Standards are the key to making cross-agency homeland security programs work; but creating them is anything but routine
- By Wilson P. Dizard III
- Jun 15, 2007
'From a security standpoint, adopting standard technology as part of the acquisition process makes the component agencies meet our security rules across the department.' - DHS CIO Scott Charbo
'Standards have become a management tool. Standards are how you drive many disparate technologies and systems to do the same thing and the way you get people to be more efficient.' - Jim Lewis, Center for Strategic and International Studies
Technology managers framing the evolution of homeland security systems agree that common technical standards increasingly set their agenda. Standards are essential if systems are to contend with natural disasters or man-made threats without regard for agency boundaries, law enforcement jurisdictions and information silos.
But even as the drive for common homeland security standards accelerates, technologists interviewed for this special report note that developing those standards remains a challenge and cite factors that limit or negate the benefits.
Uniform technology patterns hold out the promise that agencies can shift information seamlessly among systems and slash costs.
But federal managers and their industry counterparts warn of risks such as clashing, immature or missing standards and the inability of standards to keep pace with technology development. Gaps in the standards array and lags in the process can hinder information exchange and balloon the cost of maintaining systems, they say.
Nevertheless, DHS is pushing standards forward by joining cross-agency projects and fostering homegrown technology development that likely will set the pattern for what other agencies adopt, said Chief Information Officer Scott Charbo. The Homeland Security Department is strongly committed to adopting technology standards across its agencies, he said in an interview this month.
'There are a lot of standards efforts that go on,' he said. 'Lots of standard development efforts don't go anywhere. Typically, there is a market leader that evolves, and somehow that fosters a standard.
'Or sometimes there's an acquisition [that spurs a standard],' added Charbo, who is also the department's undersecretary for management. He cited DHS' long-term effort to push industry to develop a smaller, faster fingerprint capture device for use at border crossing stations as an example of a project driving the adoption of a common technology framework.
When technology is moving slowly, you can push the state of the art forward by doing an acquisition around the requirement, he said.
In most cases, DHS looks for information technology that fits technical standards already adopted by major standards organizations such as the International Civil Aviation Organization, the International Standards Organization or the National Institute of Standards and Technology, Charbo said.
ICAO develops and maintains a standard for biometric identification documents used by border control agencies. ISO engages with national standards organizations worldwide, and NIST is developing cross-agency homeland security projects such as advanced methods for evaluating facial recognition and other biometric technologies.
Adopting accepted industry standards for widely used commercial products offers DHS critical advantages, Charbo said. 'From a security standpoint, adopting standard technology as part of the acquisition process makes the component agencies meet our security rules across the department.'
DHS' central First Source contract that component agencies can use to buy routine, commodity equipment such as PCs, laptops, servers, printers and scanners specifies standard equipment that conforms to security and other requirements of the department's enterprise architecture, Charbo said.
'If we can drive more acquisitions through First Source, we can drive our costs down,' he added.
But when cross-agency homeland security technology hits the bleeding edge of information sharing, DHS sometimes finds itself in the role of developing a standard that other agencies likely will follow in areas that existing federal standards don't reach and private consensus standards will never touch (see sidebar at left).
Homeland security missions spread across many departments, and standards increasingly are becoming the management tool of choice to coordinate technologies, said Jim Lewis, director of the Technology and Public Policy Program at the Center for Strategic and International Studies.
'When I got here, I said we would never have a meeting on standards,' said Lewis, a technology veteran. 'That's changed because standards have become a management tool. Standards are how you drive many disparate technologies and systems to do the same thing and the way you get people to be more efficient.'
Lewis cautioned that setting a cross-agency technology standard policy is a necessary tool for achieving such goals as seamless information sharing, but it is not sufficient by itself.
'The purpose of adopting these standards is that, rather than telling the agencies what to do, you put out a standard for them to meet,' Lewis continued. 'It's a different way of thinking about standards. The traditional approach was to give it to NIST and let them figure it out.
'What this administration and the next are going to have to do is to make better use of standards,' Lewis said. 'It's not necessarily standards in the formal sense, such as those of ISO or NIST, but there has to be strong guidance on how agencies will fit into a larger mission.'
Lewis noted that one method of advancing cross-agency homeland security programs is to forgo centralizing procurement and instead come up with a standard, allowing agencies to buy any product as long as it complies with the technology norm.
Homeland security technology vendors often struggle in arenas where cross-agency standards are weak or nonexistent.
Hugh Barrett, vice president of product development at Telos subsidiary Xacta, faces the problem as his company develops software to help agencies automate their compliance with certification and accreditation requirements for information security.
Barrett cited the advantages of technology standards in service-oriented architectures. 'A standard for SOA would make it a lot easier to do integration [of Xacta software] with other products,' Barrett said.
'It doesn't seem like any of the vendors have adopted an SOA standard,' he said. As a result, Xacta is forced to integrate its products into other systems at the database level rather than higher up in the overall system.
'Integrating at the database level presents a problem, because when the vendor decides to modify the schema [for data tagging], we have to modify our product to reflect the schema change,' Barrett said.
Xacta integrates its products with other systems that scan agency applications for security vulnerabilities and with enterprise management software. 'There is no standard application interface [for the systems],' Barrett said. 'As a result, we have to integrate all over again for each new upgrade. That happens frequently.'
He added, 'The beauty of adopting technology standards is that with everybody playing by the same sheet of music, we can change, they can change and the contract stays the same.'
Barrett cautioned that the standards process faces an inherent disadvantage because technology development moves much faster than the standards development and adoption process. When standards don't exist, vendors develop their own technology frameworks.