A Senate committee’s version of the annual defense policy bill would ban the Department of Defense from spending money to deploy a controversial cybersecurity program on its secret network.
The Senate Armed Services Committee’s version of the National Defense Authorization Act for fiscal year 2021, released June 23, would preclude the department from spending fiscal 2021 funds on the Joint Regional Security Stacks (JRSS) program for use on its Secret Internet Protocol Router Network. JRSS, run by the Defense Information Systems Agency provides cybersecurity services for many DoD components through intrusion detection and prevention, enterprise management, and virtual routing. DISA is tasked with operating and maintaining DoD networks,
The Senate bill authorizes cuts of about $11.6 million from the JRSS, including $11.1 million in JRSS procurement funds for SIPRNet and about $500,000 in research, development, testing and evaluation. The House bill authorizes deeper cuts, slashing procurement dollars from $88 million to $8 million and research and development funds to zero from $9 million.
Because of the continued challenges plaguing the program “the committee believes that the deployment of JRSS on the Secret Internet Protocol Router Network is thus inappropriate, given JRSS’ limited cybersecurity capability and the existence of alternative capabilities to execute its network functions,” the Senate committee wrote in a report accompanying the bill.
As Congress questions the efficacy of the program, it also wants answers. Under the legislation, the Secretary of Defense would have to answers the following questions by Dec. 1, 2021.
If the DoD finds that JRSS should move forward, it must develop a plan to transition it to a program of record by October 2021.
The fiscal 2019 report from the Pentagon’s Office of the Director of Operational Test and Evaluation recommended that the DoD chief information officer refrain from migrating more users to JRSS until “the system demonstrates that it is capable of helping network defenders to detect and respond to operationally realistic cyber‑attacks.”