DARPA creating enthusiasm for math and science through high-school outreach

The Defense Advanced Research Projects Agency (DARPA) announced this week a new initiative to “reignite a passion for exploration among our nation’s youth”. The program is called the Manufacturing Experimentation and Outreach (MENTOR) initiative.

As part of MENTOR, DARPA will contract multiple organizations to deploy a variety of programmable manufacturing equipment—such as 3D printers—to high schools throughout the country and orchestrate a series of prize-based challenges.  High schoolers will compete and collaborate as teams to design and build cyber-electro-mechanical systems. “The systems will be of moderate complexity,” said Paul Eremenko, DARPA program manager. “Challenges will involve the design and building of things like go-carts, mobile robots and small unmanned aircraft. And we’ll encourage collaboration during the challenges through the use of social media and social networking applications.”

The program encourages students in the science, technology, engineering and mathematics fields. Such skills are critical for careers in systems design and manufacturing, and a strong manufacturing base is essential to maintaining a well-built defense. DARPA will expand the program to over 1000 high schools over the next three years.

Partnet is no stranger to DARPA research projects or to students with great ideas. In 1992—at the dawn of the Internet Age and long before anyone had heard the term eCommerce—Dr. Don Brown’s engineering students presented a unique, yet simple question:  Could you connect databases together over the internet to find repair parts?

Don Brown, a mechanical engineering professor at the University of Utah, thought that the military might be interested in such a capability. He made a video documenting how it would work and sent it to DARPA.

DARPA was so impressed with the idea of a distributed architecture that could search for spare parts from multiple, remote databases, they decided […]

PKI Security Made Simple

What’s better: having a lock on your door, or having a lock on your door AND a guy standing there making sure it’s you unlocking the door?

Obviously, the more security you have the better, which is why more Government eCommerce systems are moving towards PKI.   So, what does PKI mean? The acronym stands for Public Key Infrastructure and it refers to the use of hardware and software-based “keys”, or certificates, to verify a user’s identity and credentials online.

In order to get a key/certificate, you need to contact a Certificate Authority (CA). There are several CAs available, but the Defense Logistics Agency only recognizes Verisign, Identrust, and ORC as approved CAs on DOD EMALL.  And when it comes to establishing user identity, CAs don’t take the process lightly.  Getting a certificate issued generally requires paperwork, several forms of identification, a notary signature, and on occasion, an in-person visit.

After your identity is verified, the certificate is issued in one of two ways:

1) A software-based certificate installed directly to the user’s computer.

2) A portable, hardware-based certificate that the user physically carries with them (often in the form of a smart card or USB stick).

Use of the certificate is also protected by a user-associated PIN.  This combination is called two-factor authentication, and it is why PKI is significantly more secure than the traditional username/password model. It’s more than just what you know (i.e., a password); it’s what you have and what you know.

So, now that you have a certificate, what can you do?

Some sites, such as the DOD EMALL, require users to present a certificate for accessing and using the site. Additionally, certificates enable users to send digitally-signed emails that provide proof of data integrity and origin, while also enabling receipt of encrypted email.

Users […]

September 2nd, 2010 | DOD EMALL, Government eCommerce

DLA Support for Performance Based Logistics Contracts

The Performance Based Logistics 2010 Conference was held last week in Arlington, VA. It made me think about how much defense logistics has changed over the last ten years.

Performance Based Logistics (PBL) goes beyond traditional acquisition of contractor goods and services.  PBL guarantees contractor performance and system capability based on declared performance-based agreements between the Department of Defense (DOD) and the contractor.

Before PBL, defense contractors simply provided a product or service.  A contractor would develop a weapons system, for instance, and DOD would subsequently assume complete responsibility for its storage and maintenance.

DOD advocated PBL in the 2001 Quadrennial Defense Review and called for the evaluation of a PBL approach for all new acquisition programs and systems.

As a result, a defense contractor awarded a PBL contract for aviation services, for instance, is required to provide not just an aircraft but all the services, support, and maintenance required to keep that aircraft mission-ready for a specified period of time.

In many cases, however,  DLA’s bulk purchasing capability allows it to acquire common repair parts at a lower cost than individual PBL contractors.

With the advent of PBL support contracts, DOD needed a way to allow defense contractors to purchase parts from DLA under PBL contracts.  The easiest way to support this capability was to give PBL contractors access to DOD EMALL.  Using DOD EMALL, contractors can purchase repair parts directly from the DLA at lower cost to the government.

Today, Lockheed Martin, Boeing, Honeywell, and dozens of other defense contractors are participating in this DLA program.

As the primary developer of the DOD EMALL, Partnet is pleased to support this innovative strategic sourcing initiative.

Beyond sales: Eight reasons why the DOD EMALL works for government

I was asked the question earlier:  “How is the DOD EMALL important other than as a sales tool?”

Apparently, the question took some people by surprise, but not me. The DOD EMALL provides several acquisition services that extend beyond traditional eCommerce (though that is certainly a big part of it).

Here are my top eight reasons why DOD EMALL works for government:

1. Saves money.  Buying online is inherently cheaper than going to a store or writing a contract for each purchase.

2. Global access – 24/7.  DOD EMALL provides a single point of access for users around the world, and around the clock.  This allows shoppers and vendors to work on their own schedules, regardless of time or location.

3. Innovation platform. For years, DOD EMALL has been a launching pad for several new IT-acquisition practices and applications — resulting in a number of firsts for the Department of Defense:

Establishment of unique Service-acquisition rules like the Army JWOD/AbilityOne and the Army discount policy.
Strategic sourcing of office supply contracts — started by the Army, but now implemented for all the Services.

4. DLA enhancements.  DOD EMALL has opened up access to the Defense Logistics Agency’s managed items for Performance Based Logistics (PBL) contractors and state governments.

5.  NAVFAC base services.  For over ten years, the Naval Facilities Command has used the DOD EMALL to support base-services contracts on Navy and Marine bases worldwide.

6.  Government-wide Acquisition Contracts.  DOD EMALL allows  Military Services to grant and gain access to GWAC contracts from other federal agencies, enabling strategic sourcing across the Department of Defense.

7.  Data quality.  DOD EMALL regularly provides Level III credit card data to several Service systems, and soon the Federal Procurement Data System – Next Generation (FPDS-NG) as well.

8. […]

Partnet supports DOD EMALL sales halfway around the world

Last fall, Ronald Inman of Naval Facilities Engineering Command (NAVFAC) Public Affairs reported that the NAVFAC Far East command generated a total of 3,367 orders and approximately $13.8 million in sales on DOD EMALL in fiscal year 2009 — more than any other NAVFAC command.

The DOD EMALL is a web-based Government eCommerce site enabling authorized military and government customers to search for and order products and services from a global community of government and commercial vendors. Operated on behalf of the Defense Logistics Agency, the DOD EMALL contains over 2,000 commercial catalogs offering nearly 70 million items.

NAVFAC Far East is based in Yokosuka, Japan — nearly halfway around the globe from the DOD EMALL’s home in Ogden, UT.  Partnet keeps the DOD EMALL applications running smoothly — 24 x 7, 365 days a year. Over the last year, Partnet maintained system uptime at 99.75%.  Without high system availability, NAVFAC would have been relegated to slower, less efficient forms of procurement.

PKI Security in Large Scale Web Applications – Part 5: The Solution and the Result

This final part of our series on PKI security in large scale web applications looks at how eValidate was able to accommodate the unique, high performance demands of the DOD EMALL.

Powered by Partnet eValidate, DOD EMALL is now fully CAC-enabled, and public key access is configured for all Federal Bridge customers. This was accomplished with zero impact to system performance and availability, and in accordance with the strict DOD operating standards.

eValidate’s internal CRL application was implemented to validate regular DOD Common Access Cards. The application automatically retrieves, compiles, and indexes CRLs from a host of trusted CAs into a dedicated file system within the DOD EMALL login module. The file system is available throughout the load-balanced cluster, allowing user CACs to be checked against the indexed file system from any node within the system. eValidate’s internal server-side CRL application provides virtually seamless login and certificate-revocation processing — transparent to users and without impact to system performance and availability.

While an efficient certificate revocation method for regular DOD users, the internal CRL application was not a practical solution for validating the external certificates (i.e., VeriSign, IdenTrust, etc.) used by DOD’s Federal and commercial partners. Instead, eValidate’s OCSP web service was enabled for these user groups.

Using standard HTTP, the login module transmits an encoded OCSP query to the corresponding OCSP responder for each external public key presented (e.g., LincPass, HSPD-12 cards). The OCSP responder checks the public key’s digital certificate and returns the revocation status to DOD EMALL in real time. The Federal Bridge user is then granted or denied access, as appropriate.

Too many simultaneous OCSP queries can undermine network performance, however, which is why Partnet configured this solution for Federal Bridge users—representing only a small fraction of the DOD […]

PKI Security in Large Scale Web Applications – Part 4: Case Study of DOD EMALL

This part of our series on PKI security in large scale web applications examines the challenge the DOD EMALL faced in implementing PKI.

DOD EMALL is the largest eCommerce site operating within the US Government. It is a highly available system that employs best-in-class practices and utilizes a variety of sophisticated networking and systems hardware, alongside software-based clustering to enable redundancy, scaling, and load balancing.

Around the globe, DOD EMALL provides a single-entry point for more than 30,000 registered users to search and purchase from a virtual catalog of over 66 million items.

Within the Department of Defense, system performance and IT security have long been at odds. Large-scale web applications must efficiently deliver products, services, and information to end users, while at the same time, restricting unauthorized access. Faced with this dilemma, the Defense Logistics Agency (DLA) turned to Partnet for a PKI security solution for the DOD EMALL.

Background

The Federal Bridge Certificate Authority (FBCA) was established to help federal agencies better share information and resources through a more secure, interoperable PKI framework. The Federal Bridge enables department-issued public keys to be cross-certified and accepted throughout the community. The following diagram helps illustrate the FBCA trust model.

In response to the FBCA, the DOD developed Instruction 8520.2, mandating a Department-wide PKI policy to enhance security through authentication, digital signatures, and encryption. The first line of defense was the Common Access Card (CAC) — a smart card provided to DOD service members, civilians, and contractors in order to access restricted systems, networks, and facilities.

The CAC—a hard-token public key—carries a non-replicable digital certificate providing:

Data integrity and confidentiality
User identification and authentication
User non-repudiation

The Challenge

Like every other DOD agency, the DOD EMALL Program Office was directed to provide DOD users access through the CAC, but […]

PKI Security in Large Scale Web Applications – Part 3: Partnet eValidate

This part of our series on PKI security in large scale web applications examines how the new Partnet eValidate solution effectively satisfies the unique PKI demands of large scale web applications.

Partnet eValidate™ is an ideal solution for large-scale web applications with a large number of users and transactions. eValidate protects government enterprises from potential security breaches by verifying the revocation status of digital certificates within a PKI. eValidate provides enterprises with the flexibility of using CRL and Online Certificate Status Protocol (OCSP) for validation as illustrated in this graphic.

OCSP is a fast, lightweight alternative to traditional CRLs that allows applications to query external certificate-status servers, or OCSP responders, for the status of a single certificate. OCSP responds much faster than a CRL download — quickly returning a small, signed message stating the certificate’s revocation status. For large-scale systems, Partnet eValidate provides enterprises with faster, more efficient certificate validation processing and greater security protection.
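As an added example that is not Partnet’s eValidate code, the following Python models the two revocation paths described in Part 5 and in this part: an indexed CRL store that every cluster node reads for CAC holders, and a per-certificate OCSP query for Federal Bridge users. It goes a step beyond the text by failing closed on a CRL that is past its nextUpdate and on an unreachable responder; the issuer names, serial numbers, CRL contents and the responder are constructed stand-ins (a real deployment parses X.509 CRLs and POSTs DER-encoded OCSP requests over HTTP).

```python
# Added example (not eValidate's code): model of the two revocation paths above,
# an indexed CRL store for CAC holders and OCSP queries for Federal Bridge users.
# Issuers, serials, CRL contents and the responder below are constructed.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass(frozen=True)
class Crl:
    issuer: str
    next_update: datetime           # a CRL must not be trusted past this point
    revoked_serials: frozenset      # serial numbers the CA has revoked

class CrlIndex:
    """CRLs keyed by issuer; every cluster node reads the same index."""
    def __init__(self):
        self._by_issuer = {}

    def load(self, crl):
        self._by_issuer[crl.issuer] = crl

    def status(self, issuer, serial, now):
        crl = self._by_issuer.get(issuer)
        if crl is None:
            return "unknown"            # no CRL for this CA on file
        if now > crl.next_update:
            return "stale"              # refresh before trusting it
        return "revoked" if serial in crl.revoked_serials else "good"

def ocsp_status(responder, issuer, serial):
    """Ask the CA's responder about one cert; `responder` stands in for HTTP."""
    try:
        return responder(issuer, serial)  # "good" | "revoked" | "unknown"
    except TimeoutError:
        return "unavailable"

DOD_CA = "CN=Constructed DOD CA"        # CAC path -> internal CRL index
EXT_CA = "CN=Constructed Bridge CA"     # Federal Bridge path -> OCSP

def authorize(issuer, serial, index, responder, now):
    """Fail closed: only an explicit 'good' grants access."""
    if issuer == DOD_CA:
        status = index.status(issuer, serial, now)
    else:
        status = ocsp_status(responder, issuer, serial)
    return status == "good", status

def demo():
    now = datetime(2010, 9, 1, tzinfo=timezone.utc)      # constructed clock
    index = CrlIndex()
    index.load(Crl(DOD_CA, now + timedelta(days=7), frozenset({0x1234})))
    def responder(issuer, serial):                       # constructed OCSP stub
        if serial == 0x9999:
            raise TimeoutError
        return "revoked" if serial == 0x4321 else "good"
    later = now + timedelta(days=30)                     # after nextUpdate
    return {
        "cac_good": authorize(DOD_CA, 0x1111, index, responder, now),
        "cac_revoked": authorize(DOD_CA, 0x1234, index, responder, now),
        "cac_stale": authorize(DOD_CA, 0x1111, index, responder, later),
        "bridge_good": authorize(EXT_CA, 0x2222, index, responder, now),
        "bridge_revoked": authorize(EXT_CA, 0x4321, index, responder, now),
        "bridge_timeout": authorize(EXT_CA, 0x9999, index, responder, now),
    }
```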

Partnet eValidate Benefits

Security. Safeguards applications and networks against potential security breaches from expired or revoked digital certificates.
Reliability. Robust design provides support for backup, load balancing, and failover.
Versatility. Provides agencies with the flexibility to use CRL- or OCSP-based validation based on the particular need.
Cost Effective. Designed to efficiently plug in and scale to meet a wide range of deployment requirements.
Proven. eValidate has been proven in one of the government’s largest and most challenging e-commerce transaction environments.

The next installment in this series will look at how Partnet eValidate was able to solve the PKI security challenges faced by the DOD EMALL, one of the largest Government eCommerce sites.

PKI Security in Large Scale Web Applications – Part 2: The Limits of Off-The-Shelf Solutions

This part of our series on PKI security in large scale web applications examines the limits of traditional Off-the-Shelf PKI-validation solutions.

Per Joint Task Force Global Network Operations (JTF-GNO), the #1 method of attack on the DoD information network is compromised user IDs and passwords. Homeland Security Presidential Directive (HSPD 1) — implemented in the wake of September 11, 2001 — mandates a federal standard for secure and reliable forms of identification.

Validating a user’s identity is at the heart of PKI’s effectiveness. Certificate-validation software is currently available off-the-shelf from a variety of private companies. These products typically employ a desktop application that transmits HTTP requests to corresponding certificate-status servers whenever a smart card (or other public key) is presented. The server verifies the smart card’s digital certificate against a Certificate Revocation List (CRL)—provided by a principal Certifying Authority—and determines whether the user’s access is granted or denied.

Within a PKI, it is particularly important to ensure certificate validation is performed efficiently to minimize impact to users, networks, and system applications. And while standard off-the-shelf products have proven effective when deployed to smaller systems with relatively limited user volume, larger, more sophisticated systems typically require a more robust solution.

Many large-scale, high-volume systems use sophisticated load-balanced and clustered architectures that deploy applications redundantly across multiple nodes—optimizing availability and failover, while operating as a single virtual machine.

Traditional COTS products, however, require a one-to-one connection between the local application and the externally-hosted CRLs, which load-balanced architectures prevent. As a result, traditional COTS solutions cannot be properly configured for most large-scale systems without negatively impacting availability and performance.  While sufficient for small systems and applications, these COTS solutions are not well suited for the high volume demands of large-scale web applications.

The next installment […]

PKI Security in Large Scale Web Applications – Part 1: The Call for PKI Validation

This week, Partnet begins a five-part series on PKI security in Large Scale Web Applications. We will cover the importance of PKI validation within the Federal Government, the limits of Off-the-Shelf PKI validation packages, a DOD case study for use of Partnet’s new eValidate software, and a description of the solution and outcome.

Part 1:  The Call for PKI Validation

Over the past decade, technology has enabled government agencies to provide more immediate services to citizens and greater flexibility in meeting their mission objectives. As a result, these agencies have become increasingly dependent on the integrity of their information systems. In recent years, attacks on these systems have grown in size and sophistication, with the Department of Defense (DOD) now suffering more than 5,000 attacks a day on its servers.1

Security breaches have plagued nearly every agency, whether through malicious code, stolen data, or compromised IDs and passwords. The government is now fighting back with a renewed focus on cyber security and access control. Chief among these tasks is the move towards a Public Key Infrastructure (PKI) for application and network security. Unlike traditional security models that rely on usernames and passwords, PKI is based on the issuance of public keys that bind digital certificates to a user’s identity and credentials.

Major advantages of PKI include:

Centralized X.509 certification – Specifies standard formats for public key certificates, certificate revocation lists, attribute certificates, and a certification path validation algorithm across government agencies.
Elimination of username and password management – Cryptographic public keys preclude problems associated with forgotten or shared login credentials.
Revocation of compromised certificates – Certificate Authorities (CA) help agencies to immediately identify and revoke compromised or invalid certificates.

As PKI has matured, so has the application of digital identification cards, known […]