Publicly released: June 6, 2019
Objective
We determined whether the DoD’s implementation of the Joint Regional Security Stacks (JRSS) is achieving the expected outcomes of the DoD’s Joint Information Environment (JIE) objective to implement regional security. The expected outcomes of implementing regional security are to:
- provide timely access to trusted cyber situational awareness that will provide the DoD an understanding of its security posture and threat environment, related risk, and the entity’s projected future status;
- reduce the number of paths an adversary can use to gain access to the DoD Information Network (DoDIN); and
- improve the DoDIN security posture.
Background
In August 2010, the Secretary of Defense initiated the JIE to consolidate the DoD’s information technology infrastructure into a single security architecture that is intended to improve the DoD’s ability to defend its network against cyber attacks. The DoD Chief Information Officer (CIO) proposed to the JIE Executive Committee that the DoD should implement the JRSS to address the JIE capability objective of implementing regional security.
The JRSS is a suite of equipment that includes assets such as network routers, firewalls, and switches that work together to:
- provide network security capabilities, such as intrusion detection and prevention;
- reduce the number of access points to the DoDIN;
- enable inspections of network traffic that travels through the JRSS;
- serve as the network traffic flow integration point between DoD Components; and
- facilitate the monitoring and control of all security mechanisms throughout the DoD network.
Finding
The DoD’s implementation of the JRSS is not fully achieving the expected outcomes of the DoD’s JIE objective to implement regional security. Although implementing the JRSS is reducing the footprint and number of enemy attack vectors to the DoDIN, the JRSS is not achieving other intended JIE outcomes for implementing regional security.
The JRSS is not meeting other JIE outcomes because DoD officials did not ensure that all JRSS tools met users’ needs and that JRSS operators were trained prior to JRSS deployment. In addition, although the JRSS was estimated to cost over $520 million, DoD officials considered the JRSS to be a technology refresh and, therefore, not subject to DoD Instruction 5000.02 requirements. Had DoD Instruction 5000.02 requirements applied, the JRSS would have qualified as a major automated information system acquisition because it is projected to cost $1.7 billion more than the $520 million threshold and DoD officials would have been required to develop formal capability requirements, an approved test and evaluation master plan, and a training plan for operators during the development of the JRSS.
The Defense Information Systems Agency (DISA) serves as the JRSS program management office and is responsible for identifying and successfully remediating vulnerabilities and developing plans of action and milestones for vulnerabilities that cannot be remediated. This occurred because the JRSS Program Management Officer did not ensure that DISA officials managed vulnerabilities in accordance with the JRSS Vulnerability Management Plan.
According to the Director of DoDIN Modernization, the JRSS is the most critical near‑term element of the DoD’s JIE. Therefore, if the JRSS is not operationally effective, secure, and sustainable, the DoD may not achieve the JIE vision, which includes achieving greater security on the DoDIN. In addition, without adequate security safeguards for the JRSS, weaknesses identified in this report could prevent network defenders from obtaining the information necessary to make timely decisions, and could lead to unauthorized access to the DoDIN and the destruction, manipulation, or compromise of DoD data.
Management Actions Taken
In December 2018, the DoD CIO issued a memorandum describing actions that the DoD CIO plans to take to improve JRSS operations. The DoD CIO issued the memorandum in response to recommendations made by the Director of Operational Test and Evaluation in a December 2018 annual report. Although the DoD CIO’s memorandum addressed training challenges identified in this report, it did not specify whether the DoD CIO plans to develop and implement a schedule for providing all JRSS operators with JRSS scenario‑based training and lab‑based exercises. Therefore, we are making a recommendation to the DISA Director, who is responsible for providing training and technical support and overseeing network and security services, to develop and implement a schedule to ensure that all JRSS operators receive the training needed to use the JRSS as intended. In addition, during our audit, we informed the JRSS program management office that some capabilities were not meeting users’ needs.
Recommendations
We recommend that the Under Secretary of Defense for Acquisition and Sustainment, in coordination with the DoD CIO, establish or revise guidance that requires DoD Components to follow the same requirements when developing a technology refresh that will exceed an established cost threshold as required for new acquisitions under DoD Instruction 5000.02.
We also recommend that the DoD CIO, in coordination with the DISA Director, develop a baseline JRSS functional capabilities requirement document that includes all capabilities required for the JRSS to meet user needs and the expected outcomes of implementing regional security.
We recommend that the DISA Director direct the JRSS Program Management Officer to:
- establish and implement a plan to incorporate the required capabilities into the JRSS once the JRSS functional capabilities requirement document is developed;
- develop and implement a schedule to provide all JRSS operators with training, as required by the JRSS Operations Training Requirements Document.
Management Comments and Our Response
The Assistant Secretary of Defense for Acquisition, responding for the Under Secretary of Defense for Acquisition and Sustainment, agreed with the intent of our recommendation to rigorously manage technology refresh programs, but not to establish a fixed threshold that would require all such programs to be managed as “new programs.” The Assistant Secretary stated that the Office of the Under Secretary of Defense for Acquisition and Sustainment is developing policy for unique characteristics of information systems and commercial off‑the‑shelf hardware and will consider the intent of the recommendation in that context. However, the Assistant Secretary did not explain how the new guidance will address the processes and procedures that should be followed when acquiring technology refreshes; therefore, the recommendation is unresolved. We request additional comments from the Under Secretary of Defense explaining how the new guidance will address processes and procedures that must be followed when acquiring technology refreshes.
The Principal Deputy CIO, responding for the DoD CIO, disagreed with the recommendation to develop a baseline functional capabilities requirement document, stating that the DoD developed a functional requirements document that was coordinated with all stakeholders and approved by the DoD CIO. The Principle Deputy stated that they will review and if required, update the JRSS measures of effectiveness and measures of performance; map the JRSS capability requirements to the corresponding measures of effectiveness and measures of performance; and add an appendix to the functional requirements document to include the measures of effectiveness and measures of performance. Although the Principle Deputy disagreed, the proposed actions addressed all specifics of the recommendation; therefore, the recommendation is resolved. We will close the recommendation once we verify the agreed upon actions are implemented.
The DISA Director agreed with the recommendations stating that DISA will:
- propose a plan to address changes identified during testing after the measures of performance assessment;
- work with DoD Officials to incorporate JRSS operational training requirements into the Components’ institutional training programs.
The DISA Director addressed all specifics of the recommendations; therefore, the recommendations are resolved. We will close the recommendations once we verify that the agreed upon actions are implemented.
This report is a result of Project No. D2018‑D000RE‑0079.000