COMMENTARY: F-35 JSF Program, the 2018 “What’s Behind the Curtain” Candidate

Connect--But, be very careful

The Joint Strike Fighter’s (JSF) Autonomic Logistics Information System (ALIS)
“Most-Public-Secret”

The article “DOD Struggles with Risk Management Framework Adoption” (https://defensesystems.com/articles/2018/11/30/dod-risk-management-framework.aspx) is a sad commentary on the attitudes and commitment to protecting our most advanced weapon systems and capabilities. It is especially sad when it is raised from within the Department of Defense (DOD). When has such a defeatist attitude been allowed to even be an answer to a 21st Century challenge that includes the protection of the nation’s vital weapon systems?

“It’s hard to train people to assess risk.”

Really? What are we paying the Senior Executives in DOD to do in the first place? As highlighted in the article, it has proposed a 3-year plan to get managers to follow NIST 800-53?  Oh, yes, that is the “plan.” In another three years we will redesign RMF to be easier because it’s too hard!  

Instead of properly training everyone involved in the risk management process, including the leaders, we say it’s just too hard to understand and do.

The major problem missed by the article is a piece of inaccurate reporting. The reporter did not conduct effective due diligence on the existing information. At least looking at countering information that is in PLAIN SIGHT would have provided a more complete picture.


“But there have been some successes. The Air Force’s agile software development factory, Kessel Run, has been able to build RMF controls into code for the F-35’s logistics system….”


The flaw in this information is that the F-35’s “logistics system” is in a poor cybersecurity state. The Autonomic Logistics Information System (ALIS) is the logistics system called out in the article. In July 2018, it received a HIGH RISK ATO with 11 provisions to comply with or lose its Authority to Operate (ATO). The Air Force may have resolved shortfalls in the secure coding arena, but that did not translate into a more secure and capable system.

See the article… https://insidedefense.com/daily-news/f-35-jpo-issues-one-year-alis-30-operating-authority-11-provisions.

While the “coding” vulnerabilities may have been addressed by the Air Force’s initiative, there appears to be no evidence that this led to a full ATO. The article reported an unheard-of number of 11 provisions that must be met in order for ALIS to gain a STANDARD 3-year ATO; here it has only received a highly cautionary 1-year ATO.

The article highlights one of those provisions. The developer “must ensure patches will be implemented as part of the information vulnerability management quarterly updates.” The assumption is that the developer was not meeting DOD requirements to maintain proper patch levels of security, operating system, and applications every quarter–the current standard within the DOD for fully deployed systems is that patches are updated monthly.

When Dorothy pulled back the curtain and found the less-than-statuesque Wizard, she had discovered the secret. The secret seems to be right in front of us, and we are still no more startled by how less-than-secure our most valuable systems are in protecting this nation.



REFERENCES:


Albon, Courtney. (April 13, 2018). Inside Defense. F-35 JPO issues one-year ALIS 3.0 operating authority, with 11 provisions. Retrieved from: https://insidedefense.com/daily-news/f-35-jpo-issues-one-year-alis-30-operating-authority-11-provisions

Williams, Lauren C. (November 30, 2018). Defense Systems. DOD struggles with Risk Management Framework adoption. Retrieved from: https://defensesystems.com/articles/2018/11/30/dod-risk-management-framework.aspx
