DISA is working on unified plan to phase out Joint Regional Security Stacks
As the Defense Department's top IT agency moves forward with Thunderdome, its answer to zero trust, it's also mapping out how the embattled JRSS program feeds into it.
The Defense Information Systems Agency is working on a "single strategic vision" as it prepares to meld the legacy Joint Regional Security Stacks program with its zero trust efforts, according to defense IT officials.
Jason Martin, the director for DISA's Digital Capabilities and Security Center, said the agency is working to synchronize the program offices for JRSS and Thunderdome, DISA's initiative for building zero trust architecture.
"It has really been a true team effort to lay down the Thunderdome strategy, and what that really means for JRSS," Martin said Jan. 13 during a virtual conference hosted by AFCEA's Northern Virginia chapter.
Martin noted that the strategic shift has caused some contention as some users "really do enjoy and like JRSS, and have really adopted it and had incredible experiences with it." So the goal is to begin coordinating with users across the department, and also evaluate spending for the legacy program's requirements with the Joint Information Environment Executive Committee and Thunderdome program office.
"So what we've done is looked at the requirements from JRSS in coordination with the JIE [Executive Committee] and also in coordination with the newly set up Thunderdome program office as to what can we spend now, what do we need to spend now, all the while balancing what security is required, whether it's in the Pacific theater, or you know, in Europe, for example, based on you know, current events," Martin said.
"And what we're in the process of doing now is truly building out an executable schedule from both the JRSS program office and the Thunderdome office," which are organized under DISA's cybersecurity and analytics directorate, and produce a "single strategic vision for how to do that."
Once completed, Martin said DISA will publish the milestones and continue syncing and coordinating with the transitional components.
The JRSS program has faced security issues and criticism from oversight bodies in recent years, including complaints that the program was understaffed and the suggestion that implementation should be halted until cybersecurity problems were resolved.
But complications aside, the program isn't going anywhere anytime soon as the transition to Thunderdome will take some time, said Maj. Gen. Garrett Yee, DISA's assistant to the director.
"JRSS isn't going away right away, it'll be here for some time. And what will happen is Thunderdome will cut into it over time. And eventually JRSS will transition to, you know, something else, which is the future of Thunderdome," Yee said. "Firewalls aren't going away; they're just going to different places in the system of systems that we have to defend."
The recently passed 2022 National Defense Authorization Act required the Defense Department to create a zero trust strategy, principles, model architecture and implementation plan. Part of that includes assessing "the utility of the Joint Regional Security Stacks, automated continuous endpoint monitoring program, assured compliance assessment solution, and each of the defenses at the Internet Access Points for their relevance and applicability to the zero trust architecture and opportunities for integration or divestment."
The law also authorized $9.34 million in research, development, test and evaluation funding for JRSS.
Stephen Wallace, the Defense Information Systems Agency's chief technology officer, said that while the program has had its challenges, it also provided a platform for evolution in IT security.
"JRSS is very network focused from that perspective. And so it's really, you know, layer 3, layer 4 focused in many of the things that it does. What we're looking at here is capabilities that move all the way up to layer 7 in the [Open Systems Interconnect] model," Wallace said of the pivot to Thunderdome.
"And that's kind of the focus there. It's really a routing platform, but then there's also the network security platform of JRSS. So this is really, ultimately a step in evolution, if you will."