
The Defense Information Systems Agency (DISA) plays a fundamental role in ensuring that the U.S. Department of Defense (DoD) has the information technology and communications support it needs to fulfill its mission. Among its many initiatives, DISA’s Comply-to-Connect (C2C) is a vital framework for enhancing network security. In this blog, we will explore how DISA’s C2C approach is transformative when paired with a centralized platform that simplifies compliance and automates the discovery of endpoints: Cisco’s Identity Services Engine (ISE).


If it’s connected, it’s protected

As Cisco’s Area Leader for Cybersecurity supporting United States National Security entities and the DoD, I have the privilege of witnessing an evolution in how our government is securing its most critical information assets. I also have the distinct honor of still wearing the uniform, serving as a Lieutenant Colonel with the Army National Guard. In my military role, I serve as my Commander’s G6, or Chief Information Officer, overseeing all aspects of mission critical information; from dissemination to transport to storage and everything in between.

Why Cisco ISE is critical

DISA’s Comply-to-Connect approach is designed to reduce vulnerabilities and enhance the resilience of the DoD’s information network against increasingly sophisticated cyber threats. That’s where Cisco ISE can help. It is the industry’s most widely adopted and awarded network access control (NAC) solution, but it’s so much more than that. It enables the creation and enforcement of security and access policies for endpoint devices connected to the agencies’ networks. Not only that, but ISE can be deployed in the cloud as well and is packed with all the same enhancements and features found in the on-premises version.

Cisco ISE is a crucial component in the implementation of DISA’s C2C approach. For Cisco’s Federal customers, Cisco ISE has maintained market dominance with a platform approach to securing access that is integrated into the network, not bolted onto it. I encourage you to watch my brief discussion on how they’re better together:

Comply-to-connect ISE for DoD

How Cisco ISE enhances DISA’s Comply-to-Connect mandate

With Cisco ISE, our National Security & Defense teams are closing the gaps in device visibility by enabling and enhancing DoD network management and security strategies. In the field, I have seen how Cisco ISE has assisted the Department of Defense in the following ways.

  • Device Profiling: Cisco ISE excels at identifying and profiling devices attempting to access the network. It can dynamically classify endpoints into specific groups, offering granular control over network access.
  • Policy Enforcement: Cisco ISE automates the enforcement of security policies, making sure that all devices comply with the necessary security requirements before they can connect to the network. This adherence to policy enforcement is critical in maintaining the integrity of DISA’s C2C approach because if those devices don’t comply, they’re not getting on the network. Simple as that.
  • Threat Containment: When a threat is detected, Cisco ISE can quickly contain it by limiting the device’s network access or blocking the device from the network entirely. This rapid response limits what a bad actor can do and significantly reduces the potential damage from a security breach.
  • Continuous Monitoring: Cisco ISE continuously monitors the security posture of connected devices, ensuring that they remain compliant with the latest security updates and policies. This constant monitoring is vital for maintaining the ongoing security of the network under the C2C framework. Even after a device is let on to the network, it is still rechecked to confirm that it remains compliant.
  • Scalability: Cisco ISE can be scaled to accommodate large, diverse networks. This scalability is essential for a massive organization like the DoD, ensuring that all devices, regardless of number or location, can be securely managed under the C2C framework.
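The four capabilities above (profiling, policy enforcement, threat containment and continuous monitoring) are easiest to reason about as one decision loop: a device is denied until it is both identified and proven compliant, it is re-evaluated whenever its posture changes, and it can be cut off the moment an operator flags it. The following is an added illustrative model of that loop written for this page; it is not Cisco ISE code and does not use any ISE API. Every name in it (the `OUI_PROFILES` table, the `Endpoint` attributes, the 30-day patch threshold, the MAC addresses) is a constructed assumption chosen to show the logic, not a value taken from DISA or Cisco.

```python
"""Toy Comply-to-Connect policy decision point (illustrative model, not Cisco ISE code)."""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Optional


class Decision(Enum):
    PERMIT = "permit"          # full access for a compliant, authenticated device
    LIMITED = "limited"        # profile-based, restricted access for headless devices
    QUARANTINE = "quarantine"  # remediation-only segment until posture is fixed
    DENY = "deny"              # no network access at all


# Constructed profiling table: MAC OUI prefix -> device class. A real profiler uses many
# more signals (DHCP options, LLDP/CDP, HTTP user-agent); the prefixes here are made up.
OUI_PROFILES: Dict[str, str] = {
    "00:11:22": "workstation",
    "aa:bb:cc": "printer",
}

MAX_PATCH_AGE_DAYS = 30  # assumed compliance threshold, not a DoD figure


@dataclass
class Endpoint:
    mac: str
    has_valid_cert: bool = False            # e.g. a CAC-backed machine certificate (EAP-TLS)
    patch_age_days: Optional[int] = None    # None = posture agent could not report
    av_running: Optional[bool] = None       # None = posture agent could not report
    contained: bool = False                 # set by threat containment


@dataclass
class Verdict:
    decision: Decision
    reason: str


def profile(ep: Endpoint) -> str:
    """Device profiling: classify the endpoint from its OUI; 'unknown' if nothing matches."""
    return OUI_PROFILES.get(ep.mac[:8].lower(), "unknown")


def evaluate(ep: Endpoint) -> Verdict:
    """Policy enforcement: a device is not permitted until every check passes."""
    if ep.contained:
        return Verdict(Decision.DENY, "contained by security operations")
    kind = profile(ep)
    if kind == "unknown":
        return Verdict(Decision.DENY, "unprofiled device")
    if kind == "printer":
        # Headless devices cannot run a posture agent, so they get a restricted segment.
        return Verdict(Decision.LIMITED, "headless device: restricted segment")
    # A managed workstation must both authenticate and prove its posture.
    if not ep.has_valid_cert:
        return Verdict(Decision.DENY, "no valid certificate")
    if ep.patch_age_days is None or ep.av_running is None:
        return Verdict(Decision.QUARANTINE, "posture unknown: remediate")
    if ep.patch_age_days > MAX_PATCH_AGE_DAYS:
        return Verdict(Decision.QUARANTINE, f"patches older than {MAX_PATCH_AGE_DAYS} days")
    if not ep.av_running:
        return Verdict(Decision.QUARANTINE, "endpoint protection not running")
    return Verdict(Decision.PERMIT, "compliant")


class PolicyDecisionPoint:
    """Tracks sessions so that a decision can be revisited, not made once and forgotten."""

    def __init__(self) -> None:
        self.endpoints: Dict[str, Endpoint] = {}
        self.sessions: Dict[str, Verdict] = {}

    def connect(self, ep: Endpoint) -> Verdict:
        self.endpoints[ep.mac] = ep
        return self.reassess(ep.mac)

    def reassess(self, mac: str) -> Verdict:
        """Continuous monitoring: re-run the full policy against current attributes."""
        verdict = evaluate(self.endpoints[mac])
        self.sessions[mac] = verdict
        return verdict

    def update_posture(self, mac: str, **attrs) -> Verdict:
        """A posture report changed (patches aged out, AV stopped): re-evaluate immediately."""
        for name, value in attrs.items():
            setattr(self.endpoints[mac], name, value)
        return self.reassess(mac)

    def contain(self, mac: str) -> Verdict:
        """Threat containment: an operator flag overrides every other check."""
        self.endpoints[mac].contained = True
        return self.reassess(mac)


def demo() -> Dict[str, Decision]:
    """Walk one workstation, one printer and one unknown device through the loop."""
    pdp = PolicyDecisionPoint()
    out: Dict[str, Decision] = {}
    ws = Endpoint("00:11:22:33:44:55", has_valid_cert=True, patch_age_days=5, av_running=True)
    out["ws_initial"] = pdp.connect(ws).decision
    out["ws_stale_patches"] = pdp.update_posture(ws.mac, patch_age_days=45).decision
    out["ws_remediated"] = pdp.update_posture(ws.mac, patch_age_days=0).decision
    out["ws_contained"] = pdp.contain(ws.mac).decision
    out["printer"] = pdp.connect(Endpoint("aa:bb:cc:00:00:01")).decision
    out["unknown"] = pdp.connect(Endpoint("de:ad:be:ef:00:01", has_valid_cert=True)).decision
    return out


if __name__ == "__main__":
    for label, decision in demo().items():
        print(f"{label:20s} -> {decision.value}")
```

The ordering of checks is the point worth noticing: containment is evaluated first so that an operator action wins over a device that is otherwise perfectly compliant, and an unprofiled device is denied before its certificate is even considered, because a device you cannot identify is not one you can write policy for.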

Meeting DoD Zero Trust mandates

Cisco ISE with Comply-to-Connect is the bridge that helps our mission-focused stakeholders meet their five-year zero-trust strategy because it is the ideal Zero Trust policy decision point. Cisco ISE uses adaptive policies to continually verify trust, enforce trust-based access, and quickly respond to changes in trust for resilient incident response.

As outlined in the DoD Zero Trust Strategy document,[1] adopting zero trust requires a shift from a perimeter-based model for trust to a “multi-attribute-based” model for trust using authentication and authorization that enforces least privileged access. By easily integrating into existing environments, Cisco ISE simplifies the transition to zero trust access – especially for complex and vast networks like the DoD.

Conclusion

I love that I’m a part of the Cisco team because Cisco’s Security solutions are an indispensable tool in our National Security and Defense arsenal against cyber threats. And with the integration of Cisco ISE with DISA’s Comply-to-Connect approach, we’re helping to provide a robust and comprehensive solution for managing network access and enhancing cybersecurity. One that is enabling the DoD with the critical capability to profile devices, enforce policies, contain threats, and continuously monitor security compliance.

By ensuring that all devices comply with the latest security updates before they access the network, Cisco Security’s capabilities significantly bolster the C2C approach and enhance the resilience of DISA’s information network against cyber threats.


Reference

[1] DoD Zero Trust Strategy (October 2022) – PDF




Authors

Marcos Rogers

Area Leader, Cybersecurity (National Security & Defense)

US Public Sector (Federal)