Lawmakers are pushing the Defense Department to decide the fate of a heavily scrutinized network security system criticized in the past as potentially ineffective.
In the sprawling annual defense policy bill that President Donald Trump has threatened to veto, Congress agreed that the Defense Department should settle the future of the Joint Regional Security Stacks platform, a suite of many network protection tools for safety measures including intrusion detection, firewalls, and virtual routing and forwarding.
Senators pressed to “require the Secretary of Defense to undertake a baseline review of the Joint Regional Security Stacks (JRSS) activity to determine whether the activity should proceed as a program of record or be phased out across the Department of Defense,” according to their written comments on the fiscal 2021 National Defense Authorization Act.
The Defense Information Systems Agency, which provides IT support for the DoD, has worked to improve JRSS by replacing 1,000 legacy security systems around the world with 48 stacks, the network security devices that all data must pass through.
But in recent years the platform came under scrutiny from Congress, the Government Accountability Office and the Defense Department’s Office of Operational Test and Evaluation, its chief weapons tester, due to questions about its ability to defend against cyberattacks. The department would have until Oct. 1, 2021, to decide whether to transition the system to a program of record, if the bill passes.
If the review determines that the program should move forward as a program of record, the department must outline the operational requirements and acquisition strategy.
Under the legislation, the department must enter into a contract with a nonprofit or federally funded research and development center to conduct a review of the program within 30 days of the bill becoming law.
The contracted organization is required to provide an “assessment of the efficacy” of JRSS, analyze the capabilities and performance of the program, evaluate the ability of JRSS to meet DoD’s performance metrics, and assess what the system needs to meet cost and schedule milestones.
The proposal also would bar the DoD from spending funds to deploy JRSS on the department’s Secret Internet Protocol Network — a provision that was originally only in the Senate bill and adopted in the compromise version with the House.
In 2018, the Pentagon’s chief weapons tester suggested that the agency scrap the JRSS program. Defense officials, meanwhile, have touted the system as decreasing the cyberattack surface of the Pentagon and vastly increasing situational awareness. They’ve also long challenged the idea that the JRSS system should come to halt, saying that they’ve addressed issued raised by the Office of Operational Test and Evaluation.
DISA continues to envision JRSS as part of its future, noting in its revised strategic plan for fiscal 2021-2022 released last month that it planned to continue to sustain the stacks and increase their capabilities through technology refreshes.
In the Senate Armed Services Committee version of the NDAA, senators wrote in the explanatory language that the “the committee believes that the deployment of JRSS on the Secret Internet Protocol Router Network is thus inappropriate, given JRSS’ limited cybersecurity capability and the existence of alternative capabilities to execute its network functions.”
David Mihelcic, the former chief technology officer of DISA, told C4ISRNET that prohibiting funds to deploy JRSS on the SIPRnet would be a mistake, calling the idea a dangerous limitation.
“Traditionally DoD has invested orders of magnitude more in cybersecurity spending for NIPRNET, leaving SIPRNET protected primarily by physical security and encryption,” said Mihelcic, a consultant at technology market insights firm DMMI. “A malicious insider or an adversary that has penetrated the SIPRNET’s physical security would find fewer security protections than on DoD’s unclassified network.”
Congress instead “should require DoD to focus these investments on more leading-edge technologies such as zero trust, advanced persistent threat detection/prevention, and AI/ML augmented cyber security tools versus] traditional firewalls,” he said.