The Department of Defense is moving quickly to wind down a controversial IT program once touted as something that would significantly improve the Pentagon’s cybersecurity posture.
In 2021, the DOD decided to officially sunset the Joint Regional Security Stacks (JRSS), an ambitious effort to bolster the overall IT security posture of the department. The program was poised to shrink the attack surface by reducing thousands of stacks globally to roughly 25, which in turn promised to significantly enhance digital protection and provide commanders unprecedented visibility into their networks.
“We are working through the sunsetting of JRSS plans right now with all the services,” Lt. Gen. Robert Skinner, director of the Defense Information Systems Agency, said at the annual DAFITC conference Wednesday. “I don’t know if we could have made something more complex than we did that.”
Other officials noted its complexity and failure to deliver on promises.
“We’re scarred by the JRSS adventure,” Lt. Gen. John Morrison, deputy chief of staff, Army G6, said at the TechNet Augusta conference Aug. 15. “We didn’t seal the deal on how to operate in a completely joint environment where the demarc[ation] between roles and responsibilities was different.”
Skinner said funds have been taken away from JRSS already and the department is committed to a smooth transition.
“What I ask of all those who are leveraging JRSS — you’ve got to get off the snide and you’ve got to get your plan together and start moving out on the plan. I’ll tell you, we do not have the time to have JRSS continue for years because, I’ll tell you, it is older technology, it is very complex and it’s costing a whole bunch. And then if we have to refresh a lot of the capabilities, that’s going to refresh something that we’re going to be sunsetting anyway,” he explained. “Let’s be aggressive but not reckless. The rush to sunset JRSS is on.”
Morrison said in the future, officials need to figure out true integration with sister services and combatant commands.
“What we are really striving to do is not simply figure out what is going to be the interface that allows us to pass the ones and zeros … [but] how do we really make this where we’re integrating with the sister services in the geographic combatant commands so that we can get after this notion of” Joint All-Domain Command and Control, he said, referring to the Pentagon’s new concept for warfare that envisions how systems across the entire battlespace from all the military services and key international partners could be more effectively and holistically networked and connected to provide the right data to commanders for better and faster decision-making.
“I will be candid. In some regards, it’s a little bit of a bottom-up approach right now. But it is something we continue to work with [the Office of the Secretary of Defense] and the Joint Staff to start trying to really lay out what those standard APIs should be. And we don’t want standards per se, but so that we get after this notion of integration,” Morrison said.
One of the main reasons for the decision to move away from the JRSS program was the DOD’s push to adopt zero trust, a concept and framework that assumes networks are already compromised and require constant monitoring and authentication to protect critical information.
The Defense Information Systems Agency’s Thunderdome project — DISA’s zero-trust capability providing network access tools, segmentation technologies, and identity and endpoint capabilities — was initially billed as a key reason to sunset JRSS.
However, Skinner noted that Thunderdome is only part of the agency’s cybersecurity vision.
“Thunderdome is just one area of it. Thunderdome is not a replacement for JRSS. We have to decommission JRSS. And Thunderdome plus other capabilities will still be required,” he said.