Joint Information Environment: DOD Needs to Strengthen Governance and Management [Reissued on October 25, 2016]
Highlights
What GAO Found
The Department of Defense (DOD) plans to spend almost $1 billion by the end of this fiscal year to implement one element of the Joint Information Environment (JIE); however, the department has not fully defined JIE's scope or expected cost. Officials reported that assessing the cost of JIE is complex because of the size and the complexity of the department's infrastructure and JIE's implementation approach. However, without information about expected JIE costs, the ability of officials to oversee and make effective resource decisions is limited.
In addition, DOD has begun to assess the workforce needed to operate JIE, but has not determined the number of staff and the specific skills and abilities needed. DOD also lacks a strategy to ensure required JIE security assessments are conducted. Officials stated that the department has taken steps to address JIE personnel and security needs, but it does not have plans in place to address these existing gaps. As a result, DOD risks having a deficient security posture and not being able to ensure that it will have the appropriate workforce knowledge and skills needed to support JIE.
Table: JIE Elements
Element | Description |
---|---|
Single security architecture | Department-wide network security architecture |
Optimized networks | Reduced number of networks |
Identity and access management | Capability to create and administer identities across the department |
Data centers and nodes | Core data centers and nodes to provide fast and secure connections to any application or service from any authorized network at any time |
Software application rationalization and server virtualization | An effort intended to enable efficiencies and enhance information sharing |
Desktop virtualization | A standardized virtual desktop environment |
Mobility services | Integration of secure and non-secure communications and portable, cloud-enabled command and control capability |
Enterprise services | Services, such as e-mail, provided in a common way across the department |
Mission partner environment | A common set of standards, protocols, and interfaces to enhance data sharing with other agencies; allies; coalition partners; and private sector organizations |

Source: GAO analysis of agency data. | GAO-16-593.
DOD has recently begun efforts to update the JIE governance structure and processes, including identifying the decisions and processes that it needs to document to support the effort. For example, it identified the need to document the process for planning and approving deployment of new JIE capabilities. However, the department has not established associated time frames. Until DOD establishes processes for helping to ensure that JIE decisions are based on reliable scope, cost, and schedule information, the department will face continued challenges in its ability to effectively oversee the initiative.
Why GAO Did This Study
For fiscal year 2017, DOD plans to spend more than $38 billion on information technology to support thousands of networks and millions of computers and other electronic devices connected to its networks. In August 2010, the Secretary of Defense announced an initiative, the JIE, to consolidate infrastructure in order to improve mission effectiveness, achieve savings, and improve network security.
A Senate Armed Services committee report included a provision for GAO to evaluate JIE. GAO's objectives were to (1) determine the extent to which DOD has effectively established scope, cost, and implementation plans for the initiative and (2) determine the extent to which DOD is executing effective oversight and governance of JIE. GAO compared JIE scope, cost, schedule, workforce planning, and security planning with leading program management practices, DOD guidance, and statutes. In addition, it compared JIE governance with leading practices.
Reissued on October 25, 2016
Recommendations
To help achieve JIE benefits and to enable effective oversight and governance, GAO recommends that DOD, among other things, fully define JIE's scope and expected cost, and take steps to improve workforce and security planning. DOD described steps it is taking or plans to take to address all of GAO's recommendations.
Recommendations for Executive Action
Agency Affected | Recommendation | Status |
---|---|---|
Department of Defense | To help the department achieve the benefits anticipated from JIE, the Secretary should direct the DOD Chief Information Officer (CIO), and other entities, as appropriate, to develop a detailed JIE scope statement that is verified by stakeholders and approved by the Executive Committee. | DOD partially concurred with our recommendation and has implemented it. In its written response to our draft report, DOD stated that its partial concurrence was due to the language we used to introduce the recommendations. Specifically, we stated that the Secretary of Defense should direct the appropriate entities to implement the recommendations. In its comments, DOD stated that the DOD Chief Information Officer (CIO) is responsible for implementing JIE, and referred to a May 2013 memo from the Deputy Secretary of Defense directing DOD components to participate in and implement JIE under the direction of the DOD CIO. In response to DOD's comments, we revised the language used to introduce our recommendations. Specifically, we revised the language to call for the Secretary to direct the DOD CIO and other entities, as appropriate, to take the recommended actions. In August 2017, the Joint Information Environment Executive Committee approved a scope statement that describes priority JIE infrastructure efforts and the relationship of key components through Fiscal Year 2021. |
Department of Defense | To help the department achieve the benefits anticipated from JIE, the Secretary should direct the DOD CIO and other entities, as appropriate, to establish a plan for managing, documenting, and communicating scope. | DOD partially concurred with our recommendation and has implemented it. In its written response to our draft report, DOD stated that its partial concurrence was due to the language we used to introduce the recommendations. Specifically, we stated that the Secretary of Defense should direct the appropriate entities to implement the recommendations. In its comments, DOD stated that the DOD Chief Information Officer (CIO) is responsible for implementing JIE, and referred to a May 2013 memo from the Deputy Secretary of Defense directing DOD components to participate in and implement JIE under the direction of the DOD CIO. In response to DOD's comments, we revised the language used to introduce our recommendations. Specifically, we revised the language to call for the Secretary to direct the DOD CIO and other entities, as appropriate, to take the recommended actions. In August 2017, the department established a scope statement, which documents the scope of JIE and met the intent of this recommendation by describing how its scope will be periodically reviewed and approved. |
Department of Defense | To help the department achieve the benefits anticipated from JIE, the Secretary should direct the DOD CIO and other entities, as appropriate, to develop a reliable JIE cost estimate and baseline, consistent with the best practices described in this report. | The Department of Defense has not sufficiently implemented this recommendation, and in April 2020, the department's office of the Chief Information Officer stated that the department was in the process of retiring JIE. Since we made our recommendation, the department approved a cost baseline for one of the components of JIE, the Joint Regional Security Stacks (JRSS), and developed a cost estimate for another component, the Enterprise Collaboration and Productivity Services (ECAPS) program. The ECAPS cost estimate was substantially consistent with the practices described in the report. However, the JRSS cost estimate was not developed consistent with the best practices described in the report. Given that the department is in the process of retiring JIE, and therefore does not plan to implement the recommendation, we are closing the recommendation as not implemented. |
Department of Defense | To help the department achieve the benefits anticipated from JIE, the Secretary should direct the DOD CIO and other entities, as appropriate, to develop a reliable Joint Regional Security Stacks (JRSS) cost estimate and baseline, consistent with practices described in this report. | The Department of Defense has not implemented our recommendation. As of December 2021, the department had not demonstrated that it had developed a reliable JRSS cost estimate and baseline. In December 2021, the department reported that it plans to phase out JRSS within five years. Specifically, the department reported that it plans to implement a new security and network architecture approach instead of JRSS. Given that the department plans to end the JRSS program, we are closing the recommendation as not implemented. |
Department of Defense | To help the department achieve the benefits anticipated from JIE, the Secretary should direct the DOD CIO and other entities, as appropriate, to develop a JIE schedule management plan and reliable schedule, consistent with practices described in this report. | As of June 2020, DOD had not developed a JIE schedule management plan or a reliable JIE schedule. Furthermore, the department does not plan to develop them. DOD developed schedules for two JIE components, Joint Regional Security Stacks and Enterprise Collaboration and Productivity Services Defense Enterprise Office Solutions; however, neither schedule demonstrated that the department had sufficiently addressed the weaknesses discussed in our report. In April 2020, DOD stated that it was impractical to provide a comprehensive JIE schedule because no other JIE initiatives had been established as acquisition programs. DOD also said that its approach to modernizing IT was evolving and that it was in the process of retiring JIE. Given that the department is retiring JIE, and therefore does not plan to implement the recommendation, we have closed the recommendation as not implemented. |
Department of Defense | To help the department achieve the benefits anticipated from JIE, the Secretary should direct the DOD CIO and other entities, as appropriate, to develop a JRSS schedule management plan and reliable JRSS schedule and schedule baseline, consistent with practices described in this report. | The Department of Defense has not implemented our recommendation. In December 2019, the department developed a JRSS Schedule Management Plan; however, as of December 2021, the department had not demonstrated that it had developed a schedule consistent with the practices described in our report. In December 2021, the department reported that it plans to phase out JRSS within five years. Specifically, the department reported that it plans to implement a new security and network architecture approach instead of JRSS. Given that the department plans to end the JRSS program, we are closing the recommendation as not implemented. |
Department of Defense | To help the department achieve the benefits anticipated from JIE, the Secretary should direct the DOD CIO and other entities, as appropriate, to complete an assessment to determine the number of staff and the specific skills and abilities needed to effectively achieve JIE, consistent with the workforce planning practices described in this report. | As of April 2020, the Department of Defense (DOD) had taken steps to address, but had not sufficiently implemented, this recommendation. In 2016, we reported that, according to the March 2014 JIE Personnel Plan, the department planned to develop and document the knowledge, skills, and abilities required for JIE. According to the plan, the department's DOD Cyberspace Workforce Framework would define the department-wide cyberspace workforce and the work it performs, and relevant work roles in support of JIE would be identified predominantly from the roles of the IT and cybersecurity workforces. Since then, the department developed an inventory of cybersecurity knowledge and skills of existing staff. The department also identified work roles of critical cybersecurity need and determined the staffing level shortage for these roles. However, as of April 2020, the department had not demonstrated that it had assessed the knowledge and skills needed specifically to execute JIE. The department stated that its approach to IT modernization was evolving and the department was in the process of retiring JIE. Accordingly, the department does not plan to implement the recommendation and we are closing the recommendation as not implemented. |
Department of Defense | To help the department achieve the benefits anticipated from JIE, the Secretary should direct the DOD CIO and other entities, as appropriate, to develop a strategy for conducting JIE security assessments that describes the resources needed to execute the strategy, responsible organizations, and a schedule to complete the assessments. | As of April 2020, the Department of Defense had not demonstrated that it has developed a strategy for conducting JIE security assessments. According to an update on the status of the recommendation, provided by the Office of the DOD CIO, JIE is a management framework for coordinating and synchronizing modernization of the DOD Information Network (DODIN). The department provided a schedule for conducting fiscal year 2020 "no notice" DODIN site inspections. However, the department did not demonstrate that it has developed a strategy for conducting JIE security assessments that describes the plans and resources needed to execute the strategy. The department stated that its approach to modernizing IT was evolving and that it was in the process of retiring JIE. Accordingly, the department does not plan to implement the recommendation and we are closing the recommendation as not implemented. |
Department of Defense | To help the department achieve the benefits anticipated from JIE, the Secretary should direct the DOD CIO and other entities, as appropriate, to develop a strategy and schedule to transition JRSS to the Risk Management Framework, and develop the security plan required by the new framework. | DOD partially concurred with our recommendation; however, it has fully implemented it. In its written response to our draft report, DOD stated that its partial concurrence was due to the language we used to introduce the recommendations. Specifically, we stated that the Secretary of Defense should direct the appropriate entities to implement the recommendations. In its comments, DOD stated that the DOD Chief Information Officer (CIO) is responsible for implementing JIE, and referred to a May 2013 memo from the Deputy Secretary of Defense directing DOD components to participate in and implement JIE under the direction of the DOD CIO. In response to DOD's comments, we revised the language used to introduce our recommendations. Specifically, we revised the language to call for the Secretary to direct the DOD CIO and other entities, as appropriate, to take the recommended actions. In August 2018, DOD demonstrated that the Joint Regional Security Stacks transitioned to the Risk Management Framework and has developed the security plan required by the framework. |