Cross Domain Knowledge Forum
June, 2012 - The IC COE Enables NGA to Empower Users
Sherryl Dorch, VP Marketing, RTCS
The Common Operating Environment that is being embraced across the Intelligence Community is enabling NGA to make users “both contributors and collaborators.” In the April issue of Signal Magazine, an article by Bob Ackerman, entitled “Geospatial Intelligence Embarks on Dual-Hatted Mission” addresses the agility and ease of access to information that NGA will realize by totally separating their data from applications and infrastructure with cloud virtualization. Letitia A. Long, director of NGA, describes in the article how NGA teams with other intelligence agencies. “NGA data helps NSA visualize its signals intelligence ..., NGA data helps DIA visualize its measurement and signature intelligence … and NGA data helps CIA visualize its human intelligence.” This all requires an open information technology architecture that allows customers to access NGA information and be able to add to that information. According to Long, “the Common Operating Environment across the intelligence community is extremely important.”
Long goes on to state, “that (this) goal is not easily attainable.” NGA operates at three classification levels, Top Secret/Sensitive Compartmented Information, Top Secret and Secret, and additionally serves the unclassified environment where first responders operate. “The agency must be able to move information seamlessly across these three environments without compromising classified information.”
May, 2012 - The Mobile Cross Domain Challenge
Michael Miller, Development Manager, RTCS
The transition to mobile cross domain access is inevitable as agencies are challenged to increase efficiency and responsiveness. Mobile access to critical mission data can extend greatly the range of an agency’s effectiveness in the field. The ability to roam with uninterrupted access to MLS assets increases the opportunity for collaboration within the secure facility. A mobile strategy that enables secure access to cross domain resources is now widely recognized as a core IT capability. Mobile is not coming; Mobile is here.
The benefits are many; however, mobile access presents significant challenges. A mobile device is uniquely vulnerable to attacks that are not possible against a dedicated workstation in a secure facility. A mobile device is subject to casual theft or loss, which puts at risk any sensitive data at rest. Communications over wireless or public networks can be intercepted without detection. Agencies that implement a Bring Your Own Device (BYOD) mobile policy are at particularly high risk of attack by malicious apps and compromised system software.
A mobile access policy must balance security and usability. BYOD postures favor cost, flexibility, and personal preference. Risk is addressed by securing communications channels and constraining the scope of access to sensitive resources. The highest security postures require a trusted platform and strict enforcement of mobile device policies. At the extreme, agency issued trusted devices are the most secure but must provide a personal use context to achieve wide acceptance and user satisfaction.
BYOD solutions are appropriate for many agency applications. Security is implemented in the application space, usually by wrapping functionality in a secure container that encrypts network traffic and data at rest. Mobile device management balances flexibility and exposure to risk. Higher levels of network security can be achieved on devices with kernel level support for VPN clients. Redisplay technologies can ensure that sensitive apps and data never touch the device where they may be vulnerable to attack.
A trusted platform provides the highest level of mobile assurance. A trusted OS on supporting hardware can ensure that no user or system process will access resources that are not explicitly permitted by policy. Access to storage, capture devices, and networking is tightly controlled and the kernel level policy enforcement cannot be circumvented by any malicious app. With the addition of a secure type-1 hypervisor, the trusted platform can coexist with a personal use context. A dual persona capability brings a new level of security and user acceptance to the agency issued mobile device.
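The kernel-level policy enforcement described above, and the "move information across classification levels without compromising it" requirement in the NGA piece, both rest on one rule: a subject may only touch objects whose security label its own label dominates. The following is an added illustration written for this page, not code from RTCS or from any trusted OS; the level names, compartment "SI", file names and the "malicious app" scenario are constructed. It implements the Bell-LaPadula "no read up / no write down" check over labels made of a level plus a set of compartments, and routes every access through a reference monitor that records an audit entry, which is the role the kernel plays on a trusted platform.

```python
"""Mandatory access control for MLS labels, Bell-LaPadula style.

Added illustration for this page, not code from RTCS or any product.
Level and compartment names are assumptions; a real trusted OS
(SELinux MLS, for example) enforces the same dominance rule inside
the kernel so that no application can bypass it.
"""
from dataclasses import dataclass, field
from enum import IntEnum
from typing import Dict, FrozenSet, List, Tuple


class Level(IntEnum):
    UNCLASSIFIED = 0
    SECRET = 1
    TOP_SECRET = 2


@dataclass(frozen=True)
class Label:
    level: Level
    compartments: FrozenSet[str] = field(default_factory=frozenset)

    def dominates(self, other: "Label") -> bool:
        """Partial order: level at least as high AND every compartment of
        `other` present here. TOP_SECRET alone does not dominate TOP_SECRET//SI."""
        return self.level >= other.level and self.compartments >= other.compartments

    def __str__(self) -> str:
        tail = "//" + ",".join(sorted(self.compartments)) if self.compartments else ""
        return self.level.name + tail


def can_read(subject: Label, obj: Label) -> bool:
    """Simple security property: no read up."""
    return subject.dominates(obj)


def can_write(subject: Label, obj: Label) -> bool:
    """*-property: no write down. A process may only write to objects that
    dominate its own label, so a SECRET process cannot push data into an
    UNCLASSIFIED channel such as a wireless socket."""
    return obj.dominates(subject)


class ReferenceMonitor:
    """Mediates every access and audits the decision; on a trusted
    platform this logic lives in the kernel, out of reach of apps."""

    def __init__(self) -> None:
        self._objects: Dict[str, Tuple[Label, str]] = {}
        self.audit: List[str] = []

    def create(self, name: str, label: Label, data: str = "") -> None:
        self._objects[name] = (label, data)

    def read(self, subject: Label, name: str) -> str:
        label, data = self._objects[name]
        if not can_read(subject, label):
            self.audit.append(f"DENY  read  {name}({label}) by {subject}")
            raise PermissionError(f"{subject} may not read {name} ({label})")
        self.audit.append(f"ALLOW read  {name}({label}) by {subject}")
        return data

    def write(self, subject: Label, name: str, data: str) -> None:
        label, _ = self._objects[name]
        if not can_write(subject, label):
            self.audit.append(f"DENY  write {name}({label}) by {subject}")
            raise PermissionError(f"{subject} may not write {name} ({label})")
        self._objects[name] = (label, data)
        self.audit.append(f"ALLOW write {name}({label}) by {subject}")


def demo() -> Dict[str, bool]:
    """Run constructed scenarios; returns which accesses were allowed."""
    rm = ReferenceMonitor()
    rm.create("target_list", Label(Level.SECRET), "grid refs")            # constructed
    rm.create("sigint_cut", Label(Level.TOP_SECRET, frozenset({"SI"})), "intercept")
    rm.create("wifi_socket", Label(Level.UNCLASSIFIED))                    # untrusted network

    analyst = Label(Level.TOP_SECRET, frozenset({"SI"}))
    ts_no_sci = Label(Level.TOP_SECRET)          # cleared TS but not read into SI
    sergeant = Label(Level.SECRET)
    malicious_app = Label(Level.UNCLASSIFIED)    # e.g. a BYOD game with a trojan

    def attempt(fn, *args) -> bool:
        try:
            fn(*args)
            return True
        except PermissionError:
            return False

    return {
        "analyst_reads_sigint": attempt(rm.read, analyst, "sigint_cut"),
        "ts_no_sci_reads_sigint": attempt(rm.read, ts_no_sci, "sigint_cut"),
        "sergeant_reads_targets": attempt(rm.read, sergeant, "target_list"),
        "sergeant_reads_sigint": attempt(rm.read, sergeant, "sigint_cut"),
        "app_reads_targets": attempt(rm.read, malicious_app, "target_list"),
        "sergeant_writes_wifi": attempt(rm.write, sergeant, "wifi_socket", "leak"),
        "sergeant_writes_sigint": attempt(rm.write, sergeant, "sigint_cut", "note"),
        "app_writes_targets": attempt(rm.write, malicious_app, "target_list", "x"),
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name:24s} {'allowed' if allowed else 'denied'}")
```

Two things the output makes visible that the paragraph does not: compartments are part of dominance, so a Top Secret subject without the SI compartment is refused the TS//SI object, and strict Bell-LaPadula permits a blind "write up" (the UNCLASSIFIED app may append to the SECRET target list). That second point is why real MLS deployments usually confine writes to objects at the subject's own label and why a cross domain guard, not this rule alone, is what moves data downward.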
Raytheon Trusted Computer Solutions recognizes the scope of benefits, threats, and postures that define the mobile space. Drawing upon a well developed understanding of the cross domain environment and industry leading experience in the delivery of MLS solutions, RTCS is actively researching solutions that address the need for secure mobile access by intelligence, defense, and governmental agencies. Solutions are currently in development for BYOD and trusted platform access to MLS resources that were previously available only within the secure facility.
March 14, 2012 - Two Encouraging Efforts from the UCDMO
Steve Welke, Principal Consultant, RTCS
Recently, I made mention of the various ways the Unified Cross Domain Management Office (UCDMO) is working to streamline cross domain solution (CDS) Certification and Accreditation (C&A). In a nutshell, C&A describes the process of comprehensively evaluating technical and non-technical features of an information system, as approved by a Designated Approving Authority (DAA). The DAA must determine acceptable levels of risk based upon technical, managerial and procedural safeguards.
Undergoing C&A can be a laborious task, taking two years or more for some government agency customers. The good folks at the UCDMO — which currently oversees all cross domain efforts within the Department of Defense (DoD) and Intelligence Community (IC) — continue to seek a better way. Here are two encouraging, ongoing developments:
*Assurance controls. The National Institute of Standards and Technology (NIST) maintains the catalog of information assurance controls for federal systems, Special Publication 800-53, and is revising it. This is worth staying on top of, because the UCDMO is looking to add controls for cross domain products to this publication.
Why is this important? Because NIST typically doesn’t deal with cross domain. A standard set of requirements would provide greater clarity for agencies as they seek to implement cross domain solutions. They’d know, for example, what kind of testing to expect and prepare accordingly. Greater clarity should result in faster deployment.
*A unified testing landscape. Currently, CDSs deployed in a Secret and Below Interoperability (SABI) environment are tested in a completely different manner than CDSs deployed in a Top Secret and Below Interoperability (TSABI) environment. TSABI covers connections that involve networks at the Top Secret and SCI levels; SABI covers connections that top out at the Secret level and reach down to unclassified networks and users with the lowest clearances. Now, however, the UCDMO’s Cross Domain Security Test Group (CSTG) is attempting to come up with a unified test approach. This is a complex task that involves much discussion. Those within SABI environments have required more testing, on the reasoning that the low side of a SABI connection is less trusted and so the exposure is greater; TSABI environments have accepted less testing because the lower side of those connections is still a cleared environment. This development will progress along like any negotiation, and, most likely, the resulting unified testing structure will end up somewhere in the middle.
Both of these developments signify the extent to which UCDMO wants to make the adoption of cross domain solutions easier — not harder — for the government customer. That’s a good thing.
January 19, 2012 - UCDMO Making a Difference for Cross Domain Industry
Steve Welke, Principal Consultant, RTCS
This is an exciting time for Raytheon Trusted Computer Solutions (RTCS). We recently wrapped up our annual users group conference at the Lansdowne Resort in Leesburg, Va. More than 125 people attended the two-day event, which presented literally dozens of sessions that showcased the theme, “Taking Cross Domain to the Enterprise.” Why this theme now? Because our industry is working hard to come up with more technology solutions that meet the security and mission needs of military, government, civilian, and corporate organizations all with the joint goal of facilitating or enhancing robust information sharing across different networks (classified and not) in a real-time, seamless fashion with total security assurance.
One of the Day 1 sessions provided the attendees with an update on the latest developments from the Unified Cross Domain Management Office (UCDMO), especially with respect to what the UCDMO is doing to support the enterprise customer.
First of all, we need to be realistic with expectations. The UCDMO, which oversees all cross domain efforts within the Department of Defense (DoD) and Intelligence Community (IC), can’t address all enterprise-based needs overnight. It’s safe to say that none of us would expect that. But we all appreciate that the UCDMO is highly focused on the community’s needs and is making significant progress, and that it really wants to champion the capabilities that cross domain solutions can bring to the table. With this in mind, here are a few significant steps that the UCDMO is taking:
Expanding product inventory. We all know that there are 20+ solutions on the UCDMO’s cross domain product list. But it is just a baseline. It’s not like the UCDMO designates these two-dozen or so products and then goes away. The UCDMO wants new products to come on board as part of an expanding baseline. So, if a company is starting to develop something, UCDMO officers want to know about it to help move it toward maturity. The upshot: The baseline is only a list. The UCDMO aims to keep adding products and solutions that meet the community’s needs.
International impact. Obviously there’s a global demand for cross domain solutions, and the UCDMO is well aware of this. It’s working with foreign partners to come up with certification, testing and evaluation (CT&E) policies that aim to foster a culture of collaboration between coalition partners. The UCDMO is currently doing a pilot that shares test evidence between countries, and it’s progressing well. That’s good news for prospects of cross domain availability within the international community.
Assurance standardization. As we reported in September, the National Institute of Standards and Technology (NIST) is revising its common set of information assurance controls, Special Publication 800-53. The UCDMO remains well in the loop with the NIST folks, because it’s looking to add guidelines for cross domain products (called “overlays”) to this effort. This is great news, as NIST controls typically don’t deal with cross domain. With the guidelines in place, government agencies would know what to expect with respect to testing and other assurance requirements, and that could potentially reduce time to deployment. We will be tracking these ongoing activities, so stay tuned for updates.
Capabilities portal launch. The UCDMO now features a portal that keeps engineers, developers and other key parties up-to-date on the very latest news about cross domain capabilities. This is a clear, collaborative gateway to increasing the presence of cross domain solutions within the enterprise. Information posted includes recent architectures, approved products, R&D efforts and solutions that can improve your devices.
Offline efforts. The UCDMO keeps a high profile with various boards and councils that serve to elevate the potential for cross domain solutions as risk assessment/mitigation tools. Among other organizations, it works with the Information Security Risk Management Council, the Cross Domain Resolution Board and the Cross Domain Security Test Group. This is where enterprise-level concerns can get needed representation that will make a difference.
The UCDMO is out there highly visible and proactively involved – on multiple fronts. As a leading provider of cross domain products/solutions, it’s our job to stay on top of these and other related developments so we can keep you, our customers, partners, and community, posted with future updates.
November 16, 2011 - Five Valuable Lessons Learned from our Enterprise Deployments
Doug Norton, Senior Manager Professional Services, RTCS
We take much pride in our work with the various agencies and organizations – both domestic and international – especially those sponsoring large-scale enterprise deployments. In many cases we are part of a larger team that includes virtualization, desktop delivery, hardware, and storage experts, such as NetApp storage, VMware server virtualization, Cisco networking capabilities and blades/Trusted Thin Client (TTC) servers from HP. Such a deployment greatly reduces hardware, energy consumption and even log-in/log-out time, all while greatly boosting the security factor. By December, one such enterprise deployment of TTC will be operating in 75 different locations worldwide, with 12,000 employees accessing 15 different networks from a single screen without a keyboard, video, mouse (KVM) switch or use of hot key sequences.
Obviously, it’s a big job. Here are five valuable lessons we’ve learned along the way:
Keep your eyes and ears open. We’re rolling this out throughout the world. There are all kinds of different personalities and geographical/structural logistics involved. To maximize value for the customer, we’re conducting assessments of future users to get a strong read on expectations. We’re establishing a total awareness of how the solution will “look and feel” with respect to the user experience. (The more they know about “what they’re going to get before they get it,” the better they’ll adjust once it’s there.)
We’re also constantly identifying bottlenecks they’ve run into in the past, and coming up with ways to “uncork” the logjams. You discover what “pain points” exist – and really understand those intricacies – before moving forward. Keep your vendors involved as well. Read their white papers and product reports. Allow them to visit on site while the work is getting done to gain their input. The only way they can help you (and the customer) is for them to have a hands-on comprehension of the system.
Steady as you go. For a complex undertaking like this, you don’t want “pedal to the floor” activity periods and then others that are fairly quiet. That’s when you end up needing 30 hands on deck one week and then just three the other. It simply isn’t a good work model for international locations of a large enterprise. So we’re pacing our enterprise deployments with a very even-keeled, consistent workload, to make the best use of everyone’s time, resources and investment.
This takes a fair share of pre-project planning, but it’s worth it. Otherwise, you’re spending an enormous amount of time coordinating on the fly. That could make for a negative customer impression, and may toss a wedge in the Certification and Accreditation (C&A) process. C&A is something we’re thinking about every step of the way. Because if you stumble, the entire effort is tossed for a loop – possibly indefinitely.
With training, timing is everything. The training experience means so much with respect to success. So be careful about when you schedule this. You can’t host these sessions at the last minute, because the sense of immediacy may lead to a bit of user panic. You want to give users a chance to familiarize themselves with the new equipment and system before it’s thrust upon them. On the other hand, if training is conducted six months in advance, they’ll likely forget everything they learned by the time they have to make the transition.
That said, we’re finding that the retention is enhanced if participants are allowed to determine the method. There is no one right way to train 12,000 people at once. So offer up a number of options – in person, online, PowerPoint, simulations, etc. – and you’ll get better results/retention.
Stay flexible. Even with a game plan in hand, keep in mind that circumstances will change. Requirements will shift. Schedules will get revised. Yes, there are cases in which we’ve had to redo major designs of the network or access infrastructures. To stay on top of these shifts, we maintain an active, open dialogue with the customer to understand the true requirements that we must address.
Document your experiences. Our involvement with these large-scale enterprise deployments isn’t just a job. It’s an opportunity to learn how to effectively support a large customer. So we’re capturing our experiences in working documents that neatly summarize, in “lessons learned” fashion, what can be passed on to the next location. Ultimately, our next TTC enterprise customers will reap the greatest rewards here.
September 3, 2011 - Going Green and Reducing Operating Costs by Implementing Cross Domain Solutions
Ed Hammersla, Chief Operating Officer, RTCS
If you’re reading this, then you’re most likely familiar with cross domain solutions and how they enable users with varying security clearances to access multiple networks without risking unauthorized access to data. You’re probably also familiar with having to log in and out of multiple computer systems to perform a single task. But did you also know that cross domain solutions can dramatically reduce your agency’s operating costs?
It’s simple math, really. Before cross domain solutions were introduced, it was quite typical for government employees from the Department of Defense (DoD) or Intelligence Community (IC) to use three, five or even seven computers just to do their jobs. That’s because each computer was tied to a specific network with a specific security classification. Access was restricted to authorized employees only.
Enter cross domain solutions such as our Trusted Thin Client® (TTC). It allows you to reduce the number of computers you use within a given space from seven or five to just one, which means you’ll only need a fifth or one-seventh of the power you normally would use to run and cool the machines. Trust us, the savings are considerable: In the last five years, our cross domain solutions have eliminated the need to purchase more than 50,000 new computers among our customers. We’ve also helped them reduce data center power consumption by 70 percent within that time.
All agencies are being pushed to pursue all manner of budget cutting measures these days, especially with the Energy Independence and Security Act of 2007 mandating that the federal government improve its energy-efficiency performance. In fact, we have deployed cross domain solutions for an Air Force base in Southwest Asia, and the Lieutenant Colonel there tells us that he’s not only saving that 70 percent in energy consumption, he’s also eliminating what was a major noise problem in the process.
That’s right. Before implementing TTC, the computers were so noisy that Air Force personnel had to yell at each other in the command center. Because we eliminated the need for all of these computers via thin clients, the decibel level there now is as quiet as a conference room. There’s no compromise of mission readiness either, as is the case for all of our DoD and IC customers.
Want to consider other cost-savings advantages? With Trusted Thin Client, you don’t have to replace desktops every three to five years to account for outdated technology. That’s because all the infrastructure, data, etc., is virtualized and pushed out from the data center or the cloud. Less hardware replaced, less technology trash filling up landfills.
So let’s tally up the advantages here:
Reduced carbon footprint … check.
Increased operational savings … check.
Elimination of hardware replacement costs … check.
Improved security/disaster recovery preparedness … check.
Sounds like a convincing argument to us.
June 28, 2011 - How the UCDMO is Making our World a Safer Place
Ed Hammersla, Chief Operating Officer, RTCS
The Unified Cross Domain Management Office (UCDMO) currently oversees all cross domain efforts within the Department of Defense (DoD) and Intelligence Community (IC). Why is this so important? Well, let’s go back in time, to a period we unfortunately recall all too well: the months – actually years leading up to 9/11.
Information sharing among federal agencies was a mess. Al-Qaeda terrorists trained and plotted as they pleased in states such as Arizona and Minnesota. FBI agent John P. O’Neill warned of a grave Al-Qaeda threat to the U.S. as early as 2000. He quit in frustration because of a lack of response, later dying in the 9/11 attacks as he worked his new job as director of security at the World Trade Center.
Somehow, intelligence officials issued a dozen reports over seven years indicating that terrorists may use planes as weapons, but the information was never elevated to the point where effective preventative action could be taken. Investigative work and findings from the FBI, CIA and other agencies all amounted to random, disconnected collections of data. Data that should have been consolidated to present the “big picture” to Washington leaders. Taken as a whole, the information that was known revealed a degree of danger that was “blinking red,” as CIA Director George Tenet put it. The 9/11 Commission Report concluded that the 9/11 attacks were a shock, but they should not have come as a surprise. Islamic extremists had given plenty of warnings that they meant to kill Americans indiscriminately and in large numbers.
These revelations amounted to a sobering splash of water on the state of our information sharing capabilities at the time. To address this, the Intelligence Reform and Terrorism Prevention Act of 2004 established the position of Director of National Intelligence, to oversee all intelligence agencies and report directly to the President. At the same time, a group of technologies emerged to greatly enhance the federal government’s ability to share information: cross domain solutions. Agencies now depend upon cross domain solutions and they’re able to do so thanks in large part to the efforts of the folks at the UCDMO. This office is responsible for validating the cross domain products that are made available for use among agencies. Generally, there are anywhere from 15 to 20 products on the list.
For agency IT/procurement supervisors, this office provides a great service. They don’t have to conduct extensive research to figure out which of these solutions are the best fit. There is no need to go DIY here and build the entire process from the ground up. The field is now narrowed down to those 15 to 20 products – a reasonable number to consider while still leaving a good range of options. Because the solutions on the list have undergone community testing, the next agency to deploy the solution in a similar manner can benefit from that test evidence and decrease the time to production.
If the UCDMO didn’t exist, purchasing these solutions would resemble the wild, wild, West out there. Every tech guy in every agency would be trying to figure out which cross domain solution to use. Let’s not forget about the very serious purpose behind the UCDMO’s mission: to help these agencies work together to make better sense of information/data.
We’re already seeing results in countless ways since the UCDMO opened its doors. In fact, it’s hardly a stretch to say that cross domain solutions from the UCDMO Baseline made a valuable contribution to the elimination of Osama bin Laden in May. Multiple Intelligence/DoD agencies collaborated on efforts to produce a large volume of individually generated information that – taken together – gave President Obama and his team enough confidence to give the go-ahead for the operation. That level of information sharing is made possible today through cross domain solutions.
UCDMO may do its job quietly. It doesn’t generate the headlines of an FBI or CIA. But the good people who work under the UCDMO do something that every person who works in military and intelligence can appreciate: They allow agencies to maximize results on the good information they find.
Which means the UCDMO is keeping our nation – and our world – safer. That’s something to be proud of.
April 6, 2011 - Fed Agency Requirements Shouldn’t Stifle Innovation
Ed Hammersla, Chief Operating Officer, RTCS
Do you ever get the feeling that government agencies could be so much more innovative if they could, well, innovate?
Don’t get us wrong. In our many discussions with government customers, we’re constantly impressed with their command of emerging technologies. And they’re eager to deploy them. Only, in many cases, they can’t.
That’s because of a factor that’s outside of their control: federal requirements for procurement.
We understand that requirements are necessary. You can’t give an agency wide-open latitude to make purchase decisions without standards in place. But the whole idea behind innovation is the pursuit of the unknown to solve problems. Requirements, however, force government contract officers to deal only with the “known.” This means that much of the innovation out there – proven advancements that can help agencies better accomplish mission objectives while saving significantly on costs – is automatically discounted.
Raytheon Trusted Computer Solutions (RTCS) knows all about this first hand. Our SimShield product, for example, is a fixed-format, cross-domain solution that supports real-time simulations for warfighter exercises. Previously, participants who took part in the same kind of “real-life” missions couldn’t take part in simulations together. That’s because they all had different security clearances, and there was no way to guarantee that sensitive data wouldn’t be accidentally disclosed to an unauthorized party. So they had to bring in a particular “class” of trainee (all with the same security clearance) and then bring in another class with another security clearance level after that. They’d use different simulation machines too, to avoid unauthorized data disclosure. This presented all kinds of logistical complications – not to mention a huge drain on budgets.
Our solution, SimShield, is helping eliminate this because it allows secure interoperability among different security levels. Participants can now experience simulations together regardless of individual clearances. Not only does this save a lot of money, but it offers a better simulation experience that’s more reflective of a “real-world” combat situation. We’d help the government reduce even more expenses and improve simulations if we didn’t run up against requirements restrictions so often.
If a particular agency’s job requirements state, for example, that the solution must contain multiple machines to serve users with multiple security clearances, then the agency can’t use us. Nevermind that we can demonstrate to that customer that we can eliminate the need for multiple machines entirely, saving that customer a bundle.
Can you believe that? It’s as if we were stuck in time back to more than a century ago, and the government put out a Request for Proposal (RFP) for gas lamps at military installations, and Thomas Edison submitted a bid to deliver light bulbs instead. With the requirements mindset, he’d be rejected because a light bulb isn’t a gas lamp. Nevermind that a light bulb would work better at a lower cost.
In the commercial world, the only requirements amount to “Will it reduce costs?” and “Will it expand profit?” If the government built requirements based more upon perceived need (like “cut warfighter simulation training expenses by 50 percent”) and left the “how” part of the equation relatively open, that would be a good start.
That’s the mindset that must take hold in the federal marketplace. Maybe before RFPs are issued, procurement officers could issue a “Statement of Objective.” This statement would contain no requirements other than specifying the desired outcomes. Then, let tech companies respond with what they already have up and running that would deliver these results. Then issue the RFPs with a sense of what’s out there that would achieve the expected results.
Perhaps such an idea would need refinement to work within a structure as massive and complex as the federal government. But it’s a concept with merit that deserves consideration. The bottom line is that some kind of expanded flexibility would allow agency officials to avoid the more stifling qualities of requirements to focus on what innovations out there can best help them meet objectives – and save millions or more in the process.
February 23, 2011 - Why Cross Domain Solutions are Essential Today
Sherryl Dorch, VP Marketing, RTCS
On the battlefield, an Army sergeant pulls out a mobile device to pinpoint available targets within a 12-mile radius – data delivered by an unmanned aerial vehicle (UAV) that scours rugged terrain high over Afghanistan. The sergeant relays this to a command post 75 miles away, where his captain evaluates which of those targets to pursue. Then, nearly 7,000 miles away, a senior intelligence analyst in Washington, D.C., is monitoring this entire sequence, looking to gain insight about the use of UAVs in surveillance and reconnaissance.
This kind of mission-focused information exchange remains vital to the success of our military efforts overseas. Yet, because the sharing of this information involves multiple levels of command and clearance – as in the hypothetical scenario described above – the process has often presented layers of logistical difficulties. A sergeant in the field can’t simply log onto the same network as the senior intelligence analyst, if his clearance level prohibits it.
In the past, this would present operational hurdles, not to mention considerable expense. Depending upon current tasks and clearance levels, we’ve seen officials such as intelligence officers working three, four or more separate computer devices in cramped spaces. Given this, you’d have to think that there’s a better way.
Fortunately, there is.
Cross domain IT solutions keep these networks separated while letting users obtain and share data within their allowable clearance level from a single device. Users tap into multiple secure networks from one endpoint, with one wire connected to a backend server that maintains network separation. There’s no need for an operative to work on a separate computer for every network needed, because the cross domain solution sorts this out automatically to ensure secure, reliable access.
This technology matters greatly because the potential savings for the government customer are enormous. You get rid of multiple computer devices for a single user, along with all of the day-to-day expenses that go with it: maintenance, power, office space, etc. As a result, the cross domain solution replaces a cumbersome, time-consuming way of conducting business with a fluid, seamless one, helping further the missions of our agency customers.
Raytheon Trusted Computer Solutions has established itself as an industry leader in cross domain solutions, building its entire business around best-in-class products for customers such as the Defense Intelligence Agency (DIA), Air Force and other high-profile customers. Our solutions are recognized by the Unified Cross Domain Management Office (UCDMO), a DoD/Intelligence Community effort to establish best practices in cross domain capabilities.
In future articles, we’ll explore how cross domain solutions are supporting the needs of military customers as well as those organizations that function outside of the military/intelligence space, and even the commercial sector. We’ll also reveal how much impact these solutions can contribute to an organization’s “green” efforts, reducing carbon footprint and dramatically cutting operational costs.
The High Speed Guard (HSG) cross domain information sharing solution is NOT approved for export beyond the Five-Eyes partners.
The Small Format Guard™(SFG) cross domain information sharing solution is NOT approved for export beyond the United States (US).