On DoD: Pentagon needs to shore up JIE cost, scope, GAO says

By the end of this calendar year, the Defense Department plans to deliver new assessments of the cost and scope of the Joint Information Environment, the ambitious, four-year-old project to unify an estimated 15,000 IT networks and improve their security posture.

The Pentagon announced its plans in response to a critique from the Government Accountability Office, which said in a July 14 audit that Congress would have difficulty holding DoD accountable for JIE’s progress since officials have yet to settle on long-term requirements for key elements of the initiative. It also said officials omitted nearly $1 billion in already-spent funds from JIE cost estimates and haven’t developed a strategy for the workforce they’ll need to support the modernized IT infrastructure.

GAO performed the audit at the direction of Capitol Hill, where many members have expressed frustration that JIE is something of a moving target in terms of effective oversight, since it is not a single program of record but rather a collection of various undertakings dealing with improved identity management, a common security architecture, shared enterprise services and data centers and several other initiatives.

On that score, the watchdog seemed to validate Congress’ concerns.

“The JIE scope, expected cost and plans have not been fully defined,” Carol Harris, GAO’s director for IT acquisition management issues said in an interview for Federal News Radio’s On DoD program. “I’ll give you some examples: On the scope, we found inconsistencies across multiple planning documents and strategies as to what is and is not included in JIE. An implementation plan from 2013 included  software application rationalization and desktop virtualization, but those elements weren’t identified in more recent plans. On the cost side, DoD hasn’t yet developed an estimate of the costs to implement JIE. The department did tell us this is a highly complex undertaking and they’re in the process of establishing those costs, but despite this, DoD plans to spend almost $1 billion by the end of the fiscal year to implement JIE.”

Of all the JIE elements the department has planned, the one involving the largest expenditure of funds is the deployment of Joint Regional Security Stacks. Officials have described JRSS as the first major stepping stone toward the reduction of military-service-specific IT stovepipes, because they have already eliminated hundreds of locally-managed firewalls and replaced them with a relative handful of regional server rooms that handle network defense for multiple Army and Air Force installations. Starting in 2018, a 2.0 version of JRSS will assume the same role for the Navy and Marine Corps.

But GAO and DoD take different views on the actual cost of JRSS. GAO argued $900 million already spent on the program between 2013 and 2016 should count as part of its cost baseline.

But the Pentagon priced the overall project at $1.6 billion, based only on what it plans to spend to fully build JRSS between 2017 and 2021, arguing that the prior spending came from the military services’ existing budgets and was a prerequisite to upgrade legacy information technology — primarily on Army and Air Force bases — to get them ready to migrate to a regionally-managed security infrastructure.

Aside from the fact that it leaves out money already spent, the cost estimate “is not credible,” GAO auditors said, because “DoD did not assess or disclose risk or uncertainty in its estimate, such as the lack of finalized JRSS 2.0 functional requirements, implementation plans, and workforce requirements … though CIO officials stated that DoD’s Cost Assessment and Program Evaluation office had reviewed the estimated costs in the JRSS funding request for fiscal year 2017 and beyond, officials said that they did not verify the estimated costs because they serve in an advisory capacity for JIE and JRSS and were not requested to verify the costs.”

In its official response to the GAO report, the DoD CIO’s office said it would finish work on a redefinition of JIE’s current scope and prepare it for approval by the military services and the JIE Executive Committee — made up of the DoD CIO, the Joint Staff and U.S. Cyber Command — by December.

“This new document will more clearly enable reporting, tracking and controlling of DoD’s information technology modernization activities,” wrote David DeVries, the principal deputy CIO. “The document will also specify a process for communicating updates to JIE’s scope.”

The CIO’s office said it would also furnish Congress with revised cost estimates on JRSS and the Mission Partner Environment (the department’s initiative to develop plug-and-play interoperability with allied nations) by December, because those are the most fully-developed portions of JIE and the ones whose costs can be most reliably predicted.

DoD said it would calculate cost estimates for other parts of JIE “as appropriate,” indicating that they’re difficult to forecast because of continual changes in the state of commercial IT and bandwidth availability.