A Senate committee’s version of the annual defense policy bill would ban the Department of Defense from spending money to deploy a controversial cybersecurity program on its secret network.
The Senate Armed Services Committee’s version of the National Defense Authorization Act for fiscal year 2021, released June 23, would preclude the department from spending fiscal 2021 funds on the Joint Regional Security Stacks (JRSS) program for use on its Secret Internet Protocol Router Network. JRSS, run by the Defense Information Systems Agency provides cybersecurity services for many DoD components through intrusion detection and prevention, enterprise management, and virtual routing. DISA is tasked with operating and maintaining DoD networks,
But the JRSS program has a checkered history for being effective. In 2018, the Defense Department’s chief weapons tester suggested that the program be shut down. Other tests have also found several operational and technical troubles. Now defense committees in both legislative chambers are trying to rein in the program.
The Senate bill authorizes cuts of about $11.6 million from the JRSS, including $11.1 million in JRSS procurement funds for SIPRNet and about $500,000 in research, development, testing and evaluation. The House bill authorizes deeper cuts, slashing procurement dollars from $88 million to $8 million and research and development funds to zero from $9 million.
Because of the continued challenges plaguing the program “the committee believes that the deployment of JRSS on the Secret Internet Protocol Router Network is thus inappropriate, given JRSS’ limited cybersecurity capability and the existence of alternative capabilities to execute its network functions,” the Senate committee wrote in a report accompanying the bill.
As Congress questions the efficacy of the program, it also wants answers. Under the legislation, the Secretary of Defense would have to answers the following questions by Dec. 1, 2021.
- Is the Department of Defense Information Network properly designed to achieve JRSS’ intended network middle tier security and network functions?
- Is the JRSS hardware and software stack technologically obsolete?
- If JRSS were to be properly manned with proficiently trained personnel, can it perform the security functions it was intended to provide within affordable manning and training resources?
- What are the required security functions that can be measured and subjected to operational testing?
- Is the collection of cybersecurity related data and metadata enabled at JRSS nodes being consumed by other cybersecurity systems — for example, the Big Data Platform and Security Information and Event Management capabilities?
- Is JRSS performing its network management functions well, and should the security functions of JRSS be terminated in favor of other solutions and investments?
If the DoD finds that JRSS should move forward, it must develop a plan to transition it to a program of record by October 2021.
The fiscal 2019 report from the Pentagon’s Office of the Director of Operational Test and Evaluation recommended that the DoD chief information officer refrain from migrating more users to JRSS until “the system demonstrates that it is capable of helping network defenders to detect and respond to operationally realistic cyber‑attacks.”