DOD Cyber Program at Risk in Senate NDAA: This Is IT

The annual defense policy bill could imperil a cybersecurity program once considered crucial to defending the Pentagon’s networks against unauthorized access by U.S. adversaries.

But now the Joint Regional Security Stacks (JRSS) program has come under fire for being difficult to use, ineffective at stopping cyber threats, and redundant with other systems. The fiscal 2021 National Defense Authorization Act (S. 4049) — being debated this week on the Senate floor after it was approved by the Senate Armed Services Committee on June 24 — would require the Defense Department to decide the future of program.

Fixing a Troubled Program

JRSS is a system of cyber defenses including network routers, firewalls, and switches that are centralized rather than being distributed worldwide. The goals include better situational awareness around cybersecurity at DOD, reducing unauthorized network access, and improving network security.

However, the system has failed to meet these goals and was the subject of a critical June 2019 report from the Pentagon’s inspector general that identified more than a dozen critical or high-level cybersecurity vulnerabilities that DOD officials had failed to address.

“The committee is aware of the operational cybersecurity limitations of the JRSS technology,” according to the SASC report accompanying the NDAA text that cited the difficulty in training DOD personnel to use it and the present failure to use the system effectively.

The bill would force the Pentagon to either transition the JRSS to an official program of record, which would require the program to fully adhere to federal acquisition guidelines, or to scrap the program in favor of more capable, cost-effective technologies within five years. The secretary must notify Congress of the decision by Dec. 1, 2021.

If the Pentagon elects to double down on the program, Defense Secretary Mark Esper must submit a plan for transitioning JRSS to a program of record, requiring the department to disclose future years’ budget planning, define its operational requirements, develop an acquisition strategy, name a responsible program manager, document training requirements, and performing systems testing.

The Senate bill included a combined $16.5 million in cuts to the Pentagon’s fiscal 2021 budget for JRSS procurement, research and development, and operations and maintenance — about 2.4% of the $681 million the Pentagon requested in February. It would also prohibit the Pentagon from giving the JRSS system access to the Secret Internet Protocol Router Network (SIPRNet), the department’s classified information system, in fiscal 2021.

An Opportunity for DOD Contractors

Whether the Pentagon chooses to overhaul the JRSS program or to cancel it entirely, the Senate bill should signal to federal contractors that cybersecurity will remain a top investment priority for federal agencies. It should also make clear that Congress will hold agencies accountable for failing to meet their cybersecurity objectives.

If the Pentagon decides to transition the program to program-of-record status in fiscal 2021, it may require the department to accelerate the timeline on one or more procurements to scale the program to full operational capacity and address any outstanding vulnerabilities.

Leidos Holdings Inc. has managed the JRSS portfolio management office since June 2019, generating $71 million in the last year. Leidos’s contract, a task order on its Global Information Grid Services Management – Operations (GSM-O), expired on June 28.

A decision to end the JRSS program could also open the door for new contracting activity, especially for vendors already serving as top federal cybersecurity service providers (CSSPs) — such as Booz Allen Hamilton Holding Corp., Perspecta Inc., Accenture PLC, and General Dynamics Corp. The bill would require the Pentagon to transition to a new technological approach within five years.

Note: This Is IT is a weekly column by Bloomberg Government focused on information technology matters affecting government contractors.

With assistance from Chris Cornillie

To contact the analyst: Laura Criste in Salt Lake City, Utah at lcriste@bgov.com

To contact the editors responsible: Daniel Snyder at dsnyder@bgov.com; Jodie Morris at jmorris@bgov.com