• United States



5 factors affected by disbanding the Defense Information Systems Agency

Sep 12, 20185 mins

Government needs to make tough budgeting decisions, and closing agencies is up for debate. But cutting the Defense Information Systems Agency (DISA) could have a potential impact on national security.

aerial view of pentagon government security dv1282020
Credit: Thinkstock

As the Department of Defense continues to wrestle with managing its spending in this era of ongoing government budget resolutions, it is considering putting several agencies on the chopping block – including the Defense Information Systems Agency (DISA).

For those not familiar, DISA is responsible for providing networking and communications hardware and software for those systems and services that encompass all of the Department of Defense. If there’s circuitry, security and storage that’s shared by the military departments and agencies, it’s likely DISA that plays a role. Because DISA handles military networking, computing and communications services, that potential move begs the question of what might happen if the plan to abolish the agency sees the light of day.

For now, DISA’s demise has been forestalled with the approval of FY19 National Defense Authorization Act. And the relatively young U.S. Cyber Command (CYBERCOM) will be taking over many of DISA’s traditional responsibilities surrounding network defense, so that part of the security picture is already being addressed. Still, there are many other security issues that would need to be addressed if DISA is actually disbanded.

Senior leader communication support

DISA provides secure communication services to the White House and to other senior leaders. One of the reasons for keeping both the infrastructure piece (fibers, routers, audio-visual equipment, etc.) and security of that infrastructure under one roof was that it would create efficiencies, as far as security is concerned.

Also, while it’s fairly easy to see the argument that this part of DISA’s mission could theoretically be subsumed under CYBERCOM, its core mission is the more strategic goal of ensuring U.S. cyber superiority in the military domain. Adding a broad but ultimately tactical mission to its slate would mean a significant expansion of its mandate and reorganizations.

Spectrum management

An often-overlooked aspect of communication, navigation and warfighting is the electromagnetic spectrum, which must be managed to avoid deconfliction and ensure it is encrypted and secure.

Think of how radio signals work. You can’t have two stations using the same communication channels. Well, DISA oversees this mission for the department, a mission that has become increasingly important as more of our ground, sea and aviation military assets have become networked and thus dependent on using the spectrum. Decentralizing this responsibility would mean risk assessment and vulnerability information would need to be coordinated by all the service branches and military agencies that use the spectrum for communication and warfighting.

Global information grid

This term is a good illustration of the vital role DISA plays in providing the circuits and cables that undergird the military’s gargantuan intranet. The Department of Defense would need to ensure that by spreading this responsibility, somehow, across the department, the risk of vulnerabilities would not be elevated, even if CYBERCOM fully takes over responsibilities of protecting endpoints and overseeing configurations and patching.

Enterprise services

DISA is best known for providing department-wide services – somewhat akin to being the “App store” for the Department of Defense. The rationale from the beginning has been primarily economic. Most of DISA’s services could be adopted by the various military services – in fact, they’ve already done so in the case of mobility. Each of the military departments, however, would need to be responsible for the security of the enterprise services they would now oversee, if this service is decentralized.

Take, for example, the enterprise cloud, or milCloud in the military’s case. DOD has already started down the road of having a department-wide cloud contract that also can meet high FedRAMP and DOD Impact Level security control requirements. It seems reasonable to have that contract and the attendant requirements administered by a central agency.

Another trenchant example is DISA’s DOD Mobility program, which enforces policy for end-user devices and mobile device management in general. DISA also provides unclassified and classified devices for the rest of the department, even though (as mentioned previously) much of the rest of DOD has their own programs. Decentralizing mobile security standards would mean each military branch or agency will need to ensure that they adhere to department-wide security standards, especially given that mobility is generally considered to be a primary security threat vector.

Security standards

Speaking of security standards, DISA plays a vital role in overseeing standards for IT hardware and software in the form of SRGs and SGITGs. Security requirements guides (SRGs) provide high level requirements, and security technical implementation guides (SGITGs) provide detailed guidelines for specific products. Without these detailed requirements, it’s logical to conclude that more vulnerabilities and larger attack surfaces could find their way throughout the DOD in general.

There’s no denying that the government needs to make some tough decisions about budgeting, and closing agencies where efforts may be duplicated should at least be thoroughly discussed and debated. Any debate over eliminating DISA for economic efficiencies, however, must be gauged against the potential impact to security.

Lloyd McCoy is a DOD manager with immixGroup’s Market Intelligence team. He is responsible for providing subject matter expertise on Department of Defense agencies, identifying business opportunities, and providing timely, relevant, and actionable intelligence to clients.

Prior to immixGroup, Lloyd worked for the Defense Department for eight years, serving in a variety of senior analytic and project management positions both in the U.S. and abroad. In this capacity, Lloyd worked extensively with the acquisition and procurement offices within the Office of Secretary of Defense.

Lloyd earned an M.S. in Strategic Intelligence from the National Intelligence University in 2011, as well as an M.A. in Public Policy in 2004 and a B.A. in Political Science in 2002, both from the University of Maryland.

The opinions expressed in this blog are those of Lloyd McCoy Jr. and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.