5 factors affected by disbanding the Defense Information Systems Agency

As the Department of Defense continues to wrestle with managing its spending in this era of ongoing government budget resolutions, it is considering putting several agencies on the chopping block – including the Defense Information Systems Agency (DISA).

For those not familiar, DISA is responsible for providing networking and communications hardware and software for those systems and services that encompass all of the Department of Defense. If there’s circuitry, security and storage that’s shared by the military departments and agencies, it’s likely DISA that plays a role. Because DISA handles military networking, computing and communications services, that potential move begs the question of what might happen if the plan to abolish the agency sees the light of day.

For now, DISA’s demise has been forestalled with the approval of FY19 National Defense Authorization Act. And the relatively young U.S. Cyber Command (CYBERCOM) will be taking over many of DISA’s traditional responsibilities surrounding network defense, so that part of the security picture is already being addressed. Still, there are many other security issues that would need to be addressed if DISA is actually disbanded.

Senior leader communication support

DISA provides secure communication services to the White House and to other senior leaders. One of the reasons for keeping both the infrastructure piece (fibers, routers, audio-visual equipment, etc.) and security of that infrastructure under one roof was that it would create efficiencies, as far as security is concerned.

Also, while it’s fairly easy to see the argument that this part of DISA’s mission could theoretically be subsumed under CYBERCOM, its core mission is the more strategic goal of ensuring U.S. cyber superiority in the military domain. Adding a broad but ultimately tactical mission to its slate would mean a significant expansion of its mandate and reorganizations.

Spectrum management

An often-overlooked aspect of communication, navigation and warfighting is the electromagnetic spectrum, which must be managed to avoid deconfliction and ensure it is encrypted and secure.

Think of how radio signals work. You can’t have two stations using the same communication channels. Well, DISA oversees this mission for the department, a mission that has become increasingly important as more of our ground, sea and aviation military assets have become networked and thus dependent on using the spectrum. Decentralizing this responsibility would mean risk assessment and vulnerability information would need to be coordinated by all the service branches and military agencies that use the spectrum for communication and warfighting.

Global information grid

This term is a good illustration of the vital role DISA plays in providing the circuits and cables that undergird the military’s gargantuan intranet. The Department of Defense would need to ensure that by spreading this responsibility, somehow, across the department, the risk of vulnerabilities would not be elevated, even if CYBERCOM fully takes over responsibilities of protecting endpoints and overseeing configurations and patching.

Enterprise services

DISA is best known for providing department-wide services – somewhat akin to being the “App store” for the Department of Defense. The rationale from the beginning has been primarily economic. Most of DISA’s services could be adopted by the various military services – in fact, they’ve already done so in the case of mobility. Each of the military departments, however, would need to be responsible for the security of the enterprise services they would now oversee, if this service is decentralized.

Take, for example, the enterprise cloud, or milCloud in the military’s case. DOD has already started down the road of having a department-wide cloud contract that also can meet high FedRAMP and DOD Impact Level security control requirements. It seems reasonable to have that contract and the attendant requirements administered by a central agency.

Another trenchant example is DISA’s DOD Mobility program, which enforces policy for end-user devices and mobile device management in general. DISA also provides unclassified and classified devices for the rest of the department, even though (as mentioned previously) much of the rest of DOD has their own programs. Decentralizing mobile security standards would mean each military branch or agency will need to ensure that they adhere to department-wide security standards, especially given that mobility is generally considered to be a primary security threat vector.

Security standards

Speaking of security standards, DISA plays a vital role in overseeing standards for IT hardware and software in the form of SRGs and SGITGs. Security requirements guides (SRGs) provide high level requirements, and security technical implementation guides (SGITGs) provide detailed guidelines for specific products. Without these detailed requirements, it’s logical to conclude that more vulnerabilities and larger attack surfaces could find their way throughout the DOD in general.

There’s no denying that the government needs to make some tough decisions about budgeting, and closing agencies where efforts may be duplicated should at least be thoroughly discussed and debated. Any debate over eliminating DISA for economic efficiencies, however, must be gauged against the potential impact to security.