The Joint Information Environment might be making fewer appearances in PowerPoint conference talking points, but that doesn't mean it's disappeared from Defense Department IT priorities. The Defense Information Systems Agency, which is carrying out the plan to unify DoD network operations and IT, is making steady progress on building out the effort that has no end in sight.
DISA's been at work on improving on the existing joint regional security stacks that underpin JIE connectivity, even as construction continues on new JRSS facilities in the Pacific. JRSS 1.5, as it's known, involves enhancements to the Joint Management System, according to Col. Scott Jackson, DISA chief of JIE solutions.
"JMS is the control system to provide the interfaces to each individual appliance in the security stack," Jackson said in written comments to C4ISR & Networks. "You can think of JMS [as] similar [to] the overarching operating system on a home computer that allows you to then launch individual applications. JMS is our overarching control system that allows an operator to control the various aspects of the JRSS, including multiple vendor devices, from a single interface."
As DISA and the services, in particular the Army, build out and enhance JRSS, they're also decommissioning legacy security stacks, Jackson said. And DoD officials are gearing up for more buildout on JIE — including work orders in forthcoming awards under the Encore III contract, for which proposals were due April 4.
Encore III comes later than planned and with a hefty price tag — worth some $17.5 billion — and military officials have high expectations for what the contract vehicle will do for JIE.
"DoD is transitioning from a collection of stovepipe systems and architectures to an integrated and interoperable environment," stated the Encore III request for proposals, released March 2. JIE "will enhance combat effectiveness through greatly increased battlespace awareness, improved ability to employ weapons beyond line-of-sight, employment of massed effects instead of massed forces and reduced decision cycles. It will also contribute to the success of non-combat military operations."
At the top of the to-do list after JRSS: Working on security architecture and further developing the pieces that will put the actual jointness in JIE: the Joint Management Network, the Mission Partner Environment and Cross-Domain Gateways, Jackson noted.
"As a natural evolution of the JMS…the JMN is that out-of-band management network that will be able to touch all things on the [DoD Information Network]. The protections and telemetry will then enhance the situational awareness and cut the reaction time to cyber issues dramatically," he said. "Beyond that secure and management part of JIE, we will continue to mature the Mission Partner Environment (MPE) and Cross-Domain Gateways and other capability that enhances our warfighting capabilities, both within cyberspace and the conventional domains."
So JIE is evolving, to be sure, but the process isn't without its continued bumps along the way — which have yielded important lessons, according to DoD officials. That's something Jackson confirmed is especially true when it comes to the nitty-gritty technical work of transitioning network operations, hardware, software and all the other moving pieces on the back end of defense IT.
"We definitely learned that slow is fast when it comes to network discovery and methodical migration from one security enclave to another. Meaning that the first impression was stand up a new security stack and swing over the users and circuits," Jackson said. "However, we found that we need to have a much more deliberate process of network discovery to fully understand the customers' individual situation so we didn't break anything as we migrated. We have now streamlined that process and believe that the next wave of migrations will take about half as much time now that we have enough lessons learned and examples of settings to watch for."
Of course, there's more than just the technology. Considering there's never been an effort like it before, it's taking time to determine the path forward — and then to get everyone to take that path.
Addressing the culture change involved in moving multiple services and agencies to the same physical appliance, and ultimately to an enterprise IT environment is "both a challenge and a success story," Jackson said.
"Although each JRSS customer has separate security domains, the way they used to do business is changing in some cases. Our partners on the operations side of DISA have done a spectacular job hosting working groups with all the services to document use cases and procedures to minimize any negative impacts to anyone's mission," he said.
Those use cases will form a baseline for testing at the Joint Interoperability Test Command (JITC), which will validate JRSS operations under stressed conditions with multiple agencies making changes at the same time, Jackson said.
"Ultimately, DISA Global located at Scott Air Force Base (Illinois) has full visibility and control over the entire JRSS constellation, but allowing services and agencies to control their portion of the domain to meet their individual needs is a key to making sure we have not negatively impacted our customers with this effort," he said.
As for the pool of customers, that's about to grow. So far JIE has mostly centered on transitioning Army network and facilities to JRSS, but the other services have been closely monitoring progress and determining if, when and how they will get onboard.
The Air Force is preparing to transition its internal AFNET from Air Force gateways to JRSS, with DISA currently setting up lab-based testing, rehearsals and exercises "to get their operators the confidence they need" to make the transition, Jackson said. With JITC helping with testing and validation, officials expect the Air Force to begin migrating to JRSS by the end of fiscal 2016.
The Navy has identified several networks for DISA to begin the network discovery process and schedule the migration activities, but "we are still working out the logistics to set an actual date of their first move to JRSS," Jackson said.
The Marines remain a question mark, given that they tend to "operate a little differently," but they are considering making some sort of moves, Marine Corps CIO Brig. Gen. Dennis Crall said at an event in Washington last fall.
"JIE is going to promote cost savings, and it's not hard to argue with reducing threat surfaces," Crall said. "But the biggest challenges are … how do you enforce standardization and balance customization?"
For now, DISA officials are focused on "doing our best to migrate as many bases [and] agencies as we can so they can achieve savings by turning off the legacy security stack they currently have," Jackson said. Additionally, "in the short term, our focus is to continue building out the sites to the same level of maturity as the four stacks in the Southeast and Southwest."
Looking further out, security will be the name of the game. Optimization is a rising priority – including the optimization of network flow and of the tools that secure the network by blocking, alerting or capturing malicious behavior, Jackson said.
Another long-term security goal centers on analytics and an unprecedented ability to act on the vast amount of data JRSS collects on every network transaction. That includes pushing that information to a fortified out-of-band network that "cannot be physically manipulated, even by the most privileged user or administrator," Jackson said.
"We have consulted our own DOD experts and they have confirmed this is the most challenging issue for someone attacking a network; if we use passive network taps to dump data to an out-of-band network and then run signatures and analytics on that data, no one is able to spoof their movements or clean up behind themselves," he said. "The fact that they even try to delete logs or remove packets serves as an even bigger spotlight that they have done something they should not have. Traditionally, an advanced user or someone who gains advanced authentication can clean up behind themselves, alter or delete logs and make things appear normal. Passive data taps that dump data to an out-of-band network, that then runs analytics, will eliminate this threat."
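The analytic Jackson describes, as an added example that is not part of the article or of any DISA system: records from a passive tap feeding the out-of-band network (assumed to be beyond the reach of anyone on the monitored host) are reconciled against the monitored host's own log, and any connection the tap saw but the host log does not account for is raised as a log-tampering indicator. The record formats, addresses, and the five-second matching window are constructed assumptions.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=5)  # assumed clock skew tolerance between tap and host

# Constructed sample data (not real traffic). The monitored host is 10.9.9.9;
# the tap sits in front of it and cannot be altered from the host.
TAP_RECORDS = """\
2016-04-01T10:00:05Z 10.1.2.3 10.9.9.9 22
2016-04-01T10:03:40Z 10.1.2.3 10.9.9.9 22
2016-04-01T10:15:12Z 10.1.2.7 10.9.9.9 443
"""

# Host-side log as it survived; the second SSH session is missing.
HOST_LOG = """\
2016-04-01T10:00:06Z sshd accepted 10.1.2.3 port 22
2016-04-01T10:15:13Z httpd accepted 10.1.2.7 port 443
"""

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def parse_tap(text):
    """Tap record per line: '<iso-time> <src> <dst> <dport>' (constructed format)."""
    out = []
    for line in text.strip().splitlines():
        ts, src, dst, dport = line.split()
        out.append((_ts(ts), src, dst, int(dport)))
    return out

def parse_host_log(text):
    """Host log line: '<iso-time> <service> accepted <peer> port <n>' (constructed format)."""
    out = []
    for line in text.strip().splitlines():
        ts, _svc, _accepted, peer, _port, n = line.split()
        out.append((_ts(ts), peer, int(n)))
    return out

def find_unlogged_flows(tap_records, host_entries, window=WINDOW):
    """Return tap-observed flows with no host-log entry for the same peer and
    port inside `window`. Each one is a tamper indicator: the tap proves the
    host handled the connection, yet no record of it survives on the host."""
    remaining = list(host_entries)
    unmatched = []
    for t, src, dst, dport in tap_records:
        hit = next((e for e in remaining
                    if e[1] == src and e[2] == dport and abs(e[0] - t) <= window), None)
        if hit is None:
            unmatched.append((t, src, dst, dport))
        else:
            remaining.remove(hit)  # one surviving log line accounts for one flow
    return unmatched
```

Run on the sample, the function returns only the 10:03:40 SSH connection, the one whose host log line is gone.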