Overcoming the Governance Challenge of Providing Mobile Apps to the Warfighter

The US Department of Defense (DoD) is making rapid progress toward the establishment of a department-wide mobile device service that will serve both classified and unclassified communications.  The mobility plan, which is being developed by the Defense Information Systems Agency (DISA), features a converged infrastructure that will transition its classified support components over from the National Security Agency (NSA).  

This is great news for both the warfighters and defense system developers.  DISA’s implementation of a multi-domain mobile network represents a successful balance of new technology adoption and safety and security requirements.  Importantly, it signals a sea change away from an ingrained technological conservatism that has long been the hallmark of the defense acquisitions community. 

The overall vision is breathtaking:  DISA not only wants to expand wireless functionality across the DoD and the services, but also to replace legacy infrastructure such as laptop computers and desktop telephones.  According to Jennifer Carter, DISA’s Component Acquisition Executive:

The goal behind mobility is to establish an integrated infrastructure that can be leveraged to get the mobile device to have the capabilities that the warfighter needs, to bring that capability to them [i.e., the warfighters] – the information they need, the functionality they need – right at their fingertips at the tactical edge.

Unfortunately, the implementation of mobile networks solves only part of the problem. In order to make the networks valuable, two things have to exist:  A strategy for approving devices to operate on the network and an app ecosystem that leverages the power of the devices and the network.   The device strategy seems to be well in hand.  Between October 2012 and September 2013, the new DISA mobile network will support about 5,000 unclassified and 1,500 classified devices.  This number is expected to jump to over 100,000 in FY 14.  Plans for the future include both expanding the number of supported devices (by orders of magnitude) and adding additional types of devices, such as tablets.

The app strategy is less well defined.  While DISA recognizes the need to manage apps (it’s in the middle of a procurement process for an app store), it is still somewhat stymied by the administrative and technical burdens imposed by the DoD Information Assurance Certification and Accreditation Process (DIACAP).  DIACAP is the (DoD) administrative process that ensures that risk management and mitigation activities are applied to information systems and applications that will run on DoD and component service networks. DIACAP defines a department-wide formal and standard set of activities, general tasks as well as a management structure for the certification and accreditation (C&A) of a system to ensure that it will maintain the required information assurance (IA) posture throughout the system's life cycle.

DIACAP is an essential and useful security mechanism; a critical part of the overall protection mechanism that enables vital national security systems to keep functioning.  It’s also very thorough and very detailed with no fewer than five different phases and fifteen constituent activities.  

DIACAP’s high level of scrutiny and detail oriented approach results in a significant cost and time burden.  How significant?  A development effort to produce a significant version update to a software application might encompass ten developers, five systems engineers and a program management staff.  Once coding is complete, the product is submitted for C&A testing.  This effort can easily take four full time effectives (FTE) from six to eight months, as well as the use of specialized government labs.  After this effort, staffing the completed C&A package can take another four to six months.  And that’s for a program that has well vetted IA processes in place.  For a program starting from scratch, tack on another four or six months.

For an application with hundreds of thousands or millions of lines of code developed over a long period of time, the standard DIACAP level of scrutiny and effort makes sense.  However, when it comes to a small app for a mobile device that might be developed in a week’s time, it’s harder to see the justification for what appears to be a disproportionate IA administrative and technical burden.

Luckily for app developers, DoD IA mechanisms allow for an abbreviated qualification effort, where appropriate risk mitigations are baked into the software development process, resulting in dramatically shorter and less expensive C&A effort.  The question for acquisitions program managers in general, and for the mangers of DISA’s cloud infrastructure in particular, is how to apply these procedural mitigations – effectively a development governance process – in a manner that is consistent, repeatable and documented in such a manner as to satisfy IA requirements.

Fortunately, industry faces similar development governance problems.  These requirements led to the development of Cloud-based distributed development environments designed from the ground up to ensure that development efforts were framed within the context of organization’s business rules.  An example of such a distributed development environment is the WSO2 App Factory.

Cloud-based, the WSO2 App Factory operates as a set of pluggable applications on top of a runtime Platform-as-a-Service (PaaS) framework.  It integrates a development forge, enterprise best practices and a Cloud runtime.  Additionally, it ships with open source version control (Subversion, Git), continuous integration (Jenkins, Bamboo), continuous build (Ant, Maven),Test Automation (Selenium) and project management and bug tracking (Redmine) tools.

Additionally, the WSO2 App Factory provides a customizable, extensible governance and compliance modeling framework, project and portfolio dashboards and an App Store for deploying services and applications built within the WSO2 App Factory framework.  It’s also open source, meaning that there are zero acquisition costs associated with the WSO2 App Factory.

For DISA, numerous positive results stem from using such a tool.   The obvious benefit is that IA requirements can be rolled into the governance framework, ensuring that no app built within the environment gets deployed or published without adhering to the required IA standards.  In addition to this, however, it provides a mechanism to require developer organizations to adhere to a single set of department-wide organizational policies and values when developing apps.  Vagaries and resulting risks associated with service and component interpretations of the IA policies are therefore eliminated.  Additionally, costs and time burdens associated with redundant, service-level implementations of IA mechanisms are eliminated, resulting in a leaner, faster and more cost efficient method for delivering capability to the warfighter.

DISA is to be applauded for implementing a mobile infrastructure for the warfighter.  The next step is to provide an environment in which the creativity and capacity of industry to provide solution apps can be efficiently harnessed, robustly governed and rapidly converted into combat capability.