The centralized cyber defense centers at the core of the Pentagon’s years-long effort to consolidate its IT networks still aren’t working as advertised, and the Defense Department needs to stop deploying them until major problems are resolved, according to the Pentagon’s independent testing office.
In its annual report, released on Thursday, the Office of the Director of Operational Test and Evaluation found that DoD’s Joint Regional Security Stacks (JRSS) are neither operationally effective nor operationally suitable.
It’s the second time DOT&E has reviewed JRSS as part of the portfolio of major defense expenditures it oversees, and the second year in which it’s reached the same conclusion.
The office’s findings are based largely on an operational assessment DoD’s Joint Interoperability Test Command conducted last March.
In that event, an Air Force red team acting as a cyber attacker managed to penetrate one of the stack’s defenses without being detected at all. That result was one factor that led DOT&E to conclude that JRSS’ overall performance had not improved since an earlier test in mid-2017.
The security stacks are meant to make use of best-of-breed commercial hardware and software products, but the off-the-shelf approach the department pursued has led to a situation in which JRSS now includes security products from more than three dozen separate vendors. And DOT&E questioned whether such a wide variety of solutions was manageable for the cyber defense personnel tasked with operating the stacks.
“JRSS operator training still lags behind JRSS deployment, and is not sufficient to prepare operators to effectively integrate and configure the complex suite of JRSS hardware and associated software,” according to the report.
DOT&E found that the Defense Information Systems Agency’s Global Operations Command does not have enough personnel to properly operate the stacks, and will not until July of this year. The same appears true of the Army, which wasn’t able to certify that it has sufficient manning to handle its JRSS responsibilities.
DoD, the Army and the Air Force initially conceived JRSS as a way to improve their cyber posture by centralizing about 5,000 separate firewalls into a shared infrastructure that relieved individual military bases of the burden of monitoring and filtering all of their network traffic.
And in conjunction with the JRSS deployments, DISA and the services have also invested heavily in network capacity upgrades so that all of the military’s traffic can be funneled through the stacks. The upgrades to multiprotocol label switching technology will eventually boost the department’s network backbones from 10 gigabit to 100 gigabit connections.
But DOT&E suggested the notion of trying to monitor those vast traffic flows from a relative handful of locations may have been too ambitious a goal.
“It is inherently difficult to effectively manage the very large amount of data designed to traverse each JRSS,” the office wrote. “The DoD CIO and the services should consider the possibility that the data flow designed to traverse each JRSS may be too large to enable secure data management, and if that is the case, refine the JRSS deployment plans to reduce the required data flow through each JRSS.”
And the report said DoD and the services still do not have mature standard operating procedures for the stacks, and haven’t done enough to test them under “operationally realistic” conditions.
“DISA and the services should conduct routine cyber assessments of deployed JRSSs, using a threat representative Persistent Cyber Opposing Force, to discover and address critical cyber vulnerabilities.”
The department did not answer questions from Federal News Network about whether it would accept DOT&E’s recommendation to suspend further JRSS deployments until it addresses the problems.
But DoD did temporarily pause the deployments last year, including by delaying the installation of new stacks in U.S. Central Command and Southwest Asia. It also deferred the Marine Corps’ migration to JRSS and the activation of the versions designed to protect classified networks until 2019.
“It was to try to improve the way we handle training, the way we handle the actual processes so we could improve the deliveries,” Rory Kinney, the principal director for information enterprise in the DoD CIO’s office, told an AFCEA conference in December. “But we have about a million people behind JRSS right now, and the big push is now in the Pacific, with the intent of beginning migration in January. So JRSS is still alive and well.”
So far, DoD has activated 14 out of 24 of its planned JRSS sites on its unclassified (NIPR) network. It plans another 25 for its classified (SIPR) network.
According to DOT&E, two more operational assessments were scheduled for January and July of this year. The six-month cycle would repeat until JRSS undergoes its formal initial operational test and evaluation sometime in fiscal year 2020.
In statements to the press, industry and Congress, the Pentagon has consistently maintained for several years that JRSS is the most critical near-term component of a vision it calls the Joint Information Environment.
DoD does not report the cost of the overall effort as a separate budget item, since it is not an official program of record. But as of 2016, officials pegged the department’s five-year expenditures for JRSS at $1.7 billion. The Government Accountability Office has disputed that figure, arguing that it does not include $900 million DoD and the services had spent on JRSS between 2013 and 2016.