DISA to Use Challenge-Based OTA for Zero-Trust Network Prototype

The Defense Information Systems Agency (DISA) seeks feedback from industry on a plan to modernize its network infrastructure to implement a “zero-trust” architecture. Defense experts say the move will bolster the department’s cybersecurity posture and enable adoption of cloud computing.

Zero trust is an approach that doesn’t automatically grant trust to a user based solely on their physical or network location, which is important in a network that includes remote users and cloud-based resources.

DISA, which functions as the Pentagon’s central IT department, issued a sources sought notice in late May for a program officials call Thunderdome. DISA previously released a notice under the title Secure Access Service Edge (SASE). With Thunderdome, DISA officials aim to implement modern, software-defined wide area networking technologies seen as foundational for the department’s transition to a zero-trust architecture.

(Defense Department)

Organizations prioritized cyber defenses at the perimeter of their networks to keep intruders out in the past, while offering authorized users freedom of movement on the network. Zero trust is the opposite. It’s the paradigm that users and programs receive the minimum network access necessary to do their jobs. It requires users to continuously prove their authorization to access the network, rather than accepting them by default. The SolarWinds hack that affected perhaps dozens of federal agencies was a wakeup call that federal cybersecurity strategies needed to do more to constrain hostile actors if they succeed in breaching the perimeter. Zero trust has quickly emerged as the keystone of the Biden administration’s May executive order on cybersecurity and represents a top priority of federal chief information security officer Chris DeRusha.

Once in place, Thunderdome will enable DISA’s information security team to apply access controls based on users’ role within the organization, location, or even type of devices they use, according to the notice. The program will complement an existing suite of cybersecurity technologies — including identity management, encryption, security analytics, and endpoint management — offering greater “defense in depth” for users both inside the Pentagon and those working remotely.

DISA did not provide an official estimate for the value of Thunderdome, but Bloomberg Government estimates the contract could generate $100 million or more in obligations through the end of fiscal 2025. Notably, DISA is contemplating awarding contracts for one to two Thunderdome prototypes in the form of other transaction agreements (OTA). OTAs enable some federal agencies, including DISA, to fast-track funding for technology research and prototyping engagements with nontraditional contractors.

This is not the first time Pentagon agencies considered using OTAs to implement zero trust. In August 2020, DISA awarded By Light Professional IT Services Inc. and Menlo Security Inc. a $199 million OTA to build a cloud-based internet isolation platform to prevent malware from reaching DOD networks. The contract has generated $24 million.

Further, DISA is considering competing Thunderdome using what’s known as a challenge-based acquisition (ChBA). This approach, pioneered by the nonprofit MITRE Corp., consists of one or more technical simulations or exercises to assess how bidders solve real-world problems. In a March 2020 report, MITRE experts recommend ChBA in cases where the government faces an urgent and time-critical need, where conventional solutions prove ineffective and emerging technologies offer a nontraditional solution.

Potential bidders have until June 14 to submit a seven-page response detailing technical capabilities, company information, and experience implementing more than three dozen cybersecurity technologies listed in the notice. DISA officials are considering hosting a reverse industry day to learn more about contractors’ capabilities and offer details about any challenge-based approach to evaluating bids.

To contact the analyst on this story: Chris Cornillie in Washington at ccornillie@bgov.com

To contact the editor responsible for this story: Michael Clark at mclark@ic.bloombergindustry.com