The military services and Defense agencies are making a hard push to meet the Secretary’s goal of migrating their connected networks to a single, integrated cybersecurity architecture — otherwise known as Joint Regional Security Stacks (JRSS) — by 2019.
“The Army is going very aggressive right now and [is] actively purchasing some additional migration teams,” David Cotton, deputy chief information officer for DoD’s information enterprise, said during the Association for Enterprise Information’s DI2E Plugfest at George Mason University June 1. “This is no small feat. This is huge. … There’s a lot of analysis that takes place, a lot of sensing in preparation. Then the joint team that has JRSS and the service teams, the Army, then work together to do the federal migration and collapse at the same time.”
Within the continental United States, four out of 12 major nodes are now operational, Cotton said. JRSS has roughly 160,000 users — mostly in the Army — across six of 226 U.S. installations and bases. DoD plans to move seven more installations over to JRSS by the end of the fiscal year, he said.
What first began as an Army-Air Force partnership to consolidate the two services’ disparate networks into one integrated infrastructure has now expanded to include all of the services.
The Air Force is next major player in line, Cotton said. The service will start its operational assessment decision making tests later this year.
“The Navy is identifying what they call their excepted networks, those things that aren’t perfectly covered by their NGEN contract that they wish to provide some additional security to,” he said. “The Marines are nominating the ones that they wish to [move], and the Coast Guard is anxious to join as well.”
By October this year, the Defense agencies will develop implementation plans for migrating their own networks to JRSS, Cotton said.
It’s all part of DoD’s push to give military commanders a better view of their cyber defenses across a specific region, rather than a snapshot of seemingly disparate networks on individual bases. All told, the JRSS migration will reduce the department’s overall surface attack area and pare back the number of access points from about 1,000 to 50, Cotton said.
Yet Cotton said changing the military’s culture is the main challenge he sees with such a sweeping move to a shared cybersecurity architecture.
“The hardware is similar [and] the software is similar, but maybe the process is different because now it’s more of a larger game with more players,” he said. “It’s not just one individual agency or user, so you have to think differently, which gets into policies. But I must say in about 35 years I’ve been doing this work, it’s probably the greatest collaboration I’ve seen among partners like [Undersecretary of Defense Intelligence] and the military services, where they actually get along and work toward a common end instead of trying to go to different directions.”
The JRSS migration project could also prove to be one of DoD’s more concrete deliverables under the Joint Information Environment (JIE), which the department’s chief information officer, Terry Halvorsen, has indicated is a top priority.
The department is also continuing to focus its efforts on new data center consolidation projects, as well as hosting more cloud services on Pentagon property.
DoD will continue to define its core data centers, but the department is considering another option as well.
“We’re actually exploring and considering having not only core data centers but [also] have component enterprise data centers,” Cotton said. “In other words, if I’m the Army, Air Force, Marines, Navy [or] an agency, I could have an enterprise data center that I own for myself but provide … services to other users as well. Some of the services desire to do that, and that actually is a step toward our achievement of data center consolidation reduction. So that’s acceptable.”
DoD now has 10 major cloud services at provisional-level 5, or information cleared for national security or official-use-only, as well as 40 commercial cloud services at level-2, or public-facing information. Roughly 40 other DoD systems will move to unclassified or official-use-only security levels in the near future, Cotton said.
“Admittedly, as my boss has talked about, some of you have had some challenges in taking advantage of the cloud,” Cotton said. “We haven’t done as much as we’d like to, so we’re doubling down on that. We’ve refined some of the requirements in the security requirements guide for cloud access points.”
Each week, Defense Reporter Jared Serbu speaks one-on-one and in depth with the people responsible for managing the inner workings of the federal government's largest department, and those who know it best. Subscribe to the latest episode on PodcastOne or iTunes.