The GAO Takes DoD to Task over JIE

Published: July 20, 2016

CybersecurityDEFENSEGAOInformation TechnologyJoint Information Environment (JIE)

The DoD plans to spend more than $1B on the Joint Information Environment by the end of fiscal 2016, an amount that has drawn the attention of Congress and the GAO.

The U.S. Government Accountability Office (GAO), the federal government’s budget and program watchdog, released a study recently criticizing the Department of Defense for lax governance and program management in its implementation of the Joint Information Environment (JIE). Finding that the DoD “has not fully defined [the] JIE’s scope or expected cost. [Defense] officials reported that assessing the cost of JIE is complex because of the size and the complexity of the department’s infrastructure and JIE’s implementation approach. However, without information about expected JIE costs, the ability of officials to oversee and make effective resource decisions is limited.” GAO investigators added that the DoD has also not adequately addressed the security of the JIE, claiming it “lacks a strategy to ensure required JIE security assessments are conducted,” resulting in the fact that “DoD risks having a deficient security posture” and that it will not be “able to ensure that it will have the appropriate workforce knowledge and skills needed to support JIE.”

DoD responded to the GAO’s findings by claiming that “the JIE is not a program of record or an acquisition program.” Rather, the JIE “is a construct for managing improvement and modernization of DoD’s IT infrastructure and the associated operational concepts, and does not have a discrete beginning or ending such as would be expected with a program. Furthermore, according to the JIE implementation strategy, the department plans to use existing DoD component programs, initiatives, technical refresh plans, acquisition processes, and funding to deploy and migrate the existing infrastructure to JIE standards.”

Here we have the crux of the dilemma. The DoD has always defined the JIE as an “initiative” or a desired end-state, not as an official program with definable parameters. Undoubtedly, the JIE’s squishy design concept is motivated in part by a desire to escape the budgetary and reporting confines of a formal defense Program of Record (PoR). However, according to my understanding of the initiative, there are other good reasons why JIE had been pursued in a non-programmatic manner.

The first of these is of course complexity. The JIE is truly a joint effort that spans all the military departments and defense agencies. It is a massive undertaking that requires budgetary and personnel resources from a large variety of participants. Compressing these into a single PoR might be well-nigh impossible. The second reason is the structure of federal budgeting. Because the JIE is largely a hardware intensive activity it makes sense to use tech refresh budgets to implement the new network and server stack gear required for the basic architecture. The DoD finds itself on the receiving end of 43,000 attempted intrusions into its networks daily. Faced with a threat of that magnitude, the DoD settled on a strategy for rapidly implementing a new network security construct – the JIE.

The GAO’s critique of the DoD’s JIE implementation is based on the fact that the DoD isn’t following accepted best practices for program management and budgeting. The criticism is valid, but the GAO also appears to be comparing apples and oranges. The JIE could almost certainly benefit from stronger governance by the DoD CIO and by better training of workforce personnel to address skillset and security shortfalls and DoD has embarked on an effort to address this by standing up the Cyber Mission Force (CMF). Ultimately, it will be the automated tools wielded by CMF cyber warriors that police the JIE and ensure the safety of the DoD Information Network (DoDIN), not better program management or bureaucratic governance.