BALTIMORE, Md. — The Department of Defense chief information officer this summer decided to sunset the Joint Regional Security Stacks, initially established to shrink the cyberattack surface by consolidating countless classified entry points around the world to 25 sites, a spokesperson from the Defense Information Systems Agency confirmed.
The program had faced multiple setbacks, with government watchdogs and Congress asking to pause the program and for more information along its lifecycle. Last year, Congress asked DoD to assess the fate of the program.
Officials originally lauded JRSS because it was aimed to provide increased security as well as unprecedented situational awareness of the network.
Now, DoD is preparing the transition strategy for JRSS, officials from the Defense Information Systems Agency said Wednesday.
“We’re working with the CIO now on figuring out what the JRSS transition strategy is. It was tagged for sunset within five years,” Andrew Malloy, technical director in the cyber development directorate at DISA, said during a panel presentation as part of TechNet Cyber on Oct. 27.
DISA will keep evaluating JRSS and make adjustments accordingly, according to the spokesperson.
As JRSS is phased out, DISA will begin phasing in Thunderdome, its approach and architecture for zero trust networking, officials said.
“The good news is that both Thunderdome and JRSS exist in the same DISA directorate, and we plan to run programs side by side so that as we ramp up Thunderdome, we start ramping down JRSS,” Angela Landress, division chief for perimeter security at DISA’s cyber security and analytics directorate, said. “We’re setting up various transition working groups across the department, but also with DoD CIO and internally to DISA to make sure that it’s very seamless and that we do that transition in a way that doesn’t break anybody.”
Part of the complexity is determining the services’ roadmap, Malloy said. DISA has maintained that its Thunderdome approach will not be mandated across DoD or the services, meaning the services can opt to partner with DISA or implement their own zero trust system.
“We’re open to partnering, and we’ve had an interest from a number of services who have already said we’d like to partner with how you’re doing this, but this is not a mandated system so the transition from an enterprise system to a collection of different offerings from both DISA and the services is also going to be one of the complexities that we have to navigate,” he said.
Stephen Wallace, systems innovation scientist in the emerging technology directorate at DISA, argued that despite its issues, JRSS “has done a lot for us over the years.”
“It’s easy to pick on certain aspects of it, but the reality is that JRSS has been a tremendous opportunity for the department to unify a number of capabilities and standardize a number of capabilities,” he said. “This is just the next logical progression and, frankly, where IT as a whole is going.”
Mark Pomerleau is a reporter for C4ISRNET, covering information warfare and cyberspace.