Building Multilevel Secure Web Services-Based Components for the Global Information Grid

Dylan McNamee, Galois Connections, Inc.
CDR Scott Heller, Program Executive Office C4I and Space
Dave Huff, Fleet Numerical Meteorology and Oceanography Center
Session: Thursday, 4 May 2006, Track 3, 9:55 – 10:40 a.m., Ballroom C

A consensus is growing that the Department of Defense’s vision of a future Global Information Grid will be built using architecture that takes advantage of Web services and uses standard Internet protocols, interchangeable components, and commercially available hardware and software wherever possible. This article describes the features and architecture of two systems: the Trusted Services Engine and the Multilevel Document Collaboration Server, including their use of a separation kernel with multiple independent levels of security, the design and assurance architecture of the cross-domain block-access controller, and the composition architecture that extends the inter-level isolation property from the block access controller outward through complex services.
CrossTalk: The Journal of Defense Software Engineering, May 2006
Transforming: Business, Security, Warfighting

The Global Information Grid (GIG) is the overall architecture intended to replace current stovepipe information systems. A consensus is growing that the Department of Defense’s vision of this future GIG will use an architecture that takes advantage of Web services and uses standard Internet protocols, interchangeable components, and commercially available hardware and software wherever possible. By adopting modern standards-based protocols, the GIG will enhance current capability by enabling people and components to work together dynamically with integrated data.

Protocols such as Hypertext Transfer Protocol, eXtensible Markup Language (XML), Web-based Distributed Authoring and Versioning (WebDAV), Really Simple Syndication, and Lightweight Directory Access Protocol allow the GIG to be made of off-the-shelf components where appropriate. Where custom components are required, pervasive use of these protocols preserves the component-based architecture of the GIG, thus protecting the architecture from developing into a stovepipe system.

Many of these components and protocols are mature and well understood, but they were not designed with security as the paramount consideration. Securing the GIG is therefore a significant challenge. Particularly critical is securing its cross-domain services. For these, the GIG itself must somehow enforce separate levels of security.

Today, physical isolation enforces separation, though other technologies such as cryptography may someday be used. Such separation allows the use of commercial components as single-level components not responsible for cross-domain security concerns. However, for the GIG to realize its potential, some components must enable secure cross-domain data access. Clearly such components, while they must conform to commercial protocols, must be developed to higher than commercial standards.

This article, which describes such a component, has three main parts:
1. We describe the security and assurance attributes required of a cross-domain component of the GIG.
2. We describe the architecture and technologies we are using to achieve these attributes in the Trusted Services Engine (TSE), a network-enabled file store with integrated read-down across security domains.
3. We conclude by describing a system built on the TSE, the Multilevel Document Collaboration Server, to enable cross-domain collaboration within documents – an example of using simple cross-domain components to build more complex cross-domain systems using only standard protocols and APIs.

This article describes the features and architecture of both systems:
• The design and assurance architecture of the cross-domain block access controller (BAC).
• The use of a Multiple Independent Levels of Security (MILS) separation kernel.
• The composition architecture that extends the cross-domain isolation property from the MILS separation kernel to the BAC and outward through complex services.
This article is focused toward a technical audience familiar with Web services.

Assurance Requirements for Cross-Domain GIG Components

The nature and mission of the GIG makes it a prime target for trained, well-funded, and resourceful adversaries. The threats posed by such adversaries, coupled with the value of the information on the GIG, require us to show that the GIG components are robust in the face of these threats. In particular, the greater security risks associated with cross-domain components – as compared to single-level, commercial solutions – require a correspondingly higher level of trust. The process of generating and evaluating evidence of trustworthiness is known as assurance, the most difficult aspect of security engineering.

Two processes in the defense and intelligence communities support each other to generate assurance evidence for a GIG component: evaluation and certification. Evaluation is the process of validating security claims for a particular component. For example, the Common Criteria is an international standard for specifying claims of system security functionality and generating assurance that these claims are satisfied. We have determined that the cross-domain components we are building will need to meet the requirements for Common Criteria’s Evaluation Assurance Level 6 or 7 [1].

Certification focuses on verifying that a component can be securely deployed at a particular site. Certification is best represented by such processes as Secret and Below Interoperability, and Top Secret and Below Interoperability. What these processes have in common is a way to tailor requirements for evaluation or certification of the following:
• Sensitivity of the data that the component handles.
• Severity of the threats it must withstand.
For example, under Director of Central Intelligence Directive 6/3, a cross-domain component that needs to demonstrate high assurance with respect to confidentiality must satisfy Protection Level 4 or 5 assurance requirements. Evaluating or certifying a component to one of those standards requires an extensive investment in time and resources. But given the responsibilities of a cross-domain component of the GIG, high assurance is a must.

Architecture for a High-Assurance GIG Component

The TSE, a government off-the-shelf software development project funded by the Space and Naval Warfare Systems Command (SPAWAR) and National Security Agency, is a network-enabled file store with integrated read-down across security domains. The TSE provides the file store using the standard WebDAV protocol. It has a separate hardware network interface for each network security level and a separate file store for data at each level.

The TSE enforces the Bell-LaPadula policy of information flow [2], in which users on each network can read from their own level and below, but can write only to their own level. For example, when one security level dominates another (for example, TOP SECRET dominates SECRET), the TSE allows read-down – the ability for users at a higher level to access data from a lower level, but not vice-versa. All levels share a single name space, but views of that name space differ according to the network security level accessing the TSE. Read-down eliminates the need for low-security data to be explicitly copied for users at high security. The single name space combined with read-down makes a wide range of applications and user workflows easier, more dynamic, and less error-prone than existing solutions.

Developing, certifying, and evaluating a high assurance cross-domain component such as the TSE at acceptable cost requires a fundamentally different architecture from that of typical, single-level components. Our approach is the following: Use as few high-assurance components as possible, each with a single purpose, to keep it small and simple, allowing it to be analyzed formally. But security is a property of a whole system, not just a component. Appropriate composition techniques can extend the security properties of the trusted computing base outward to the rest of the system.

The TSE’s trusted computing base consists of the minimum number of components: one. TSE functionality is decomposed into a set of single-level components and only one cross-domain component. The underlying MILS separation kernel separates components at different security levels. Each network security level has a set of clients, an authentication service, and an integrity checker (see Figure 1). Within the TSE, each network level has its own network interface card, hard drive, and software stack implementing the TSE’s networking, WebDAV, and file system services.

The TSE’s only cross-domain component, the BAC, mediates all access between the TSE and each level’s disks.

How can these components be assembled to provide secure, cross-domain services?
1. The base must be secure before building on it. We must first establish the isolation properties of the cross-domain component.
2. We can then extend these properties to physically separate networks by mapping the software components to separate partitions in the separation kernel.
3. Finally, the separation kernel is configured to permit communication only between appropriate components.

The Cross-Domain Component

Together with the separation kernel, the BAC is responsible for isolating each level in the TSE. It is, therefore, the component that needs to be evaluated and certified to the highest levels of assurance. The BAC’s functions are the following:
• Mediate all disk block access.
• Connect single-level disks and partitions.
• Write blocks to the same level.
• Read blocks from the same or lower levels.

The keys to BAC security are that it has a well-defined job and is constructed from very few lines of code. The current version of the BAC is 780 lines of C code. To ensure that the BAC implements the required attributes, we do the following:
1. Develop a formal model of the code.
2. Verify that the model corresponds to the code.
3. Develop a formal model of the policy.
4. Use model-based testing to check that the code implements the policy.
5. Formally verify that the model implements the policy.

Our formal verification ensures that the TSE security policy maps directly to the model, and the model to the implementation. To map the policy to the model, we use the Isabelle Higher Order Logic (HOL) theorem prover [3]. The theorems we prove in this logic are the following:
• None of the error states are reachable.
• The noninterference property holds.

The noninterference property states that all system actions by high security-level components are invisible to low security-level components; that is, the final state of the low-level component is the same as it would be if no actions had occurred at the high-security level.

To map the model to the implementation, a code-to-spec review team of at least two people performs a line-by-line inspection of the HOL code and the C implementation.

The example in Table 1 – a single step of the BAC – shows how closely the model matches the implementation. Our model-based testing approach uses the QuickCheck tool [4]. Based on a formal statement of the security policy, QuickCheck generates test cases that check whether or not the implementation violates that policy. The policies we have verified using this method are the following:
• Read-across: Reads fetch the data written at that same level.
• Read-down:
    ° Valid reads succeed.
    ° Invalid reads (that is, read-up) fail.
    ° Read-downs do not affect the lower level being read (noninterference).
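The three policies just listed, together with the BAC functions given under The Cross-Domain Component, can be exercised on a toy model. The C program below is an added example and is not the BAC, the TSE, or the authors' QuickCheck harness: it implements the page's read and write rules on a three-level store (the level numbering, block sizes, and every identifier are assumptions) and runs randomized checks of read-across, read-down and read-up, and noninterference in the spirit of the model-based tests the article describes, comparing a run with high-level activity against the same run without it.

```c
/* Added example: a toy model of the article's block access controller (BAC)
 * rules and of the property checks the article says it verifies by
 * model-based testing. This is not the TSE's or BAC's code; the level
 * numbering, disk layout and every identifier here are assumptions. */
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

#define NUM_LEVELS 3            /* assumed order: 0 = Low, 1 = Middle, 2 = High */
#define BLOCKS_PER_LEVEL 8
#define BLOCK_SIZE 4

/* One single-level disk per level, as in the TSE. */
typedef struct { uint8_t disk[NUM_LEVELS][BLOCKS_PER_LEVEL][BLOCK_SIZE]; } bac_store;

static bool level_ok(int l) { return l >= 0 && l < NUM_LEVELS; }
static bool block_ok(int b) { return b >= 0 && b < BLOCKS_PER_LEVEL; }
/* Totally ordered levels: a higher number dominates a lower one. */
static bool dominates(int high, int low) { return high >= low; }

/* Write blocks to the same level only. */
bool bac_write(bac_store *s, int requester, int target, int block, const uint8_t *data)
{
    if (!level_ok(requester) || target != requester || !block_ok(block)) return false;
    memcpy(s->disk[target][block], data, BLOCK_SIZE);
    return true;
}

/* Read blocks from the same or a lower level; read-up is refused. */
bool bac_read(const bac_store *s, int requester, int target, int block, uint8_t *out)
{
    if (!level_ok(requester) || !level_ok(target) || !block_ok(block)) return false;
    if (!dominates(requester, target)) return false;
    memcpy(out, s->disk[target][block], BLOCK_SIZE);
    return true;
}

/* Small deterministic PRNG so every check is reproducible offline. */
static uint32_t next_rand(uint32_t *st)
{
    uint32_t x = *st; x ^= x << 13; x ^= x >> 17; x ^= x << 5; return *st = x;
}
static void fill_block(uint32_t *rng, uint8_t *b)
{
    for (int i = 0; i < BLOCK_SIZE; i++) b[i] = (uint8_t)next_rand(rng);
}

/* Read-across: a read at level L returns the data most recently written at L. */
bool check_read_across(uint32_t seed, int rounds)
{
    bac_store s; memset(&s, 0, sizeof s);
    uint32_t rng = seed | 1;
    for (int i = 0; i < rounds; i++) {
        int lvl = (int)(next_rand(&rng) % NUM_LEVELS);
        int blk = (int)(next_rand(&rng) % BLOCKS_PER_LEVEL);
        uint8_t in[BLOCK_SIZE], out[BLOCK_SIZE];
        fill_block(&rng, in);
        if (!bac_write(&s, lvl, lvl, blk, in)) return false;
        if (!bac_read(&s, lvl, lvl, blk, out) || memcmp(in, out, BLOCK_SIZE) != 0) return false;
    }
    return true;
}

/* Read-down: reads of a dominated level succeed, read-up fails, and a write
 * to any level other than the requester's own fails. */
bool check_read_down(uint32_t seed, int rounds)
{
    bac_store s; memset(&s, 0, sizeof s);
    uint32_t rng = seed | 1;
    for (int i = 0; i < rounds; i++) {
        int req = (int)(next_rand(&rng) % NUM_LEVELS);
        int tgt = (int)(next_rand(&rng) % NUM_LEVELS);
        int blk = (int)(next_rand(&rng) % BLOCKS_PER_LEVEL);
        uint8_t buf[BLOCK_SIZE];
        fill_block(&rng, buf);
        if (bac_read(&s, req, tgt, blk, buf) != dominates(req, tgt)) return false;
        if (bac_write(&s, req, tgt, blk, buf) != (req == tgt)) return false;
    }
    return true;
}

/* Noninterference: feed the same Low requests to two stores and add High
 * activity (writes at High, read-downs of Low, refused write-downs) to only
 * one of them. Low's final state must be identical in both, i.e. the same as
 * if High had done nothing. */
bool check_noninterference(uint32_t seed, int rounds)
{
    bac_store with, without;
    memset(&with, 0, sizeof with); memset(&without, 0, sizeof without);
    uint32_t rng = seed | 1;
    const int low = 0, high = NUM_LEVELS - 1;
    for (int i = 0; i < rounds; i++) {
        int blk = (int)(next_rand(&rng) % BLOCKS_PER_LEVEL);
        uint8_t buf[BLOCK_SIZE], scratch[BLOCK_SIZE];
        fill_block(&rng, buf);
        bac_write(&with, low, low, blk, buf);       /* identical Low request to both */
        bac_write(&without, low, low, blk, buf);
        fill_block(&rng, buf);
        bac_write(&with, high, high, blk, buf);     /* High activity on one store only */
        bac_read(&with, high, low, blk, scratch);   /* read-down: allowed, must not disturb Low */
        bac_write(&with, high, low, blk, buf);      /* write-down: refused by policy */
    }
    return memcmp(with.disk[low], without.disk[low], sizeof with.disk[low]) == 0;
}
```

The noninterference check is the one worth keeping in mind: it does not ask whether High can read Low (it can) but whether Low's final state depends on anything High did. A lock, reference count, or shared cache that High touched and Low could observe is exactly the kind of mechanism this comparison would expose.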
[Figure 1: Trusted Services Engine (TSE) Architecture. Panels: Client Network (High, Middle and Low users); Companion Services (authorization/authentication, authentication server, content checker); Trusted Services Engine (per-level TCP/IP, HTTP, WebDAV and file system stacks; Block Access Controller with read and write paths; High, Middle and Low disks; all hosted on the MILS Separation Kernel).]

Other Key Components

MILS Separation Kernel

The BAC, when hosted by the MILS separation kernel [5, 6], is an instantiation of the reference monitor concept [7]. Unlike a traditional operating system that provides many services and abstractions, a separation kernel provides only data isolation among separate partitions and controlled communication between partitions. Porting an application to MILS also requires choosing a runtime or operating system to run within each partition that provides the higher-level system services the application requires, or porting one of your own choosing.

It is not enough simply to port a single-level application to a MILS separation kernel, however. The system needs to be thoughtfully decomposed and mapped to MILS partitions. Further, some key components (such as the file system) may need to be radically restructured to function in a multilevel environment.

While the TSE project aims to be portable across separation kernels, the initial target is Green Hills Software’s INTEGRITY Server. This platform allows us to deploy software components from different security levels on the same hardware, thus reducing space, weight, and power requirements while retaining isolation properties equal to those provided by networks on physically separate hardware.

The WebDAV Server

The single-level components of the TSE are the WebDAV server, the file system, the network stack, and the secure sockets layer/transport-layer security (SSL/TLS). To provide the security aspects of WebDAV with high assurance, we implemented the WebDAV server using Haskell, a type-safe functional language [8]. We ported the Haskell runtime system to INTEGRITY Server. The Haskell runtime system encapsulates services such as networking, threading, and memory management.

The Wait-Free File System

As Figure 1 shows, the TSE file system is a single-level component. We were surprised to find that no existing single-level file system met our requirements. The problem is caused by read-down – a user on a high-level network can read files from a lower level while a user on the low-level network changes those files. Ordinarily, locks could be used to solve this problem, but cross-domain locks violate non-interference and are unacceptable in this case. How can the TSE present consistent data without introducing a proscribed communication channel, overt or covert?

Designers of algorithms for shared-memory multiprocessors face a similar problem that they solve using a method called wait-free synchronization [9]. Wait-free synchronization guarantees that interactions with concurrent objects take a finite number of steps instead of using critical sections, which block competing processes for an indeterminate time. The wait-free file system adapts this idea for its own synchronization method. This preserves the isolation property by the following:
• Writers are oblivious to readers.
• Readers can proceed independently of writers.

Table 1: A Single Step of the Block Access Controller

HOL Model:

    bacStep :: "config => (unit, store) m"
    "bacStep conf ==
       let n = numLevels conf
       in processQueuedLevels (requestsPerLevel conf) n
       >> queueLevels conf n"

C Code:

    void bacStep (config conf) {
        nat n = conf->numLevels;
        processQueuedLevels (conf->requestsPerLevel, n);
        queueLevels(conf, n);
    }

Outside Services

To minimize the trusted base and avoid duplication of function, the TSE will use, or uses, outside services wherever possible. Key services are authentication and integrity-checking; so far we have evaluated Navy enterprise single sign-on for authentication and one-way file transfer for integrity-checking, but final decisions will be driven by the demands of specific installations at customer sites.

Though it is conservative and efficient to draw on outside services, it also means that we must build a chain of trust from our base to the outside service. We use several methods to help us do so:
• Outside services are all single-level, which minimizes their trustworthiness requirements.
• We choose services specified and trusted by our customers that have been vetted in similar deployment scenarios.
• The TSE and companion services use the standard cryptographic protocols SSL/TLS and digital certificates to manage communication between them.
The sum of the TSE and a specific set of external services is submitted for the certification prerequisite to multilevel deployment.

Building Complex Multilevel Services on the TSE

The TSE can be used as a building block for more complex cross-domain services, as demonstrated by another current Galois project, the Multilevel Document Collaboration Server (DocServer). Its architecture reuses the decomposition structure of the TSE to provide multilevel secure document-based collaboration.

The DocServer allows a user at a high network level to make private modifications to an XML-based document stored at a lower level. The DocServer supports ongoing modifications at multiple network levels; modifications from the high network are visible only to users on the high network, while modifications from the low network are visible to users at that level and above.

The DocServer also supports publishing regraded documents from high network levels to low, using XML filtering and integration with an outside regrading system such as Radiant Mercury or ISSE Guard. These systems enable transfer of documents from high security to low security by enabling a human reviewer to reliably … contents (includ-

… on the Secret network publishes the document to the Unclassified network. The DocServer filters the Secret content and submits the resulting unclassified document to the regrader. After regrading, users on both network levels make modifications to the document. Modifications made at Secret are not visible below, but Unclassified modifications are visible to users at Secret using the DocServer’s merge each time the document is read.

[Figure: DocServer architecture, with Client Network, Companion Services (server, filtering, content) and Trusted Services Engine (WebDAV, file system, Block Access Controller, disk) panels, documents flowing from High, and an edit/merge flow between Unclassified and Secret versions of a document.]

The DocServer is a Phase 1 Small Business Innovative Research project funded by SPAWAR.

Conclusion

The DocServer uses the TSE for file storage and its sole cross-domain component. Reusing the only high-assurance component gains us a great deal – the DocServer should be certifiable to the same level as the TSE with little additional work.

The DocServer’s use of the TSE to achieve high assurance, cross-domain function mirrors the TSE’s internal use of the BAC. By building the file system around this core component, we once again take advantage of the BAC, effectively extending its security policy through to increasingly complex systems.

… We expect to begin Common Criteria evaluation at evaluation Level 6+ the following year. Phase 1 of the DocServer is near completion. We hope to begin Phase II in spring 2006, and commercial transition sometime in 2007.

The authors would like to acknowledge contributions from the following people: David Burke with the evaluation and certification sections; John Matthews and Paul Graunke with the verification and validation sections; and Lauren Ruth Wiener with the clarity of thought and exposition.

References
1. Common Criteria <www.common…>.
2. D. E. Bell and L. J. LaPadula. Secure Computer Systems: Mathematical Foundations and Model. The Mitre Corporation, 1976. <http://csrc.nist.…>.
3. Isabelle. “A Proof Assistant for Higher-Order Logic.” University of Cambridge Computer Laboratory <…Isabelle>.
4. QuickCheck Automatic Specification-…
  review all of a document’sServer                                  The TSE’s component Read     architecture
                                                                                                                    Based Testing <

  ing possibly hidden content), and, upon suc-                  demonstrates a powerful technique Middle   for

                                                                            HTTP       file

  cessful review, write it to the low network.                  extending the security properties of a for-
                                                                  TCP/IP                                  Disk
                                                                           WebDAV system

      In the case of the DocServer, a high-                     mally analyzed core component to a wide          5. National Information Assurance
                                      Content                                                    Write

                                                                scope. In a similar manner, the DocServer           Partnership. U.S. Government Protec-

  level user marks up the document according
  to a
USERS new set of security levels, and submits
                                                                uses MILS to extend the security properties         tion Profile for Separation Kernels in
  it for regrading. The DocServer filters the                                            to
                                                                of the TSE outwardfile provide complex              Environments Requiring High Robus-

  document and sends the filtered version to                      TCP/IP functionality.
                                                                multilevel WebDAV system                            tness. Vers. 0.621. Ft. Meade, MD:


                                                                                                                    NIAP, July 2004 <http://niap.nist.

  the regrading system. After human review,

  the filtered version of the document is writ-                                                                     gov/pp/draft_pps/pp_draft_skpp_

                                                                TSE Status
  ten to the DocServer’s low-level file system.                 Development of Vers. 1.0 of the TSE will
                                                                    MILS Separation Kernel

      Figure 2 shows the publish, edit, merge                   be complete in summer 2006, and will be          6. Vanfleet, Mark W., et al. “MILS:
  workflow of the DocServer. At left, a user                    followed by certification at a customer site.       Architecture for High-Assurance
   Figure 2: DocServer Merge Operations                                                                             Embedded Computing.” Cross-
                                                                                                                    Talk Aug. 2005 <
         Unclassified                          Unclassified                                  Unclassified


                                                                                                                 7. Anderson, James P. “Computer
                                                                                                                    Security Technology Planning Study.”
         Unclassified                          Unclassified              Merge               Unclassified

                                                                                                                    Fort Washington, PA: James Anderson
                                                                                                                    & Co, Oct. 1972 <http://csrc.nist.
             Secret                               Secret                                       Secret

         Unclassified                          Unclassified                                  Unclassified

                                                                                                                 8. Haskell. Haskell: A General-Purpose
                           lte h

                                                                                                                    Purely Functional Language <www.


                                                                                                                 9. Herlihy, Maurice. “Wait-Free Synch-
                                                                                                                    ronization.” ACM Transactions on
                                         Unclassified                         Unclassified

                                                                                                                    Programming          Languages    and
                                                                                                                    Systems (TOPLAS) 13.1: 124-149.
                                         Unclassified                         Unclassified

                                                                                                                    New York: ACM Press, Jan. 1991
                                                                 Edit                                               <
                                         Unclassified                         Unclassified
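The two DocServer behaviours described above, per-level visibility of modifications and filtering of a marked-up document before regrading, as an added example that is not the DocServer's or TSE's own code. It assumes a two-level lattice, a `level` attribute on XML elements as the security marking, and a dict of field updates per network level as the stored modifications; all of these are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed lattice for the example: a user at a level sees content at or below it.
LEVELS = {"Unclassified": 0, "Secret": 1}

def dominates(level, marking):
    """True when a user at `level` may see content marked `marking` (read down)."""
    return LEVELS[level] >= LEVELS[marking]

def view_at(base, edits, level):
    """Modifications are kept per network level (a dict of field updates per level).
    A user at `level` sees the base document plus edits from every level at or
    below their own; edits from a higher network never reach a lower view."""
    merged = dict(base)
    for edit_level in sorted(edits, key=LEVELS.get):   # low applied first, high overrides
        if dominates(level, edit_level):
            merged.update(edits[edit_level])
    return merged

def filter_for_regrade(xml_text, target):
    """Build the version handed to the regrading system: every element whose
    `level` marking is above `target` is dropped together with its children.
    Unmarked elements inherit their parent's marking; an unmarked root is treated
    as the highest level so nothing leaks by omission. The default ElementTree
    parser discards comments and processing instructions, so that kind of hidden
    content never reaches the output. Returns None if the whole document is above `target`."""
    root = ET.fromstring(xml_text)
    top = max(LEVELS, key=LEVELS.get)
    root_marking = root.get("level", top)
    if not dominates(target, root_marking):
        return None
    def prune(elem, inherited):
        for child in list(elem):
            marking = child.get("level", inherited)
            if dominates(target, marking):
                prune(child, marking)
            else:
                elem.remove(child)   # drops the element, its text, its tail and its subtree
    prune(root, root_marking)
    return ET.tostring(root, encoding="unicode")

# Constructed sample: one report with per-element markings.
SAMPLE = """<report level="Unclassified">
  <summary>Clear skies over the operating area.</summary>
  <detail level="Secret">Asset positions <loc>grid 12</loc></detail>
  <notes>Updated 1200Z<aside level="Secret">hold release</aside></notes>
</report>"""

if __name__ == "__main__":
    print(filter_for_regrade(SAMPLE, "Unclassified"))
```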

   18   CROSSTALK The Journal of Defense Software Engineering                                                                                         May 2006

About the Authors

Dylan McNamee, Ph.D., is the technical lead for cross domain projects at Galois Connections. He received his doctorate in computer science from the University of Washington.

Galois Connections
12725 SW Millikan WY
STE 290
Beaverton, OR 97005
Phone: (503) 626-6616 x137
E-mail:

CDR Scott Heller is currently the Cross Domain Solutions lead at PMW 160 within the Program Executive Office Command, Control, Communications, Computers, and Intelligence, and Space in San Diego, Calif. He has a master's degree in computer science with an emphasis in Multilevel Security from the Naval Post-Graduate School in Monterey, Calif.

Program Executive Office C4I and Space
626 Orange AVE #303
Coronado, CA 92118
Phone: (619) 929-1451

Dave Huff serves as the director, Exploratory Projects Division at the Fleet Numerical Meteorology and Oceanography Center. His team is focused on information assurance and Web-based techniques for establishing identity, authorization, and cross-domain information exchange.

Fleet Numerical Meteorology and Oceanographic Center
7 Grace Hopper AVE
Monterey, CA 93943
Phone: (831) 656-4569
E-mail: dave.huff@

WEB SITES

Enterprise Software Initiative
The Enterprise Software Initiative (ESI) is a joint Department of Defense (DoD) project to develop and implement a DoD enterprise process. The objectives are to save money and improve information sharing. The initial focus will be on commercial off-the-shelf (COTS) products. The main problem identified with procuring software for DoD is that the software (including price, acquisition cost, distribution, training, maintenance, and support) costs too much. Enterprise Software is DoD common-use, standards-compliant software. The DoD ESI Steering Group, under the DoD Chief Information Officers (CIO) Council, will develop and implement a DoD Enterprise Process to identify, acquire, distribute, and manage Enterprise Software. Comprised of agencies such as the Office of the Secretary of Defense – ASD(NII)/DoD CIO, the Department of the Navy, the Department of the Air Force, the Department of the Army, the Missile Defense Agency, the Defense Finance and Accounting Service, the Defense Information Systems Agency, the Defense Logistics Agency, and the National Geospatial-Intelligence Agency, ESI follows 14 principles to ensure cost effective software procurement and provides 23 Best Practices to all Enterprise Software Agreements with the DoD and the corporate world.

Defense Acquisition University
The Defense Acquisition University (DAU) touches all areas of the Acquisition, Technology, and Logistics workforce throughout all professional career stages. The DAU offers a range of basic, intermediate, and advanced certification training, assignment-specific training, performance support, job-relevant applied research, and continuous learning opportunities. By typing < php?ID=94877_201&ID2=DO_TOPIC> into your Web browser, the Quadrennial Defense Review (QDR) 2006 Report overview page opens. The copy of the Department of Defense (DoD) QDR Report addresses key logistic and sustainment points and can be accessed at the bottom of the page by clicking <qdr2006.pdf>. The review points out successes of U.S. Transportation Command to improve the department's standard processes for providing materiel and logistics to meet the immediate needs of forces in the field. Also, the review identifies opportunities for continued transformation of acquisition and logistics processes. The QDR outlines the department's implementation of a number of specific initiatives aimed at meeting supply chain objectives.

Office of Force Transformation
The Office of Force Transformation (OFT) is solely dedicated to transformation, linking creativity to implementation. OFT works at the intersection of unarticulated needs and non-consensual change, identifying and managing disruptive innovation. OFT works outside the normal course of business activities with an entrepreneurial mindset. The OFT has outlined its Top Five Goals of the Director, Force Transformation: 1) Make force transformation a pivotal element of national defense strategy and Department of Defense corporate strategy, effectively supporting the four strategic pillars of national military strategy; 2) Change the force and its culture from the bottom up through the use of experimentation, transformational articles (operational prototyping) and the creation and sharing of new knowledge and experiences; 3) Implement Network Centric Warfare as the theory of war for the information age and the organizing principle for national military planning and joint concepts, capabilities, and systems; 4) Get the decision rules and metrics right and cause them to be applied enterprise wide; and 5) Discover, create, or cause to be created new military capabilities to broaden the capabilities base and mitigate risk.
