Secret sharers gain security, time

Busy intelligence analysts' workstations often
look like mini-command centers, crowded
with multiple computers and monitors, each
with specific capabilities and access only to
limited classified information. To
access, collate and disseminate data,
analysts must switch from one
secure network to another, a time-consuming
effort that can delay the processing of
intelligence information.

But a collaboration by two industry giants
with one of the country's most secretive intelligence-gathering agencies is working to simplify
the analysis process without compromising
security.

General Dynamics Corp.'s C4 Systems division
and IBM Corp. are working with the
National Security Agency to enable intelligence
analysts and others to use a single computer
to work on multiple classified networks.
They are designing and building the second
iteration of NSA's high-assurance platform,
which encompasses secure workstations,
servers and computing technology, much of it
built with commercial products.
NSA would not reveal the total cost of the
project.

When the platform is fully operational, it
will manage multiple network connections
through a single secure interface, said Donald
Simard, technical director at NSA's Commercial
Solutions Center.

Using secure virtualization, the platform
will create a designated space on a workstation,
server or personal digital assistant,
Simard said. Analysts will access that space by
entering unique IDs and passwords, and then
they can view and share documents with different
security classifications. They will no
longer need to change hard drives or maintain
multiple computers to switch from one security
domain to another.

The platform will be particularly useful for
communities of interest and virtual domains
created for specific projects or missions, said
Chris Daly, a security professional at IBM's
Software Group. "What's nice about
this platform is I can form these
communities of interest on the fly,
make sure that they are secure and begin to
share information very quickly with other
members of that community," he said.

"Secure virtualization ensures that one virtual
space on my machine doesn't get contaminated
by another," Daly added. "If my application
has been hacked, I will be able to tell
instantaneously, and not just me, but the people
I communicate to will also be able to tell."

Access will be denied until the application is
secure again.

VERSATILE PLATFORM

The platform's virtualization technology will
also help federal agencies reduce costs and
meet government-mandated goals for consolidating
data centers to reduce waste and
pollution.

NSA's goal is to create a state-of-the-art
secure solution that other government agencies
can also use, such as the Defense,
Homeland Security and Justice departments.
They could use the platform for secure virtualization,
compliance checking, cross-domain
collaboration and enterprise management.

In addition, NSA officials hope to eventually
make the platform available through standard
distribution and support channels such
as Dell Inc. and Hewlett-Packard Co., Simard
said. "It will be a highly commercial model."

He said the high-assurance platform is an
example of using a strong commercial base to
build an advanced program rather than having
the government create a proprietary solution.

"We are going to build a foundation that
can be used in many different ways," Simard
said. "The procurement model will be
through regular [information technology]
sources, including Dell workstations."

General Dynamics C4 Systems developed
the first release of the platform for NSA in
June 2006 under an initial $17.3 million
lead contract, said Bill Ross, director of the
company's Information Assurance Systems
and Programs business unit. Late last year,
NSA awarded IBM a 15-month, $9.4 million
follow-on award to work with General
Dynamics on developing the second iteration
of the platform.

"NSA brought us onboard to take it to the
next level, to collaborate with [General
Dynamics] on the work they've already done
and work with them in a collaborative way as
two primes working with each other," Daly
said.

IBM will use its expertise in secure virtualization,
computing and advanced software
technologies to improve access to cross-classification
documentation and ensure the
secure distribution of classified data among agencies. It will also be responsible for research and design, engineering development,
fabrication, and testing and security
certification.

NSA is directing the work of the two prime
contractors, which have formed integrated
management teams to implement the program
and ensure that it meets customer
needs, including providing some customization
or value-added services, Simard said.

"We will collaborate and meet together on
the requirements and on the development
and on the testing," he added.

The second release of the platform is in the
final stages of certification testing and has
passed several milestones, including the intelligence
community's top-secret-and-below
interoperability accreditation process. "It's
now in the middle of going through the secret
and below, which is a DOD accreditation,"
Simard said.

"We expect that [to be] completed the
middle of second quarter of this year," Ross
said, adding that an operational test program
will be ready by May for the Special
Operations Command at MacDill Air Force
Base, Fla., to begin testing.

CAREFUL RESEARCH

The high-assurance platform began in 1999
when NSA's research unit, the National
Information Assurance Research Laboratory,
created the NetTop program to test whether
virtualization could enable the agency to host
several secure domains on a single computer.

The high-assurance platform "essentially
became NetTop on a modern platform using
the advanced security features that the [original
equipment manufacturers] were starting
to provide," Simard said.

General Dynamics and NSA spent the past
five years conducting research and development
for the program, with the help of the
Special Operations Command, the Navy's
Space and Naval Warfare Systems Command,
the Air Force Research Laboratory and the
Defense Intelligence Agency.

The Trusted Computing Group (TCG), a
consortium of almost 200 IT vendors, is also
working with the two prime contractors and
the agency to ensure that the program meets
all regulations and intelligence community
requirements.

"We're trying to work through the TCG to
ensure we're using industry standards,"
Simard said.

IBM and General Dynamics' partners
include VMware Inc., Trusted Computer
Solutions Inc., Harris Corp. and Innovative
Security Systems/Argus Systems Group.

David Hubler (dhubler@1105govinfo.com) is an
associate editor at Washington Technology.
