Is it time to rethink JRSS?
A new report from the Defense Department's operational test and evaluation director says the Joint Regional Security Stacks program is undermanned and should be halted until security issues are resolved.
The Defense Department's Joint Regional Security Stacks program is behind schedule, undermanned, riddled with connectivity and security issues and needs to be shut down -- at least for now, according to an internal Pentagon evaluation report released Jan. 31.
The Pentagon's CIO and the military branches "should discontinue deploying JRSS's until the system demonstrates that it is capable of helping network defenders to detect and respond to operationally realistic cyber-attacks," the Director of Operational Test and Evaluation (DOT&E) recommended.
JRSS is part of major IT reform to reduce DOD's vulnerabilities and access points. But the "difficulty inherent in integrating disparate, complex commercial technologies into a functional system of systems" along with "insufficient training" and underdeveloped standard operating procedures have stalled progress, the report found.
The program's troubles aren't entirely surprising. The Air Force previously revealed its paused migration and connectivity struggles last year, as did the Army. The Coast Guard began migrating in April with a goal of completing the transition by the end of fiscal 2019 -- a timeline in step with DOD's original ambitions.
But in a year's time, the Defense Department hasn't made any substantive progress with the JRSS migrations. In March, then-acting CIO Essye Miller said DOD had 14 stacks stood up across the non-classified network and was on track to have all 23 up later this year.
However, no additional stacks have been deployed in the 11 months since, according to the report.
Lack of personnel seems to be one of the biggest challenges to the JRSS. The Army "could not certify that they had sufficient manning to assume the JRSS mission" and the Defense Information Systems Agency, which is the prime integrator for the program, reported that it was 17 government positions short, needing more engineers, administrators, development operations managers, and project managers.
DISA's Global Operations Command East is covering the shortages for now and "plans to be properly manned by July 2019."
DOT&E noted that despite using commercial solutions, operator training is lagging, which hampers deployment. Additionally, there have not been any codified defensive tactics, techniques, and procedures across the military services, DISA, and U.S. Cyber Command.
On top of halting deployments, the director recommended routine cyber assessments with realistic threats, refining JRSS deployment plans to shrink the data transmitted through each stack to reduce clogs, and having the JRSS program manager work more cohesively with the services. The report also urges the program manager to "use operationally realistic test results to improve current JRSS configurations, training, and procedures, and to inform future" migration decisions.