Dec 9 2011

A Common Criteria Primer

This is an expanded version of a document that I wrote for Red Hat internally. I’m now sharing it with all of you because I find myself reciting this information at least once a week. I hope you enjoy it. Please keep in mind that I’m not a lawyer, DAA, or procurement officer. All the information contained in this post has been cobbled together from years of working with government procurements. It’s hopefully useful. It’s definitely not authoritative. It definitely has nothing to do with my employer.

Common Criteria is an internationally recognized process for evaluating the security features of a product. The certifications focus on IA (information assurance) and IA-related software: operating systems, directories, firewalls, and so on. The high-value stuff. If you’re asking yourself “What software isn’t IA or IA-related?” hang in there. This is going to get hilarious.

In the US, Common Criteria is handled by NIAP. Other countries have their own CC authorities. Each authority certifies CC labs, which do the actual work of evaluating products. Once certified by the authority, based on the evidence from the lab and the vendor, that certification is good in every country that participates in Common Criteria.


Nov 1 2011

An Open Cloud Strategy, 3 Bullet Edition

I posted a link to David Lutterkort’s fantastic talk on the Aeolus Project at PuppetConf 2011, and Matt Asay jumped right in:

He’s right. So I blithely replied:

This blog post was thus inevitable.

1) Choice is important.

This should be “Choice is still important.” but it wouldn’t fit in the tweet.

The IT industry has spent the last ten to fifteen years moving off of closed, proprietary stacks of hardware and software towards relatively open, standardized, commodity gear. If I move away from single-vendor platforms, I’ll probably save money on the up-front cost, but I’m also saving by introducing competition. I can pit HP, Dell, and IBM against each other, and I’ll probably get a better price than if I have to sole-source that hardware buy. Open platforms also give me a better chance of incorporating new innovations, since I don’t have to wait for my one-and-only vendor to catch up.


Aug 26 2011

GOSCON: Climbing the Mountain

The Government Open Source Conference, masterfully curated by Deb Bryant and the good people at the Oregon State University Open Source Lab, is one of my favorite open source events. Every year, they manage to pull together quality speakers from innovative agencies and projects in a warm, collaborative, and exciting environment.

Before the earthquake unpleasantness later in the day, I was able to catch the “Cutting Costs” session. Alex Howard of O’Reilly (“The hardest working man in Gov 2.0”) moderated a panel discussion between Dr. David Wheeler of the Institute for Defense Analyses, Tiffany Smith Licciardi from the State Department’s Office of eDiplomacy, and Greg Elin, the Chief Data Officer for the FCC.

Frankly, I was expecting to hear a lot of the arguments I’ve heard before. Let’s face it: cutting costs with open source is very well-trod territory. This panel, though, surprised me. The level of sophistication and the quality of the advice this panel produced were remarkable. They weren’t beating the same tired clichés about security and licensing. Instead, we heard about the ways open source software and even the open source process were informing agency strategies, and got some very practical advice on where open source can be used, and how it can serve a larger mission.


Jun 7 2011

New York CIO Dr. Daniel Chan

Chan said he believes in open technology approaches – including re-using solutions developed by other states – whenever feasible to avoid unnecessary expenses. The strategy was cemented by the success of myBenefits.ny.gov, a 2008 portal he helped develop as CIO of the state’s Office of Temporary and Disability Assistance. In building the site, his office modeled technology from Wisconsin Access, a benefits website developed by that state.

“We took all the underlying technology and converted it into open-source technology,” Chan said.

Chan sees cloud computing as a technology for supporting re-use of proven applications, especially among state governments. “If you look at some of these federal programs, the rules are very similar from state to state, a portion are almost identical – so why do we need to reinvent these systems so many times?” he asked.

“Because you can stand up an environment so fast, cloud will allow you to experiment with different ideas,” he said. “It’s a platform that will allow us to be more innovative.”

And I holler: Comrade! The OTDA is one of my favorite examples of how open source can transform state operations, and Dr. Chan is one of the best state CIOs working today.


May 18 2011

DOD Open Technology Development Guide Released!

The DOD’s second Open Technology Development Roadmap has been released: “Open Technology Development: Lessons Learned and Best Practices”. It’s a handbook for using and making open source in the DOD and the US Government, sponsored by the Secretary of Defense. It provides practical advice on policy, procurement, and good community governance, all under a Creative Commons license. I’ll be providing some more commentary later, but this is a huge step forward in the adoption of open source in the US Government.

Updated: Here’s the source document in ODF format: OTD2: Lessons Learned.


Apr 5 2011

A Truly Open VistA

The VA has released a draft RFP to create a new open source project around their electronic health record system, VistA. This is a landmark event for both the VA and the open source community. The need for cheap and robust EHR systems is clear, and the VA has one of the leading platforms.

VistA’s a challenge, though. The community is notoriously fragmented as a result of regular FOIA requests for the VistA source code. The project is based on MUMPS, which is a relatively unpopular platform, so developers for VistA are in short supply. Since there’s no clear mainstream for the project, the VA VistA project competes against this fragmented community for a shallow pool of developer talent. There’s the for-profit Medsphere, which has built its own offering called OpenVistA. There’s also the WorldVistA community and http://www.hardhats.org/. FOIA requests for VistA source code are so common that VistA appears on VA’s FOIA FAQ page, but few (if any) of the contributions from any private-sector VistA communities feed back into the VA VistA project.

“VA believes that VistA’s rate of innovation and improvement has slowed substantially, and the codebase is unnecessarily isolated from private sector components, technology, and outcome-improving impact. To address this issue, VA is establishing a mechanism that will open the aperture to broader-based public and private sector contributions.”


Apr 4 2011

The Hazards of Open Data Exceptionalism

Frustrated USAspending.gov users, courtesy naersjoen. Licensed CC-BY-NC-SA.

The prospect of funding cuts for e-Gov initiatives like data.gov, USAspending.gov and friends is worrying. Everyone should join the Sunlight Foundation’s effort to Save the Data. At the same time, this is a good opportunity for reflection.

There’s no doubt that the proliferation of Open Government websites has been a great first step for transparency and accountability. Despite the flaws, most of us see the promise of something very powerful in these projects.

I can feel strongly about the value of these programs and still be mystified at the $18M cost of recovery.gov when RATB has surely already built their own internal system to do basically the same thing. This has me thinking.

Why create one set of tools for citizens, and another for internal use? It seems that services like USAspending.gov should be part of the usual operation of OMB, rather than some special e-Gov project that’s vulnerable to budget cuts. Why a distinct and conspicuous line item for USAspending.gov, when it’s a citizen-friendly face on the $24M Federal Procurement Data System? Why not spend that money instead on improving FPDS, and making it more usable for both the public and the government?


Oct 19 2010

Citizen and government collaboration: let’s work it out.

Over the last couple of years, many of us involved with open source in government have had discussions about what it means for citizen coders to become involved in state, local and federal efforts. There are all kinds of legal, ethical, and logistical questions that haven’t been answered. Everyone seems to be solving them individually, but it’s not well-coordinated. This means that agencies that want to engage developers are wasting valuable time trying to figure out the “right way” to work with the public.

The domain is large and already bearing fruit; I think we’re all enthusiastic about CivicCommons, CrisisCommons, and a host of public-service-oriented application development contests in many major cities.

On the other side, the Federal government is putting its toe deeper in the Open Source waters, recently making agreements with SourceForge and other web-based developer services. The GSA has announced its intention to launch forge.gov, inspired by forge.mil. The VA is exploring how to open source their VistA electronic health record system. The list goes on.


Sep 14 2010

SCAP: Computer Security for the Rest of Us

When users are responsible for their own security, things go wrong. (Photo courtesy of billselak on flickr, licensed CC-BY-ND)

I’m setting up a new computer. I get through the registration screens, install my software, change my wallpaper, and everything’s working fine. I’m left, though, with a lingering, uneasy feeling: I don’t know if this machine is secure. I’m a computer guy, so I know how to set up strong passwords and firewalls, but I’m still not sure if I’ve done everything right. I turn to my vendor, who has hopefully published a hardening guide. If I’m very enthusiastic, I might even follow the NSA’s Security and Network Analysis Center Guides. If I do any of these things, I’m already being more diligent than 95% of users out there. And that’s a problem.


Aug 30 2010

The future of the government forges

The GSA is currently planning forge.gov, which is widely assumed to be based on forge.mil, the much-discussed collaboration platform from the Defense Information Systems Agency, or DISA. forge.mil is a pretty incredible idea: a single destination for testing, certification, and software development in the Defense Department.

It sounds obvious, but the idea remains revolutionary. For the first time, there would be a single repository for source code that could be shared between the hundreds of agencies, commands, and programs in DOD. Developers would be able to share their work in a familiar, web-based environment. A previous version of forge.mil was pulled for unknown reasons, but the current iteration is based on the TeamForge product from CollabNet. If you’ve used SourceForge, you get the idea. The DOD is the largest consumer, and one of the largest developers, of software in the world. Much of this software is redundant, is locked up by vendors and integrators, can’t work with other software, and nobody remembers how to maintain it. There’s no doubt forge.mil was long overdue.