The Defense Information Systems Agency (DISA) is looking for software tools that would provide support in implementing an enterprise zero trust framework to serve the Department of Defense (DoD) Information Network (DoDIN).
In a request for information (RFI) released on May 1, DISA officials explained they’re looking for “information for software or architectural solutions to meet a [Comply-to-Connect (C2C)] framework and business processes with the capability of orchestration.”
The C2C – a program consisting of multiple technologies geared toward standardizing defensive cyber operations across the DoDIN – aims to serve as a zero trust solution for the DoDIN, capable of monitoring user activity across a range of endpoints, from physical and virtual workstations to mobile and Internet of Things devices.
“By identifying the non-compliant and previously unidentified devices, DoD will be able to limit the access of these assets and mitigate risk in an automated fashion, which will significantly increase the security posture of the DoDIN,” the RFI notes. “In addition, C2C will support segmentation of compliant devices based on device type, operational/functional impact, sensitivity, and security risk.”
The DoD Chief Information Officer (CIO) Deputy for Cybersecurity (DCIO/CS) directed DISA to create a program office to seek standardization of the capability with DCIO/CS and U.S. Cyber Command oversight.
DISA began deployment of its C2C framework in September 2020 for the Secret Internet Protocol Router Network, and in March 2021 for the Non-Secure Internet Protocol Router Network. C2C is scheduled to be fully deployed by March 2024. Since 2021, the DISA C2C Program Management Office has provided Forescout licensing for the DoD Enterprise as the solution to meet DoD CIO objectives.
In the RFI, DISA says that any proposed C2C solution should be able to discover, identify, categorize, classify, and profile all devices connecting to networks comprising the DoDIN using the widest variety of both passive and active network-based and host-based discovery methodologies. The solution should also be able to authenticate those devices.
In addition, DISA officials are asking that the solution be able to conduct automated remediation, perform network segmentation to limit user access, and operate both in and out of band. DISA also requested price estimates for the annual support of $2 million, $4 million, and $7 million licenses.
Responses to the RFI are due on May 5.