DoD CIO: ‘You cannot rest’ on shared cybersecurity system

Depending on who you ask in the Defense Department, the most important part of the implementation of the Joint Regional Security Stacks (JRSS) is either its impact on service culture, the upcoming tests or the possibilities for version 3.0.

DoD’s multi-year migration to a shared cybersecurity system is well under way, officials told an audience gathered for the Nov. 1 Defense Systems Summit “JIE and the New Military Landscape,” held in Pentagon City, Virginia. Now it’s just a matter of embracing the high standards and new culture that come with it.

Defense Chief Information Office Terry Halvorsen said JRSS is going to bring DoD great capabilities, but at a price.

“When it is complete it really will be the first architecture, the first set of tools and equipment that were from the beginning designed to be a part of a joint system,” Halvorsen said. “Governance, of how to operate this, is going to be the other thing we’ve got to test and the other thing we’ve got to learn to do better. We’ve also got to remember … there will never be a last JRSS if JRSS stays in place. If you are in this business, the cyber-IT-software hub, it never can stop. You cannot rest.”

Sponsored Content: Sign up for a free webinar as DoD, Air Force and VA offer insights on cybersecurity strategies.

Advertisement

The JRSS migration is part of the Joint Information Environment (JIE), a four-year-old unification effort and security boost for the department’s 15,000 IT networks.

Halvorsen said if he could start over, he’d name it the “Joined Information Environment” because DoD will never get to a true joint environment due to its ever-changing nature.

“The vision of JIE has to be one that we accept will continually change,” Halvorsen said, pointing to the threat factor as reason alone that the JIE must be constantly updating — though money and usability were other reasons he mentioned during his speech.

“JRSS as a concept will be done when everybody is behind it, but it won’t stop there,” Halvorsen said. “In this business, what’s next comes really fast. We have to adopt our actions better to do that. I suspect JRSS 3.0 will look very little like JRSS 1.5. [Given] the rate of change both in software, tactics, procedures in this field, it has to get better, has to keep morphing, so we’re going to have that issue as we move forward with JRSS.”

Passing the test

The Defense Department is moving forward on JRSS implementation.

Col. Scott Jackson, JIE Solutions Division chief at the Defense Information Systems Agency, said each service has submitted implementation plans, which include phases and timelines for bases and users. The plans might also include concerns from each military branch about implementation.

DHS rollout of HR IT system called 'textbook case of waste'

“A lot of that implementation plan was getting into the nitty-gritty about the technology of JRSS, the protections, rebuilding the same access authorities that say, an Air Force administrator has on an Air Force base to change his individual firewall, confirming that when they migrate to JRSS, that same administrator in the virtual Air Force firewall can still change all the same things,” Jackson said. “It really comes back to that no loss of current capability. We would not want to be responsible for the Air Force saying this mission didn’t take off because your cybersecurity failed because it didn’t do something that my current system does.”

Jackson said there are 23 Non-Secure Internet Protocol Router NETwork (NIPRNet) security stacks and 25 Secret Internet Protocol Router Network (SIPRNet) stacks planned globally.

Once stacks are installed, a team goes in and does initial software configuration to test for any vulnerabilities. Then there’s an initial test acceptance when DISA Global Operations command operators log in and confirm the agreed upon configuration matches.

Jackson said the process is similar to purchasing a combination lock, having someone install it on the default combination, and then you changing it to your preference once the locksmith leaves.

Six stacks are operational to the level that Air Force can migrate to them now, two additional stacks will be operational by the end of December.

Once those tests are passed, the service branch can start migrating bases to the JRSS and overall JIE, Jackson said. The Army has gone through about 16 migrations, while the Air Force is in the process of two migrations.

Working together

The tests aren’t the only thing DoD branches are focusing on.

During his talk, Halvorsen admitted that the JRSS implementation and a more refined understanding of enterprise culture are something the military services are going to have to work on.

Daniel Corbin,  chief technology adviser at the U.S. Marine Corps headquarters, acknowledged during a Defense and industry panel, that loss of control and potential lack of understanding are downsides to JIE, but there were also opportunities for cost savings and added security.

Danielle Metz, deputy director for strategy and integration within the DOD CIO’s office, said instead of thinking of it as losing control, “it’s protecting DOD as an information network.”

“It’s not looking at the Marines are protecting their portion of the Marine network, the Navy is protecting the Navy’s portion, but really working together,” Metz said.

Deputy CIO for the Navy Janice Haith said the standardization is overdue, and while giving up some control is going to be the biggest challenge, the JRSS “gives us the security we didn’t have, but allows us to plan for the future of how we can bring those into more of an enterprise forum.”

Frank Konieczny, Air Force chief technology officer, said the JRSS would finally get the services talking to each other.

“Now we’re coming in with a healthy tension as to what should be the way that we’re actually going forward,” Konieczny said. “We can’t keep our own security separate, we have to somehow push them all together. That’s helping us realize that everybody, every component has a different way of looking at it, take the best of breed and we have to use that.”