CONTRACT REPORTS: Faster Testing and Certification: How the FDCE "Sandbox" Gains Speed While Improving Quality

Testing for DoD acquisition programs today usually includes developmental testing (DT), followed by an operational assessment (OA), a Milestone C decision to allow just enough assets to be fielded to test some more, another round of DT to make sure the system is ready for operational testing (OT), and then the main event – the Initial Operational Test and Evaluation (IOT&E).  And, it’s likely that IT systems will also have interoperability and information assurance tests.  This sequence can take from several months to years.

It does not have to be this way.  It is possible to create an environment in which development, testing, and certification occur with real users in an environment that reduces risk, reduces cost, improves the quality of testing and certification, eliminates duplication, and improves data sharing – all while speeding delivery of capabilities and services to the warfighter.  And, that’s what it’s all about.  This is not fiction.  It works.  We see this occurring in the commercial sector today with eBay and others.  Google uses small teams to build small capabilities and services quickly with nearly concurrent beta testing.  It’s all about time to market: speed.

Our approach is the Federated Development and Certification Environment (FDCE), or “sandbox”.  DISA developed the FDCE from what we have learned from the private sector.  The user (warfighter, business process owner, and intelligence analyst), the developers and engineers, the testers, and the security certifiers work in parallel in the FDCE, sometimes virtually, to deploy small modules of capabilities and services quickly.  This enables us to:

* Operate in an agile development environment to field systems more rapidly.
* Evolve small capability and service modules incrementally and independently at their own pace, not the pace of a large, monolithic program or system.
* Reduce development risk because the user, developer, tester, and certifier are working together in parallel.
* Reduce costs, and
* Take advantage of net-centric computing like web services platforms and the potential to ‘mash’ services together to create capabilities never envisioned.


The FDCE provides a collaborative environment with software tools that encourage shared-source and open-source software development.  This facilitates the use and dependability of open-source software, applies open-source development methodologies to support the collaborative development of DoD-community source software, and makes available a more cost-effective and functional set of development tools.  It encourages software reuse, sharing, and collaborative problem solving.  The concept makes sense from both speed and cost perspectives.

Testing and Certification. 
The FDCE streamlines the variety of assessments and certifications required by allowing the testers and certifiers to work in parallel with other stakeholders to present accreditable capabilities and services to approval authorities.  Testing and certification rigor is applied to a capability or service as it is developed so that additional certification is not necessary.


The FDCE has common certification processes built on uniform methods of describing system requirements and evaluation criteria.  Common standards, codes, and controls enable trust of any certifier’s assessment.  This is the first step: common understanding and acceptability of certification results.  From this, accreditors can make their own independent decisions without duplicative and redundant testing.  They then can decide to accept responsibility for and be held accountable for the security of the capability or service and authorize it to connect to and operate on the network.

The FDCE is Working.
The FDCE is being used today in the Net-Enabled Command Capability (NECC) program.  Capability modules (CM) are developed, integrated, and tested using the FDCE’s on-line collaboration capabilities.  At completion, CMs have been certified in accordance with required DoD directives
and policies, but much faster than before.  In the NECC program, technical standards compliance, certification activities, and configuration control of CMs are tracked and maintained in the FDCE as well.

Five CMs have gone through the NECC FDCE

* Red Force Data – web services for current, historical, and projected red (enemy) force locations
* Blue Force Data – web services for current, historical, and projected blue (friendly) force locations
* Weather Data – web services for atmospheric, oceanographic, and exo-atmospheric data
* Association Management – web services to create, define and manage associations
* User-Defined Operational Picture – a browser capability to define, share, and view selected operational data


The FDCE is Growing and Maturing.
We are now in the process of exporting the FDCE across the DoD for more general use.  We envision a time in the not too distant future when capabilities and services are introduced to the “sandbox” from the private sector to accelerate the adoption of an expanded range of enterprise services.  These may come from our traditional suppliers or through others  who can offer unique capabilities, such as an advanced logistical tracking service currently used by a commercial transportation company.  They may include features from a social networking company, or video-over-IP from a company providing that service to consumers.  We want to facilitate, enable, and speed sharing of information produced in one development environment with others – without the burden of the “not invented here” syndrome.  As the FDCE matures, we will speed delivery, facilitate reuse, and reduce the cost of Defense Department IT.