Slashdot Mirror


Security Flaws Could Cripple Defense Network

userexec wrote to mention an FCW.com article about the uninspiring future for the Missile Defense System's software. The developers are apparently very worried about poor information security on the project. From the article: "The report said that neither MDA nor Boeing officials saw the need to install a system to conduct automated log audits on unencrypted communications and monitoring systems. Even though current DOD policies require such automated network monitoring, such a requirement 'was not in the contract.' The network, which was also developed to conform to more than 20-year-old DOD security policies rather than more recent guidelines, lacks a comprehensive user account management process, the report said. Neither MDA nor Boeing conducted required Information Assurance (IA) training for users before they were granted access to the network, the report stated."

1 of 137 comments

  1. Re:This is bad. by NecroPuppy · Score: 1, Troll

    Depends.

    If it was part of a Military Specification (or MilSpec), then the contractor had to follow it regardless of whether it was in the contract or not.

    However, if it was a Military Standard instead, then the contractor doesn't have to follow it, even if the Standard is referenced in the contract. Only if the applicable part of the Standard is put into the contract without reference, thereby making it a contract term, is the contracted entity required to follow it.

    I realize that may be confusing, so I'll give an example.

    If the contract references MilSpec 2020.1, then it is the contractor's job to look up that Spec and make sure they follow it.

    If the contract references MilStandard 1043.7, then the contractor doesn't have to look it up or follow it, though they can.

    If the contract instead takes the text out of MilStandard 1043.7 and puts it into the contract, without reference to it as a MilStandard or with the copied text referring to another MilStandard, then the contracted entity has to follow it as it is a contract term.

    And given the reliance on 20 year old legacy standards in this, it also sounds like the Contracting Officer and Program Officer (CO and PO respectively) didn't consider JTIC interoperability requirements as part of this.

    Shit, that's twice in one week my Systems Acquisitions classes have been useful. Just not at work.

    --
    I like you, Stuart. You're not like everyone else, here, at Slashdot.