More than five years after its inception, the Pentagon’s signature cyber defense system is still failing to meet many of its main objectives, according to a new audit by the Defense Department’s inspector general.
The IG report on DoD’s Joint Regional Security Stacks represents the second time in fewer than six months that the Pentagon’s own oversight bodies have pointed to serious stumbles in its implementation of JRSS.
DoD officials, meanwhile, maintain that the findings are based on outdated information, and say they have no plans to pause the JRSS rollout nor to make changes in how they’re deploying the $2.2 billion security architecture.
DoD — beginning with the Army and Air Force — conceived of the regionalized security infrastructure in 2013 as a way to reduce the number of network entry points that could be targeted by hackers. On that score, the IG said the department has seen some success: It’s reduced what had been more than 2,700 local access points by 131, and plans to eventually cut the number of enclaves to just 48 JRSS sites worldwide.
But auditors said JRSS was still failing to achieve the outcomes DoD envisioned for the system under its Joint Information Environment. They found that the Defense Information Systems Agency hasn’t fixed critical security vulnerabilities in JRSS, that the personnel who are tasked with operating the security stacks are not receiving enough training, and that senior Defense officials have not adequately set and managed requirements for the system.
Details of the security flaws auditors found were redacted from the report, but a table included in the document suggests it pointed to at least 14 “critical” and “high” level vulnerabilities that hadn’t been remediated within government guidelines.
“Without adequate security safeguards for the JRSS, weaknesses identified in this report could prevent network defenders from obtaining the information necessary to make timely decisions, and could lead to unauthorized access to the [DoD Information Network] and the destruction, manipulation, or compromise of DoD data,” the IG wrote.
Neither suitable nor effective, operationally speaking
Although they plan to spend billions of dollars on the system, Defense IT officials have for years strenuously avoided designating JRSS — or any other part of the Joint Information Environment — as an official acquisition program. That’s partly because they feared that the paperwork burdens that come with a Major Automated Information System, in DoD acquisition parlance, would impede the adoption of cutting-edge commercial cyber defense technologies.
But the IG found the decision to not make JRSS an official program of record also led the department to sidestep some of the major acquisition management principles the department outlines in its key acquisition guidebook, DoD Instruction 5000.02.
“Had DoD Instruction 5000.02 requirements been applied, DoD officials would have been required to develop and approve capability requirements, including key performance parameters, an approved test and evaluation master plan, and training for operators, all of which would have helped ensure that the product meets users’ needs,” auditors wrote.
JRSS is now going through regular operational assessments. But based on those events, DoD’s Director of Operational Test and Evaluation has concluded for two years in a row that the system is neither operationally suitable nor operationally effective. In its latest report in February, DOT&E recommended that the department pause JRSS deployments until problems are fixed.
And both DOT&E and the IG say training remains a major problem. The inspector general said DoD didn’t approve a formal list of JRSS training requirements until three years after it started deploying the system, and many of the JRSS sites the office visited during its review still did not have enough personnel who were adequately trained to use the large suite of hardware and software products that make up the stacks.
“For example, from May 2017 through April 2018, DISA officials provided scenario‑based training to only 3 of 37 Army JRSS operators and 10 of 186 Air Force JRSS operators,” according to the IG report. “According to DISA officials, beginning in May 2017, they offered JRSS scenario‑based training once per month; however, the training was limited in class size and frequency due to a lack of funding for contractors to provide training, training locations, and equipment.”
Vice Adm. Nancy Norton, DISA’s director, said DoD had begun to address the training issue and several others over the past year as part of a strategic review of JRSS.
“We created 10 on-demand operator training videos and trained 169 defensive cyber operators, and provided the military services with 15 programs so they could develop their own training,” she told attendees at AFCEA’s TechNet Cyber conference in Baltimore earlier this month.
Norton later told reporters that as a general matter, neither the IG nor the DOT&E reports took into account the changes DoD had made recently, and that DISA had no intention of slowing down its planned JRSS rollout, including for new sites that are coming online to handle secret-level SIPRNet traffic.
“It’s a very effective program … I really don’t have any concerns,” she said. “The report is lagging from the review and the actions that have been taken. We’ve increased the training, we’ve increased capacity so that it reduces the latency that we had. We’ve standardized the migration tools to prepare for the SIPRNet migration, which is just starting, and putting in governance processes and policies that are more effective. All of that has been put into place so that we have a much more robust and responsive program overall. And all of that is already well underway.”