The Pentagon’s project to consolidate its network access points and decrease the cyber attack surface with Joint Regional Security Stacks (JRSS) is failing to meet objectives, according to a report Thursday from the department’s inspector general.
The Defense Information Systems Agency’s (DISA) JRSS program is said to have ongoing operational shortcomings and difficulty training operators to use the system, with officials noting the system will likely cost $1.7 billion more than originally projected.
The DoD IG’s report notes ongoing difficulty training operators on JRSS and a failure to meet operational needs for the system designed to address cyber security concerns by deploying physical security stacks to operational locations to provide increased firewall security.
“DoD’s implementation of the JRSS is not fully achieving the expected outcomes of the DoD’s [Joint Information Environment] objective to implement regional security,” officials wrote in the report. “Although implementing the JRSS is reducing the footprint and number of enemy attack vectors to the DoD [Information Network] (DoDIN), the JRSS is not achieving other intended JIE outcomes for implementing regional security.”
JRSS was intended to address cyber security concerns by deploying physical security stacks to operational locations to provide increased firewall security and decrease the attack vector space on the DoDIN.
The report states that DoD officials projected JRSS would cost $520 million, while the IG’s office estimated the program would eventually total over $2.2 billion, which would exceed DoD 5000 contracting requirements and require an approved training plan for operators.
Thursday’s report follows a December report by the Pentagon’s top weapons tester that noted the program’s poor performance, and a decision DISA announced last May to slow the rollout of the program to address ongoing issues (Defense Daily, May 16, 2019).
The IG report notes the Pentagon’s CIO released a memo in December detailing plans to improve JRSS.
“Although the DoD CIO’s memorandum addressed training challenges identified in this report, it did not specify whether the DoD CIO plans to develop and implement a schedule for providing all JRSS operators with JRSS scenario‑based training and lab‑based exercises,” officials wrote in the report.
Officials recommended the DoD CIO, along with the DISA director, develop a new JRSS capabilities requirement document.
The report notes that the CIO’s office disagreed with the recommendation, while adding that it will review the current requirements document and update it as needed to meet operational shortcomings. Officials in the report wrote that the actions to update the current document would meet the initial recommendation.
DISA’s director agreed with the recommendations in the IG’s report, which included proposing a plan to address changes to JRSS identified during testing, improving operational training requirements and a third adjustment that is redacted in the document.
“The DISA Director addressed all specifics of the recommendations; therefore, the recommendations are resolved,” officials wrote.
The document also includes a broader recommendation to the under secretary of defense for acquisition and sustainment and the DoD CIO to revise DoD 5000 guidance to require the same approved training and evaluation plans for technology refresh programs as it does for programs that exceed established cost thresholds.
Officials wrote the recommendations’ intent was met with agreement, while the office disagreed to “establish a fixed threshold that would require all such programs to be managed as ‘new programs.’”
“Assistant secretary did not explain how the new guidance will address the processes and procedures that should be followed when acquiring technology refreshes; therefore, the recommendation is unresolved,” officials wrote.