Blog Administration
Monday, March 14. 2005
A Rumor From the East Coast
A reader from Norfolk writes to say that NMCI is considering disabling the USB ports on NMCI seats.
This is supposedly in response to users attaching "thumb" drives and external hard disk drives in an effort to increase storage space without paying exorbitant NMCI lease fees for larger hard drives.
Although this would not be surprising, one would have to ask how they are going to deal with the USB mice if they completely disable the ports. Perhaps a restricted driver subset. Or, perhaps its just a rumor. You heard it here first.
This is supposedly in response to users attaching "thumb" drives and external hard disk drives in an effort to increase storage space without paying exorbitant NMCI lease fees for larger hard drives.
Although this would not be surprising, one would have to ask how they are going to deal with the USB mice if they completely disable the ports. Perhaps a restricted driver subset. Or, perhaps its just a rumor. You heard it here first.
Monday, November 1. 2004
Wolf Guarding the Hen House
"EDS stands to reap financial rewards when NMCI customer service levels reach certain benchmarks, beginning at 85 percent. As customer satisfaction levels rise, EDS has the potential to earn as much as $100 per NMCI 'seat' for each financial quarter, according to program officials."
A follow-up article in Government Executive Magazine sheds (a little) more light on the NMCI "survey results" released by EDS Corporation earlier this year. An important take away from the piece is the fact that NMCI stands to make money -- a welcome change for them and NMCI -- if the satisfaction level reaches 85 percent. They just reached 80 percent satisfaction and are closing in on the 85 percent threshold. Wow, this NMCI thing must really be working well!
Hmmmm, let us look at the finer points of the "survey":
1. The survey was designed, constructed, distributed, collected and analyzed by EDS Corporation, the same company that stands to gain financially from a high satisfaction percentage.
2. The questions have not been released for review.
3. The sample size and response rate of the survey has not been released.
4. The detailed results (e.g. response statistics for individual questions) have not been released.
5. The Navy has expressed confidence in the survey results and EDS.
Interesting. Not sure which Navy officials GE Magazine interviewed to determine that they had confidence in the results but it was apparently someone who hasn't taken a high-school science class.
The article goes on to offer several quotes from national pollsters and statisticians such as the Gallup Organization, stating how there could be an appearance of impropriety in the fact that EDS did their own survey and now refuses to release details. Really? Wow.
Unlike the previous GE article on the survey, (see reference elsewhere on nmcistinks.com) for this article GE actually managed to track down someone who took the survey. The user reported that he was asked questions like, "Was the help desk person polite?" to which he was forced to respond honestly in the affirmative. However he said there was no opportunity for him to footnote that response with, "However, the help desk person failed to do anything about my problem." Another satisfied user!
Again, perhaps the most disturbing aspect of this entire episode is the Navy's overt support for the "survey" process and results. The official position of the Navy is that releasing the details of the study would compromise their ability to successfully conduct future surveys. How profound.
A final note. We should thank the folks at publications like Government Executive Magazine and Federal Computer Week for digging these stories out of the back rooms. I can only hope that congressional staffers and watchdog organizations are reading them as fervently as we are.
Sunday, October 24. 2004
NMCI Runs Afoul Of DISA
In what can only be viewed as an effort to expand their empire, EDS and NMCI have been bragging about their efforts to utilize voice-over-IP technology to provide voice (telephone) service to its customers. NMCI has not yet convinced anyone that they are contractually entitled to take over traditional switched telephone service on Navy and Marine Corps facilities. VoIP offers them an avenue to carry voice services over their existing IP-based infrastructure.
Except for one problem. They might be breaking DoD regulations by doing it.
A Bit of Background
Voice-over-IP popularity exploded in 2002 or even earlier. Dozens of vendors offered hundreds of solutions from full-blown IP PBXs to desktop phones to box-to-box solutions. The salivating communications guru was greeted with nearly unlimited options to solve his voice requirements. VoIP was an elegant solution because of several reasons.
It was designed from the ground up to interface with traditional analog and digital phone switches so the engineer could create hybrid systems. It was easy to encrypt as individual circuits or in bulk. It offered a scalable solution where hundreds of users could be carried on a single CAT-5 cable as opposed to the huge bundles of copper required for traditional phone systems. It was extremely efficient in terms of bandwidth usage not only because of the packetized nature but because it did away with the 64 kbps DS0 barrier. It allowed "toll skipping" which could potentially save thousands of dollars on long distance charges.
Yet VoIP was not without its drawbacks. In an organization as technically and geographically diverse as the DoD, there are bound to be incompatibilities between VoIP systems and traditional phone systems (or even other VoIP systems). This problem was not helped by the VoIP industry that -- like nearly every other standards-based organization in the world -- failed to agree on universal protocols and interfaces. There was also the question of security. Who was making sure that these new-fangled VoIP boxes hitting the market didn't have security flaws or even malicious back door compromises in them? This was certainly a large concern for any organization but especially the US Military.
A Big Hand of Guidance
Enter DISA. The Defense Information Systems Agency is tasked with ensuring Information Assurance within the DoD and have, for better or worse, built an empire controlling information and communications systems within the Department of Defense. Their charter is beyond the scope of this posting but their web site has lots of information.
In April 2004 the Field Security Operations Division of DISA released the Voice over Internet Protocol Security Technical Implementation Guide (VoIP STIG) which gives DoD facilities guidance and best practices for implementing VoIP. Of course the focus of this document is on security and Information Assurance. This document is based on the overarching principles and authority of DoD Directive 8500.1.
The VoIP STIG does an excellent job of pointing out the vulnerabilities of VoIP (which will be left as an exercise to the reader) but more importantly identifies the urgent need for interoperability and security testing of any IP-based system. The need for this, especially in a command and control (C2) environment, should be self-evident.
Who does this interoperability and security testing? The Joint Interoperability Test Command out of Fort Huachuca, Arizona is the primary command currently allowed to "bless" these technical solutions. Simply put, if a VoIP solution has not been tested and approved by JITC, it is not supposed to be connected to a DoD phone network. And certainly not to a Defense Switched Network (DSN) backbone.
NMCI Says It Isn't Us
So who would dare violate a DISA directive? Who would subvert DoD 8500.1? Certainly not NMCI. Or would they?
Apparently NMCI and possibly others have run afoul of the DISA directive because an April 2004 advisory from the Navy's Network Warfare Command (NETWARCOM), in cooperation with the Marine Corps Network Operations and Security Command (MCNOSC), notified several commands that they were in non-compliance with DISA directives.
It states that at least 16 DoN commands have uncertified VoIP systems. This number resulted from a telephone switch inventory done as part of the National Defense Authorization Act FY2003 (Public Law 107-314). Although it does not state categorically that these non-certified systems are NMCI offspring, the advisory makes direct reference to the EDS VoIP solution and states that commands are not allowed to implement any VoIP solution without JITC certification.
It would be interesting to know how much JITC/DISA oversight was done on the VoIP solutions that NMCI is bragging about. Apparently it was not as complete as it should have been or NETWARCOM would not have felt the need to remind Navy and Marine Corps users of the certification and approval process. The rules are there for everyone.
Capt. Chris Christopher, deputy Director of future operations for NMCI has stated that making telephone calls over VoIP was "inevitable." Certainly it is. Let's just hope that NMCI is not usurping DISA in its effort to hasten the inevitable.
Except for one problem. They might be breaking DoD regulations by doing it.
A Bit of Background
Voice-over-IP popularity exploded in 2002 or even earlier. Dozens of vendors offered hundreds of solutions from full-blown IP PBXs to desktop phones to box-to-box solutions. The salivating communications guru was greeted with nearly unlimited options to solve his voice requirements. VoIP was an elegant solution because of several reasons.
It was designed from the ground up to interface with traditional analog and digital phone switches so the engineer could create hybrid systems. It was easy to encrypt as individual circuits or in bulk. It offered a scalable solution where hundreds of users could be carried on a single CAT-5 cable as opposed to the huge bundles of copper required for traditional phone systems. It was extremely efficient in terms of bandwidth usage not only because of the packetized nature but because it did away with the 64 kbps DS0 barrier. It allowed "toll skipping" which could potentially save thousands of dollars on long distance charges.
Yet VoIP was not without its drawbacks. In an organization as technically and geographically diverse as the DoD, there are bound to be incompatibilities between VoIP systems and traditional phone systems (or even other VoIP systems). This problem was not helped by the VoIP industry that -- like nearly every other standards-based organization in the world -- failed to agree on universal protocols and interfaces. There was also the question of security. Who was making sure that these new-fangled VoIP boxes hitting the market didn't have security flaws or even malicious back door compromises in them? This was certainly a large concern for any organization but especially the US Military.
A Big Hand of Guidance
Enter DISA. The Defense Information Systems Agency is tasked with ensuring Information Assurance within the DoD and have, for better or worse, built an empire controlling information and communications systems within the Department of Defense. Their charter is beyond the scope of this posting but their web site has lots of information.
In April 2004 the Field Security Operations Division of DISA released the Voice over Internet Protocol Security Technical Implementation Guide (VoIP STIG) which gives DoD facilities guidance and best practices for implementing VoIP. Of course the focus of this document is on security and Information Assurance. This document is based on the overarching principles and authority of DoD Directive 8500.1.
The VoIP STIG does an excellent job of pointing out the vulnerabilities of VoIP (which will be left as an exercise to the reader) but more importantly identifies the urgent need for interoperability and security testing of any IP-based system. The need for this, especially in a command and control (C2) environment, should be self-evident.
Who does this interoperability and security testing? The Joint Interoperability Test Command out of Fort Huachuca, Arizona is the primary command currently allowed to "bless" these technical solutions. Simply put, if a VoIP solution has not been tested and approved by JITC, it is not supposed to be connected to a DoD phone network. And certainly not to a Defense Switched Network (DSN) backbone.
NMCI Says It Isn't Us
So who would dare violate a DISA directive? Who would subvert DoD 8500.1? Certainly not NMCI. Or would they?
Apparently NMCI and possibly others have run afoul of the DISA directive because an April 2004 advisory from the Navy's Network Warfare Command (NETWARCOM), in cooperation with the Marine Corps Network Operations and Security Command (MCNOSC), notified several commands that they were in non-compliance with DISA directives.
It states that at least 16 DoN commands have uncertified VoIP systems. This number resulted from a telephone switch inventory done as part of the National Defense Authorization Act FY2003 (Public Law 107-314). Although it does not state categorically that these non-certified systems are NMCI offspring, the advisory makes direct reference to the EDS VoIP solution and states that commands are not allowed to implement any VoIP solution without JITC certification.
It would be interesting to know how much JITC/DISA oversight was done on the VoIP solutions that NMCI is bragging about. Apparently it was not as complete as it should have been or NETWARCOM would not have felt the need to remind Navy and Marine Corps users of the certification and approval process. The rules are there for everyone.
Capt. Chris Christopher, deputy Director of future operations for NMCI has stated that making telephone calls over VoIP was "inevitable." Certainly it is. Let's just hope that NMCI is not usurping DISA in its effort to hasten the inevitable.
Monday, August 30. 2004
Silent Majority or Manipulation
"Several service personnel, however, said they do not know anyone who has taken the survey."
A recent article in Government Executive Magazine reports that the satisfaction level is "near 80 percent and rising" within the ranks of Navy Marine Corps Intranet users. The accuracy of these numbers will be left to the reader to ponder but there is a very important threshold not far from this 80 percent number. When the "satisfaction level" reaches 85 percent, NMCI contractor EDS Corporation is entitled to bonus payments for every NMCI seat, regardless of the satisfaction level of that seat user or the base where it is installed.
The article goes on to discuss the fact that a short and informal survey by GE staff could find no NMCI users who had actually taken the survey. More importantly NMCI officials have not released the details of the survey including number of surveys sent, number returned (sample size), the questions on the survey and a myriad of other factors that could lead to an honest, stoichiometric analysis of the vaunted survey.
Perhaps most disturbing, Navy officials have stood by quietly accepting, if not supporting, this junk science being proffered by EDS.
« previous page
(Page 2 of 2, totaling 11 entries)
