The Pentagon’s primary IT provider said Thursday that it’s taking several steps to address ongoing concerns about the functionality of DoD’s Joint Regional Security Stacks, the multi-billion dollar cyber defense system it has been working to construct for the past five years.
The assurances from the Defense Information Systems Agency (DISA) came three weeks after the publication of a report by DoD’s Director of Operational Test and Evaluation (DOT&E) that assessed JRSS as neither “operationally effective” nor “operationally suitable” for the second year in a row.
In a news release, DISA said the course corrections it is making are based not only on DOT&E’s assessments, but also on “concerns and challenges” expressed by the military services who are funding and using JRSS.
The Pentagon has not responded to repeated inquiries from Federal News Network about the DOT&E report, but in the statement, posted on DISA’s website, the agency said it is addressing concerns in five primary areas: latency, cost, multi-tenancy, reliability, and the division of labor between cyber personnel from the military services and DISA itself.
Col. Greg Griffin, DISA’s portfolio manager for JRSS said the agency had “significantly realigned” the program since March 2018, the last time the Joint Interoperability Test Command (JITC) conducted an operational assessment on JRSS.
This month’s DOT&E report was largely based on those JITC results. It found that the security stacks are being deployed more quickly than personnel can be trained to use them, and the training “is not sufficient to prepare operators to effectively integrate and configure the complex suite of JRSS hardware and associated software.”
The realignment, according to Griffin, is “focused on reducing the complexity of the information presented to operators and improving standard operating procedures.”
DISA said there are already concrete signs that the system’s performance has improved. As of one year ago, JRSS had a backlog of 100 “security events” awaiting attention from JRSS operators. The number of outstanding Security Information and Event Manager tickets has now been reduced to zero, officials said.
Latency — another issue identified in the DOT&E report — has also been reduced, according to the agency, because of a series of upgrades it finished in December.
“While a full analysis is not expected until late February, interim reports indicate overall performance has increased,” DISA said. “Operators are reporting seeing significant improvements at the end-user level, especially for web and internet traffic.”
From the start, one of the most difficult aspects of the JRSS proposition has been the project’s requirement for the military services to move into a multi-tenancy model, forcing them to bring what had been, in some instances, widely-diverging network security procedures into a shared hardware and software infrastructure.
“A broad spectrum of people — analysts, operators, network cyber analysts — are working very hard to work through the very complicated situation of sharing data across platforms and across operation centers,” Lisa Belt, DISA’s acting cyber development executive told the agency’s annual industry conference in November. “It had to happen, and I think one of the key takeaways of JRSS will be the fact that it forced us all into a better understanding of how we’re going to have to share data. The trick is how and where and who has access to it, as we evolve into a really fully operational cyber force.”
Thursday’s update offered few new details as to how DISA plans to solve the multi-tenancy problem, other than to say it is employing new “governance processes and (standard operating procedures) until technical solutions are in place.”
Relatedly, the agency said it’s trying to work through some of the operational difficulties implicated by the fact that some JRSS functions at various “tiers” are managed by the military services, and some are DISA’s responsibility.
“Because of the multitude of people involved, the challenges we’ve been working hard to overcome are synchronizing efforts between tiers, ensuring everyone is operating off the same playbook, and ensuring everyone has a similar frame of reference,” said Joe Edwards, DISA’s chief engineer for JRSS. “The enhancements we put in place last March were designed to resolve those challenges.”
But DISA’s update was largely silent on one of the most important issues raised by the DOT&E report: Whether JRSS works at all when it comes to detecting and fending off attacks by sophisticated cyber adversaries.
The operational assessment noted that an Air Force red team was able to fully penetrate the system’s defenses without being noticed by JRSS operators.
But the department is showing no signs that it plans to heed DOT&E’s advice to pause JRSS rollouts until more of the kinks are worked out.
DISA said all 11 of the regional stacks DoD has planned for the military’s state-side unclassified networks are now up and running, as are two more in Europe. It’s currently preparing to activate another two in southwest Asia, and two more JRSS sites for Pacific-area network traffic are expected to come online this summer.
The first JRSS sites for secret-level data are expected to be online by the end of 2019, the agency said.