DISA fails at delivering critical Zero Trust capabilities refusing to reuse DAF Cloud Native Access Point
Nicolas M. Chaillan
Founder of Ask Sage, Bringing Generative AI to Gov | Former U.S. Air Force and Space Force Chief Software Officer (CSO) | Pilot
1. DISA fails at delivering critical Zero Trust capabilities to the warfighters, refusing to reuse DAF Cloud Native Access Point
You probably know that my team and I at DoD Platform One built the first and largest implementation of Zero Trust in the U.S. government, the Cloud Native Access Point (CNAP), back in 2019. No one believed we would get it done, but we did, in 45 days and for less than $2M. CNAP is capable of running across all classification levels and in air-gapped environments.
Now, for some odd reason, DISA was put in charge of executing the DoD-wide implementation of ZT, following the President's Cyber Executive Order. Funny enough, a few months prior, those were the same people telling me they didn't believe in ZT just yet and pushed back against the CNAP. Now they're all ZT experts. Funny... not really. #NotFunny.
CNAP is led by government Product Owners and the Government as Integrator. CNAP has multiple companies on contract so we aren't dependent on a single prime. That's the only right way to get things done in DoD and the right way to acquire such complex capabilities.
Of course, that concept is totally foreign to DISA acquisition teams who only think we should buy everything from a single prime, get locked-in, move at the pace of my dead grandma, not meet deadlines, and fail to deliver value to the warfighters, while spending 10x the money.
While DISA did work with CNAP and provided some money for additional work, DISA awarded a $6.8 million contract to Booz Allen Hamilton for execution of a Thunderdome Prototype, a zero trust security solution that aligns with the president's executive order to improve the nation's cybersecurity posture. During this six-month effort, the agency will operationally test how to implement DISA's Zero Trust Reference Architecture, published in March 2020 for DOD, by taking advantage of commercial technologies such as Secure Access Service Edge (SASE) and Software-Defined Wide Area Networks (SD-WAN).
The better approach would have been what I proposed to them over a year ago: merge teams and swarm on CNAP to make it a killer capability.
Of course, you will notice that for a six-month engagement, it is 3 times what CNAP cost. CNAP isn't an MVP either; it is a fully fledged production capability and doesn't cost what the alleged DISA prototype costs.
Here is why I'm sharing this story: I am hearing that BAH is now asking for an 18-month extension, as it seems they won't meet the deadlines. If true, that would mean DISA picked a prime who claimed they could get it done in six months when others said it wouldn't be enough, and yet would get an extension despite failing to do what we did in 45 days.
Now, HOW in the world is this good taxpayer spending?
Time for someone to OVERRULE this nonsense!
2. Why the USAF's IT chief is 'bullish' on open source
Lauren Knausenberger testified in front of the House Committee on Science, Space, and Technology's Subcommittee on Investigations and Oversight and Subcommittee on Research and Technology on May 11.
"It is entirely possible that a future conflict to preserve our way of life is decided by features, fixes, and updates to software intensive systems that must take place in minutes or hours. And this means that we must learn quickly as a department and leverage the knowledge and best practices of the entire development community," Knausenberger told the committee.
"The same concerns are there whether it's commercial software or open source. But if it's open source software, you have the power of the crowd looking at it and then you can also run your own tests internally because it is open code…you can redo the work yourself if you so choose," she said.
Platform One was the first large DoD program to massively leverage open-source projects as its foundation. Platform One also contributed back massively to the open-source community, fixing dozens of CVEs upstream and open sourcing Platform One Big Bang, now used by dozens of commercial companies, U.S. agencies and NATO partners.
Several of the engagements created by my office, the Office of the Chief Software Officer, were recognized during the hearing, including Platform One, Platform One Iron Bank, Platform One CNAP and Platform One Big Bang.
3. When YOU finally understand what Zero Trust is!
Find out about the 3 pillars of #ZeroTrust (often bloated or forgotten):
- Device enforcement: including patch levels, endpoint protection, MDM, etc.
- Strong identities: for both Person Entities (PE) and Non-Person Entities
- Data-centricity: labeling data down to the cell level
Leverage a “Software Defined Perimeter” (SDP), not just SDN, using mTLS tunneling with granular micro-segmentation down to a “Segment of One”.
Leverage a #ServiceMesh to prevent lateral movement by enforcing east/west traffic policy down to the container level.
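As an added illustration (not part of the original post and not CNAP's own configuration), here is what the “Segment of One” and east/west enforcement described above look like as service mesh policy, assuming Istio; the namespace `payments` and the workloads `ledger` and `checkout` are constructed names.

```yaml
# Added example, not from the original post or from CNAP: Istio policy
# implementing a "Segment of One" for one workload. The namespace
# "payments" and the workloads "ledger" / "checkout" are constructed.

# 1. Require mTLS for every workload in the namespace, so all east/west
#    traffic is tunneled and each side carries a verified SPIFFE identity
#    (a strong Non-Person Entity identity, one of the pillars above).
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: payments
spec:
  mtls:
    mode: STRICT
---
# 2. Default deny: an AuthorizationPolicy with an empty spec rejects
#    every request to every workload in the namespace. Nothing talks to
#    anything unless a later policy explicitly allows it.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: deny-all
  namespace: payments
spec: {}
---
# 3. Segment of One: only the "checkout" service account may reach
#    "ledger", and only via POST /v1/transfer. A compromised neighbour
#    in the same namespace gets a 403 from the sidecar instead of a
#    free lateral hop, which is the lateral-movement control above.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: ledger-segment-of-one
  namespace: payments
spec:
  selector:
    matchLabels:
      app: ledger
  action: ALLOW
  rules:
  - from:
    - source:
        principals: ["cluster.local/ns/payments/sa/checkout"]
    to:
    - operation:
        methods: ["POST"]
        paths: ["/v1/transfer"]
```

The `principals` match is only trustworthy because STRICT mTLS is in force: with PERMISSIVE mode a plaintext caller would arrive with no identity and the allow rule could not be evaluated against a verified certificate.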
In this video, we walk you through the largest implementation of Zero Trust in DoD, the United States Department of the Air Force program, the Cloud Native Access Point (#CNAP).
And you, how many times have you seen companies alleging they have an end-to-end Zero Trust solution, only to find a basic identity-aware proxy?
4. Opportunity: Security Compass is hiring a Global VP, Channel Sales
Are you great at building bridges and win-win partnerships?
If so, stop everything you're doing and take a look at this new opportunity to become the Global VP, Channel Sales for security and compliance leader Security Compass!
5. Appian Awarded $2.036 Billion in Damages Against Pegasystems Inc.
Appian (NASDAQ: APPN) announced today that it has received a verdict from a jury in the Circuit Court for Fairfax County, Virginia, awarding it $2.036 billion in damages from Pegasystems Inc. (NASDAQ: PEGA) for trade secret misappropriation. The jury also found that Pegasystems violated the Virginia Computer Crimes Act. The jury further found Pegasystems’ misappropriation of Appian’s trade secrets to be willful and malicious. Appian brought the case to trial to ensure the protection of its proprietary intellectual property, including its trade secrets.
6. In the Nic of Time upcoming episodes (https://youtube.com/nicolaschaillan):
Join us May 17th at 1PM ET with Prakash Sethuraman, CISO of CloudBees.
We will talk about the security challenges in DevOps, how to find the balance between velocity and security, and Continuous ATO.
Jenkins was first released back in 2011. A lot has changed in 11 years, so we will discuss how CloudBees is tackling its tech debt and what they are doing to remain relevant moving forward.
We will hear what is coming next for CloudBees with their latest fundraising as well!
This will be a very interesting discussion for sure!
7. Have you missed our last In the Nic of Time Episode with Mike Fraser on shifting cybersecurity left and "ITasCode"?
8. Have you missed our last videos?
Thanks for continuing to fight to make our nation stronger so our kids have a fighting chance at winning against China 20 years from now!
Advisory Services. People Collaboration. Technology Implementation. Research & Development. Machine Learning. Artificial Intelligence. Cloud & Cyber Security. Invention. Patent Creation. Teaching. Writing. Learning.
2 years: Thank you for posting this. Tremendous information and so much to think about. Thank you. -R
Thank you for all you t!
Federal Account Manager/Executive USAF/USSF
2 years: Great article. I spent over 2000 hours trying to help the AF, working through Hanscom specifically, figure out CNAP on-prem, and hit nothing but government roadblocks at every turn. I've been absolutely stunned at the complete turn the AF took in ZTA once you left. Everyone went back to doing what they've done for decades and are used to, instead of embracing the idea of no vendor lock-in. We worked so hard to provide a platform to build on that gives freedom of choice (for hardware, hypervisor, what virtual applications can be run, etc.) and as soon as the opportunity presented itself, the government went right back to the same vendors that have locked them into specific solutions for decades. So disappointing, and so typically government. Not even a willingness to fully evaluate other solutions. Just charge forward with "we already know how this works."
Hi Nick... Some thoughts. I think there is an underlying issue re systems engineering, terms, diagrams, approaches. And it hinges around operational systems information engineering and software system designs, which are so very different from the data transactional process designs that have been with us for decades. Presented this to the LF 5G edge group: https://www.dhirubhai.net/posts/alan-lloyd-82a38a_cuublemesh-presentation-to-lf-akraino-grp-activity-6907492027114639360-O0XN?utm_source=linkedin_share&utm_medium=member_desktop_web With all respect to the ZTA USDOD and NIST docs, the diagrams on slides 4 and 5 show transactional systems with a policy engine. I commented on both: "The overall systems information architecture and its identity, governance and systems management and how it is applied is left to the systems architect." Seeing how ZTA starts at global white pages, X.500 identity systems, X.509/PKI identity validation and controls, DNS, email, web, content URL systems and OSS, identified managed objects and devices and now digital assets etc., these all fall under trusted identity and asset control systems (friend or foe), ZTA. Such becomes the foundational control systems 'ZTA platform design' agenda.
"There are years that ask questions, and years that answer"/Colorectal Cancer Ally/ Advocate/Survivor&Thriver/ Baltimore Ravens Scout/ *All views on LinkedIn are exclusively my own*
2 years: Chris Christi