Editor’s note: Due to a typographical error, an earlier version of this story mistakenly reported that DoD had spent $900 billion on Joint Regional Security Stacks between 2013 and 2016. The correct figure is $900 million.
By the end of this calendar year, the Defense Department plans to deliver new assessments of the cost and scope of the Joint Information Environment, the ambitious, four-year-old project to unify an estimated 15,000 IT networks and improve their security posture.
The Pentagon announced its plans in response to a critique from the Government Accountability Office, which said in an audit last week that Congress would have difficulty holding DoD accountable for JIE’s progress since officials have yet to settle on long-term requirements for key elements of the initiative. It also said officials omitted nearly $1 billion in already-spent funds from JIE cost estimates and haven’t developed a strategy for the workforce they’ll need to support the modernized IT infrastructure.
GAO performed the audit at the direction of Capitol Hill, where many members have expressed frustration that JIE is something of a moving target in terms of effective oversight, since it is not a single program of record but rather a collection of various undertakings dealing with improved identity management, a common security architecture, shared enterprise services and data centers and several other initiatives.
On that score, the watchdog seemed to validate Congress’ concerns.
Insight by Cloudera: Learn about what a few federal agencies are doing to tackle data security challenges and improve their cyber data posture in this exclusive e-book.
“While the department has defined JIE scope at a high level, its scope is not sufficiently defined to determine what, specifically, is and is not included in JIE,” auditors wrote. “For example, the 2013 JIE implementation strategy includes software application rationalization and desktop virtualization as part of JIE, however, briefings provided to congressional staff and to us in 2015 did not specifically include this element. In addition, the briefings included other elements that were not specifically discussed in the implementation strategy. For example, in 2015, DoD CIO officials described JIE as including additional elements, such as Mission Partner Environment and strategic sourcing.”
Of all the JIE elements the department has planned, the one involving the largest expenditure of funds is the deployment of Joint Regional Security Stacks. Officials have described JRSS as the first major stepping stone toward the reduction of military-service-specific IT stovepipes, because they have already eliminated hundreds of locally-managed firewalls and replaced them with a relative handful of regional server rooms that handle network defense for multiple Army and Air Force installations. Starting in 2018, a 2.0 version of JRSS will assume the same role for the Navy and Marine Corps.
But GAO and DoD take different views on the actual cost of JRSS. GAO argued $900 million already spent on the program between 2013 and 2016 should count as part of its cost baseline.
But the Pentagon priced the overall project at $1.6 billion, based only on what it plans to spend to fully build JRSS between 2017 and 2021, arguing that the prior spending came from the military services’ existing budgets and was a prerequisite to upgrade legacy information technology — primarily on Army and Air Force bases — to get them ready to migrate to a regionally-managed security infrastructure.
Aside from the fact that it leaves out money already spent, the cost estimate “is not credible,” GAO auditors said, because “DoD did not assess or disclose risk or uncertainty in its estimate, such as the lack of finalized JRSS 2.0 functional requirements, implementation plans, and workforce requirements … though CIO officials stated that DoD’s Cost Assessment and Program Evaluation office had reviewed the estimated costs in the JRSS funding request for fiscal year 2017 and beyond, officials said that they did not verify the estimated costs because they serve in an advisory capacity for JIE and JRSS and were not requested to verify the costs.”
In its official response to the GAO report, the DoD CIO’s office said it would finish work on a redefinition of JIE’s current scope and prepare it for approval by the military services and the JIE Executive Committee — made up of the DoD CIO, the Joint Staff and U.S. Cyber Command — by December.
“This new document will more clearly enable reporting, tracking and controlling of DoD’s information technology modernization activities,” wrote David DeVries, the principal deputy CIO. “The document will also specify a process for communicating updates to JIE’s scope.”
The CIO’s office said it would also furnish Congress with revised cost estimates on JRSS and the Mission Partner Environment (the department’s initiative to develop plug-and-play interoperability with allied nations) by December, because those are the most fully-developed portions of JIE and the ones whose costs can be most reliably predicted.
DoD said it would calculate cost estimates for other parts of JIE “as appropriate,” indicating that they’re difficult to forecast because of continual changes in the state of commercial IT and bandwidth availability.
Some of those factors are pushing DoD to reexamine even the most settled parts of its initial JIE strategy, like the notion that each base would retain a local Installation Processing Node (IPN) for highly mission-specific functions while offloading most other services to “core data centers.”
“We’ve been trying to apply a prioritization process and taking JIE one piece at a time,” said Doug Wiltsie, the director of the Army’s directorate for system of systems engineering and integration. “Do you have to have an IPN on every installation? It’s a great question, and in today’s world you probably don’t. In a lot of cases, the tech refresh to do those kinds of things is massive because it involves over 300 Army installations.”
Wiltsie, who served as the Army program executive officer for enterprise information systems at the time DoD began implementing JRSS, said it made perfect sense from an Army perspective to use its own funds to begin building the joint system, even before the larger Defense Department had a fully-developed strategy for the shared security stacks.
“We were taking this one piece at a time and trying to tackle the problem from a security standpoint, an efficiency standpoint, an operational effective standpoint,” he told a conference organized by the Association of the U.S. Army last week. “We had 700 firewalls on our posts, camps and stations and we’re now down to 11 in the United States. … We understood the requirement, and it was for commercial products. We got some push back on that from that from vendors who told us that their BMW routers and switches could deliver more value than a Pinto, but we bought what we minimally needed, which allowed us to buy more product and to go faster to improve the security of our posts, camps and stations.”