N/MCI Security Doubts Persist

Computerworld - NEW ORLEANS -- The need for a more secure network infrastructure was one of the driving forces behind the U.S. Navy's quest to build the $6.9 billion Navy/Marine Corps Intranet. But with only a few months left before the majority of N/MCI seats are deployed, questions and concerns about security remain.
During the Navy/Marine Corps Intranet Industry Symposium here last week, officials from both the Navy and its prime contractor, Electronic Data Systems Corp., touted N/MCI as "the most secure network in the Department of Defense" and possibly in all of the federal government.
"Today, N/MCI is an industry standard," said Al Edmonds, president of EDS Government Solutions.
But some Navy users, senior officials and even EDS business partners raised concerns about the N/MCI program's approach to security.
"N/MCI is the most secure network in DOD? It's kind of hard to judge that," said Cathy Baber, director of information assurance at the Naval Network and Space Operations Command, which the Navy formed last year to oversee security for N/MCI. "There are still concerns. There are a lot of things that weren't thought about," she said.
One such issue is managing the certification process for connecting N/MCI users to the current Defense Information Systems Network (DISN), the Pentagon's main telecommunications backbone for both classified and unclassified data.
Vanessa Hallihan, program manager for IS security at the Space and Naval Warfare Systems Command, manages the DISN connection process. "We haven't yet come to grips with [N/MCI] as an enterprise process," she said. "The workload is very intense, and I don't have the resources."
Bart Abbott, director of information assurance programs at Raytheon Co., a subcontractor to EDS on the project, said he believes that the N/MCI project team has delivered on the Navy's need for a more secure network, though he acknowledged that there are still wrinkles in the N/MCI security fabric that need to be ironed out.
For example, EDS has piloted the use of public-key infrastructure (PKI) technology at two user sites and plans to roll out PKI for all N/MCI users in conjunction with common access cards, or smart cards. But more work needs to be done to make PKI and smart cards easier to use, he said.
Abbott also acknowledged performance problems resulting from various security mechanisms, such as e-mail and Web content filtering at the connection points between N/MCI and the Defense Department's unclassified network, which is known as the Non-secure Internet Protocol Routing Network. In addition, users have reported full disk scans taking place during the