Joint Information Environment:
DOD Needs to Strengthen Governance and Management [Reissued on October 25, 2016]
GAO-16-593: Published: Jul 14, 2016. Publicly Released: Jul 14, 2016.
Additional Materials:
- Highlights Page:
- Full Report:
- Accessible Version:
Contact:
What GAO Found
The Department of Defense (DOD) plans to spend almost $1 billion by the end of this fiscal year to implement one element of the Joint Information Environment (JIE); however, the department has not fully defined JIE's scope or expected cost. Officials reported that assessing the cost of JIE is complex because of the size and the complexity of the department's infrastructure and JIE's implementation approach. However, without information about expected JIE costs, the ability of officials to oversee and make effective resource decisions is limited.
In addition, DOD has begun to assess the workforce needed to operate JIE, but has not determined the number of staff and the specific skills and abilities needed. DOD also lacks a strategy to ensure required JIE security assessments are conducted. Officials stated that the department has taken steps to address JIE personnel and security needs, but it does not have plans in place to address these existing gaps. As a result, DOD risks having a deficient security posture and not being able to ensure that it will have the appropriate workforce knowledge and skills needed to support JIE.
Table: JIE Elements
|
Element |
Description |
|
Single security architecture |
Department-wide network security architecture |
|
Optimized networks |
Reduced number of networks |
|
Identity and access management |
Capability to create and administer identities across the department |
|
Data centers and nodes |
Core data centers and nodes to provide fast and secure connections to any application or service from any authorized network at any time |
|
Software application rationalization and server virtualization |
An effort intended to enable efficiencies and enhance information sharing |
|
Desktop virtualization |
A standardized virtual desktop environment |
|
Mobility services |
Integration of secure and non-secure communications and portable, cloud-enabled command and control capability |
|
Enterprise services |
Services, such as e-mail, provided in a common way across the department |
|
Mission partner environment |
A common set of standards, protocols, and interfaces to enhance data sharing with other agencies; allies; coalition partners; and private sector organizations |
Source: GAO analysis of agency data. I GAO-16-593.
DOD has recently begun efforts to update the JIE governance structure and processes, including identifying the decisions and processes that it needs to document to support the effort. For example, it identified the need to document the process for planning and approving deployment of new JIE capabilities. However, the department has not established associated time frames. Until DOD establishes processes for helping to ensure that JIE decisions are based on reliable scope, cost, and schedule information, the department will face continued challenges in its ability to effectively oversee the initiative.
Why GAO Did This Study
For fiscal year 2017, DOD plans to spend more than $38 billion on information technology to support thousands of networks and millions of computers and other electronic devices connected to its networks. In August 2010, the Secretary of Defense announced an initiative, the JIE, to consolidate infrastructure in order to improve mission effectiveness, achieve savings, and improve network security.
A Senate Armed Services committee report included a provision for GAO to evaluate JIE. GAO's objectives were to (1) determine the extent to which DOD has effectively established scope, cost, and implementation plans for the initiative and (2) determine the extent to which DOD is executing effective oversight and governance of JIE. GAO compared JIE scope, cost, schedule, workforce planning, and security planning with leading program management practices, DOD guidance, and statutes. In addition, it compared JIE governance with leading practices.
What GAO Recommends
To help achieve JIE benefits and to enable effective oversight and governance, GAO recommends that DOD, among other things, fully define JIE's scope and expected cost, and take steps to improve workforce and security planning. DOD described steps it is taking or plans to take to address all of GAO's recommendations.
For more information, contact Carol C. Harris at (202) 512-4456 or chac@gao.gov.
Recommendations for Executive Action
Status: Closed - Implemented
Comments: DOD partially concurred with our recommendation and has implemented it. In its written response to our draft report, DOD stated that its partial concurrence was due to the language we used to introduce the recommendations. Specifically, we stated that the Secretary of Defense should direct the appropriate entities to implement the recommendations. In its comments, DOD stated that the DOD Chief Information Officer (CIO) is responsible for implementing JIE, and referred to a May 2013 memo from the Deputy Secretary of Defense directing DOD components to participate in and implement JIE under the direction of the DOD CIO. In response to DOD's comments, we revised the language used to introduce our recommendations. Specifically, we revised the language to call for the Secretary to direct the DOD CIO and other entities, as appropriate, to take the recommended actions. In August 2017, the Joint Information Environment Executive Committee approved a scope statement that describes priority JIE infrastructure efforts and the relationship of key components through Fiscal Year 2021.
Recommendation: To help the department achieve the benefits anticipated from JIE, the Secretary should direct the DOD Chief Information Officer (CIO), and other entities, as appropriate, to develop a detailed JIE scope statement that is verified by stakeholders and approved by the Executive Committee.
Agency Affected: Department of Defense
Status: Closed - Implemented
Comments: DOD partially concurred with our recommendation and has implemented it. In its written response to our draft report, DOD stated that its partial concurrence was due to the language we used to introduce the recommendations. Specifically, we stated that the Secretary of Defense should direct the appropriate entities to implement the recommendations. In its comments, DOD stated that the DOD Chief Information Officer (CIO) is responsible for implementing JIE, and referred to a May 2013 memo from the Deputy Secretary of Defense directing DOD components to participate in and implement JIE under the direction of the DOD CIO. In response to DOD's comments we revised the language used to introduce our recommendations. Specifically, we revised the language to call for the Secretary to direct the DOD CIO and other entities, as appropriate, to take the recommended actions. In August 2017, the department established a scope statement, which documents the scope of JIE and met the intent of this recommendation by describing how its scope will be periodically reviewed and approved.
Recommendation: To help the department achieve the benefits anticipated from JIE, the Secretary should direct the DOD CIO and other entities, as appropriate, to establish a plan for managing, documenting, and communicating scope.
Agency Affected: Department of Defense
Status: Open
Comments: DOD partially concurred with our recommendation; however, it has not yet implemented it. In its written response to our draft report, DOD stated that its partial concurrence was due to the language we used to introduce the recommendations. Specifically, we stated that the Secretary of Defense should direct the appropriate entities to implement the recommendations. In its comments, DOD stated that the DOD Chief Information Officer (CIO) was responsible for implementing JIE, and referred to a May 2013 memo from the Deputy Secretary of Defense directing DOD components to participate in and implement JIE under the direction of the DOD CIO. In response to DOD's comments, we revised the language used to introduce our recommendations. Specifically, we revised the language to call for the Secretary to direct the DOD CIO and other entities, as appropriate, to take the recommended actions. Since we made our recommendation, the department has approved a cost baseline for one of the components of JIE, the Joint Regional Security Stacks. However, the cost estimate for this component was not developed consistent with the best practices described in the report. Specifically, the department did not demonstrate that the cost estimate was well documented, comprehensive, accurate, and credible. In August 2018, the department stated that it had developed a cost estimate for another JIE initiative and provided information for our review. The department further stated that as solutions for other JIE efforts are established, their cost baselines will be added as appropriate. We will continue to monitor the department's efforts to implement this recommendation.
Recommendation: To help the department achieve the benefits anticipated from JIE, the Secretary should direct the DOD CIO and other entities, as appropriate, to develop a reliable JIE cost estimate and baseline, consistent with the best practices described in this report.
Agency Affected: Department of Defense
Status: Open
Comments: DOD partially concurred with our recommendation; however, it has not yet implemented it. In its written response to our draft report, DOD stated that its partial concurrence was due to the language we used to introduce the recommendations. Specifically, we stated that the Secretary of Defense should direct the appropriate entities to implement the recommendations. In its comments DOD stated that the DOD Chief Information Officer (CIO) is responsible for implementing JIE, and referred to a May 2013 memo from the Deputy Secretary of Defense directing DOD components to participate in and implement JIE under the direction of the DOD CIO. In response to DOD's comments we revised the language used to introduce our recommendations. Specifically, we revised the language to call for the Secretary to direct the DOD CIO and other entities, as appropriate, to take the recommended actions. In August 2018, the Office of the DOD CIO stated that another JIE initiative, in addition to the Joint Regional Security Stacks initiative, had progressed sufficiently to formulate a capability delivery schedule. The office stated that after a contract has been awarded, a reliable schedule for this capability will be developed per the recommendation. The office added that schedules for other JIE initiatives will be provided as approaches for delivering these capabilities are established.
Recommendation: To help the department achieve the benefits anticipated from JIE, the Secretary should direct the DOD CIO and other entities, as appropriate, to develop a JIE schedule management plan and reliable schedule, consistent with practices described in this report.
Agency Affected: Department of Defense
Status: Open
Comments: DOD partially concurred with our recommendation; however, it has not implemented it. In its written response to our draft report, DOD stated that its partial concurrence was due to the language we used to introduce the recommendations. Specifically, we stated that the Secretary of Defense should direct the appropriate entities to implement the recommendations. In its comments DOD stated that the DOD Chief Information Officer (CIO) is responsible for implementing JIE, and referred to a May 2013 memo from the Deputy Secretary of Defense directing DOD components to participate in and implement JIE under the direction of the DOD CIO. In response to DOD's comments we revised the language used to introduce our recommendations. Specifically, we revised the language to call for the Secretary to direct the DOD CIO and other entities, as appropriate, to take the recommended actions. In March 2017, the JIE Executive Committee approved a schedule baseline for the Non-secure Internet Protocol Router network component of JRSS; however, the schedule is not consistent with the practices described in our report. In August 2018, the Office of the DOD CIO said that the JRSS schedule is in the process of being re-baselined. In addition, the department has not developed a schedule management plan.
Recommendation: To help the department achieve the benefits anticipated from JIE, the Secretary should direct the DOD CIO and other entities, as appropriate, to develop a JRSS schedule management plan and reliable JRSS schedule and schedule baseline, consistent with practices described in this report.
Agency Affected: Department of Defense
Status: Open
Comments: DOD partially concurred with our recommendation and has taken steps to implement it; however, more needs to be done. In its written response to our draft report, DOD stated that its partial concurrence was due to the language we used to introduce the recommendations. Specifically, we stated that the Secretary of Defense should direct the appropriate entities to implement the recommendations. In its comments, DOD stated that the DOD Chief Information Officer (CIO) is responsible for implementing the Joint Information Environment (JIE), and referred to a May 2013 memo from the Deputy Secretary of Defense directing DOD components to participate in and implement JIE under the direction of the DOD CIO. In response to DOD's comments, we revised the language used to introduce our recommendations. Specifically, we revised the language to call for the Secretary to direct the DOD CIO and other entities, as appropriate, to take the recommended actions. Since we made our recommendation, the department has developed an inventory of cybersecurity knowledge and skills of existing staff. Specifically, we reported in our June 2018 report Cybersecurity Workforce: Agencies Need to Improve Baseline Assessments and Procedures for Coding Positions (GAO-18-466) that the department had developed an assessment that included the percentage of cybersecurity personnel holding certifications and the level of preparedness of personnel without existing credentials to take certification exams. In August 2018, the office of the DOD CIO stated that the department plans to identify work roles of critical need and establish gap assessment and mitigation strategies by April 2019. The office said that these efforts are being overseen by the DOD Cyber Workforce Management Board, which according to the office provides the department a mechanism to continually assess the knowledge and skills needed, including those needed to implement, operate and sustain JIE capabilities. We will continue to monitor the department's efforts to implement this recommendation.
Recommendation: To help the department achieve the benefits anticipated from JIE, the Secretary should direct the DOD CIO and other entities, as appropriate, to complete an assessment to determine the number of staff and the specific skills and abilities needed to effectively achieve JIE, consistent with the workforce planning practices described in this report.
Agency Affected: Department of Defense
Status: Open
Comments: DOD partially concurred with our recommendation; however, as of August 2018, it has not provided evidence that it has addressed it. In its written response to our draft report, DOD stated that its partial concurrence was due to the language we used to introduce the recommendations. Specifically, we stated that the Secretary of Defense should direct the appropriate entities to implement the recommendations. In its comments, DOD stated that the DOD Chief Information Officer (CIO) is responsible for implementing the Joint Information Environment (JIE), and referred to a May 2013 memo from the Deputy Secretary of Defense directing DOD components to participate in and implement JIE under the direction of the DOD CIO. In response to DOD's comments, we revised the language used to introduce our recommendations. Specifically, we revised the language to call for the Secretary to direct the DOD CIO and other entities, as appropriate, to take the recommended actions. In August 2018, the office of the DOD CIO described steps it was taking to address cyber security; however, the department did not demonstrate that it has developed a strategy for conducting JIE security assessments that includes the elements of our recommendation.
Recommendation: To help the department achieve the benefits anticipated from JIE, the Secretary should direct the DOD CIO and other entities, as appropriate, to develop a strategy for conducting JIE security assessments that describes the resources needed to execute the strategy, responsible organizations, and a schedule to complete the assessments.
Agency Affected: Department of Defense
Status: Closed - Implemented
Comments: DOD partially concurred with our recommendation; however it has fully implemented it. In its written response to our draft report, DOD stated that its partial concurrence was due to the language we used to introduce the recommendations. Specifically, we stated that the Secretary of Defense should direct the appropriate entities to implement the recommendations. In its comments DOD stated that the DOD Chief Information Officer (CIO) is responsible for implementing JIE, and referred to a May 2013 memo from the Deputy Secretary of Defense directing DOD components to participate in and implement JIE under the direction of the DOD CIO. In response to DOD's comments we revised the language used to introduce our recommendations. Specifically, we revised the language to call for the Secretary to direct the DOD CIO and other entities, as appropriate, to take the recommended actions. In August 2018, DOD demonstrated that the Joint Regional Security Stacks transitioned to the Risk Management Framework and has developed the security plan required by the framework.
Recommendation: To help the department achieve the benefits anticipated from JIE, the Secretary should direct the DOD CIO and other entities, as appropriate, to develop a strategy and schedule to transition JRSS to the Risk Management Framework, and develop the security plan required by the new framework.
Agency Affected: Department of Defense
Status: Open
Comments: DOD partially concurred with our recommendation; however it has not fully implemented it. In its written response to our draft report, DOD stated that its partial concurrence was due to the language we used to introduce the recommendations. Specifically, we stated that the Secretary of Defense should direct the appropriate entities to implement the recommendations. In its comments, DOD stated that the DOD Chief Information Officer (CIO) is responsible for implementing JIE, and referred to a May 2013 memo from the Deputy Secretary of Defense directing DOD components to participate in and implement JIE under the direction of the DOD CIO. In response to DOD's comments, we revised the language used to introduce our recommendations. Specifically, we revised the language to call for the Secretary to direct the DOD CIO and other entities, as appropriate, to take the recommended actions. Since we made our recommendation, in April 2017, the JRSS program office documented the methodology, ground rules and assumptions, among other things, used to develop the cost estimate we reviewed in our report, and the JIE Executive Committee established the estimate as its JRSS cost baseline. However, the cost estimate documentation was not sufficient to address our recommendation. Specifically, it did not demonstrate that the cost estimate was well documented, comprehensive, accurate and credible. In August 2018, the Office of the DOD CIO stated that ongoing mitigation actions to address operational and system performance issues may drive an update to the cost estimate. We will continue to monitor the department's efforts to address the recommendation.
Recommendation: To help the department achieve the benefits anticipated from JIE, the Secretary should direct the DOD CIO and other entities, as appropriate, to develop a reliable Joint Regional Security Stacks (JRSS) cost estimate and baseline, consistent with practices described in this report.
Agency Affected: Department of Defense
Explore the full database of GAO's Open Recommendations
»
Explore the full database of GAO's Open Recommendations
Dec 17, 2018
![defense icon, source: [West Covina, California] Progressive Management, 2008](https://www.gao.gov/images/rip/defense.jpg "defense icon, source: [West Covina, California] Progressive Management, 2008")
Missile Defense:
Air Force Report to Congress Included Information on the Capabilities, Operational Availability, and Funding Plan for Cobra DaneGAO-19-68: Published: Dec 17, 2018. Publicly Released: Dec 17, 2018.
Dec 14, 2018
-
DOD Depot Workforce:
Services Need to Assess the Effectiveness of Their Initiative to Maintain Critical SkillsGAO-19-51: Published: Dec 14, 2018. Publicly Released: Dec 14, 2018.
Dec 13, 2018
-
Military Personnel:
DOD Needs to Improve Dental Clinic Staffing Models and Evaluate Recruitment and Retention ProgramsGAO-19-50: Published: Dec 13, 2018. Publicly Released: Dec 13, 2018.
Dec 12, 2018
-
National Guard:
Office of Complex Investigations Should Update Policies to Require Additional Documentation for Sexual Assault CasesGAO-19-109: Published: Dec 12, 2018. Publicly Released: Dec 12, 2018. -
Navy and Marine Corps:
Rebuilding Ship, Submarine, and Aviation Readiness Will Require Time and Sustained Management AttentionGAO-19-225T: Published: Dec 12, 2018. Publicly Released: Dec 12, 2018.
Dec 4, 2018
-
Military Retirement:
Service Contributions Do Not Reflect Service Specific Estimated Costs and Full Effect of Proposed Legislation is UnknownGAO-19-195R: Published: Dec 4, 2018. Publicly Released: Dec 4, 2018.
Nov 30, 2018
-
Nuclear Weapons:
NNSA Has Taken Steps to Prepare to Restart a Program to Replace the W78 Warhead CapabilityGAO-19-84: Published: Nov 30, 2018. Publicly Released: Nov 30, 2018.
Nov 29, 2018
-
Maritime Security:
DOT Is Still Finalizing Strategy to Address Challenges to Sustaining U.S.-Flag FleetGAO-19-260T: Published: Nov 29, 2018. Publicly Released: Nov 29, 2018.
Nov 19, 2018
-
Navy Readiness:
Actions Needed to Address Costly Maintenance Delays Facing the Attack Submarine FleetGAO-19-229: Published: Nov 19, 2018. Publicly Released: Nov 19, 2018.
Nov 15, 2018
-
Agent Orange:
Actions Needed to Improve Accuracy and Communication of Information on Testing and Storage LocationsGAO-19-24: Published: Nov 15, 2018. Publicly Released: Nov 15, 2018.
Looking for more? Browse all our products here
Explore our Key Issues on National Defense
- Best Practices and Leading Practices in Acquisition Management
- Countering Overseas Threats
- Department of Energy's Contract Management for the National Nuclear Security Administration and Office of Environmental Management - High Risk Issue
- DOD Approach to Business Transformation - High Risk Issue
- DOD Contract Management - High Risk Issue
- DOD Supply Chain Management - High Risk Issue
- DOD Support Infrastructure Management - High Risk Issue
- DOD Weapon Systems Acquisition - High Risk Issue
- Energy Management in DOD Facilities
- Ensuring the Effective Protection of Technologies Critical to U.S. National Security Interests - High Risk Issue
- Military Base Realignments and Closures
- Military Force Sizing and Organization
- Modernizing the Nuclear Security Enterprise
- NASA Acquisitions - High Risk Issue
- National Defense System Acquisitions
- Public Health Emergency Preparedness and Response
- Unmanned Aerial Systems (Drones)
- U.S. Arctic Interests
- U.S. - China Economic and Military Relations
Explore our other Key Issues here
