Air Force handles network security

Last month, the Air Force started testing securely configured Microsoft software that will be distributed servicewide beginning in October. The Air Force's use of standard security configurations will improve network management and security, Air Force officials said.

Microsoft sent the Air Force a preconfigured bundle of the company's software that includes the Windows XP operating system, Office suite, Internet Explorer and portions of Windows Server 2003. Air Force officials will test for hardware and software compatibility, said Ken Heitkamp, assistant director for life cycle management in the Office of the Secretary of the Air Force, Chief of Warfighting Integration and Chief Information Officer.

The preconfigured package, also called a software image, will help the Air Force better manage systems enterprisewide. "This is most important and most difficult," Heitkamp said.

The Air Force signed two Microsoft consolidation contracts last year to streamline the service's software and support contracts with the company. Microsoft officials are delivering common configurations of the company's operating system and applications under terms of those contracts.

The deals, worth $500 million during the next six years, will also let the Air Force obtain and test software patches before the company publicly releases them. The service will receive confirmed patches of the company's software for automated installation on the Air Force's 525,000 computers within 48 hours of their release.

The Air Force will first install the securely configured Microsoft software on computers at a U.S. base. The service will then deploy the software at two more bases, followed by the rest of them, a process that should be completed by June 2006, Heitkamp said.

Air Force command leaders must use the preconfigured software or risk being kicked off the service's network. This approach will help achieve the One Air Force-One Network-One Information Technology Business Strategy, which seeks to create standard software configuration, configuration management, network management and improved security enterprisewide, he said.

Lawmakers think so highly of the Air Force's initiative that Congress wants the Pentagon to consider using it throughout the Defense Department.

The House version of the fiscal 2006 National Defense Authorization Act called for Ken Krieg, DOD's undersecretary for acquisition, technology and logistics, to review the Air Force's enterprise license agreement with Microsoft and submit a report to the House Armed Services Committee by March 1, 2006.

"The committee believes the department should explore the successful Air Force model for possible emulation throughout the department," House lawmakers wrote in their version of the legislation passed May 25.

Committee members also think DOD can increase savings and computer security by requiring software companies to deliver products that meet the department's configuration standards.

"Additional stipulations that the vendor will update the software to meet any necessary DOD-driven configuration changes will yield further changes," House lawmakers wrote in the legislation. "The committee notes that the Air Force entered into such an agreement in June 2004 that has accomplished these results."

Congress is not the only government organization to support the Air Force's model. Karen Evans, the Office of Management and Budget's administrator for e-government and IT, said she likes the Air Force's plan and thinks it should be implemented at all federal agencies.

Heitkamp said Air Force officials prefer to install the preconfigured Microsoft software at the first Air Force base before sharing it with DOD and other federal agencies. In the meantime, agencies can prepare by getting enterprise licenses in place, deciding how to test the software and selecting a program office for oversight, he said.

The call by Congress and OMB to implement the Air Force's initiative across DOD and the federal government represents a step toward greater operational standardization of IT, said Clint Kreitner, president of the Center for Internet Security, a nonprofit organization that helps government and industry officials better manage risks related to information security.

"The wide variety of IT systems and configurations is very difficult, if not impossible to manage right now," Kreitner said. "If you standardize the software that is installed on computer systems, when patches come along, you can centrally test them then ship them out across your enterprise."

Air Force officials estimate they can save $100 million by eliminating manual patching costs, he said.

"You have a much better handle on security," Kreitner added.