Pentagon testing office urges DoD to pause rollout of Joint Regional Security Stacks

Subscribe to Federal Drive’s daily audio interviews on iTunes or PodcastOne.

The Pentagon’s ambitious project to consolidate its network defenses into a relative handful of regional operations centers around the world has been in the works since 2013, but last year was the first time the multibillion dollar Joint Regional Security Stacks have been subjected to a formal operational assessment. The results were not exactly glowing.

In its annual report, released last week, DoD’s independent Director of Operational Test and Evaluation said DoD should halt any further deployments of JRSS for the time being, calling its performance in securing DoD networks “poor,” partly because of what DOT&E concluded were severe staffing shortfalls, difficulties integrating various network defense technologies and a failure to get various Defense components to cohere around a common understanding of tactics, techniques and procedures for how to employ JRSS.

The security stacks are “unable to help network defenders protect the network against operationally realistic cyber-attacks,” the report found. “Although the JRSS uses mature, commercial-off-the-shelf technologies, JRSS operator training lags behind JRSS deployment, and is not sufficient to prepare operators to effectively integrate and configure the complex, room-sized suite of JRSS hardware and associated software.”

DOT&E’s evaluation focused on the 1.5 version of JRSS, the iteration that’s primarily used by the Army and Air Force, with overall integration work led by the Defense Information Systems Agency. A forthcoming JRSS 2.0 is intended to converge the Navy’s cybersecurity protections into the same regionalized security structure.

Basing its findings largely on an internal July assessment by DISA’s Joint Interoperability and Test Command, DOT&E said DoD’s use of the security stacks is hampered by a serious lack of personnel who are trained to make use of the systems: Air Force manning levels are at 50 percent of what they should be; DISA, meanwhile was attempting to manage nine of the stacks during 2017 even though it only had adequate staff for five of them.

The Defense Department believes the JRSS construct is inherently more secure than its network defense architectures of the past. Among the reasons: it consolidates thousands of separately-managed network defense points into one coherent structure that can be monitored at all times by U.S. Cyber Command, and relies almost exclusively on commercial-off-the-shelf technology, reducing overall costs and ensuring that the military services are protected by the best-of-breed in private industry.

But DOT&E said the department has struggled to harmonize all of those commercial technologies — supplied by three dozen different vendors — into something that its personnel can manage.

“The services, DISA, and USCYBERCOM have not codified JRSS joint tactics, techniques, and procedures to ensure unity of defensive effort and enhance defensive operations,” the authors wrote, adding that DoD needs to ensure its personnel are trained to use the commercial capabilities it’s been buying.

The report also makes clear that DOT&E has found more problems than it’s comfortable discussing in a publicly-releasable document, saying the office intends to deliver more details in a classified report on JRSS by the end of January.

Read more of the DoD Reporter’s Notebook.