U.S. Marines with the Special Purpose Marine Air Ground Task Force 19.2 Crisis Response Command Element prepare field condition crisis response center networks in Kuwait. (U.S. Marine Corps photo by Sgt. Robert Gavaldon)

This report was updated 10/21/21 at 3:55 p.m. ET to include the value of the Forescout contract.

WASHINGTON: US cybersecurity firm Forescout said it recently won a new contract from the Pentagon, one of the latest in the Defense Department’s ambitious push towards zero-trust security.

The Defense Information Systems Agency (DISA) chose Forescout’s platform to be a component of the broader Comply-to-Connect (C2C) program, an expansion of work the company began with the department a year ago. The DoD envisions C2C as providing a suite of cyber capabilities to manage all assets across the Pentagon’s networks — a project important enough to be specifically named, rather than generically referenced, in the Biden administration’s fiscal year 2022 proposed budget.

DISA runs the C2C program office, which handles contracts, while Joint Force Headquarters-Department of Defense Information Network is the C2C operational lead. Lt. Gen. Robert Skinner heads both DISA and JFHQ-DoDIN.

Forescout declined to say how much the contract is worth, beyond it being in the “multi-millions.” Following the original publication of this report, a DISA spokesperson told Breaking Defense the Forescout contract was awarded on Aug. 26 and has a “life-cycle value” of $115 million.

One of the Forescout platform’s enabling capabilities for C2C is end-to-end visibility of everything connected to DoD networks. “The ultimate goal is understanding exactly what is happening on the network, who is connecting, what is connected, and what are those devices and users doing on the network so you can make sure that, where connection is necessary for a mission, it’s available but also that it’s secure,” Forescout’s Global Defense Solutions Strategist Dean Hullings told Breaking Defense in an interview. “Without that foundational visibility… all the other plans that you have really just don’t matter.”

The Pentagon’s broader plan, in this case, is zero-trust security across the entire defense enterprise. It’s a massively complex initiative given the amount and nature of data that must be protected yet remain available to those who need it, as well as the size of DoD’s traditional IT networks like the Non-classified Internet Protocol Router Network (NIPRNet) and Secret Internet Protocol Router Network (SIPRNet). Forescout’s scope of work covers both NIPRNet and SIPRNet, which are separate networks.

The precise number of DoD traditional IT assets — everything from smartphones and servers to systems and applications — is difficult to judge (and is always changing, anyway), but a conservative estimate runs well into the tens of millions, and quite possibly more. A zero-trust model requires that every end-user asset, including phones and computers, be assigned granular privileges that allow or block access to individual parts of a microsegmented network and the data stored there.

But implementing zero-trust security across DoD is further complicated by the number and diversity of non-traditional IT assets that also must be visible to and protected by network operators. These non-traditional IT assets include operational technologies (OT), commercial smart devices, and embedded control systems within Internet of Things devices and platform information technology, such as industrial control systems, weapons systems, autonomous vehicles, and medical gear, according to Forescout.

Hullings said the Forescout platform’s unique ability to provide visibility across non-traditional IT assets is why DISA chose it. “When you start talking about the threats of today, [non-traditional assets] are the things being attacked,” Hullings noted. “They’re the things that adversaries are using as penetration points into the network and then moving laterally to get to their real target, whether a weapon system or command and control system.”

Skinner recently said that DISA is working to modernize many DoD technologies, highlighting a suite of tools that provides what DoD calls identity, credential, and access management (ICAM), which involves C2C technologies. While Forescout’s platform does not provide the entirety of C2C’s capabilities, C2C as envisioned would be impossible without Forescout’s platform or a comparable product that provides the same capabilities.

In addition to end-to-end network visibility, Forescout’s platform will enable DISA to update its security processes, automating basic security functions and improving information sharing. The platform also supports security orchestration through policy-based controls, such as detecting that a device has not applied available security patches and then triggering an automated update.
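To make concrete what a comply-to-connect policy of this kind decides per asset, here is an added example; it is not Forescout’s code or DISA’s policy, and the field names, segment names, remediation actions, patch baseline and inventory records are all assumptions constructed for illustration. It takes the patch check described above and extends it to the non-traditional assets mentioned earlier, where the right response to a missing patch is a restricted segment and a ticket rather than an automated reboot, and it treats an asset that cannot prove its identity as something to quarantine before posture is even considered.

```python
"""Comply-to-Connect style posture policy, added as an illustration.

Everything below (asset fields, segment names, actions, the patch baseline
and the sample inventory) is constructed for this example; it is not
Forescout's API or DoD's actual C2C policy.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, Optional


@dataclass(frozen=True)
class Asset:
    mac: str
    hostname: Optional[str]        # None when the device is not in inventory
    asset_class: str               # "traditional" or "non_traditional" (assumed labels)
    has_agent: bool                # posture agent present and reporting
    patch_level: Optional[int]     # None when posture could not be read
    mission_critical: bool = False  # e.g. medical gear or a weapon-system controller


@dataclass(frozen=True)
class Decision:
    segment: str   # microsegment the switch port / VPN session is mapped to
    action: str    # remediation the orchestrator triggers, or "none"
    reason: str


REQUIRED_PATCH_LEVEL = 42  # assumed baseline build number (constructed)


def decide(asset: Asset, required: int = REQUIRED_PATCH_LEVEL) -> Decision:
    """Map one discovered asset to a segment and a remediation action.

    Order matters: identity first (an unknown device never gets to argue
    about posture), then posture, then asset class, because the same missing
    patch means "push the update" on a laptop and "open a ticket" on an
    infusion pump that must not be rebooted by a network policy."""
    if asset.hostname is None:
        # Never seen before: keep it off the network and tell the SOC.
        return Decision("quarantine", "alert_soc", "unknown device")

    if asset.asset_class == "traditional":
        if not asset.has_agent:
            # Posture cannot be read without an agent; isolate until one is installed.
            return Decision("quarantine", "install_agent", "no posture agent")
        if asset.patch_level is None or asset.patch_level < required:
            # Agent present, so the platform can drive the fix and re-evaluate afterwards.
            return Decision("remediation", "push_update",
                            f"patch level {asset.patch_level} < {required}")
        return Decision("production", "none", "compliant")

    if asset.asset_class == "non_traditional":
        compliant = asset.patch_level is not None and asset.patch_level >= required
        if compliant:
            # Still microsegmented: an OT enclave reachable only from its controllers.
            return Decision("ot_enclave", "none", "compliant OT asset")
        if asset.mission_critical:
            # Do not auto-patch or reboot; restrict reachability and hand it to a human.
            return Decision("ot_restricted", "open_ticket",
                            "mission-critical OT asset out of date; manual remediation")
        return Decision("ot_restricted", "open_ticket", "OT asset out of date")

    # Anything the policy does not understand is treated like an unknown device.
    return Decision("quarantine", "alert_soc",
                    f"unrecognised asset class {asset.asset_class!r}")


def evaluate_inventory(assets: Iterable[Asset]) -> Dict[str, Decision]:
    """Run the policy over a discovered inventory, keyed by MAC address."""
    return {a.mac: decide(a) for a in assets}


# Constructed sample inventory (not real DoD data).
SAMPLE_INVENTORY = [
    Asset("00:11:22:33:44:01", "lt-analyst-07", "traditional", True, 42),
    Asset("00:11:22:33:44:02", "lt-analyst-12", "traditional", True, 39),
    Asset("00:11:22:33:44:03", "srv-legacy-02", "traditional", False, None),
    Asset("00:11:22:33:44:04", "plc-hvac-bldg3", "non_traditional", False, 40),
    Asset("00:11:22:33:44:05", "infusion-pump-9", "non_traditional", False, 30,
          mission_critical=True),
    Asset("00:11:22:33:44:06", None, "traditional", False, None),
]

if __name__ == "__main__":
    for mac, d in evaluate_inventory(SAMPLE_INVENTORY).items():
        print(f"{mac}  {d.segment:13} {d.action:14} {d.reason}")
```

In a real deployment the `push_update` branch is a loop rather than a one-shot: the orchestrator applies the patch, the agent reports the new posture, and `decide` runs again to move the device from the remediation segment to production. The point of separating `segment` from `action` is that blocking and fixing are different levers, and for the non-traditional assets the text describes only the first one is safe to pull automatically.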

Forescout’s latest win comes after DISA last year selected the company’s platform as part of the early rollout of these C2C capabilities. That initial contract ran for one year, largely to allow Forescout to set up smaller test cases across DoD’s networks to prove out the technology.

“The first year of the [C2C] program was relatively limited in scope, really, to get the program started and moving, quite frankly, to make sure that they were on a solid path,” Hullings said. The new contract is “validation that what we told them we can do for them is actually being delivered and making a difference in their cybersecurity, right after year one,” he said.

The goal of the follow-on contract is to begin scaling the rollout across the Pentagon’s networks. Hullings said DoD’s traditional and non-traditional IT assets currently being monitored by Forescout’s platform number in the “single digit millions. In year two and three of this new contract, DoD will up to double again within those two years, and they’re going to be in the tens of millions.”

“So, that’s the ultimate piece,” Hullings said, “understanding everything about the network, and then you can use the zero-trust principles and the other capabilities that Comply-to-Connect is delivering to give the assurance to the commanders and the decision-makers across DoD that their connected soldier, sailor, airman, and marine are going to have that connectivity and the information necessary to execute whatever orders they’re given.”