DOD CIO: Recent GAO criticism of JIE is off base

The CIO of the Department of Defense said that a recent Government Accountability Office report criticizing oversight and management of the DOD's Joint Information Environment initiative misses the mark.

"DOD has not effectively defined or managed JIE's scope," reads the GAO report, which is an Oct. 25 revision of an earlier report. "While the department has defined JIE scope at a high level, its scope is not sufficiently defined to determine what, specifically, is and is not included in JIE."

"As a result of the program's management and planning weaknesses," the report continues, "DOD decision makers and congressional stakeholders lack reliable information needed to make informed decisions about progress and needed changes."

But, DOD CIO Terry Halvorsen told reporters on Nov. 1 that JIE is not a program in and of itself and can't be evaluated or monitored in the way GAO is used to evaluating programs.

"What we have tried to tell GAO in this case, you don't measure JIE, you have to measure the components," said Halvorsen. "I can very clearly demonstrate to them and measure the components like [Joint Regional Security Stacks] that have set standards."

JRSS is a regional security suite of firewalls, intrusion detection, enterprise management and virtual routing capabilities that will replace locally based network security systems.

"JRSS has equipment that you can look at, see if it's working right, you can look at the software, we're doing that," said Halvorsen. "We're testing that... I think [GAO was] looking for a different acquisition answer that doesn't exist."

"Obviously we did not do a good enough job in educating GAO about the difference of what JIE was as a concept and what JRSS and [Mission Partner Environment] are as programs under that concept that are measurable," said Halvorsen.

Halvorsen said that when DOD launched JIE, it wasn't entirely clear within the department that JIE was a concept that set out the goal of a more consolidated, centralized and standardized IT system and that the components would change as technology evolves.

"I will take the hit that it really is an education problem," said Halvorsen. "I think it also means the people reading [the report] and learning it also have to understand we are in the midst of a major change both in speed, pace and how we the government move and take advantage of much more commercial technology, practices and procedures."

Halvorsen said that when it comes to testing and evaluating programs like JRSS and MPE, the focus needs to be less on the technology, because he said it's already proven technology, and more on the ability of the workforce to properly use the technology.

"I've got to be able to take and make sure that my training and education processes can be implemented for this type of technology," Halvorsen explained. "And can I do that not just at the individual level, but can I do that at the unit level and can I make that data be cohesive and intelligent up and down user chain?"

He said that training and operationalizing new procedures, and sustaining that training, will continue to be the long term challenge for DOD as it continues efforts to modernize its systems.

Another aspect of JIE is the consolidation of DOD data centers, and Halvorsen said that the newly formed data center consolidation team has begun its first site visit to Charleston, S.C. The team will spend roughly two weeks visiting data centers there to compile data on the cost and mission effectiveness of those centers and then recommend a course of action.

"Those next steps could be converging some of those data centers, could be completely converging them into one data center," said Halvorsen. "It could be that we look at all that, look at what we have other places and say all of those could be converged someplace else."

Halvorsen said that DOD is behind schedule in its data center consolidation process and he's trying to drive that mission, but also make sure that the process is comprehensive, transparent and focused on making a total value assessment in line with industry best practices. His goal is to have the team's report on the Charleston centers finalized with a recommended action determined by the end of the year.

Halvorsen also announced progress in a few other areas relating to JIE goals and improving DOD network security and efficiency.

On Oct. 21, the DOD published a final rule requiring contractors to comply with NIST security regulations to protect unclassified information on non-federal information systems. The rule also requires contractors and subcontractors to report cyber incidents "resulting in an actual or even a potentially adverse effect on covered contractor information systems, on a contractor's ability to provide operational critical support," said Halvorsen.

Last month DOD also updated the Defense Industrial Base cybersecurity program to enable all cleared contractors to participate in DOD's voluntary cyberthreat sharing program.

DOD also updated Defense Federal Acquisition Regulation Supplement to tighten security standards on cloud computing acquisition.

Lastly, Halvorsen said the upcoming political transition might briefly slow some of the DOD's initiatives, but is unlikely to cancel JIE, JRSS, cloud transition or the elimination of Controlled Access Cards, which he said is now moving more quickly due to new technological options presented by the Defense Innovation Unit Experimental.

----This Story Was Originally Published in Federal Computer Week----