercial secure access service edge capabilities; and software-defined wide area networking and security tools.

In 2022, DISA awarded Booz Allen Hamilton a $6.8 million other transaction agreement to prototype Thunderdome, which was later extended to include the Pentagon’s classified Secure Internet Protocol Router Network (SIPRNet). Following 18 months of development, the company received a follow-on production contract in 2023 to transition the solution into full deployment. 

The award is structured as an indefinite delivery/indefinite quantity (IDIQ)-like award to allow for other Pentagon agencies and departments to leverage the OTA over a five-year period. The contract has a total ceiling of $1.86 billion.

Pymm said that Thunderdome “will complete the DISA terrain in June of this year.” The effort’s zero-trust capabilities will be scaled to defense agencies and field activities via the broader migration of users to its new modernized network, known as DODNet, he added.

In fiscal 2025, Thunderdome will be fielded to the Defense Contract Management Agency, Defense Contract Audit Agency, Defense Logistics Agencies, Defense Media Activity, Defense Finance Accounting Service and the Defense Microelectronics Activity.

Moving forward, DISA plans to deploy the capability to the following agencies and organizations in fiscal 2026: Defense Threat Reduction Agency, Joint Staff’s J-6 directorate, Defense Advanced Research Projects Agency, Missile Defense Agency and Defense Manpower Data Center.

Updated on April 2, 2025, at 5:25 PM: This story has been updated to include more information from DISA about plans for Thunderdome and statements from Chris Pymm, Thunderdome portfolio manager.

The post DISA’s Thunderdome achieves advanced zero-trust goals appeared first on DefenseScoop.

The Senate Armed Services Committee on Monday released the full text and report for its version of the fiscal 2025 National Defense Authorization Act with a number of cybersecurity provisions included in it related to zero trust — a widely recognized, cloud-based concept that assumes an adversary has already gained access to a network and therefore looks to limit further movement internally by requiring constant monitoring and authentication of users and their devices as they pass from one part of a network to another.

Key among them is a requirement that, if passed as is, would enlist the DOD chief information officer to issue new guidance tailoring the department’s zero-trust framework to “human-wearable devices, sensors, and other smart technology” included in the so-called military internet of things within 180 days of the law’s passage.

Like traditional internet-of-things hardware, the military internet of things is generally comprised of interconnected, data-rich, sensor-driven devices meant to communicate or share information on a domain in both combat and non-combat settings. While the devices are credited for inexpensively enhancing the military’s ability to sense and share information — in some cases in an automated fashion — they also have led to a proliferation of endpoints that adversaries can target for a cyberattack. A 2015 Center for Strategic and International Studies report referred to security as the “single most important challenge for IoT implementation across the military.”

The guidance from the CIO would also require details on the role that identity, credential, and access management technologies would play in that larger zero-trust strategy as it’s applied to the military internet of things.

A Defense Department strategy signed out in 2022 outlines “target levels” of zero trust, which are a minimum set of 91 capability outcomes that DOD agencies and components must meet to secure and protect networks. The Pentagon’s goal was to achieve those target levels no later than Sept. 30, 2027 — a deadline that David McKeown, the department’s chief information security officer, wants to accelerate.

Senate lawmakers have also taken note of a successful zero-trust pilot and subsequent production contract led by the Defense Information Systems Agency called Thunderdome. In the committee report accompanying the text of the chamber’s version of the 2025 policy bill, the committee urges department components to leverage the success of Thunderdome in replacing the agency’s previous security model known as the Joint Regional Security Stacks (JRSS), which aimed to consolidate the department’s attack surface by reducing thousands of network stacks globally to roughly 25. DISA decided to begin sunsetting that program in 2021.

“The committee is encouraged by the successful prototyping and production agreement for the Thunderdome program, which is expected to scale rapidly across the entire DOD enterprise,” the report reads. “To achieve stated goals within DOD’s specified timelines, the committee believes that DOD components should leverage technologies like Thunderdome, which rely on an open vendor selection process and comprehensive prototyping before production. The committee believes that such attributes are necessary to ensure upgradability and adaptability over time.”

That provision calls on the DOD CIO and director of DISA to brief congressional armed services committees on the progress made with Thunderdome and progress transitioning away from JRSS, “with a focus on how legacy JRSS will incorporate zero trust-aligned continuous trust verification and security inspection regardless of user location or device.”

The post Senate NDAA calls for guidance to apply zero trust to ‘internet of military things’ devices appeared first on DefenseScoop.

The Thunderdome cybersecurity initiative aims to help the Department of Defense move toward a zero-trust architecture.

Zero trust is a concept and framework that assumes networks are already compromised and require constant monitoring and authentication to protect critical information. The Pentagon’s strategy aims to fully implement zero trust by 2027.

Last year, DISA announced a $6.8 million other transaction agreement with Booz Allen Hamilton for Thunderdome prototyping. After 18 months of work on that phase of the program, the agency on Friday announced that it awarded the company a follow-on production deal with a one-year base period and four one-year option periods, which could run from August 2023 through August 2028.

“This award has been structured as an indefinite delivery/indefinite quantity (IDIQ)-like award so other DOD agencies and military departments can leverage the OTA over the five-year period of performance,” a DISA spokesperson told DefenseScoop on Monday.

The total agreement ceiling is $1.86 billion.

“Awarding this Thunderdome production agreement is an important step on our zero-trust journey and furthers DISA’s mission to provide warfighters with a more secure operating environment,” Lt. Gen. Robert Skinner, DISA director and commander of the Joint Force Headquarters-Department of Defense Information Network, said in a statement. “While DISA leverages these capabilities on our cyber terrain, this full-scale production agreement can be used to assist the military services and other DOD components in implementing key zero-trust activities.”

Thunderdome will contribute to zero trust by offering network access tools and segmentation technologies paired with identity and endpoint cybersecurity capabilities, according to a DISA release.

Last summer, the agency extended the prototyping effort so that it could include the Secure Internet Protocol Router Network (SIPRNet), which is used globally by the Pentagon and the U.S. military to transmit secret information. The intent was to take a more comprehensive and holistic approach to how the network operates. The new capability’s “secure access service edge” is expected to integrate with DISA’s Cloud Defensive Cyber Operations, Enterprise Comply to Connect, and Identity, Credential, and Access Management (ICAM) solutions.

“The experience gained in partnership with industry as we implemented the prototype solution over the last 18 months has been invaluable, and we believe this award positions the department to meet critical zero trust adoption timelines in support of our warfighters,” DISA Deputy Director Christopher Barnhurst said in a statement. “We look forward to accelerating implementation activities and partnering across the department to expand access to the zero-trust capabilities Thunderdome provides.”

In a statement to DefenseScoop, Imran Umar, a vice president at Booz Allen Hamilton spearheading the company’s zero-trust practice, said the Thunderdome prototype “was composed of innovative technologies to demonstrate, with real users, that they will work together to deliver the tenets of zero trust on both classified and unclassified networks. We look forward to our continued partnership with DISA to take this solution into full production.”

Kelly Rozumalski, a senior vice president leading the company’s national cyber defense business, said: “Our team successfully demonstrated the use of commercial technologies to help meet many of DoD’s zero trust implementation goals, and our internal zero trust investments helped accelerate our ability to bring innovative solutions to complex challenges.”

Updated on July 31, 2023 at 6:30 PM: This story has been updated to include comments from Booz Allen Hamilton executives and additional information from DISA about the other transaction agreement.

The post DISA awards production deal for Thunderdome zero-trust initiative appeared first on DefenseScoop.

Bringing the classified network into the Thunderdome initiative — which is aimed at helping the Department of Defense move toward a zero trust architecture — is a major evolution for the program.

“The six-month extension is essential to allow DISA additional time to expand the Thunderdome pilot to include the Secure Internet Protocol Router Network and complete development, testing and deployment planning for the original unclassified prototype,” the agency said in a July 28 press release.

In January, DISA announced that it had awarded a $6.8 million Other Transaction agreement (OTA) to Booz Allen Hamilton for Thunderdome prototyping, with a six-month development timeline. The recently announced extension of the pilot will push the expected completion date to January 2023.

The agency said the ongoing Ukraine-Russia war — which began in February and has reportedly included cyberattacks from both sides — underscores the importance of securing systems like the SIPRNet, which is used globally by the Pentagon and the U.S. military to transmit secret information.

“While we have been working on developing a zero trust prototype for the unclassified network, we realized early on that we must develop one, in tandem, for the classified side. This extension will enable us to produce the necessary prototypes that will get us to a true zero trust concept,” DISA Deputy Director Christopher Barnhurst said in a press release July 28.

The SIPRNET framework “is antiquated and needs updating,” according to the release.

“Thunderdome will be a completely comprehensive and holistic approach to how the network operates — a major shift from the current architecture,” it added.

The new capability’s “secure access service edge” is expected to integrate with DISA’s Cloud Defensive Cyber Operations, Enterprise Comply to Connect, and Identity, Credential, and Access Management solutions.

“While Secure Internet Protocol Router Network is undergoing a number of modernization efforts led by DISA, the Thunderdome prototype is an important part of the SIPR redesign process and will provide SIPRNet with the security benefits of a zero trust architecture. During this extension period, DISA will design and implement a SIPR zero trust production solution that is focused on improving and better securing the SIPRNet core infrastructure. This will provide DISA with improved visibility to ensure that people cannot access documents that they do not have the need to see,” the agency said in the release.

In an executive order last year, the White House directed federal agencies to develop plans for implementing zero trust. The directive was part of a larger push to modernize the U.S. government’s cybersecurity in the wake of cyberattacks that compromised federal agencies through the exploitation of software.

Jason Martin, digital capabilities and security center director at DISA, told reporters in April at AFCEA’s TechNet Cyber conference in Baltimore, that Thunderdome will “fundamentally change” the Defense Information Systems Network (DISN) and the way that the Department of Defense Information Network (DODIN) interoperates with the DISN.

“I think those are all obviously critically important to what we’re trying to do across the department,” he said.

DISA is developing a departmentwide strategy for transitioning the DOD from today’s cybersecurity frameworks and tools to Thunderdome or other zero trust solutions.

The six-month extension of the OTA with Booz Allen Hamilton will give DISA additional time to work on the strategy; conduct operational and security testing beyond what was planned for in the initial Thunderdome pilot; and mitigate the overall risk of deploying zero trust capabilities, Martin said in the release.

Booz Allen Hamilton declined to comment.

The post DISA expanding Thunderdome cybersecurity project to include classified network appeared first on DefenseScoop.

A meeting scheduled for next week could be pivotal.

“Monday we have an agencywide technical and direction-setting discussion … to ensure that we are building out … the most optimal way ahead,” Jason Martin, digital capabilities and security center director at DISA, told reporters on the sidelines of AFCEA’s TechNet Cyber conference.

“We’re going through a rack and stack of where we are, what the priorities are, and then what resources we need to align to put out a given MVP [minimum viable product] and associated capabilities,” he said.

DISA has already established a program office for Thunderdome.

Earlier this year the agency awarded the first contract for a Thunderdome security solution prototype to Booz Allen Hamilton, which was valued at $6.8 million.

DISA is leveraging Other Transaction Authority agreements (OTA) for the initiative. OTAs are intended to cut through bureaucratic red tape and help federal agencies such as the Pentagon acquire new technology faster.

“We’re moving forward with sitting down with the vendor on a daily basis to work through, you know, where are we going to go when, what are the milestones, what are the critical performance periods that we’re going to tackle,” Martin said.

“We’ve also started to build out what the prototype will look like for the year, which includes, you know, multiple parts of the agency, which I think will be really good at helping us understand also the various use cases across the agency [and] really what we need to support,” he said. “I think that will really help us build out a set of … parameters to help us get to that initial set of MVPs.”

Unlike some previous cybersecurity models, zero trust assumes that entities already operating inside a network can’t automatically be trusted. The model is already being adopted by organizations in the private sector.

In an executive order last year, the White House directed federal agencies to develop plans for implementing zero trust.

The directive was part of a larger push to modernize the U.S. government’s cybersecurity in the wake of cyberattacks that compromised federal agencies through the exploitation of software.

Thunderdome “will fundamentally change the way DISA operates,” Martin said. “It will fundamentally change the DISN [Defense Information Systems Network] and it will fundamentally change the way that DODIN [Department of Defense Information Network] interoperates with the DISN. So, I think those are all obviously critically important to what we’re trying to do across the department.”

The post DISA setting direction for Thunderdome cybersecurity initiative appeared first on DefenseScoop.

The $6.8 million award, which has a six-month development timeline, is the first of what could be larger contracts on the DOD-wide program. Thunderdome is DISA’s implementation of the zero trust security model, which was mandated by the Biden administration’s Cyber Executive Order in May last year.

“Over the course of the next six months, we plan to produce a working prototype that is scalable across the department,” Jason Martin, director of DISA’s digital capabilities and security center, said in a press release. “During that time, we will do what DISA does best – build, test, validate and implement the premier cybersecurity solutions for the Department of Defense and warfighter around the world.”

The move to zero trust comes as the DOD shutters its Joint Regional Security Stack (JRSS) design in favor of more modern cybersecurity practices. The six-month prototype window is designed to give DISA time to see how it can scale Thunderdome across the department, the agency said.

“Successful deployment of Thunderdome as a new security model will achieve DoD’s overall goals to integrate network and security solutions in the cloud and to enhance protections of end-user devices,” DISA wrote in a press release announcing the award.

Booz Allen Hamilton declined to comment.

The post Booz Allen wins first prototype contract for DISA’s zero trust program appeared first on DefenseScoop.