DOD IG: Cybersecurity upgrades are not being properly implemented
The Joint Regional Security Stack (JRSS) program, a key part of the Department of Defense’s network consolidation and cybersecurity changes, is not being fully implemented properly, a Pentagon inspector general’s report found.
The June 4 report states that operators of the suite of network security equipment were not properly trained, resulting in the security system’s implementation “not fully achieving the expected outcomes.” The report also notes the JRSS has reduced the number of enemy attacks on DOD networks, but the training gaps could lead to exploits in the system that would harm DOD IT networks. The project is more than $1.7 billion over its initial budget of $520 million, according to the report.
This is not the first report that found flaws in JRSS. The DOD Director of Operational Test & Evaluation’s 2018 report found JRSS “is unable to help network defenders protect the network against operationally realistic cyber-attacks.”
JRSS is a part of the Joint Information Environment (JIE), an initiative launched in 2010 to consolidate the DOD’s redundant networks and increase cybersecurity. The report notes that JRSS is the “most critical” near-term element of the JIE. Without proper implementation of JRSS, JIE and the improved network security it hopes to bring, won’t be achieved, it says.
The Defense Information Systems Agency is in charge of implementing JRSS and remedying vulnerabilities that arise. If DISA and the officials overseeing JRSS implementation do not remedy weaknesses identified in the report, it could “lead to unauthorized access to the DoD [information network] and the destruction, manipulation, or compromise of DoD data.”
The report recommends the director of DISA create a schedule to properly train JRSS operators. Some of the specific information in the report was redacted in the public version.
The ballooned cost of the program slipped through a loophole in how DOD officials framed the network changes. JRSS was categorized as a “technology refresh,” which did not trigger a set of more stringent DOD requirements. If it had been categorized as major automated information system acquisition, as the IG report alludes it should have been, formal training and tests for operators would have been created.
The DOD was supposed to fully “migrate” to JRSS by the end of fiscal 2019.
