Blog Administration
Saturday, October 30. 2004
Can You Hear Me Now
Federal Computer Week and other sources are reporting that EDS Corporation is planning to roll out "enterprise-based" cellular phone service as part of the NMCI contract. The contract would be managed by FISC San Diego. The move is expected to go forward by the end of 2004.
NMCI officials are touting the move as a cost savings measure, claiming savings can be realized by economies of scale. EDS is saying this would provide the DoN with a contract vehicle to negotiate for the best deal possible on cellular voice service and mobile data for Research In Motion BlackBerry devices.
Once again we hear the famous "economies of scale" argument -- the ultimate in sophomoric, restaurant and hotel management double-speak -- and as usual we hear it with no data to back up the claims. It seems that this tactic works consistently because nobody actually bothers to do postmortem analysis of these claims to see if they ever hold true. Hence the reason we have the NMCI debacle in the first place, now crawling out from a $2 Billion-plus overage.
It is unclear what advantage there is to adding EDS and NMCI into the process of obtaining cellular provider contracts. The economies of scale argument has merit (e.g. pooling of minutes, large user-base contract breaks, etc.) but these advantages are independent of the profit-skimming, middle man aspect of NMCI. Navy and Marine Corps facilities already have enterprise-wide contracts with the likes of AT&T Wireless, Nextel and others. The Navy is free to contractually pool these users between bases and commands already, as they always were, without the "help" of NMCI. Large corporations like Motorola and Ford manage to negotiate cellular contracts every day without the help of NMCI.
What infrastructure does EDS and NMCI bring to the party? How many cellular towers and backhaul circuits do they have to support cellular users?
If NMCI chooses to flex its muscle and interpret the contract as an enabler for this type of service, that's fine. If they would like to interpret the contract even more liberally and deem themselves as the required source for this type of service, that's fine. But don't blow smoke up our legs and tell us we are going to save money by outsourcing this. We've heard that somewhere before.
NMCI officials are touting the move as a cost savings measure, claiming savings can be realized by economies of scale. EDS is saying this would provide the DoN with a contract vehicle to negotiate for the best deal possible on cellular voice service and mobile data for Research In Motion BlackBerry devices.
Once again we hear the famous "economies of scale" argument -- the ultimate in sophomoric, restaurant and hotel management double-speak -- and as usual we hear it with no data to back up the claims. It seems that this tactic works consistently because nobody actually bothers to do postmortem analysis of these claims to see if they ever hold true. Hence the reason we have the NMCI debacle in the first place, now crawling out from a $2 Billion-plus overage.
It is unclear what advantage there is to adding EDS and NMCI into the process of obtaining cellular provider contracts. The economies of scale argument has merit (e.g. pooling of minutes, large user-base contract breaks, etc.) but these advantages are independent of the profit-skimming, middle man aspect of NMCI. Navy and Marine Corps facilities already have enterprise-wide contracts with the likes of AT&T Wireless, Nextel and others. The Navy is free to contractually pool these users between bases and commands already, as they always were, without the "help" of NMCI. Large corporations like Motorola and Ford manage to negotiate cellular contracts every day without the help of NMCI.
What infrastructure does EDS and NMCI bring to the party? How many cellular towers and backhaul circuits do they have to support cellular users?
If NMCI chooses to flex its muscle and interpret the contract as an enabler for this type of service, that's fine. If they would like to interpret the contract even more liberally and deem themselves as the required source for this type of service, that's fine. But don't blow smoke up our legs and tell us we are going to save money by outsourcing this. We've heard that somewhere before.
Sunday, October 24. 2004
NMCI Runs Afoul Of DISA
In what can only be viewed as an effort to expand their empire, EDS and NMCI have been bragging about their efforts to utilize voice-over-IP technology to provide voice (telephone) service to its customers. NMCI has not yet convinced anyone that they are contractually entitled to take over traditional switched telephone service on Navy and Marine Corps facilities. VoIP offers them an avenue to carry voice services over their existing IP-based infrastructure.
Except for one problem. They might be breaking DoD regulations by doing it.
A Bit of Background
Voice-over-IP popularity exploded in 2002 or even earlier. Dozens of vendors offered hundreds of solutions from full-blown IP PBXs to desktop phones to box-to-box solutions. The salivating communications guru was greeted with nearly unlimited options to solve his voice requirements. VoIP was an elegant solution because of several reasons.
It was designed from the ground up to interface with traditional analog and digital phone switches so the engineer could create hybrid systems. It was easy to encrypt as individual circuits or in bulk. It offered a scalable solution where hundreds of users could be carried on a single CAT-5 cable as opposed to the huge bundles of copper required for traditional phone systems. It was extremely efficient in terms of bandwidth usage not only because of the packetized nature but because it did away with the 64 kbps DS0 barrier. It allowed "toll skipping" which could potentially save thousands of dollars on long distance charges.
Yet VoIP was not without its drawbacks. In an organization as technically and geographically diverse as the DoD, there are bound to be incompatibilities between VoIP systems and traditional phone systems (or even other VoIP systems). This problem was not helped by the VoIP industry that -- like nearly every other standards-based organization in the world -- failed to agree on universal protocols and interfaces. There was also the question of security. Who was making sure that these new-fangled VoIP boxes hitting the market didn't have security flaws or even malicious back door compromises in them? This was certainly a large concern for any organization but especially the US Military.
A Big Hand of Guidance
Enter DISA. The Defense Information Systems Agency is tasked with ensuring Information Assurance within the DoD and have, for better or worse, built an empire controlling information and communications systems within the Department of Defense. Their charter is beyond the scope of this posting but their web site has lots of information.
In April 2004 the Field Security Operations Division of DISA released the Voice over Internet Protocol Security Technical Implementation Guide (VoIP STIG) which gives DoD facilities guidance and best practices for implementing VoIP. Of course the focus of this document is on security and Information Assurance. This document is based on the overarching principles and authority of DoD Directive 8500.1.
The VoIP STIG does an excellent job of pointing out the vulnerabilities of VoIP (which will be left as an exercise to the reader) but more importantly identifies the urgent need for interoperability and security testing of any IP-based system. The need for this, especially in a command and control (C2) environment, should be self-evident.
Who does this interoperability and security testing? The Joint Interoperability Test Command out of Fort Huachuca, Arizona is the primary command currently allowed to "bless" these technical solutions. Simply put, if a VoIP solution has not been tested and approved by JITC, it is not supposed to be connected to a DoD phone network. And certainly not to a Defense Switched Network (DSN) backbone.
NMCI Says It Isn't Us
So who would dare violate a DISA directive? Who would subvert DoD 8500.1? Certainly not NMCI. Or would they?
Apparently NMCI and possibly others have run afoul of the DISA directive because an April 2004 advisory from the Navy's Network Warfare Command (NETWARCOM), in cooperation with the Marine Corps Network Operations and Security Command (MCNOSC), notified several commands that they were in non-compliance with DISA directives.
It states that at least 16 DoN commands have uncertified VoIP systems. This number resulted from a telephone switch inventory done as part of the National Defense Authorization Act FY2003 (Public Law 107-314). Although it does not state categorically that these non-certified systems are NMCI offspring, the advisory makes direct reference to the EDS VoIP solution and states that commands are not allowed to implement any VoIP solution without JITC certification.
It would be interesting to know how much JITC/DISA oversight was done on the VoIP solutions that NMCI is bragging about. Apparently it was not as complete as it should have been or NETWARCOM would not have felt the need to remind Navy and Marine Corps users of the certification and approval process. The rules are there for everyone.
Capt. Chris Christopher, deputy Director of future operations for NMCI has stated that making telephone calls over VoIP was "inevitable." Certainly it is. Let's just hope that NMCI is not usurping DISA in its effort to hasten the inevitable.
Except for one problem. They might be breaking DoD regulations by doing it.
A Bit of Background
Voice-over-IP popularity exploded in 2002 or even earlier. Dozens of vendors offered hundreds of solutions from full-blown IP PBXs to desktop phones to box-to-box solutions. The salivating communications guru was greeted with nearly unlimited options to solve his voice requirements. VoIP was an elegant solution because of several reasons.
It was designed from the ground up to interface with traditional analog and digital phone switches so the engineer could create hybrid systems. It was easy to encrypt as individual circuits or in bulk. It offered a scalable solution where hundreds of users could be carried on a single CAT-5 cable as opposed to the huge bundles of copper required for traditional phone systems. It was extremely efficient in terms of bandwidth usage not only because of the packetized nature but because it did away with the 64 kbps DS0 barrier. It allowed "toll skipping" which could potentially save thousands of dollars on long distance charges.
Yet VoIP was not without its drawbacks. In an organization as technically and geographically diverse as the DoD, there are bound to be incompatibilities between VoIP systems and traditional phone systems (or even other VoIP systems). This problem was not helped by the VoIP industry that -- like nearly every other standards-based organization in the world -- failed to agree on universal protocols and interfaces. There was also the question of security. Who was making sure that these new-fangled VoIP boxes hitting the market didn't have security flaws or even malicious back door compromises in them? This was certainly a large concern for any organization but especially the US Military.
A Big Hand of Guidance
Enter DISA. The Defense Information Systems Agency is tasked with ensuring Information Assurance within the DoD and have, for better or worse, built an empire controlling information and communications systems within the Department of Defense. Their charter is beyond the scope of this posting but their web site has lots of information.
In April 2004 the Field Security Operations Division of DISA released the Voice over Internet Protocol Security Technical Implementation Guide (VoIP STIG) which gives DoD facilities guidance and best practices for implementing VoIP. Of course the focus of this document is on security and Information Assurance. This document is based on the overarching principles and authority of DoD Directive 8500.1.
The VoIP STIG does an excellent job of pointing out the vulnerabilities of VoIP (which will be left as an exercise to the reader) but more importantly identifies the urgent need for interoperability and security testing of any IP-based system. The need for this, especially in a command and control (C2) environment, should be self-evident.
Who does this interoperability and security testing? The Joint Interoperability Test Command out of Fort Huachuca, Arizona is the primary command currently allowed to "bless" these technical solutions. Simply put, if a VoIP solution has not been tested and approved by JITC, it is not supposed to be connected to a DoD phone network. And certainly not to a Defense Switched Network (DSN) backbone.
NMCI Says It Isn't Us
So who would dare violate a DISA directive? Who would subvert DoD 8500.1? Certainly not NMCI. Or would they?
Apparently NMCI and possibly others have run afoul of the DISA directive because an April 2004 advisory from the Navy's Network Warfare Command (NETWARCOM), in cooperation with the Marine Corps Network Operations and Security Command (MCNOSC), notified several commands that they were in non-compliance with DISA directives.
It states that at least 16 DoN commands have uncertified VoIP systems. This number resulted from a telephone switch inventory done as part of the National Defense Authorization Act FY2003 (Public Law 107-314). Although it does not state categorically that these non-certified systems are NMCI offspring, the advisory makes direct reference to the EDS VoIP solution and states that commands are not allowed to implement any VoIP solution without JITC certification.
It would be interesting to know how much JITC/DISA oversight was done on the VoIP solutions that NMCI is bragging about. Apparently it was not as complete as it should have been or NETWARCOM would not have felt the need to remind Navy and Marine Corps users of the certification and approval process. The rules are there for everyone.
Capt. Chris Christopher, deputy Director of future operations for NMCI has stated that making telephone calls over VoIP was "inevitable." Certainly it is. Let's just hope that NMCI is not usurping DISA in its effort to hasten the inevitable.
(Page 1 of 1, totaling 2 entries)
