[bmelton]

Just to speak to the one point of security measures, government computers do perform data at rest encryption and network access control. Threat heuristics are done off-the-shelf with something like McAfee/Norton on the workstation end, and with commodity IDS software running at the edge, which I think sounds about right.

For most government machines, they're required to be connected via VPN, and all traffic funneled through the respective agencies in order to be on the internet at all, so at least the cloud data they do access has the opportunity to be logged, scrubbed and sanitized by the agency in question.

I can't speak specifically for Navy, but with most agencies I've dealt with (including DOD,) this is how things are.

So, long story short, if they aren't required to perform any security measures like the above-mentioned, then they should really get kudos for going above and beyond. That said, at least where I am, those are requirements, so I'm guessing the reporter either misspoke or was uninformed.