The US Missile Defense Agency is asking for guidance on the cloud, and is looking to replace its data center contract.

The agency's Missile Defense Data Center (MDDC), which stores data from the Ballistic Missile Defense System (BMDS), is primarily run by ASRC Federal Analytical Services under a $450m contract from 2013.

Now, the Agency has announced it will "re-compete" the contract according to a procurement notice. It says it is undertaking "market research," which appears to indicate it is contemplating a move to the cloud. The Agency has asked for companies to pitch ideas in Powerpoint presentations - but companies wanting to explain the cloud to the US Missile Defense Agency must move quickly: the closing date for applications is next week.

US left vulnerable to missile attacks

Back in 2013, ASRC Federal Analytical Services was awarded a $450 million indefinite-delivery contract to support the MDDC, leading a consortium that also included military contractor Kratos.

So far, $255.6m has been awarded, with the latest tranche of subcontracts handed out in December 2020 - with an end date of 30 November 2021. Further subcontracts could still be awarded.

A 2010 contract document explained: "The MDDC Program provides data collection from various sensor(s), networks, and platforms and includes telemetry, track data, translated Global Positioning System (GPS) data, as well as real-time distribution of test data in order to support Situational Awareness (SA) and mission execution.

"This data, along with other sources such as video and voice communications is disseminated throughout the MDA and Combatant Commands (COCOMs) with the Test and Evaluation Data Acquisition and Communication (TEDAC) Enterprise System (TES). The MDDC Program also supports the management and planning of resources associated with test execution via an automated government-furnished management tool, Test Resources Mission Planning Tool (TRMP-T), which identifies conflicts and helps provide resolution options."

A 2018 review by the US Department of Defense Inspector General found numerous security failings at the data centers and networks supporting the Ballistic Missile Defense System (BMDS).

The Inspector General investigated a nonstatistical sample of five out of 104 DoD locations, across four military installations that manage BMDS elements and technical information. The facilities investigated are not necessarily those run by ASRC or others in the consortium.

"The disclosure of technical details could allow US adversaries to circumvent the BMDS capabilities, leaving the United States vulnerable to deadly missile attacks," the report warns.

At each site, the Inspector General found numerous "systemic" security failings - for example, employees with access to the BMDS network in three of the five locations have yet to enable multi-factor authentication, a simple security technique widely used by the banking sector and many businesses. At one site, investigators found that "34 users accessed the [redacted] using single-factor authentication well past 14 business days, with some users not using CACs [Common Access Cards] to access the [redacted] for up to seven years."

Three of the five locations did not regularly apply patches for known security vulnerabilities across desktops, thin clients, support servers, domain controllers, backup servers, and security databases.

In March 2018, one of the bases was found to be susceptible to vulnerabilities classified as 'high' and 'critical,' disclosed way back in January. The vulnerabilities, "if exploited by unauthorized users, would likely result in privileged access to servers and information systems," the report warns. Another vulnerability at the same site had been identified in 2013, but was still not patched by the time of review.

Similar failings were found at the other sites - with perhaps the worst being an unpatched vulnerability that "was initially identified in 1990." The report notes: "The NIST assessment of this vulnerability concluded that it could be exploited multiple times by an attacker, and that the vulnerability could [redacted]."

Further failings were discovered with the data centers' physical security, with server racks routinely left unlocked. "In addition, the [redacted] data center manager did not control the server rack keys. NIST SP 800-53 requires organizations to secure keys, combinations, and other physical devices. In addition, the Defense Information Systems Agency Network Infrastructure Security Technical Implementation Guide requires all network infrastructure devices to be located in a secure room with limited access, and DoD Components to physically secure network devices using locked cabinets."

Elsewhere, investigators "found an unlocked server rack despite a posted sign on the rack stating that the server door must remain locked at all times."

It is not clear if the vulnerabilities have been addressed. At the time, the Inspector General said that it had received no response following its draft report.

"The Missile Defense Agency (MDA) is performing strategic market research within the realm of Data Strategy and Software Development Solutions in its preparation to re-compete the Missile Defense Data Center (MDDC) contract," the agency said in a procurement notice.

Among the subjects the MDA seeks to understand are the "migration of applications to government-approved commercial cloud provider(s)," and the "cloud utilization for mass data storage and distribution to include big data analytical capabilities."

Interested parties will be able to pitch a PowerPoint presentation to the government for up to an hour, with a maximum of twenty slides. Companies have until 1 November to apply.