The Defense Department’s (DoD’s) Joint Regional Security Stacks (JRSS) have not met the regional security implementation expectations of DoD’s Joint Information Environment (JIE), according to a June 4 public Office of Inspector General (OIG) report.
JRSS is a suite of equipment with assets such as network routers, firewalls, and switches that work to provide network security, monitor DoD information network (DoDIN) traffic, and conduct inspections, among other activities.
DoD implemented JRSS after launching JIE to consolidate DoD’s IT infrastructure into a single security architecture and improve DoD’s network defense against cyberattacks.
The OIG report indicates that JRSS has reduced the number of cyberattack vectors to DoDIN, but it is not meeting JIE’s regional security expectations. Although the public report did not indicate the specific shortfalls in JRSS’s security implementation, it states that inadequate management and training has contributed to the problems the IG uncovered.
“JRSS is not meeting other JIE outcomes because DoD officials did not ensure that all JRSS tools met users’ needs and that JRSS operators were trained prior to JRSS deployment,” OIG said.
Furthermore, DoD officials considered JRSS as a technology refresh – an incremental installation of new technology to improve cost and performance. Therefore, JRSS was not subject to DoD Instruction 5000.02 requirements, which govern DoD acquisition requirements. JRSS had an estimated cost of over $520 million, and had DoD Instruction 5000.02 been implemented, JRSS’s acquisition process would be different.
“Had DoD Instruction 5000.02 requirements applied, the JRSS would have qualified as a major automated information system acquisition because it is projected to cost $1.7 billion more than the $520 million threshold and DoD officials would have been required to develop formal capability requirements, an approved test and evaluation master plan, and a training plan for operators during the development of the JRSS,” OIG said.
OIG recommended that DoD’s CIO work with the Defense Information Systems Agency (DISA) director to development a baseline requirements document of JRSS’s functional capabilities – including capabilities that would meet user needs and the expected outcomes of implementing regional security.
OIG also recommended DISA direct the JRSS Program Management Officer to establish and implement a plan for incorporating the required capabilities into JRSS once the CIO and DISA developers create the requirements document. Furthermore, OIG suggested leadership create a training schedule for all JRSS operators.
OIG stressed that improving JRSS is critical to realizing JIE’s mission and the security integrity of DoDIN.
“If the JRSS is not operationally effective, secure, and sustainable, the DoD may not achieve the JIE vision, which includes achieving greater security on the DoDIN,” OIG said. “Without adequate security safeguards for the JRSS, weaknesses identified in this report could prevent network defenders from obtaining the information necessary to make timely decisions, and could lead to unauthorized access to the DoDIN and the destruction, manipulation, or compromise of DoD data.”