Balancing DOD's security, tech needs
At a time of such heightened awareness of the security risks associated with technology, no one seemingly would advocate allowing users to disregard security policies in the interests of buying cheaper, faster commercial computers. But many Defense Department organizations have found themselves needing to do just that.
The problem stems from the growing gap between DOD's security policy and the rapid rate at which Defense agencies are deploying new technology. According to a 1988 directive, DOD users must buy commercial products that have been evaluated by the National Security Agency and designated as trusted computer products, with most programs requiring a basic C2 rating. But the evaluation process is a lengthy one, and often several new versions of a product will hit the market by the time the original evaluation is complete.
Always an inconvenience, this disconnection between policy and technology has become simply unworkable for many users across DOD. The services in particular recognize that fielding the latest technology enables them to launch new and more powerful applications often at a lower cost than previously possible.
For example, the Navy is looking to shift many of its command and control applications to Microsoft Corp.'s Windows NT operating system, yet only one version of the product, now outdated, has been C2-certified. To protect its systems, the Navy has developed its own Windows NT security configuration guidelines that the other services might adopt.
Clearly, many DOD users will deal with security responsibly, but the situation is otherwise untenable. The rapid rate of change is part of the very nature of the technology embraced by the department. DOD, like all agencies, must always balance the need to maintain standards with the need to buy and deploy the latest technology.
DOD must take steps to craft and enforce new security policies that allow the services to keep pace with technology without compromising the security of their systems.