The US Department of Defense (DoD) is making rapid progress
toward the establishment of a department-wide mobile device service that will serve
both classified and unclassified communications. The mobility plan, which is being developed
by the Defense Information Systems Agency (DISA), features a converged
infrastructure that will transition its classified support components over from
the National Security Agency (NSA).
This is great news for both the warfighters and defense
system developers. DISA’s implementation
of a multi-domain mobile network represents a successful balance of new
technology adoption and safety and security requirements. Importantly, it signals a sea change away
from an ingrained technological conservatism that has long been the hallmark of
the defense acquisitions community.
The overall vision is breathtaking: DISA not only wants to expand wireless
functionality across the DoD and the services, but also to replace legacy
infrastructure such as laptop computers and desktop telephones. According to Jennifer Carter, DISA’s
Component Acquisition Executive:
The goal behind mobility is to
establish an integrated infrastructure that can be leveraged to get the mobile
device to have the capabilities that the warfighter needs, to bring that
capability to them [i.e., the warfighters] – the information they need, the
functionality they need – right at their fingertips at the tactical edge.
Unfortunately, the implementation of mobile networks solves
only part of the problem. In order to make the networks valuable, two things
have to exist: A strategy for approving
devices to operate on the network and an app ecosystem that leverages the power
of the devices and the network. The
device strategy seems to be well in hand.
Between October 2012 and September 2013, the new DISA mobile network
will support about 5,000 unclassified and 1,500 classified devices. This number is expected to jump to over
100,000 in FY 14. Plans for the future
include both expanding the number of supported devices (by orders of magnitude)
and adding additional types of devices, such as tablets.
The app strategy is less well defined. While DISA recognizes the need to manage apps
(it’s in the middle of a procurement process for an app store), it is still
somewhat stymied by the administrative and technical burdens imposed by the DoD Information Assurance Certification and Accreditation Process (DIACAP). DIACAP is the (DoD) administrative process that
ensures that risk management and mitigation activities are applied to
information systems and applications that will run on DoD and component service
networks. DIACAP defines a department-wide formal and standard set of
activities, general tasks as well as a management structure for the
certification and accreditation (C&A) of a system to ensure that it will
maintain the required information assurance (IA) posture throughout the
system's life cycle.
DIACAP is an essential and useful security mechanism; a
critical part of the overall protection mechanism that enables vital national
security systems to keep functioning.
It’s also very thorough and very detailed with no fewer than five
different phases and fifteen constituent activities.
DIACAP’s high level of scrutiny and detail
oriented approach results in a significant cost and time burden. How significant? A development effort to produce a significant
version update to a software application might encompass ten developers, five
systems engineers and a program management staff. Once coding is complete, the product is submitted
for C&A testing. This effort can
easily take four full time effectives (FTE) from six to eight months, as well
as the use of specialized government labs.
After this effort, staffing the completed C&A package can take
another four to six months. And that’s
for a program that has well vetted IA processes in place. For a program starting from scratch, tack on
another four or six months.
For an application with hundreds of thousands or millions of
lines of code developed over a long period of time, the standard DIACAP level
of scrutiny and effort makes sense.
However, when it comes to a small app for a mobile device that might be
developed in a week’s time, it’s harder to see the justification for what
appears to be a disproportionate IA administrative and technical burden.
Luckily for app developers, DoD IA mechanisms allow for an abbreviated
qualification effort, where appropriate risk mitigations are baked into the software
development process, resulting in dramatically shorter and less expensive
C&A effort. The question for
acquisitions program managers in general, and for the mangers of DISA’s cloud
infrastructure in particular, is how to apply these procedural mitigations –
effectively a development governance process – in a manner that is consistent,
repeatable and documented in such a manner as to satisfy IA requirements.
Fortunately, industry faces similar development governance
problems. These requirements led to the development
of Cloud-based distributed development environments designed from the ground up
to ensure that development efforts were framed within the context of
organization’s business rules. An
example of such a distributed development environment is the WSO2 App Factory.
Cloud-based, the WSO2 App Factory operates as a set of
pluggable applications on top of a runtime Platform-as-a-Service (PaaS)
framework. It integrates a development
forge, enterprise best practices and a Cloud runtime. Additionally, it ships with open source
version control (Subversion, Git), continuous integration (Jenkins, Bamboo),
continuous build (Ant, Maven),Test Automation (Selenium) and project management
and bug tracking (Redmine) tools.
Additionally, the WSO2 App Factory provides a customizable,
extensible governance and compliance modeling framework, project and portfolio
dashboards and an App Store for deploying services and applications built
within the WSO2 App Factory framework. It’s
also open source, meaning that there are zero acquisition costs associated with
the WSO2 App Factory.
For DISA, numerous positive results stem from using such a
tool. The obvious benefit is that IA
requirements can be rolled into the governance framework, ensuring that no app
built within the environment gets deployed or published without adhering to the
required IA standards. In addition to
this, however, it provides a mechanism to require developer organizations to
adhere to a single set of department-wide organizational policies and values when
developing apps. Vagaries and resulting
risks associated with service and component interpretations of the IA policies
are therefore eliminated. Additionally,
costs and time burdens associated with redundant, service-level implementations
of IA mechanisms are eliminated, resulting in a leaner, faster and more cost
efficient method for delivering capability to the warfighter.
DISA is to be applauded for implementing a mobile
infrastructure for the warfighter. The
next step is to provide an environment in which the creativity and capacity of
industry to provide solution apps can be efficiently harnessed, robustly governed
and rapidly converted into combat capability.
No comments:
Post a Comment