Pentagon watchdog flags cyber issues in DEOS, JRSS

The Defense Department's testing and evaluation body has serious cybersecurity concerns when it comes to using commercial cloud offerings and the embattled Joint Regional Security Stacks effort.

The Pentagon (Photo by Ivan Cholakov / Shutterstock)

The Defense Department's testing and evaluation body has serious cybersecurity concerns when it comes to using commercial cloud offerings.

The Office of the Director, Operational Test and Evaluation (DOT&E) wrote in its annual report for fiscal 2020 that it was "concerned with the cyber survivability" of the Defense Department's digital modernization strategy initiatives, such as the Defense Enterprise Office Solution (DEOS), a $4.4 billion contract for Microsoft Office 365 services with GDIT.

"DOT&E is concerned with the cyber survivability of DMS initiatives and less so with their operational effectiveness and suitability," the report states, adding that DOD would need to do comprehensive cyber testing for commercial cloud platforms.

"Because the DEOS program plans to use commercial cloud platforms to store classified and unclassified data, it will be critical for the DOD to conduct threat-representative cybersecurity testing on the commercial cloud and its hosting infrastructure."

The report detailed six recommendations for the Defense Department's digital modernization initiatives, including a "thorough cybersecurity operational testing" and "threat-representative testing of the commercial cloud capabilities employing current cybersecurity testing guidance and policy."

The report also called for an update to DEOS' testing and evaluation master plan for classified and unclassified networks.

Cybersecurity worries also extend to the embattles Joint Regional Security Stacks initiative, which has endured reliability and latency woes, seen drops in funding and increased scrutiny from Congress.

DOT&E raised concerns about JRSS' cyber vulnerabilities in 2019, recommending the program be paused until they could be resolved. This year, they issued 11 recommendations, noting that the program had continued despite prior warnings, but the message was pretty much the same: DOD needs to look for JRSS alternatives.

"The DOD CIO and the DOD components should...continue developing more effective cybersecurity alternatives to JRSS, such as the ongoing pilot work...on implementing zero trust architectures and increased focus on developing and maintaining a skilled and trained defensive cyber workforce," the report states.

The report also recommends completely suspending classified JRSS operations "if the zero trust architectures prove viable" and halting migrations of new users until the system is proven capable of "helping network defenders to detect and respond to operationally realistic cyberattacks."