DISA’s Secure Architecture Review Team pioneers service evolution
(DISA illustration by Erika Alverio)

By Amy Probst / DISA Cybersecurity Service Provider Services

The Defense Information Systems Agency’s Cybersecurity Service Provider program is a cornerstone in safeguarding the United States Department of Defense Information Network and its extensive cyber terrain. Critical to that effort is the CSSP Secure Architecture Review Team.

The SAR Team’s network architects examine each customer’s cyber landscape to identify security needs and recommend CSSP service solutions to fortify their defenses. Their efforts have led to an average growth of 86 customers per year. In 2023, the team performed over 80 architecture reviews and conducted over 200 technical exchanges with customers.

Moreover, the SAR Team collaborates with DOD and industry leaders to leverage the latest technology for customers. By forging strategic partnerships with industry giants such as Microsoft, Amazon Web Services (AWS), Oracle and Google, alongside close cooperation with customer technical points of contact, the team has pioneered innovative service offerings that wouldn’t otherwise exist today.

Defend the cloud, in the cloud, with the cloud

Illustrating their pioneering spirit, the SAR Team developed DISA’s first framework for defending customers in the cloud. It significantly improves Defensive Cyber Operations while eliminating the need for third-party tools.

This cloud defense standard optimizes CSSP service delivery using cloud-native tools, resulting in scalable, repeatable cyber defense for customers across various commercial cloud hosting offerings. By capitalizing on existing cloud services and tapping into a global repository of adversarial tactics and techniques, this framework ensures enhanced cyber resilience.

Comprising four fundamental pillars – cloud native design, scalability, customer-centricity, and efficacy in Defensive Cyber Operations – the cloud defense framework epitomizes the SAR Team's commitment to innovation and excellence in securing critical infrastructure.

Beyond secret: The evolution of CSSP services

In addition to their work in cloud environments, the SAR Team has begun innovating to provide CSSP solutions for security domains beyond Secret classification. Among their notable accomplishments:

  • Development of a unique solution to provide support for CSSP’s first customer Special Access Program. This effort required an unprecedented level of research, analysis and coordination. CSSP analysts acquired classified program access and Sensitive Compartmented Information materials to access data and deliver CSSP service.
  • Ongoing collaboration with customers and partners to develop an enterprise Defensive Cyber Operations capability in support of future TS/SCI and Special Access Program workloads.

Reaching to the endpoint

To support CSSP delivery, the SAR Team evaluates technological enablers and available data derived from Internet Access Points to the endpoint. A key component of CSSP’s endpoint protection is the Live Response capability within Microsoft Defender for Endpoint. With this capability, CSSP analysts respond immediately to contain identified threats. Analysts collect forensic data, run scripts, analyze suspicious or anomalous activity, remediate threats and proactively hunt for emerging threats.

The SAR Team assists customers in tailoring this capability. They ensure that CSSP executes Live Response actions as authorized by the customer. They also help in understanding the pre-defined use cases, pre-conditions and post-execution actions for the 10 available Live Responses. Additionally, they determine which Live Response actions to threats are always authorized, which require pre-coordination, and which (if any) the customer will execute in place of CSSP.

Looking ahead

Live Response is just one of the ways that CSSP defends its customers from end to end. More exciting details about DISA’s evolved Endpoint CSSP service offering are coming soon.

Visit DISA.mil for more agency news and events.

Robert Ayala

DBDM | Delivering Critical Life Support Systems for Defense | CO2 Absorption | Oxygen Generation | Gas Filtration Solutions

7 months

DISA's Secure Architecture Review Team is setting a new standard for cybersecurity innovation. Your groundbreaking work and strategic partnerships are paving the way for a more secure future. Keep pushing the boundaries – progress never looked so promising!

Hector E. Oseguera

USA Major(Ret), IT Project Manager, BSBA, MSIT, Sec+, Instr

8 months

DOD and the government in general, should look at securing, encrypting and making Gov a solid ultra secured enclave where our most precious resources are maintained safely with zero security PII and critical classified information protected 100%. They should explore and begin to implement Crypto-coined based solutions....a decentralized highly secured encrypted platform such as Solana, Ethereum or even Bitcoin could provide Highest security with cost-cutting strategy capabilities---surviving the $1.7 Trillion deficits!!!

Sean Hulbert

Founder / CEO (Creator of StormCloud Gov - Industry's most secure platform)

8 months

I am glad to see DoD catching up!
