The NDAA for Fiscal Year 2017, which was discussed previously by EZGovOpps for the small business provisions it included, also holds an important provision regarding the implementation of the Joint Regional Security Stack (JRSS), a massive cybersecurity upgrade designed by the Defense Information Systems Agency (DISA) for what the agency hopes will one day be a unified network and security system for the entire DOD known as the Joint Information Environment (JIE). The new provisions, however, have placed restrictions on JRSS operations until the work and implementation, conducted by Lockheed Martin through the GSM-O contract, passes certified operational tests and evaluations conducted by the DOD. This could mean that full JRSS implementation might be delayed past the current GSM-O contract, and it could also impact other programs attempting to integrate with JRSS and JIE, such as the large NGEN-R contract that EZGovOpps covered in December.
Much like goals of the NMCI project that began in 2000, DISA sought to integrate separate military communications systems into a single infrastructure. DISA awarded contracts under the DISA Global Solutions (DGS) solicitation in 2001 to meet this goal. SAIC and other companies including Apptis (formerly known as SETA Corp.) were awarded the DGS contract to update, manage, and expand the Defense Information Systems Network (DISN), with set-asides included for small businesses. This contract allowed for network management, engineering, installation, and expansion, paving the way for DISA to plan larger operations and goals for DISN.
In 2010, DISA released a solicitation for a new Global Information Grid Service Management-Operations (GSM-O) contract that would allow for the daily maintenance of DISN, the unclassified NIPRNet and classified SIPRNet, and other assorted networks falling under the DISA’s purview in the Global Information Grid. GSM-O awardees would also be required to implement new networks as designed under a separate contract: GSM Engineering, Transition and Implementation (GSM-ETI), awarded as a small business set-aside in 2012 to 7 companies and joint ventures including Digital Management, Inc. and IPKeys Technologies LLC.
In total, the GSM-O performance work statement (PWS) outlined 6 functional task areas including program management and network operations, and 24 network and systems areas to be supported under those functional tasks. These tasks fell under the NAICS code of 541513 – Computer Facilities Management Services, with a small business size standard of $27.5 million.
After competition between teams lead by Lockheed Martin and SAIC, the incumbent in the DGS contract, Lockheed won the award in 2012 for GSM-O with a potential value of $4.6 billion for a 3-year base period and two 2-year options. SAIC protested the decision, but the Government Accountability Office denied the protest, and continued the award to the Lockheed-lead team which includes BAE Systems, ManTech, Heptagon, and specialized small businesses whose subcontracting was mandated in the solicitation.
Much like the trend across the federal government for stronger cybersecurity measures, DISA began planning and designing two major security goals: JIE and JRSS. Recognizing that “Right now, we don’t have a DOD network and we don’t have a department that is able to operate in a cyber domain,” with the DOD fragmented into separate networks such as the NMCI, DISA took on the lofty goal of developing, finally, a interdepartmental network and cybersecurity structure which would create more easily accessible, more secure information environment for the warfighter.
In the JIE program, DISA’s stated goal is to create a network “that optimizes the use of DOD’s IT assets by converging communication, computing, and enterprise services into a single joint platform that can be leveraged for all missions.” Utilizing new technologies and services including Multi-Protocol Label Switching (MPLS) and cloud-based computing, JIE would be a make a major impact on the speed and accessibility of information across the DOD.
However, cybersecurity has continued to dominate IT evolution discussions and implementation, and became a major component to the JIE platform. The JRSS was designed to mitigate the “seams and gaps” of current, separate cybersecurity platforms utilized by the DOD branches and their networks, and transition all of the branches into a single security environment, the first step towards completing the goals of the JIE.
These literal stacks of security equipment were designed for installation in bases located both CONUS and OCONUS. According to DISA, all DOD network traffic would be funneled through one of the 25 security stacks handling either unclassified traffic on the NIPRNet or Secret traffic on SIPRNet. The security stacks would utilize state-of-the-art network, firewall, and other security components to detect and prevent cyberattacks, as well as monitor user activity and break SSL encryption in an effort to predict and stop insider threats.
DOD Contracts and JRSS
Implementation of these goals through JRSS installation would first be handled by Lockheed Martin and its partners under the GSM-O vehicle. The original installation would be broken up into three phases, known as JRSS 1.0, 1.5, and 2.0, allowing for the evolution of the security stacks from basic operating capabilities to more advanced enhancements. The first installation of JRSS was completed at Joint Base San Antonio in 2014, but even that installation experienced problems early on. However, the pilot program proved successful enough that in 2015 DISA decided to move forward with the JRSS program, with continued implementation under GSM-O by Lockheed Martin and partners.
Prior to the new NDAA testing requirements, DOD in 2016 intended to complete full implementation of the JRSS by 2019 – the same year the GSM-O contract is slated to end. The new NDAA requirements could impact the timeline of JRSS installation and improvements, delaying full completion past the end of GSM-O. The DOD Chief Information Officer also admitted that because technology is evolving so quickly, JRSS standards moving on from version 1.5 onward may look very different than originally planned.
Beyond impacting the original GSM-O contract, the new NDAA clause may impact decisions by other DOD agencies, as the Navy has been hesitant in accepting JRSS until it is certain that it is more secure than the existing NMCI security platform. While the Navy may start planning for JRSS upgrades and funding in 2017, it will not be through the GSM-O contract or its successor, but through the Navy’s own NGEN contract which is due to end in 2018. This could impact future solicitation requirements for NGEN-R.
However, the NDAA stipulation also includes a section on testing waivers. If the DOD agency heads and CIOs prove that testing requirements are inadequate or unnecessary, prior testing was sufficient, or that national security needs outweigh any potential delay, they may then declare full operational capability of the JRSS.
Regardless of the NDAA impact, JRSS is a major DOD program which has provided for large and small business contracting, and is bound to require further contractor involvement until at least 2019. It will be important to keep an eye on JRSS and contracts related to it during this important phase of work.
For a closer look at GSM-O and NGEN, sign up for a free trial with EZGovOpps. In less than 60 seconds, you will have access to the premier government market intelligence tool, allowing for access to more history on the NGEN and GSM-O programs, custom analyst updates, Industry Day information, and daily tracking from the solicitation period through to final contract awards. Easily set up your profile for alert notifications on these exciting RFPs.
For more contracting news, stay tuned for updates on EZGovOpps GovCon News.