TurnLevel

Government IT: Looking forward to 2011

Debra Fryar — Thu, 23 Dec 2010 16:01:02 +0000

A number of predictions are being made about the direction of government IT for 2011. The Obama administration is taking a look at the effectiveness of the “grand design approach .” These costly, massive IT projects aim for sweeping reinvention of agency computer systems and business processes. Unfortunately, these large-scale projects are frequently plagued by cost overruns and schedule delays.

Government watchdogs say there are two critical elements that will make or break the effort to end the grand-design era: the ability to embrace agile development techniques and the creation of a well-trained acquisition and project management corps to oversee the new rapid delivery style.

Nearly 20 years ago, the General Services Administration advocated that government avoid giant, multiyear IT modernization projects and instead deliver new systems in small chunks and solicit user feedback to identify problems early and facilitate frequent course corrections. Few government agencies have taken that advice, but tighter IT budgets in the foreseeable future may cause them to re-think the idea.

In addition, OMB is calling for a number of IT Acquisition reforms including increased training for government IT program managers and increased oversight of IT products with better defined milestones and the use of agile development.

Over the last 10 years, Partnet has been the major developer of the Defense Logistics Agency’s DOD EMALL. Partnet has stressed the importance of agile development within the DOD EMALL program. The DOD EMALL PMO has an outstanding record of continual system improvement over the system life cycle. Due to the use of agile development, projects have been able to stay within a tightly controlled budget and on schedule. We hope the rest of the government will embrace the use of agile development as recommended by OMB.

DOD Security Needs are both Internal and External

Debra Fryar — Tue, 14 Dec 2010 17:58:16 +0000

Security has been a top priority for DOD in 2010. On November 3, 2010, the Department of Defense announced that U.S. Cyber Command had achieved Full Operational Capability (FOC). The mission of Cyber Command is to keep intruders out of government websites. This has been a primary focus of security personnel over the past several years with the alarming increase of attacks on government websites.

In November, the Defense Information Systems Agency (DISA) announced the development of an application that provides smart phone users with a secure way to access DOD networks. Designed by Good Technologies, Go Mobile is intended to allow DOD end-user employees to use their smart phones in a secure way. It uses a plug-in, called a dongle, to connect via Bluetooth to a Common Access Card (CAC). A personal identification number ensures the physical security of the phone. When Go Mobile is active, it disables other features on the phone to secure data storage and provide safe data transfer. The application supports DOD security policy management, enforcement and compliance while providing a secure web browser and a secure apps container. The application is still under testing and evaluation but should be available sometime in 2011.

While these efforts are extremely important and help safeguard external access to government networks and websites, a bigger threat may come from government personnel working within the highly-secure government network. WikiLeaks is a prime example of this internal threat where a single rogue U.S. Army Private was able to download thousands of secret cables and hand them over to Assange’s fledgling organization. No matter how secure a network is, there is always the possibility of a breach from the inside.

Just weeks after the Wikileaks initial release of information, the Department of Defense, Defense Advanced Research Projects Agency (DARPA), Strategic Technology Office (STO) announced the latest government effort to monitor internal networks to identity hostile insider activity. DARPA is seeking novel approaches to insider threat detection by monitoring specific user and network behaviors. As stated in the project description, “insiders are a dangerous threat to our network systems because insiders operate from within our networks; and easily evade existing security measures. Insiders do not attack—instead they use legitimate access points in support of their operations. Traditional defenses operate under the assumption that existing systems and networks are currently uncompromised.” DARPA is seeking ways to identify “tells” within the normal activity of users that would indicate malicious activity.

We certainly seem to be entering an age where you can literally “Trust no one.”

Congress to Consider Cyber-Security Legislation on the Heels of Report that Top Government Sites were Hacked by Chinese

Terryl Benson — Fri, 03 Dec 2010 17:40:58 +0000

An important piece of legislation focused on addressing the cybersecurity challenges faced by the Federal Government is currently awaiting debate in congress. Sponsored in the Senate by Senators Kit Bond of Missouri and Orrin Hatch of Utah, the National Cyber Infrastructure Protection Act of 2010 was introduced in June and aims to set guidelines on what congress should legislate regarding cybersecurity. The bill also authorizes the Cyber Coordinator to coordinate U.S. cybersecurity efforts and creates a voluntary partnership between the government and the private sector, known as the Cyber Defense Alliance. These steps are intended to facilitate the flow of information regarding cyber threats and promotes the sharing of technologies between the private sector and government.

The importance of this bill becomes more apparent in light of a story published on November 17 by United Press International (UPI) reporting the April hijack of US government and military sites by Chinese servers. According to the story, China Telecom advertised erroneous network traffic routes that instructed U.S. and other foreign Internet traffic to travel through Chinese servers. The attack lasted approximately 18 minutes. Read the entire UPI story.

In a statement introducing the bill to congress on June 24 of this year, Senator Bond spoke of the threat presented by cyber attacks:

“These cyber attacks happen every day, but have remained largely under the public radar. Our government, businesses, citizens, and even social networking sites all have been hit. Cyber attacks are on the rise and unless our private sector and Congress start down a better path to protect our information networks, serious damage to our economy and our national security will follow.” Read the entire transcript from the Congressional Record.

This bill is notable because it seeks to create a public-private partnership, which among other things will examine current and emerging technologies available from the private sector as a means to mitigate the threats. Having served as an IT contractor for the DOD for more than a decade, Partnet understands security and the threats presented by cyber attacks. Partnet has developed a number security applications to safeguard sensitive information and thwart external attacks on its servers. Partnet will continue to watch with interest as this bill makes its way through congress.

DLA Team Investigates Security Measures

Terryl Benson — Thu, 18 Nov 2010 16:43:15 +0000

Agencies across the Federal Government are increasing efforts to identify and fix security flaws. These programs are probing both IT Security and Physical security in an attempt to measure the effectiveness of current security measures.

One of the agencies testing the effectiveness of current security measures is the Defense Logistics Agency (DLA). A recent article published by the DLA News Center, titled Investigative team uncovers security flaws, details the work performed by members of the DLA Accountability Office. The team scrutinized screening and property pick-up procedures at several DLA Disposition Services facilities. Because the investigation included members of law enforcement, many details of the operation have not been released. However, it was reported that the team was able to identify weaknesses and take corrective actions.

Proactive efforts like this are a good way to ensure the effectiveness of current security measures–and with the success of the investigation–it is likely that similar investigations will be conducted in the coming months.

Future-Proofing Enterprise IT with SOA

Debra Fryar — Mon, 25 Oct 2010 20:47:14 +0000

Continuing our discussion of Service Oriented Architecture, let’s look at some of the chief benefits.

SOA is designed to eliminate dependencies on a particular implementation technology. When services are accessed through a common interface, the underlying implementation can change without changing the systems that build upon them. The implementation of the service can change for many reasons, such as:

Replacement of aging hardware
Changes to operating systems or application servers driven by security policy or cost considerations
Selection of a more productive software development platform

One or more of these components can change without impacting any of the dependent processes if implemented within a proper architecture.

This is valuable when trying to leverage legacy systems for new applications. Perhaps there are many potential clients for the legacy system, but the respective clients might use different software development platforms. Hand-writing the software necessary to integrate with a system of moderate complexity can take several weeks.

Rather than asking each client to duplicate this effort, the legacy system can provide a web service adapter with a machine-readable description. Then, each client or business process can automatically integrate with the service—skipping the time-consuming, expensive, and error-prone process of manual integration.

Reliability is enhanced as well, since there is only one piece of software to be tested (the web service adaptation layer) rather than an integration layer within each client.

There are cases when an entirely new system is being designed, and an architect might have the power to mandate a particular implementation technology. Even then, accessing the constituent services through a standard interface is a wise choice for two reasons:

1) It provides a measure of “future-proofing” to the system. As new implementation technologies emerge, they can be adopted piece-meal by different services and their dependent processes.

2) As unforeseen service applications arise—perhaps to meet a need in some outside organization—the service can easily be made available without exposing implementation details and complexity, or requiring a particular implementation technology that may not be available to the new client.

So how does SOA affect a real web application like DOD EMALL? The following provides a few examples of how Partnet has used SOA to interface with existing DOD systems and their dependent services and processes to provide critical web services.

DLA Enterprise Business System suite
- EBS Pre-order query—for real-time item pricing availability.
- DLA Orders—EBS order status look-up on existing orders.
DLA Transaction Service Center
- WebLots—online requisition tracking system
- DODAAC validation query
DLA Data Fusion System
- Supportability Analysis—Stock Out Report (SA-SOR)
- Weapon System Designator Code queries
- NSN/NIIN queries
- Critical Item List management
Central Contractor Registration (CCR)—vendor information query
Defense Security Cooperation Agency (DSCA), Security Cooperation Information Portal (SCIP)—FMS sales interface

SOA on the DOD EMALL has resulted in lower implementation and development cost to the government.

DOD’s Use of Service Oriented Architecture

Debra Fryar — Wed, 13 Oct 2010 20:09:29 +0000

Over the years, Service Oriented Architecture (SOA) has increasingly become a “hot button” among CIOs and IT professionals inside the Department of Defense. But what is SOA and how is it helping the DOD . . . ?

SOA emphasizes the flexible composition of distinct business functions—or services—into a complete business process. In its most recent and successful manifestation, SOAs have been developed around standards for web services. These build on widely used protocols and formats, such as HTTP (used for serving web pages) and XML (used for web content and increasingly for electronic office documents). Because these standards are not coupled to a particular hardware platform, operating system, or programming language, the business processes built using such services are insulated from the underlying implementation of any particular service.

Illustration provided by the MITRE Corporation.

When individual web services are developed to conform to standards such as the World Wide Web Consortium’s (W3C) Web Services Description Language (WSDL), Simple Object Access Protocol (SOAP), and XML Schema, they can be assembled into larger processes using a common tool. Such tools are available for most platforms and are integrated into many general-purpose application servers.

The WSDL document plays a vital role in the orchestration of services. This document is a machine-readable description of the interface provided by a particular service. It allows an SOA tool to understand what inputs are required by a service, what outputs it will provide, and how to communicate with the service. The tool can then generate any code necessary for the designer’s preferred software development environment to make use of that service. Without a common descriptive format like WSDL, system designers would be confronted with a bewildering array of different implementation technologies, communications protocols, and message formats.

Message formats are described using an XML schema. As with WSDL documents, XML schema documents are machine-readable documents that can be processed by a tool to generate the software necessary to convert the platform-neutral messages into the form most natural for the target platform.

By using a common messaging protocol (SOAP), web services are invoked over a variety of transports, including HTTP/S and email. As with other layers in the web service stack, SOAP provides a common language so that tools can automatically interpret the contents of a message.

Underpinning all of this functionality is the World Wide Web. Universal connectivity and widespread support for the HTTP protocol greatly simplifies the deployment of web services. Rather than learning and supporting an entirely new protocol, system administrators and network engineers can leverage their understanding of HTTP to support new services that run on top of it.

Over the years, one of the biggest problems faced by the DOD is the myriad of computer systems and their inability to speak with one another. Each Military Service had it own stove-piped systems and each worked independently. Even before the DOD Net Centric Data Strategy was published in May 2003, DOD policies existed supporting the use of SOA technologies. DOD believes that the continued application of SOA technologies will facilitate communication between the Military Services, industry partners, and international allies.

For more information on SOA and its application within DOD, check out the following:

DARPA creating enthusiasm for math and science through high-school outreach

Debra Fryar — Mon, 04 Oct 2010 15:24:48 +0000

The Defense Advanced Research Projects Agency (DARPA) announced this week a new initiative to “reignite a passion for exploration among our nation’s youth”. The program is called the Manufacturing Experimentation and Outreach (MENTOR) initiative.

As part of MENTOR, DARPA will contract multiple organizations to deploy a variety of programmable manufacturing equipment—such as 3D printers—to high schools throughout the country and orchestrate a series of prize-based challenges. High schoolers will compete and collaborate as teams to design and build cyber-electro-mechanical systems. “The systems will be of moderate complexity,” said Paul Eremenko, DARPA program manager. “Challenges will involve the design and building of things like go-carts, mobile robots and small unmanned aircraft. And we’ll encourage collaboration during the challenges through the use of social media and social networking applications.”

The program encourages students in the science, technology, engineering and mathematics fields. Such skills are critical for careers in systems design and manufacturing, and a strong manufacturing base is essential to maintaining a well-built defense. DARPA will expand the program to over 1000 high schools over the next three years.

Partnet is no stranger to DARPA research projects or to students with great ideas. In 1992—at the dawn of the Internet Age and long before anyone had heard the term eCommerce—Dr. Don Brown’s engineering students presented a unique, yet simple question: Could you connect databases together over the internet to find repair parts?

Don Brown, a mechanical engineering professor at the University of Utah, thought that the military might be interested in such a capability. He made a video documenting how it would work and sent it to DARPA.

DARPA was so impressed with the idea of a distributed architecture that could search for spare parts from multiple, remote databases, they decided to fund the project. Soon after, the Defense Logistics Agency (DLA)—recognizing a new way to support its military customers—joined the project. By 1998, DOD EMALL—DLA’s first Government eCommerce system—was born.

Over the years, DOD EMALL has grown from a research and development project to a billion-dollar government enterprise. Today, the DOD EMALL hosts a virtual catalog of over 70 million items from 1,900 individual suppliers.

Partnet applauds DARPA’s initiative to promote mathematics and the sciences in our nation’s high schools, and for recognizing that young minds are the key to overcoming technological barriers in the new century.

Avoiding Pitfalls – Strategies for Large Enterprise Projects

Terryl Benson — Thu, 23 Sep 2010 21:16:11 +0000

Organizations have been using large enterprise systems for decades to improve business intelligence and processes. These systems—when correctly designed and implemented—provide organizations with important strategic advantages, including improved efficiency and reduced costs. However, implementing the wrong system or implementing it the wrong way can have the opposite effect—making an organization less efficient and ultimately more expensive to operate.

According to a recent report, 70 percent of large-scale government software projects fail to achieve their stated business objectives, are delivered late, or are substantially over budget. In August of this year, White House officials identified 26 high-risk programs within the federal government that are experiencing significant cost increases and schedule delays. These projects, which span 15 departments and would cost $30 billion for completion, are all mission-critical programs that are being put through a fast-paced reassessment process to move them forward, possibly in modified forms.

Below are three strategies organizations can take to avoid these pitfalls. These proposed strategies are based on nearly two decades of research, experience, and lessons learned by Partnet in developing and implementing large-scale Government web applications.

Strategy 1: Use Custom Code and Open Standard Technologies to Increase Interoperability of COTS Products

When introducing a new enterprise system, it is important to recognize COTS products can be difficult to integrate. While COTS products normally work fine independently, combining them together so that they function seamlessly is the real challenge.

One key to interoperability is understanding when to use custom code as a means to more tightly integrate COTS components. It is important to determine when custom code is called for, and when an existing tool will work best. Using open commercial standards like XML helps to balance the costs and risks associated with the long-term development and support of COTS products.

These standards make COTS product evolution and substitutability more manageable. Partnet has combined a variety of EAI technologies with custom code to enable diverse systems and applications to share data and business processes. This includes application servers like WebLogic, databases and reporting tools like Oracle and Business Objects, and EAI tools like WebMethods and Partnet ePort™. Since the glue that ties these all together is custom-coded to the specific business processes for the target organization, it always satisfies the requirements.

Strategy 2: Use Agile Software Development Methodology

Another strategy is to follow iterative software development processes, like the Agile methodology. The nature of large-scale enterprise software projects makes it difficult for managers to determine where a project really stands. This is largely due to the inability of project managers to visually inspect software code and accurately identify critical benchmarks in the development process. Failing to confront delays early on—even minor ones—can lead to cost and schedule overruns.

To avoid delays and keep projects on schedule, Partnet follows proven Agile software development methodologies that don’t require the completion of all requirements prior to the start of design. It also shortens the time between builds or new releases. Shortening the amount of time between builds of the software allows project managers to more frequently examine the quality of code and verify against the customer requirements—keeping the project on schedule.

Another key factor is following Capability Maturity Model Integration (CMMI). CMMI is a process improvement approach that helps optimize task execution, service delivery, and project performance.

Strategy 3: Use Pilot Project as an Effective Risk Mitigation Strategy

Developing and running a pilot project is an excellent risk mitigation strategy for new large-scale systems. A pilot project is an initial rollout of a limited production system designed to test functional components, validate requirements, and ensure the system works as designed. Even a brief pilot period can greatly reduce the odds of a large-scale project failing.

For large, robust systems, Partnet recommends a three-to-six month pilot demonstration to observe and verify system capabilities in a more controlled manner and on a smaller scale.

The pilot phase will highlight any integration deficiencies or requirement gaps. These issues can then be remedied during the validation and demonstration phase, so that larger problems are avoided during full system implementation.

Conclusion
Although large system modernization will always be challenging, taking a few precautions will put you on the right track for success.

Department of Defense Gets B in Small Business Use

Debra Fryar — Tue, 07 Sep 2010 22:04:42 +0000

The Department of Defense gives itself a B in overall use of Small Business in FY2009. As a Small Business Prime Contractor for the DOD, Partnet is proud of our contributions to the DOD and feel that we give the America Taxpayer a good buy for their money. Small businesses frequently operate with lower overhead than large companies, giving a lower overall cost of development for a project. Small businesses are usually juggling fewer projects than their large business counterparts and can give full attention to a project and great customer service.

Shay Assad, director of defense procurement and acquisition policy, the final speaker during the two-day 2010 DLA Enterprise Supplier Conference and Exhibition, held in Columbus, Ohio, Aug 24-25, commented that the Defense Logistics Agency and its industrial partners must improve buying power and create more value for warfighters and taxpayers. He said, “What we’re looking to do is partner with industry to find ways to become more efficient.”

One of the ways that the DOD can achieve this goal is to increase the use of small businesses. The amount of business going to small businesses should also increase in the coming year, Assad said. The current Defense Department goal for small business partnerships is 23 percent, but currently stands at about 19 percent. Out of $400 billion spent by the department on supplies and services, about $12 billion is going toward small businesses.

DLA recently honored small businesses with a number of awards at their DLA Supplier’s Conference. Though we didn’t win an award this year, we had the honor of attending the awards ceremony and supporting our fellow small businesses. We know we give great service and value to our customers and who knows – there is always next year.

PKI Security Made Simple

Jonathan Barrett — Thu, 02 Sep 2010 23:13:22 +0000

What’s better: having a lock on your door, or having a lock on your door AND a guy standing there making sure it’s you unlocking the door?

Obviously, the more security you have the better, which is why more Government eCommerce systems are moving towards PKI. So, what does PKI mean? The acronym stands for Public Key Infrastructure and it refers to the use of hardware and software-based “keys”, or certificates, to verify a user’s identity and credentials online.

In order to get a key/certificate, you need to contact a Certificate Authority (CA). There are several CAs available, but the Defense Logistics Agency only recognizes Verisign, Identrust, and ORC as approved CAs on DOD EMALL. And when it comes to establishing user identity, CAs don’t take the process lightly. Getting a certificate issued generally requires paperwork, several forms of identification, a notary signature, and on occasion, an in-person visit.

After your identify is verified, the certificate is issued in one of two ways:

1) A software-based certificate installed directly to the user’s computer.

2) A portable, hardware-based certificate that the user physically carries with them (often in the form of a smart card or USB stick).

These certificates also include a user-associated PIN. This is called two-factor authentication, and is why PKI is significantly more secure than the traditional username/password model. It’s more than just what you know (i.e., a password); it’s what you have and what you know.

So, now that you have a certificate, what can you do?

Some sites, such as the DOD EMALL, require users to present a certificate for accessing and using the site. Additionally, certificates enable users to send digitally-signed emails that provide proof of data integrity and origin, while also enabling receipt of encrypted email.

Users can also restrict access to their computers and other devices by requiring a PKI certificate.

So what happens if you lose your certificate? That’s where the CA comes back in. CAs maintain Certificate Revocation Lists (CRLs) that track the revocation status of all issued certificates. So every time a hardware or software-based certificate is presented, its status is validated against the associated CRL. This prevents lost or compromised certificates from being used for unauthorized access. Just like changing the lock on your door.

Makes you wish more things used two-factor authentication, right?