WASHINGTON — For the fourth year in a row, the Pentagon’s chief weapons tester recommended Thursday that components stop migrating to a fraught network security system until the department proves that the system can effectively help defend against cyberattacks.
The department’s Joint Regional Security Stacks program faces numerous shortfalls, continuing to provide insufficient network defense capabilities, according to the annual report from the Director of Operational Test and Evaluation office. Components should look to other cybersecurity programs in the department’s pipeline, including work on zero trust, the report recommended.
The security system is supposed to improve cyber situational awareness of DoD network defenders by increasing their ability to continuously monitor and analyze network traffic on the DoD information network (DoDIN). The program, managed by the Defense Information Systems Agency, is supposed to be deployed on both the Nonclassified Internet Protocol (IP) Router Network (NIPRnet) and Secret Internet Protocol Router Network (SIPRnet). Its capabilities include firewall functions, intrusion detection and prevention, enterprise management, and virtual routing.
Migrations to the NIPRnet’s security stacks system have continued “despite DOT&E recommendations to suspend them until the stacks are shown to be effective in operational testing,” the report said. Assessments since 2016 found that the security system for NIPRnet hasn’t helped network defenders protect against realistic cyberattacks, the report said.
This year's NDAA calls for the DoD to make a decision on the future of its Joint Regional Security Stacks program in 2021.
SIPRnet deployment, meanwhile, was postponed to fiscal 2023 after a test last year showed poor cybersecurity findings, leading the program office to shut down existing joint stacks systems on the secret infrastructure and delay full deployment. The 2021 defense policy law bars DISA from spending funds on SIPRnet deployment after lawmakers expressed concern about its “limited cybersecurity capability and the existence of alternative capabilities to execute its network functions.”
Though SIPRnet capabilities were deployed in 2016, the report noted that no users had migrated to it.
The report made seven recommendations to the department’s chief information officer and components, including that the DoD continue to develop alternative cybersecurity programs and halt adding new users until the system proves that it can aid cyber defenders. Additionally, DOT&E pointed to the department’s work on zero-trust pilots, stating that components should track that work and forgo Joint Regional Security Stacks deployment on SIPRnet if those pilots prove viable.
The program, which is not a program of record, is also missing an operational requirements document, according to the report. That document is needed in part to “improve the N-JRSS defense against nation-state threats,” a timely recommendation after Russian-linked hackers breached unclassified systems of several federal agencies using their software supply chains.
“In order to fully address users’ and mission owners’ needs during testing, operational requirements must be documented,” the report said.
As the years-long list of problems continues to pile up, members of Congress are showing skepticism about the program. In addition to banning spending on SIPRnet deployment, the defense policy law directed the Defense Department to decide by Oct. 1 whether the effort should become a program of record or get phased out.
Despite their concerns, lawmakers fully authorized the department’s $88.7 million budget request.
DISA, meanwhile, appears to still view the system as a core part of its security architecture moving forward. The agency’s strategic plan for 2021 and 2022 outlined how it will sustain the program and update the stacks through refreshes.