recommended reading

Why Feds Are Still Buying IT That Works With Windows XP

Ted S. Warren/AP file photo

During the past year, various agencies have bought or expressed interest in buying products compliant with a Microsoft operating system set to lose security support next week, according to a review of federal solicitations and the agencies themselves. The Air Force, Navy and Marine Corps, as well as the Veterans Affairs, Labor and State departments are a few of the Windows XP holdouts.

Microsoft will stop updating the 12-year-old operating system on April 8. With the company's software developers out of the picture, hackers who find holes can drop "0-day exploits,” or malicious software that penetrates systems running XP before anyone has time to fix them. 

But some agencies need Windows XP to run mission-critical applications that are incompatible with newer operating systems. Others, fearing they might miss the cutoff date for security support, want products that will function on existing systems. 

Here's a sample of the roughly 195 solicitations posted within the past year specifying Windows XP compliance:

  • The Air Mobility Command in May 2013 bought a $6,875 touch screen computer that was required to support "Windows XP Professional SP3 32 bit."
  • The Naval Research Laboratory announced in April 2013 that it intended to award a contract for a computer, with various accessories and "Windows XP Installation." 
  • In April 2013, the I Marine Expeditionary Force at Camp Pendleton, Calif., solicited software to model sound propagation that was "compatible with a Windows XP OS."
  • Last month, Veterans Affairs posted an ad seeking an XP-compatible system to enable online registration for the National Veterans Golden Age Games, an event for older vets currently under care of the VA medical system. 
  • Two special notebooks at a Labor agency needed Windows XP to run software that supports a critical-mission function.
  • State announced roughly 175 solicitations and awards for XP-compatible information technology tools and services. 

A Legacy Issue 

Roughly 3 percent of the Pentagon's several million unclassified and classified Windows machines are still running XP software, according to military officials.

Machines remaining on XP tend to require special engineering and testing "to make sure that function and dependability are still correct after an operating system change,” Richard Hale, deputy chief information officer for cybersecurity at Defense, said during an interview. “Those tend to also be systems that get deployed often in places that have high operations tempo like ships. So it then takes us a while to deploy those." 

Defense has been upgrading, primarily to other Windows versions, at a rate of up to 60,000 computers a month. 

“It will probably take us several years to get the last Windows XP" machines transitioned, Hale said of approximately one percent of the department’s Windows machines. "There may be some special cases that take longer.”

The Pentagon is negotiating prices with Microsoft for extended Windows XP support, which will be lower than the commercial rate of $300 per PC per year, he said.

Hale could not speak to the specific solicitations the services have issued but said he believes they pertain to systems stuck in the changeover. “As recently as a year ago, we had hundreds of thousands of Windows XP machines, and so people have had to support them as they transitioned their networks to Windows 7 or Windows 8," he said. "They’ve had to support them and they will need to support them until they are completely out of the inventory.”

All military devices, whether on XP or upgraded software, are protected by layers of security systems, Hale said. 

For instance, “we have perimeter defenses that look for malware and can block it,” as well as Defensewide email scanning and intrusion detection systems, he said.  

Cyber Command to the Rescue

Military cyber personnel will be paying attention to XP-enabled threats. "Cyber Command is the top operator for the department and top defender for all of this stuff," Hale said. Every information security employee takes orders from the command.

While the military is not adding extra levels of defense as a direct consequence of Microsoft's decision to terminate support for the old operating system, “our operations force will be attuned to Windows XP attacks just in case those go up after April 8,” he said.

Not all federal contracting documents mentioning XP required technology dependent on that platform alone, indicating the purchasing agency could be planning to soon switch platforms. For example, in May 2013, Veterans Affairs asked for a mobile device security tool that "must be compatible with [i]OS, Android, Windows Mobile, Blackberry, Windows XP, Windows 7, and Windows 8." 

VA needs a Windows XP system for the Golden Age Games because agencies are at different stages of the conversion, according to a March 18 solicitation. "Migration from Windows XP to Windows 7 is not yet complete within all of VA," the request for proposals states. "As a result, compatibility with and support on Windows XP, Internet Explorer 7 and Microsoft Office 2007 are also required until April 2014 when Microsoft’s extended support for Windows XP ends."

Veterans Affairs officials said that more than 99 percent of the department's IT inventory -- about 390,000 Windows computers -- is now on Windows 7. The systems still on XP "are not compatible with Windows 7 and must be updated before the systems can be upgraded to the new operating system," VA spokeswoman Genevieve Billia said in an email.

Those outliers seem to be creating disruptions and racking up expenses, even if not creating risks.  

"Some of the remaining XP systems will be removed from the network and other mitigation strategies will be put into place for those that remain," Billia said, adding that the department might purchase extended support from Microsoft.

Additional security measures include an external firewall, network monitoring, intrusion protection software and USB drive controls, among other things.

Labor officials expect to move all computers to newer Windows platforms by May. As with all such transitions, officials said, the department is encountering some exceptions, such as the two notebooks. 

"We continually monitor for security vulnerabilities, and those efforts include XP-based systems that are being discontinued as well as the few XP-based functions that will remain in place until replacements are implemented," a Labor spokeswoman said in an email. 

State, during the past year, apparently wanted a lot of technology that would work with Windows XP but not necessarily depend on it to function properly.

“The U.S. Department of State does not have any 'XP reliant' initiatives, and our intent is to be off of Windows XP by the April 8 deadline," a senior State official said in an email. "We will not be paying Microsoft for additional XP support after April 8. Our solicitations do indeed work with Windows 7, and may have been requested to be compatible with Windows XP out of an abundance of caution.”

Threatwatch Alert

Stolen laptop

3.7M Hong Kong Voters' Personal Data Stolen

See threatwatch report

JOIN THE DISCUSSION

Close [ x ] More from Nextgov
 
 

Thank you for subscribing to newsletters from Nextgov.com.
We think these reports might interest you:

  • It’s Time for the Federal Government to Embrace Wireless and Mobility

    The United States has turned a corner on the adoption of mobile phones, tablets and other smart devices, outpacing traditional desktop and laptop sales by a wide margin. This issue brief discusses the state of wireless and mobility in federal government and outlines why now is the time to embrace these technologies in government.

    Download
  • Featured Content from RSA Conference: Dissed by NIST

    Learn more about the latest draft of the U.S. National Institute of Standards and Technology guidance document on authentication and lifecycle management.

    Download
  • A New Security Architecture for Federal Networks

    Federal government networks are under constant attack, and the number of those attacks is increasing. This issue brief discusses today's threats and a new model for the future.

    Download
  • Going Agile:Revolutionizing Federal Digital Services Delivery

    Here’s one indication that times have changed: Harriet Tubman is going to be the next face of the twenty dollar bill. Another sign of change? The way in which the federal government arrived at that decision.

    Download
  • Software-Defined Networking

    So many demands are being placed on federal information technology networks, which must handle vast amounts of data, accommodate voice and video, and cope with a multitude of highly connected devices while keeping government information secure from cyber threats. This issue brief discusses the state of SDN in the federal government and the path forward.

    Download
  • The New IP: Moving Government Agencies Toward the Network of The Future

    Federal IT managers are looking to modernize legacy network infrastructures that are taxed by growing demands from mobile devices, video, vast amounts of data, and more. This issue brief discusses the federal government network landscape, as well as market, financial force drivers for network modernization.

    Download

When you download a report, your information may be shared with the underwriters of that document.