The Department of Defense introduced the concept of the Joint Information Environment (JIE) to enable a secure information environment with enhanced cybersecurity by leveraging a unified security architecture. The DoD aims to collapse network security boundaries, reduce external attack surfaces, and standardize the management, technical and operational security controls in an overall effort to improve the DoD Information Network (DoDIN) defense-in-depth.
The objective is to ensure DoD military commanders, civilian leadership, warfighters, coalition partners, and other non-DoD mission partners have access to information and data provided in a secure, reliable, and agile DoD-wide information environment.
The Defense Information Systems Agency (DISA) initialized the first Joint Regional Security Stacks (JRSS) in 2014. The JRSS acts as a firewall between the JIE connected services — a federation of networks — and the internet. As a key enabler of JIE’s security architecture, JRSS provides uniform network defense capabilities and boundary protection across all DoD component networks, according to DISA.
Cmdr. Hofheinz laterally transferred to the Information Professional Community in August 2005. His sea tours include electrical and ordnance officer on USS LAKE ERIE (CG 70); operations officer on MCM Rotational Crew Bravo; assistant operations officer, Destroyer Squadron Eighteen; operations officer on USS GONZALEZ (DDG 66); operations officer on USS AUSTIN (LPD 4); C4I Officer and Staff Director; Destroyer Squadron Two Six.
Ashore, he served as the primary representative for the U.S. Fleet Forces Echelon II Chief Information Office coordinating issues for Cyber Asset Reduction with OPNAV N6 and Federal Information Security Management Act (FISMA) compliance with the Department of the Navy Chief Information Officer (DON CIO); Executive Officer for the Multi-National Force J6; Deputy for Information Assurance (IA), U.S. Fleet Forces; N6 and Director Command Information Office, Naval Warfare Development Command; and Current Operations Officer, U.S. Fleet Cyber Command.
Hofheinz holds a Master of Science degree in Electrical Engineering from the Naval Postgraduate School Space Systems Engineering curriculum and is a graduate of the National Defense University Eisenhower School. He is currently the Joint Information Environment Division Head at OPNAV N2N6.
In late June, CHIPS asked Cmdr. Damen Hofheinz, lead for JIE/JRSS in the office of the Deputy Chief of Naval Operations for Information Warfare (N2N6BC), to talk about the Navy’s perspective on the JIE/JRSS environment.
Q: With the Department of the Navy’s launch of the Navy Marine Corps Intranet in 2000, the Navy has already consolidated its networks and established boundary levels, similar to what the JRSS can provide. So the Navy is way out in front of the Army and Air Force in this regard, according to Vice Adm. Ted Branch, DCNO for Information Warfare. Will the Navy eventually migrate its full enterprise to the JIE, and if so, when?
A: Yes, the Navy will start migrating two legacy networks behind JRSS 1.5 in FY16 and continue migrating excepted networks in FY17, FY18 and FY19. We will peer our enterprise networks through JRSS 1.5 in FY17 and migrate behind JRSS 2.0 in FY19 and FY20. Our main focus will be to ensure strong IA controls will continue to be available to the Navy while the JRSS solution matures in both concept and deployment.
Q: Since the JIE/JRSS is not a program of record, is funding a concern for migration?
A: The Navy has allocated funds for our DoD CIO enterprise bill. The Navy internal bill to fund our migration behind JRSS was submitted as a POM18 issue. I believe that we will be able to work through any funding shortfalls.
Q: According to a report in Breaking Defense, the Navy plans to begin moving networks behind JIE/JRSS this summer with about 53 excepted networks that don’t work well within the NMCI environment. Can you discuss the type of networks these are? Will the Navy have visibility into how the networks are performing to make an assessment for further migration of other networks?
A: These are networks that due to their functional requirements were difficult to transition into NMCI such as the METOC (meteorology and oceanography) networks. These networks have high processing requirements and provide data to a large portion of the government and civilian agencies. Their mission requirements did not facilitate them being integrated into NMCI.
The other networks targeted for migration behind JRSS have similar requirements and restrictions. The first two networks to migrate will allow the Navy to standardize our migration process, command and control (C2), and the engineering required to harness the JRSS controls.
FLTCYBERCOM will gain an understanding of the capabilities of JRSS and the management of the Navy Virtual Routing and Forwarding (VRF) in JRSS. A VRF, to me, is similar to a community of interest (COI). Each VRF that the Navy creates in JRSS will be controlled by Navy. The Navy will be responsible for deploying the signatures and security policies that impact each VRF. Once integrated, we intend to use the tools available in the Joint Management Solution (JMS) to gain further C2 of these networks.
Q: Is the Navy participating in JIE/JRSS planning?
A: Yes, Navy has personnel from OPNAV, SPAWAR, PEO-EIS, NAVIFOR, FLTCYBERCOM, and PEO-C4I actively engaged in a host of IPTs, IDTs (integrated process teams, integrated design teams) and working groups with DISA and [the] other services. We also have internal teams working diligently to plan the Navy migration behind JRSS. OPNAV holds a bi-weekly JRSS sync meeting to coordinate Navy efforts. Additionally, SPAWAR is holding quarterly security syncs to support migration planning efforts.
Q: Would there be advantages to the Navy migrating to the JIE/JRSS environment?
A: Absolutely, Navy will share a common enterprise level protection with the other services. This will allow us to share and develop common solutions and signatures. Additionally, we will have insight into what the other services are experiencing.
Q: Are there cybersecurity concerns about moving so much sensitive data into a centralized location?
A: Aggregation of data is always a concern. With the JMS being built with the intention of processing all traffic for all services, the Navy is working keenly on how to best secure this data from an eventual breach and how best to situate the DoD in that event. That is why the Navy is leading the charge on building the Installation Processing Node Security Stack (IPNSS) and providing that segmentation. This will be the protections required for the servers. As not all missions allow for their applications to move to a Central Datacenter (CDC), IPNSSs will give the CND (computer network defense) operators the IA controls necessary to defend the network, while protecting the data, the real goal.
The Navy is planning on testing the JIE/JRSS and IPN Security Stack Architecture in the latter part of FY16 with Navy users and applications. This testing will inform the Navy’s deployment strategy and build-out of the IPN Security Stacks as we migrate behind, and leverage the capabilities of, JRSS.
Q: I read the JIE/JRSS poses some concern for the Army and Marine Corps because there is a borderline where JIE ends and the tactical edge begins. For Navy ships that rely on satellite and radio-frequency driven systems, are there concerns about connectivity to the JIE/JRSS? Isn’t the Navy already collapsing, modernizing, and improving networks and cybersecurity for its shipboard networks with Consolidated Afloat Networks and Enterprise Services (CANES)?
A: Yes, we are. The Tactical Processing Node (TPN) security stack will be the IA control point for those types of communications. The TPNSS will be a subset of the IPNSS configuration. The Navy is planning on testing the JIE/JRSS architecture in the latter part of FY16 with Navy users and applications. This testing will give us insight into the impact of JRSS on Navy traffic. However, not all traffic traverses a JRSS, as it [is] only traversed internally to the Navy; that is where the IPNSS and TPNSS protections come into play.
Q: Is there anything else you would like to discuss?
A: The JRSS is replacing the discretionary service-level enterprise security boundary with a standardized solution. Working in collaboration, the JRSS will provide security for the inter-service and internet-bound traffic, while the IPNSS secures and protects the services’ data, wherever it is being accessed from. As the JRSS matures and version 2.0 is fully deployed, the Navy will migrate our Boundary 1 (B1) Security IA controls to the JRSS and decommission the B1s.