[Oscmis] FYI - DISA makes 50 apps available - DISA and OSSI -CMIS (UNCLASSIFIED)

Nelson, Richard C CIV DISA MPS Richard.Nelson at disa.mil
Fri Oct 23 13:22:49 CDT 2009


Classification:  UNCLASSIFIED 
Caveats: NONE


All,

I'm the DISA program manager for OSCMIS.  

What we're doing here is making available something we already use all
across DISA worldwide--a fully PKI enabled (CAC only access) suite of
Web based Federal workforce automation and administration tools and
automated workflow capabilities.  Although it's built to run together,
it is possible to separate out component pieces and use them standalone
or in more limited sets if that's what the end user wants.  This suite
is fully accredited in our environment with another three year
Authorization to Operate in August 2009.  Of course, since it's a
copyrighted open source product, it can also be modified at will by
users to remove or modify that capability.  We do recommend to one and
all NOT to use login/password of any length as those are inherently
unsafe.  We know.  Without hacker training or tools or familiarity with
the applications, OS, or products themselves, my developers cracked
major products' 16 character login and password encryption on a product
given to us to rebuild and incorporate into OSCMIS.  It took them an
average of 10 minutes for each product.  

We use the Open Software License v.3 specifically because unlike the GPL
type licenses, the OSL allows creation or extension of proprietary
products to interoperate with OSCMIS--yet remain proprietary.  We are
very much industry friendly, and want them to create new products that
are compatible with OSCMIS that we ourselves and others might use as
well as others, and we have NO problem with their making money on their
own work!  We also want them to learn the Federal processes used in
OSCMIS to build better products of their own that are inherently more
useful to the Federal government.

I've included some public handout information about what we're providing
in the attachments.  It's also on the codebase disc.

Navy is already licensed for OSCMIS, so other Navy commands can obtain
copies of the codebase simply by asking for it.

Regards,

Dick Nelson
Chief, Personnel Systems Support Branch (MP42)
Manpower, Personnel & Security Directorate
Defense Information Systems Agency
701 S. Courthouse Rd.
ATTN:  MP42
richard.nelson at disa.mil
Voice: 703.607.4464
Cell: 410.353.2316
Fax: 703.607.4511

A society grows great when old men plant trees in whose shade they know
they shall never sit.
                               Greek Proverb

-----Original Message-----
From: oscmis-bounces at oss-institute.org
[mailto:oscmis-bounces at oss-institute.org] On Behalf Of Davis, Michael H
CIV SPAWAR, 5.0.2 / CSE
Sent: Thursday, October 22, 2009 10:48 AM
To: Strini, Bob A CTR USAF ACC ACC/A8CI; Zimmerman, Lee CIV
SPAWARSYSCEN-PACIFIC, 53030; Cereola, Joseph CAPT SPAWAR, 5.0;
OSCMIS at oss-institute.org
Cc: Christensen, Peter H.; Schaefer,Lorrayne J.; Howell,Terry D CIV PEO
C4I; Liebermann, Roxanne J GOVT CIV DISA PEO-GES; Hendricks, James D
CAPT SPAWAR,51720; Stewart, Mike M CIV SPAWAR,51300; Purdy, Brian E CIV
DISA PEO-GES; Turner,Steven S CIV SPAWARSYSCEN-PACIFIC,55650; Morrow,
Tim; Johns, Kenneth CIV SPAWARSYSCEN-ATLANTIC,582J0
Subject: Re: [Oscmis] FYI - DISA makes 50 apps available - DISA and OSSI
-CMIS

It's really about DISA's CMIS and now partnership with OSSI to make it
"open" for all. (see enclosed links)

I think it's a great idea and much needed in the government, yet I
wonder about the "built in IA / security" and C&A products that come
with that (and also support DOD reciprocity therein)... No small
factor...   As a complete offering would have these elements as part of
their "PPL"   The DISA folks I copied will know more than I.  

Whether "their methodology is worth entering into a major C2 weapon
system."  is an interesting question, as it seems they took an overall
"applications" approach, versus whole system like NECC, which has
significant development hurdles as we all know...  How all that operates
in an "open"  SOA/Service environment (and common infrastructure or
CCE), is unclear to me (as is their C&A process), but it seems no one
has got that to work yet...  And as we know, clearly not the level of IA
/ security needed...  As we continue to propose that NO ONE gets the
enterprise access control right to make all this work...
Automatically... And cross domain / COI... As your USAF ACC efforts also
show...  (of course we suggest that "ZBAC" can help make that aspect
more tractable and more effective too, though we all have many systemic
IA&A elements to still work to get "cyber IFF" to work... Whether that
is ABAC to ZBAC)


DISA's internally developed Corporate Management Information System,
CMIS is a Web-based federal workforce management and administrative
software suite with nearly 50 applications and tools to manage human
resource, training, security, acquisition and related functions ... 
The objective of the Cooperative Research and Development Agreement
(CRADA) between the Defense Information Systems Agency (DISA) and the
Open Source Software Institute (OSSI), is to perform the COOPERATIVE
WORK described in the SOW in partnership with academia, the private
sector and other organizations to: (1) research enhanced capabilities
and functionality (i.e. security and other unique features) for DISA
SOFTWARE; and (2) create DERIVATIVE WORKS such as
GOVERNMENT-Off-the-Shelf and commercial products that may be integrated
with DISA SOFTWARE for use by the DOD, the GOVERNMENT, state and local
governments, and the public. 

OSSI is tasked with making available copies of the Open Source Corporate
Management Information System (OSCMIS) under the Open Software License
version 3.0.   To get a copy of their license go to
http://www.oss-institute.org/index.php?option=com_content&task=view&id=332&Itemid=210
And / or engage OSCMIS at oss-institute.org


-----Original Message-----
From: Strini, Bob A CTR USAF ACC ACC/A8CI
[mailto:Bob.Strini.ctr at langley.af.mil] 
Sent: Thursday, October 22, 2009 6:22
To: Davis, Michael H CIV SPAWAR, 5.0.2 / CSE
Cc: Vandemeulebroecke, Peter CIV SPAWARSYSCEN-ATLANTIC, 60000;
Hendricks, James D CAPT SPAWAR, 51720; Stewart, Mike M CIV SPAWAR,
51300; Howell, Terry D CIV PEO C4I; Zimmerman, Lee CIV
SPAWARSYSCEN-PACIFIC, 53030; Cereola, Joseph CAPT SPAWAR, 5.0
Subject: RE: FYI - DISA makes 50 apps available for others to use and
improve

Mike,

I just went to the link provided and Gov't Comp News (GCN) talks about
what was done but no links to actually contact DISA were provided. The
list of apps developed is not readily available. Does anyone on this
email trail (DISA?) have a link or POC that can support the sharing of
the apps?

Appreciate any help to determine if what they developed and their
methodology is worth entering into a major C2 weapon system.

R,

Bob Strini
GCIC/JI
ACC/A8CI

http://www.disa.mil/news/pressreleases/2009/ossi_031709.html

DISA AND OSSI LAUNCH FORMAL COLLABORATION OF FEDERAL IT SYSTEM


ARLINGTON, Va - The Defense Information Systems Agency announced the
establishment of a Cooperative Research and Development Agreement
(CRADA) with Open Source Software Institute (OSSI) today. The agreement
will pave the way for collaboration and partnerships between the federal
government, non-profit organizations, academia, and industry to research
and develop cutting-edge software for users in DoD, governments at all
levels, and the public. 

The CRADA focuses on release of an open source version of DISA's
internally developed Corporate Management Information System. CMIS is a
Web-based federal workforce management and administrative software suite
with nearly 50 applications and tools to manage human resource,
training, security, acquisition and related functions for more than
16,000 DISA users worldwide.

"CMIS is a core product within the DISA's IT
systems," said Jack Penkoske, Director of Manpower, Personnel and
Security. "We have a lot invested in CMIS and many other government
agencies want to adopt it. Why not let them, using the CRADA and an open
source model? And why not also open it to industry, academia, and the
Open Source community? This approach not only lets them use CMIS but
also lets us leverage their good ideas and modifications to improve
DISA's system, and we believe this will be a win-win for all involved."

The announcement was made during a presentation at the National Security
Agency and DISA Technology Transfer Showcase hosted at the Johns Hopkins
University's Applied Physics Laboratory in Laurel, Md. The event
featured executives from both agencies who provided insights into their
latest technologies made available for licensing through Technology
Transfer programs.

"We did not want to re-invent the wheel," said Richard Nelson, DISA's
Chief of Personnel Systems Support Branch at the Manpower, Personnel and
Security Directorate. "We knew we had a solid product with CMIS, and we
use it every day. After we decided the best way to create enhancements
and modifications was through a collaborative partnership involving the
non-profit sector, academia and industry, we looked for a partner who
had experience with government, specifically DoD, as well as commercial
and open source community connections. OSSI has provided technical and
open source licensing expertise as well as insights in adoption and
distribution strategies. And in using the CRADA vehicle, we can
collaboratively pursue the three foci of research, development, and
training to support this project."

"Creating an Open Source CMIS is important in several ways," said John
Weathersby, Executive Director of the Open Source Software Institute.
"First, software developed by Government employees falls under "public
domain." By distributing the program under an open source license, the
Government retains access to the system without having to worry that
they'll have to repay for the development of something that was
originally created with public funds."

"Secondly, since CMIS is now released under an open source license,
commercial, academic and non-profit entities can adopt and support the
system, as long as they adhere to the license agreement. There are two
license variants available from OSSI: the Open Source License v.3 and
the Academic Free License v.3," he said.

"And finally, this demonstrates that the Government is looking forward
to find ways of using open source as a valuable tool within their IT
enterprise," Weathersby said. "We applaud DISA's foresight and believe
it will enhance the viability of the CMIS program. It is a wise use of
both technical and economic resources. We look forward to working with
DISA and other government agencies who are joining this effort and will
provide a schedule for updates and support services in the coming days."



-----Original Message-----
From: Davis, Michael H CIV SPAWAR, 5.0.2 / CSE
[mailto:Michael.H.Davis at navy.mil]
Sent: Tuesday, October 20, 2009 12:45 PM
To: Cereola, Joseph CAPT SPAWAR, 5.0; Zimmerman, Lee CIV
SPAWARSYSCEN-PACIFIC, 53030
Cc: Vandemeulebroecke, Peter CIV SPAWARSYSCEN-ATLANTIC, 60000;
Hendricks, James D CAPT SPAWAR, 51720; Stewart, Mike M CIV SPAWAR,
51300; Howell, Terry D CIV PEO C4I
Subject: FYI - DISA makes 50 apps available for others to use and
improve

So, seems the time has come for "government-sponsored open-source
software"

BUT will the major SW vendors play well there?  Even as those 50 apps
are "COTS" based...

Seems SOA should also be done this way...  (where "Services / Agencies"
provide their best core / global services to the common DoD pool...)
(yet we sort of tried that with "DII COE" and....)(still, the commercial
world already does that well - rather like all those apps/services for
the iPod...;-))

Still, I bet they did not integrate in "adequate security" yet... As NO
ONE really has.... (re: distributed transitive trust, security service
chaining,
etc...) ;-((
YET if they come with a C&A package TOO, a pedigree of sorts (aka, a PPL
package) that can be actually used wrt DOD reciprocity, THAT will be
impressive....;-))


DISA makes 50 applications available for others to use and improve By
Joab Jackson Oct 12, 2009 

The Defense Information Systems Agency is taking a new approach that
could promote the reuse of its applications at other agencies by making
its internal software open source. 
http://www.1105newsletters.com/t.do?id=3555994:194304


Web link's article verbiage is enclosed below for easier skimming.....

For seemingly as long as the Defense Department has deployed software,
its leaders have pursued an elusive goal: software reuse. After a
military service spent the money to develop a piece of software or
commissioned a contractor to build an application, information
technology chiefs have sought to find a way for other branches of the
military to reuse that code.
Software reuse could save money and increase uniformity of operations. 

Now, the Defense Information Systems Agency has latched onto a new
approach that could help achieve that goal by making its own internal
software open source.

Earlier this year, DISA released as open source a suite of more than 50
different applications, collectively named the Open Source Corporate
Management Information System (OSCMIS). 
http://gcn.com/articles/2009/08/18/disa-open-source-application.aspx
The idea is that other government agencies and commercial firms could reuse
the software for their own purposes. And if a few of the users are savvy
enough to make a few changes that improve the underlying code and then
share those improvements with DISA, everyone involved would reap the
benefits of the open-source model.

The team at DISA's personnel systems support branch have written about
50 open-source applications that could not be obtained commercially.

The idea was the brainchild of Richard Nelson, chief of DISA's personnel
systems support branch at the Manpower, Personnel and Security
Directorate.
Nelson has a team of seven hot-shot developers who developed the
applications in the OSCMIS package. Like the rest of the military, DISA
relies mostly on commercial software. However, for at least some office
tasks, the agency could not find an affordable or appropriate commercial
offering. Commercial products were either too expensive or did not fit
the government's workflows and requirements. In some cases, software
that could handle the task did not exist. 

The OSCMIS package is a collection of programs written by Nelson's staff
that fill those gaps. The developers started creating the applications
in 2006, and most applications use Microsoft SQL Server for a database
and Adobe ColdFusion for the Web-based user interfaces. They are
production use programs - already used on a regular basis by more than
16,000 military personnel worldwide. The 50 programs handle duties such
as human resources management, training, security, acquisition and
related functions.
Twenty-three were developed in the last half of 2008, including more
than a few that were complex in scope.

"The merits of the team's approach are apparent in the speed, ease of
use, and accuracy of the delivered solutions," said Barry Leffew, vice
president of Adobe's public-sector division.

Although the suite of applications is a success story, Nelson took an
uncharacteristically brave step for a program manager: He opened his
code for outside inspection and use. He consulted with DISA's legal
team, and in March, the agency signed a cooperative research and
development agreement with the Open Source Software Institute (OSSI), a
nonprofit organization that promotes the open-source model to
government, to help release the source code of the programs for other
organizations to inspect and possibly reuse. Because DISA, as a
government agency, cannot copyright its programs, OSSI holds the
copyright and offers OSCMIS under Version 3 of the Open-source License.

By making the code open source, DISA "hopes to get access to more
developers in the common community," Nelson said. The programs are fully
functional, but there are always more features that could be added and
technical issues to be resolved.

"My people are extremely fast, though we have to keep tweaking stuff,
too, as regulations and procedures change," Nelson said. "So there is no
way they'll be able to finish out the whole suite itself." By placing
OSCMIS in the open-source community, others might enhance the software
as a byproduct of inserting it into their own systems.

"DISA was able to recognize and leverage the open-source economic
model,"
said John Weathersby, president of OSSI. By now, most industry observers
note that the open-source model of collaborative development is one that
can pay off by sharing the development among everyone who uses the
product. In government procurement practices though, the open-source
model is still largely a novel one. 

Last month, Nelson and OSSI held a demonstration of the software's
capabilities in Washington, showing a packed room how some of the
programs worked. Many officials, from agencies such as the General
Services Administration and Air Force, showed an interest in the
applications, although just as many people in the audience had questions
about the process of releasing government software as open source, which
Nelson and his team are documenting.

The questions Nelson received were broad and varied. Can it still be
called open-source if it relies on proprietary products from Microsoft
and Adobe?
Nelson replied that open-source databases could be used in place of SQL
Server, though the stored procedures would need to be rewritten. Someone
else asked if the code would be posted online. Not yet, replied Nelson,
adding that the OSCMIS distribution could be obtained on a DVD from DISA
if requested by a government agency and through OSSI if requested by a
nongovernment organization.

After demonstrating the software, Nelson's office has had requests every
day from other government agencies for the package. Although it's too
early to tell if the idea of government-sponsored open-source software
will take off, much less pay off, Nelson and DISA have done much to
generate interest in the possibility.

"It takes leadership within an organization to recognize the opportunity
of open source and to have the fortitude to go for it," Weathersby said
of DISA. "They're working outside the box."

-------------- next part --------------
A non-text attachment was scrubbed...
Name: Basic Corporate Management Information System.pdf
Type: application/octet-stream
Size: 52732 bytes
Desc: Basic Corporate Management Information System.pdf
URL: <http://oss-institute.org/pipermail/oscmis_oss-institute.org/attachments/20091023/df2c87ed/attachment-0004.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: Requirements to Field an OSCMIS.pdf
Type: application/octet-stream
Size: 41528 bytes
Desc: Requirements to Field an OSCMIS.pdf
URL: <http://oss-institute.org/pipermail/oscmis_oss-institute.org/attachments/20091023/df2c87ed/attachment-0005.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: Business Opportunities for Industry and Others.pdf
Type: application/octet-stream
Size: 44530 bytes
Desc: Business Opportunities for Industry and Others.pdf
URL: <http://oss-institute.org/pipermail/oscmis_oss-institute.org/attachments/20091023/df2c87ed/attachment-0006.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OSCMIS Sitemap.pdf
Type: application/octet-stream
Size: 110544 bytes
Desc: OSCMIS Sitemap.pdf
URL: <http://oss-institute.org/pipermail/oscmis_oss-institute.org/attachments/20091023/df2c87ed/attachment-0007.obj>

