KCNSC is a large organization that will have hundreds of distinct networks at different risk and control levels. Every variation of "public internet" to "single-site air-gapped network" probably exists there, including many levels in between like multi-site secure networks and networks with limited internet connectivity. Many networks air airgapped, this sometimes means that they consist of a small number of assets in a single room, and it sometimes means that they have connectivity to airgapped enclaves of AWS and hundreds of other military, government, and contractor sites. All of these controls will have been determined by a combination of risk scoring, compliance policies, legal requirements, office politics, and happenstance. Multiple contracting authorities will periodically audit many of these networks against various standards, which may or may not allow connectivity to specific other networks depending on risk levels. Connectivity between networks is sometimes controlled by NSA accredited cross-domain solutions and multi-level security systems that enforce complex policy, in other cases it's controlled by an administrative assistant with a DVD burner. There will be case-by-case risk analysis decisions made for specific systems, ultimately signed off by a government official who may or may not have read them. Inevitably some of these will appear reasonable and cautious in retrospect and others will not.

The root fault with this article, and the resulting discussion, is the extent to which it generalizes over one of the larger organizations in a very complex part of the defense industrial complex. Many parts of KCNSC's operations are absolutely not exposed by this incident. Other parts absolutely are. Determining which fall into which category, and to what extent that is acceptable, keeps quite a few people employed.