Balancing DOD's security, tech needs

At a time of such heightened awareness of the security risks associated with technology, no one seemingly would advocate allowing users to disregard security policies in the interests of buying cheaper, faster commercial computers. But many Defense Department organizations have found themselves needing to do just that.

The problem stems from the growing gap between DOD's security policy and the rapid rate at which Defense agencies are deploying new technology. According to a 1988 directive, DOD users must buy commercial products that have been evaluated by the National Security Agency and designated as trusted computer products, with most programs requiring a basic C2 rating. But the evaluation process is a lengthy one, and often several new versions of a product will hit the market by the time the original evaluation is complete.

Always an inconvenience, this disconnection between policy and technology has become simply unworkable for many users across DOD. The services in particular recognize that fielding the latest technology enables them to launch new and more powerful applications, often at a lower cost than previously possible.

For example, the Navy is looking to shift many of its command and control applications to Microsoft Corp.'s Windows NT operating system, yet only one version of the product, now outdated, has been C2-certified. To protect its systems, the Navy has developed its own Windows NT security configuration guidelines that the other services might adopt.

Clearly, many DOD users will deal with security responsibly, but the situation is otherwise untenable. The rapid rate of change is part of the very nature of the technology embraced by the department. DOD, like all agencies, must always balance the need to maintain standards with the need to buy and deploy the latest technology.

DOD must take steps to craft and enforce new security policies that allow the services to keep pace with technology without compromising the security of their systems.
