Open Source Software Institute

Tuesday, 09 February 2010
Host University

University of Southern Mississippi
Hattiesburg, MS
OSSI was established to serve as a forum for the exchange of information and promotion of ideals embodied in open-source software.
HOST Program Overview: Yr 1 (2009 - 2010)



The Homeland Open Security Technology (HOST) Program

The Department of Homeland Security, Science and Technology Directorate (DHS S&T), and the University of Southern Mississippi (USM) have partnered to undertake the Homeland Open Security Technology (HOST) project to facilitate the adoption of Open Technology Solutions (OTS).

The goal of HOST is to solve the major adoption challenges for Open Technology Solutions within Government IT environments.


To achieve this goal and meet the objectives, the HOST project will undertake five specific tasks.

These five (5) specific tasks are:

  1) Establish a government-member Advisory Council;
  2) Establish an OTS resource and information portal;
  3) Facilitate development and adoption of resource information and standardized documentation formats for Open Technology Solutions important to national technology systems;
  4) Establish an Information Assurance/Security and Vetting [IA/SV] Program for OTS; and,
  5) Conduct NSS/OTS Development Community relations.

The University of Southern Mississippi (USM) has worked in partnership with, and as a sponsor of, the Open Source Software Institute (OSSI) over the past seven years. OSSI, in partnership with USM, has established a reputation within government, industry and software development communities as a trusted agent and a dedicated and determined advocate for open source technologies. OSSI is a recognized provider of program management, governance and acquisition policy information and a source of subject matter expertise regarding open source software adoption within the United States Government.


The HOST Program


OSSI's mission is to promote the development and implementation of open source software solutions within U.S. Federal, state and municipal government agencies. Many of OSSI's programs represent cutting edge technologies or changes in “status quo” development and business models. Within the Federal government, OSSI has successfully performed two Cooperative Research and Development Agreements (CRADAs) with the U.S. Department of the Navy concerning technical and business case analysis of open source software usage within active Navy IT systems and served as an advisor to the Department of the Navy's Office of Chief Information Officer (DONCIO) in their crafting of the Navy's official Open Source Software User Guidance. OSSI was also tasked by the Defense Medical Logistics Standard Support (DMLSS) to coordinate and manage the securing of the Federal Information Processing Standard (FIPS) 140-2 validation for the OpenSSL cryptographic module. To date, OSSI has been awarded four FIPS 140-2 validations for the OpenSSL Crypto Library.

OSSI also served as a member of the program development team for the U.S. Department of Defense-sponsored Open Technology Development Roadmap study and will launch a new CRADA with the DoD's Defense Information Systems Agency (DISA) in 2009 focusing on the transition and maintenance of government-developed software code from public domain to an open source software version for broad area adoption within Government systems.
Addressing Government Cyber Security Goals
The HOST program will support the Government's ability to use Open Source Software (OSS) as part of their information technology portfolio in support of computer network defense systems and Information Assurance (IA) capabilities to protect and defend IT systems. The HOST project will identify and address Information Assurance and Security Vetting (IA/SV) requirements for OTS applications designated as important to National Security Systems in support of identified needs of both military and civilian government IT systems. HOST will develop an information assurance vulnerability management plan for OTS systems that can be managed through the HOST program.
Demonstrated Value of Open Technology Systems
In recent years, the Open Source Technology model has gained considerable momentum in the commercial market, as well as throughout Government IT systems. Early Government adopters tended to shy away from the terms “Open Source” and “Free Software.” In 2006, a modified term “Open Technology Development” or “Open Technology Solutions” (OTS) was adopted within Government circles to describe collectively “Open Source Software,” “Open Architecture,” and “Open Standards.” While there is considerable difference between each term, OTS is used to describe IT solutions using code information sharing, manipulation and distribution without most restrictions of ownership or copyright.

The OTS model provides economic benefits to government users in several ways, among them:

  • It encourages competition for the development, service and support of OTS applications.
  • It discourages “vendor lock-in”.
  • It increases technical efficiency and security by permitting access and code review by large communities of users and developers alike.

These points have been detailed by U.S. Department of Defense, Advanced Systems and Concepts in an April 2006 study, The Open Technology Development Roadmap.

The United States Government relies on a broad array of digital IT systems to meet a range of critical needs including national security, governance, financial operations, health care, as well as other core services for its citizenry. However, the benefits of these digital IT systems come at a high cost. Within its realm of influence, the Federal Government constantly juggles the inherent risks associated with developing and maintaining complex IT systems.

The core risks include:

  • Economic/Budget Limitations – from continual escalation of budget demands due to program development, system obsolescence and upgrade, maintenance and program failure and loss
  • Technical Complexity – decreased efficiency due to lack of interoperability, common standards or system compatibility
  • Security – due to inherent complexity of systems, poor development practices, lack of IA coordination and compliance, and malicious attack

The economic burden of maintaining and securing our National IT system is daunting. According to reports, the US Federal Government is expected to spend approximately $100 billion on IT goods and services by 2012, despite economic conditions.

In addition, the cost of software program failures is staggering. A recent example of an expensive Government system development failure is the FBI's ill-fated Virtual Case File (VCF) project. The VCF was supposed to automate the FBI's paper-based work environment, allow agents and intelligence analysts to share vital investigative information, and replace the obsolete Automated Case Support (ACS) system. Ultimately, the VCF contractor delivered 700,000 lines of code so bug-ridden and functionally off target that the bureau had to scrap the US $170 million project, including $105 million worth of unusable code.

The U.S. Department of Justice's Inspector General described eight factors that contributed to the VCF's failure. Among them: poorly defined and slowly evolving design requirements; overly ambitious schedules; and, the lack of a plan to guide hardware purchases, network deployments, and software development for the bureau.

US Government IT systems are always high-value targets for foreign adversaries as well as criminal elements. Security for Government IT systems is paramount. The Government deploys a wide range of strategies to fend off attacks. DHS maintains the National Vulnerability Database (NVD) in order to monitor and assist in vulnerability management, security measurement, and compliance.

Attacks on US systems can compromise national security and affect millions of Government and civilian computer users. There is no single answer or one way to magically address all the technical and economic challenges facing the US Government IT systems. However, there are new tools and development methodologies which can be adopted as part of the US' overall IT strategy. The model proposed through the Homeland Open Security Technology (HOST) program incorporates an “Open Technology” development model which relies on the sharing of software code information, development architecture and use of common, open standards in a broad community of collaborative developers. Open Technology use within Government IT systems has been demonstrated to increase technical efficiency, reduce total cost of ownership and increase security by allowing wide review of code for design flaws and malicious bugs.

There has been a growing momentum for adoption of Open Technology Solutions (OTS) within Government agencies. Some of the major obstacles to more widespread Government adoption of OTS include the lack of an acknowledged governance structure; qualified and trusted information and documentation; reliable resource availability; standardized information assurance and security vetting processes; and open communication and interaction with the many independent Open Technology development and support communities.

The HOST program is designed to address each of these challenges and thereby facilitate the broad adoption of Open Technology Solutions for the technical and economic benefit of US Government IT systems.
HOST Program Technical Scope and Goals
A critical Department of Defense (DoD) goal is achieving an interoperable net-centric environment to improve the warfighter's effectiveness through seamless access to critical information. A key piece in supporting this DoD goal is the ability to use Open Source Software (OSS) as part of the DON's information technology portfolio. On June 5th, 2007 the Department of the Navy Chief Information Officer (DON CIO) signed a DON OSS Guidance Memorandum. This memo provides guidance for all Navy and Marine Corps commands regarding the use of open source software.

The goal of the Homeland Open Security Technology (HOST) project is to facilitate the adoption of Open Technology Solutions (OTS) and by doing so realize technical, security and economic benefits from Open Technology development and implementation for the Navy and all U.S. Government IT systems through the definition and development of a HOST Program.

To achieve this goal, the HOST project will address issues of:
  • IT governance;
  • Policy;
  • Information Assurance (IA) evaluation and security;
  • Collaborative development and availability of OTS resources.

Critical Issues, Proposed Work and Technical Approach

Critical issues to be faced under this project and affecting the widespread Government adoption of OTS are the lack of:

  • an acknowledged governance structure
  • qualified and trusted information and documentation
  • reliable resource availability
  • standardized information assurance and security vetting processes, and
  • open communication and interaction with the many independent Open Technology development and support communities.



The HOST Approach



The technical approach and proposed work under this project includes undertaking five (5) independent and complementary tasks that support the definition and development of a HOST Program addressing these aforementioned issues. The carrying out of these tasks will facilitate additional open development and support resources for next generation Open Intrusion Detection System (IDS), Open Intrusion Prevention System (IPS) and Open Technology Solutions (OTS) and OTS software analysis tools supporting the Navy and other Military and Civilian Government IT needs. The HOST Program when established will facilitate the adoption of OTS and help realize technical, security and economic benefits from Open Technology development and implementation for all U.S. Government IT systems.


The HOST project’s 5 independent and complementary tasks are:

  • Task 1: Establish an OTS Governance Board made up of Government Members;
  • Task 2: Create and support an OTS Resource and Information Portal (GovernmentForge.org/gov/mil);
  • Task 3: Create a suite of Reports, Guidance and Reference Documentation for government usage of OTS;
  • Task 4: Implement an Information Assurance and Vetting Program for government OTS;
  • Task 5: Facilitate and manage community relations with OTS development communities as directed by the OTS Governance Board

Execution of these independent and complementary tasks will logically expand with rational program growth to be carried out under the HOST Program.

This technical approach and related proposed work is based on the fact that the US Government relies on a broad array of digital Information Technology (IT) systems to meet a range of critical needs including national security, governance, financial operations, health care, and other core services for its citizenry. We are indeed a digital society.

According to Moore's Law, computational capacity doubles every 18 months. This exponential growth creates a continual opportunity for hardware upgrades and software updates on a daily basis. However, the same growth exacerbates security vulnerabilities, can exaggerate hardware and software incompatibilities, and taxes even the most resolute budgetary discipline as demands on rigid existing IT systems continue to mount.

Since the late-1970s, the standard software business model has been based on a proprietary development and distribution model where the developer retains restrictive rights to the application and its code through copyright. The Government retains broad “government use rights” through Federal Acquisition Regulation (FAR)7 and Defense Federal Acquisition Regulation System (DFARS)8 as well as through laws such as the Bayh-Dole Act9, for Federally-funded IT systems and research and development projects. Even so, proprietary solutions do not generally provide the Government with realistic, cost-effective alternatives if the systems fail to perform or the primary vendor ceases to support the solution. Nor can the US Government always assert ownership of remnant code.

Over the past 15 years a paradigm shift away from a strictly proprietary software model has occurred within the IT marketplace. The new model centers on the concept of shared ownership and sharing with regards to software development, code, architecture, and standards. The basis of the new model is primarily Free (as in “freedom”) and Open Source Software.
HOST Program: Scope of Work
Background: While there has been a growing momentum in the adoption of OTS within Government agencies, as previously noted some of the major obstacles to more widespread Government adoption of OTS, as well as critical issues facing this project, are the lack of:

  • an acknowledged governance structure
  • qualified and trusted information and documentation
  • reliable resource availability
  • standardized information assurance and security vetting processes, and
  • open communication and interaction with the many independent Open Technology development and support communities.


The HOST project will address these challenges in order to help facilitate the broad adoption of Open Technology Solutions for the technical and economic benefit of US Government IT systems under the HOST program.

It is the intention of the HOST project that any and/or all original software developed, information gathered, reports prepared, sites developed and relationships established will be licensed or otherwise protected under an accepted “Open Source” or “Creative Commons” license for the widest possible dissemination and use by public and private sources.

This effort is for the study, programming and planning efforts that will establish the initial feasibility and practicality of proposed IDS/IPS and OTS solutions to the technological challenges which serve as roadblocks to the continued and expanded adoption of OTS. To address these issues, the HOST project will build upon the foundational successes of prior research and related efforts (described below), to develop substantive templates and organizational structures to allow continued growth of the OTS adoption process, a process important to all agencies and branches of government, our national security, and commercial industry.

The United States Government, both military and civilian, and commercial industry currently use a wide variety of “Open Source Software” that falls under the definition of “Open Technology Solutions” [OTS], including operating systems, encryption, web browsers, server and network management. In Government, the rapid growth of OTS use rests upon its demonstrated benefits of increased efficiency, enhanced security, reduced total costs of ownership (TCO), and higher return on investment (ROI) for Government IT systems. The primary challenge to even broader adoption and implementation of OTS has been the lack of an organized and universal set of acquisition, implementation, and governance policies, as well as a standardized methodology regarding documentation and Information Assurance (IA) guidance. While there have been numerous independent efforts in various Government agencies to address these matters, the challenge remains to create and facilitate cross-agency cooperation to standardize the adoption of policies and guidelines.

Some early foundational Government research, policy and adoption efforts are listed below. They represent a basic foundation for the larger efforts to come.

U.S. Naval Meteorology and Oceanography Command – October 2001-04 – Open Source Software Cooperative Research and Development Agreement (CRADA) between Naval Oceanographic Office and Open Source Software Institute to identify adoption and usage of open source software within deployed NAVOCEANO systems.


MITRE Report – January 2, 2003 – Use of Free and Open-Source Software (FOSS) in the U.S. Department of Defense – a survey conducted by MITRE Corporation regarding the adoption and use of Free and Open Source Software within DoD systems. This report documents the results of a short email-mediated study by The MITRE Corporation on the use of free and open-source software (FOSS) in the U.S. Department of Defense (DoD). The report identified the usage of 115 FOSS applications and 254 examples of their usage within DoD systems. http://terrybollinger.com/dodfoss/dodfoss_html/index.html


DoD/CIO Stenbit Memo – May 28, 2003 – Open Source Software in the Department of Defense – DoD CIO John Stenbit issued a memorandum that reiterates (current) policy and provides additional guidance on the acquisition, use and development of OSS within DoD. iase.disa.mil/policy-guidance/oss-in-dodmemo.pdf


DoD Advanced Systems and Concepts Open Technology Development Roadmap – June 7, 2006 – DoD guidance roadmap issued by Deputy Under Secretary of Defense, Advanced Systems & Concepts detailing benefits of adopting “Open Technology” methods within DoD and support vendor communities. http://www.acq.osd.mil/jctd/articles/OTDRoadmapFinal.pdf


Department of the Navy, Office of Chief Information Officer (DONCIO) Open Source Guidance Document – June 5, 2007 – According to DONCIO, “this memorandum provides guidance for all Navy and Marine Corps commands regarding the use of Open Source Software (OSS). The objective of the Department of Defense (DoD) goal of achieving an interoperable net-centric environment is to improve the warfighter’s effectiveness through seamless access to critical information. A key piece in supporting the DoD goal is the ability to utilize OSS as part of the Department of the Navy’s (DON) Information Technology (IT) portfolio.” http://www.doncio.navy.mil/Download.aspx?AttachID=261


DoD Assistant Secretary of Defense for Networks and Information Integration Open Source Guidance Document – (Pending – Expected Jan/Feb 2009) - final release efforts are underway by DoD's CIO (NII) on an Open Source Guidance document similar to that of the Department of the Navy.


HOST gathers expertise that has played key roles in the foundational efforts listed above. In addition to these policy efforts undertaken within the U.S. Department of Defense, numerous acquisition and security policies and mandates will be addressed with regard to collective guidance for internal Government adoption, as well as service and support from the vendor communities.

 
Copyright 2004, Open Source Software Institute.