A Defense Department inspector general audit says JRSS isn’t working like it is supposed to.
The Defense Department’s $2.2 billion Joint Regional Security Stack is paramount to providing improved cybersecurity across the Pentagon and its components, but an audit released Tuesday suggests its implementation is anything but smooth.
The audit, conducted by the Defense Department inspector general, found numerous “critical” security vulnerabilities, training woes and poor oversight of JRSS, which is supposed to eventually provide trusted cyber situational awareness across the Defense Department, improve its security posture and reduce the number of access points to its information network. Despite limited success in reducing more than 2,700 access points across the Army, Navy and Air Force 131, JRSS isn’t meetings other intended outcomes under the Joint Information Environment.
However, two specific outcomes JRSS is intended to meet are redacted in the audit. Auditors offered a partial explanation as to why those outcomes aren’t being met.
“The JRSS is not meeting other JIE outcomes because DoD officials did not ensure that all JRSS tools met users’ needs and that JRSS operators were trained prior to JRSS deployment,” the audit states. “In addition, although the JRSS was estimated to cost over $520 million, DoD officials considered the JRSS to be a technology refresh and, therefore, not subject to DoD Instruction 5000.02 requirements.”
Auditors said the Defense Department’s decision not to classify JRSS as an official acquisition program—despite its cost and importance—impacted its oversight. For example, typical acquisitions of this size require Defense officials to develop and approve capability requirements, training for operators and further mandate additional planning.
The Defense Information Systems Agency—which has authority over JRSS—agreed with recommendations from auditors to propose a plan to address changes identified during testing and to work with Defense officials to incorporate JRSS operational training requirements into component agencies’ institutional training programs.