zlacker

The memo does say each agency needs to pick one system that is not internet accessible and make it accessible in the next year. The way I read this memo is pushing that VPNs don't add much in the way of security (if you follow the rest of the memo) and should be removed.

>>server+(OP)
The other way to read that part of the memo is that the exercise of exposing an application on the public Internet is a forcing function that will require agencies to build application security skills necessary whether or not they use VPNs. Note that the memo demands agencies find a single FISMA-Moderate service to expose.