The Defense Information Systems Agency began employing Joint Regional Security Stacks (JRSS) – regional suites of equipment intended to enable Defense Department cyber defenders to continuously monitor and analyze the DoD Information Network (DoDIN) – in 2014. The intent is to minimize the effects of cyber threats while ensuring the integrity, availability, and confidentiality of data.
But there have been challenges to overcome. Feedback received from mission partners and testing authorities has helped the agency determine what it is doing right and where it can improve the JRSS, said Army Col. Greg Griffin, JRSS portfolio manager.
“We’re enabling the DoD-wide cyber footprint to become dramatically more defensible across an ever-changing information landscape,” he said, explaining program resources were significantly realigned as the result of an operational assessment conducted by the DoD Director of Test and Evaluation in March 2018. “These resources are focused on reducing the complexity of the information presented to operators and improving standard operating procedures.”
Over the past 10 months, the JRSS program management office (PMO), in partnership with DISA’s Mission Partner Engagement Office (MPEO), has focused on systematic, active contact with all JRSS mission partners, at strategic and operational levels, DISA explained in a release.
“Our goal is to help mission partners resolve any frustration they may have. We assist mission partners in articulating their needs, concerns, and challenges in actionable ways,” said Army Col. Keith Chinn, chief of the MPEO.
According to Chinn, mission partner engagements revealed five primary concerns and challenges related to JRSS: latency, cost, multi-tenancy, performance reliability, and synchronization with base infrastructure.
Program officials addressed each topic and explained what the agency has done recently or is currently doing to mitigate concerns.
Reducing Latency and Cost
One major effort aimed at reducing latency issues was the upgrade of all the Continental U.S. (CONUS) Intrusion Prevention System appliances to eliminate bottlenecks, said Joe Edwards, JRSS chief engineer. The upgrades were completed in December 2018.
While a full analysis is not expected until late February, interim reports indicate overall performance has increased, and end-user latency has significantly decreased. Operators report significant improvements at the end-user level, especially for web and internet traffic.
“Performance is being constantly assessed and re-assessed by JITC and our mission partners, and we have dramatically reduced overall latency,” said Edwards.
Because JRSS is not a program of record, the military departments must realign funds within their IT budgets to pay for JRSS procurement, fielding, deployment, sustainment, and tech refresh, explained Griffin. DISA is required to do the same, he said.
The DoD Chief Information Officer’s 2012 charter of the Joint Information Environment Executive Committee (EXCOM) affirmed this “everyone chips in” budget and management construct.
“The real cost savings for the military services comes from decommissioning legacy circuits and capabilities,” said Griffin. “If they do not do that, their workforce has to manage two systems, as well as continue budgeting for systems that should no longer be in use.”
Fund stewardship is still a priority for the JRSS PMO as it works to streamline the JRSS architecture, said Griffin. The team is actively looking for ways to reduce costs, including pursuing volume discounts as much as possible; utilizing enterprise-licensing solutions, such as Joint Enterprise Licensing Agreements (JELA); and investigating ways to increase workflow automation wherever possible to shrink labor costs over time.
The military departments expressed concerns about multi-tenancy and the potential for ripple effects – JRSS changes made by one mission partner possibly impacting others – when speaking with DISA’s MPEO team, said Chinn.
While JRSS components provide multi-tenant operation, there is no guarantee that key system resources, such as CPU, memory, and more, are shared equally without affecting other mission partners, acknowledged Edwards.
To tackle this issue, and prevent one component’s configuration changes from adversely affecting another’s performance, the JRSS PMO is using governance processes and SOPs until technical solutions are in place.
“We continually stress that going forward, vendors must demonstrate an ability to safeguard processing resources to avoid inadvertent impacts among mission partner traffic,” said Edwards.
Improving Reliability and Base Infrastructure Synchronization
The JRSS Security Information and Event Manager (SIEM) is notably more stable and reliable than it was a year ago as a result of the DISA team’s effort to verify and adjust connector and logger configurations, Edwards said.
Last year, nearly 100 SIEM tickets were in the queue. Today, there are no tickets requiring immediate action. As a result, the PMO has rebuilt confidence at the customer level and ensured the tool is at a stable, optimal state for all mission partners, DISA reported.
“With this effort completed, we are able to move beyond collecting logs. We can address customer needs by deriving more value out of the tool and by implementing features that were not possible before,” Edwards said.
Additionally, in an effort to enhance and simplify JRSS operation, revamped dashboards reduce alarms and simplify incident responses. These changes standardize incident response procedures with mission partners and move users toward a common language to prevent miscommunication, DISA explained.
According to Edwards, under JRSS multi-tenancy, mission partners and DISA Global Operations Command (DISA Global) share Tier 1 network and security operations center responsibilities. Tier 2 operational engineering support capability is provided solely by DISA Global. Finally, subject matter expertise, along with architecture and engineering support, is provided by the PMO at the Tier 3 level.
"Because of the multitude of people involved, the challenges we've been working hard to overcome are synchronizing efforts between tiers, ensuring everyone is operating off the same playbook, and ensuring everyone has a similar frame of reference," said Edwards. "The enhancements we put in place last March were designed to resolve those challenges."
The JRSS PMO also made several enhancements to Tier 3 operations and engineering support. For example, “We’ve implemented operational engineering solutions with additional tactics, techniques, procedures and standard operating procedures,” Edwards said. “This ensures uninterrupted support during critical migrations.”
Currently, all 11 Non-classified Internet Protocol (IP) Router Network (NIPRNet) JRSS stacks throughout CONUS are active.
Outside the Continental U.S. (OCONUS) NIPRNet security stack activations are well underway, with two stacks in Europe operational and handling migrated traffic. Two stacks in Southwest Asia have achieved operational status, and are being prepared for migrated traffic. JRSS installation and configuration are still underway in the Pacific theater.
According to Griffin, two Pacific area NIPRNet stacks are scheduled to be ready to handle traffic from throughout the region in late 2019.
In addition, Secret IP Router Network (SIPRNet) stacks in and outside of the Continental U.S. are scheduled to be ready by the end of the year, with traffic flow expected to begin this summer.
Looking ahead, DISA said the vision for JRSS is to ensure DoD and mission partner traffic moves effortlessly throughout the Joint Information Environment. Services, combatant commands, and defense agencies will be able to see more network activity, defend the network more easily, and share information seamlessly – throughout their organizations and with mission partners.
“The JIE is powerful,” said Griffin. “But to fully realize its power, we need to help our mission partners arrive in standardized fashion.”