The Defense Information Systems Agency’s (DISA) Thunderdome program has remarkably met the stringent advanced zero-trust standards set by the Pentagon. This achievement highlights a pivotal milestone in implementing IT and cybersecurity technologies across various Defense Department agencies. According to Randy Resnick, director of the department’s Zero Trust (ZT) portfolio management office, this success occurred well before the Pentagon’s deadline to attain target levels of zero trust by the end of fiscal 2027.
The Zero-Trust Approach
Moving Away from Traditional Cybersecurity
Zero-trust cybersecurity diverges significantly from traditional perimeter-based security by operating under the assumption that networks are always at risk of compromise. Unlike conventional methods that focus primarily on defending the network border, zero trust emphasizes continuous monitoring and authentication of every network user and device. This strategy ensures that even if perimeters are breached, the system remains resilient through rigorous checks and validation processes.
The Department of Defense (DoD) laid out a comprehensive 2022 Zero Trust Strategy that included 152 capability outcomes: 91 considered minimum outcomes and 61 deemed advanced. DISA’s Thunderdome program successfully achieved all 152 criteria, marking an impressive advance in its security posture. Notably, the Navy’s cloud-based Microsoft Office 365 platform, Flank Speed, was the initial platform to meet this high bar earlier in the same year.
Comprehensive Solutions
Chris Pymm, Thunderdome portfolio manager at DISA, has illustrated how Thunderdome represents a holistic zero-trust solution integrated with a range of cybersecurity tools. Thunderdome includes enterprise Identity Credential and Access Management (ICAM), Secure Access Service Edge (SASE) capabilities, software-defined wide area networking, and advanced security tools. This comprehensive approach has facilitated greater protection levels across Defense Department operations, making it possible for agencies to efficiently meet their zero-trust requirements.
The initiative also received rigorous validation from the Department of Defense CIO purple team, reinforcing its credibility and effectiveness. By leveraging Thunderdome’s procurement vehicle, various organizations can enhance and upgrade their cybersecurity infrastructure, thereby improving their overall security posture.
Development and Deployment
Initial Development and Contract
In 2022, DISA awarded Booz Allen Hamilton a $6.8 million contract to develop a prototype of Thunderdome. This initiative was expanded to include the Pentagon’s classified Secure Internet Protocol Router Network (SIPRNet), highlighting the program’s versatility and importance. After 18 months of successful development, a follow-on production contract was awarded in 2023 for full-scale deployment.
The award, structured as an indefinite delivery/indefinite quantity (IDIQ) contract, allows other Pentagon agencies to leverage it over five years, with a $1.86 billion total ceiling. This structure provides significant operational flexibility, enabling the seamless expansion of zero-trust capabilities across different defense sectors.
Reaching Additional Agencies
Thunderdome has expanded its capabilities within the Defense Information Systems Agency terrain, significantly scaling its zero-trust framework. By fiscal 2025, the initiative extended its advanced security measures to other defense entities, including the Defense Contract Management Agency, Defense Contract Audit Agency, Defense Logistics Agency, Defense Media Activity, Defense Finance Accounting Service, and Defense Microelectronics Activity. These deployments underscore Thunderdome’s capability to provide reliable and consistent security across various operational contexts.
In fiscal 2026, the Thunderdome framework further broadened its reach to other key defense components. The Defense Threat Reduction Agency, Joint Staff’s J-6 directorate, Defense Advanced Research Projects Agency, Missile Defense Agency, and Defense Manpower Data Center integrated Thunderdome’s robust zero-trust measures. With each integration, Thunderdome’s efficacy in fortifying these critical agencies against potential cybersecurity threats was proven.
Conclusion
The Defense Information Systems Agency’s (DISA) Thunderdome program has successfully met the Pentagon’s stringent advanced zero-trust standards. This milestone demonstrates significant progress in deploying IT and cybersecurity solutions within various Defense Department agencies. Randy Resnick, the director of the department’s Zero Trust (ZT) portfolio management office, emphasized that this achievement came well ahead of the Pentagon’s deadline to reach the targeted levels of zero trust by the end of fiscal year 2027. Thunderdome’s success not only underscores its capability but also sets a precedent for other agencies to follow in enhancing their cybersecurity frameworks. The early accomplishment of this goal showcases DISA’s commitment to fortifying the department’s IT infrastructure against evolving cyber threats. This proactive approach is crucial as the landscape of cybersecurity continues to grow more complex. By achieving these standards ahead of schedule, DISA is not only meeting current needs but also preparing for future challenges, ensuring the security and resilience of the Defense Department’s digital assets.
