Service Oriented Acquisition: Agile, Adaptive Delivery of Net Enabled Capability (NEC)
Chris Gunderson, [email protected], 831 224 5182


1 Service Oriented Acquisition: Agile, Adaptive Delivery of Net Enabled Capability (NEC)
Chris Gunderson
Presented at NECTISE: Realizing Net Enabled Capability, October 14, 2008, Leeds, UK
Note that the use of these very well-known commercial logos (Amazon.com and Good Housekeeping) is meant metaphorically; there is no intent to use either of these knock-off logos in an actual government program.
DISCLAIMER: This presentation represents the speaker's opinions and the work of the W2COG. The speaker is not representing the US DoD.

2 Outline
#1 Wake up call: It's time for action!
#2 Business model: Competitive market of pre-certified "Net-Enable" components
#3 Certification model: Assured Value of Service vice QoS
#4 Opportunity: Join the growing federation of expert early adopters

3 NEC "Business" Driver
At home, a Blue Force warfighter can text message his children and trade photos with them using his cell phone. At war he can use a stovepipe circuit to send e-mails without attachments. At home and at war, a terrorist can and does text his associates using Google Earth. How can we apply our vastly superior resources to overcome this asymmetrical disadvantage with respect to information processing?

4 Business Driver: Reuse and continually improve shared computer network infrastructure (routable networks + SOA) to enable NEC
[Figure: mission areas (Logistics, JIAMD, SPECOPS, Strike), each with its own sensors, ISR, links, comms and weapons (missiles, guns, aircraft, decoys, torpedoes, mines) and its own "Create Tactical Picture / Assess Alternate Course(s) of Action / Decide / Orders" loop. The specialized front-end and back-end processes of each mission area sit on a shared routable "cloud" plus reusable SOA infrastructure. The Orient / Decide / Act cycle is split into "Define and Consume Value", "Develop Value" and "Deliver Value", each partly executed by operators and partly by equipment.]
Minimize time and cost by re-using and continuously improving valuable community infrastructure. Invest to develop valuable content. Invest to exploit valuable content.

5 But… after many years and $B's spent, the promise of SOA is largely unfulfilled across DoD… (MoD?)

6 Observations
- COTS software in government systems is generally out of date at IOC and falls farther behind throughout the life cycle.
- The government requirements process does not intercept new COTS s/w vectors or sunset archaic s/w requirements.
- Government rapid technology insertion methods use COTS as gap fillers that generally lack sustainment tails.
- With regard to the above, DoD (MoD?) top-down policy mandates SOA and "best" e-Biz practice (e.g., NESI, DoDAF 2.0, Open Technology Development, NCO/W RM, Multi-Service SOA Consortium, etc.). YET… the un-mandated e-Biz "best policy" is to leverage competition in the marketplace… No one is in charge…

7 So…. How can DoD (MoD?) leverage the SOA e-Biz value proposition within the constraints of the Acquisition Regulations?

8 Bottom Line
NEC business model = e-Portal for consumable off-the-shelf (OTS) = COTS, GOTS & Open Source Software (OSS) certified net-ready components
- Define generic and objective net-ready assessment categories and methods (not universal specifications!) around enterprise business objectives
- Use a "logo" to create a federation of qualified, motivated, independent government, industry, and academic "Net-Enable" providers
- Base NEC Acquisition on components that can reduce risk re: cost, performance, and schedule and deliver capability faster
- Require the logo as "responsive" to NEC procurements
- Bake the agile COTS process into FAR boilerplate

9 In the open market ecosystem of Moore's law and ever-evolving technology, "wild life" is always competing. During DoD (MoD?) "Acquisition" we capture some wild ducks, get them "in a row" and shelter them from competition. The longer DoD ducks are away from the wild, the less likely they'll be able to compete when they return…
[Figure: traditional acquisition sequence: RFP, Source Selection, CA, SDR, PDR, CDR, TRR, Dev Test, Opl Test, IOP Test, C&A, ATO, Sustain]

10 Traditional Procurement vs. Market Procurement
[Figure: Traditional Procurement timeline (6 - 12 years): RFP, Source Selection, CA, SDR, PDR, CDR, TRR, Dev Test, Opl Test, IOP Test, C&A, ATO, Sustain. Market Procurement timeline (1 - 4 years): RFP, Use Case, Proposal Eval, Lab Demo, V&V, C&A, IOP Testing, Net-ready Assessment, Mission Thread, ATO, Sustainment.]
Traditional Procurement: requirements are large; risks are treated monolithically and serially.
Market Procurement: requirements are small; risks are treated iteratively and in parallel… ducks get back to the wild sooner.

11 Strategy is to treat the four main acquisition risks in parallel
- Cost & schedule risk: managed by continuous competition and frequent deliveries
- Interoperability risk: managed by measurable/testable net-ready criteria
- Performance risk: managed by Mission Threads
- Assurance risk: managed by certified, reusable, high assurance GOTS components
[Figure: market procurement cycle (RFP, Use Case, Proposal Eval, Lab Demo, V&V, C&A, IOP Testing, ATO, Sustainment) fed by continuous competition for gov't procurements by COTS vendors, certified off-the-shelf net-ready components (NetCert Logo), and missionthread.com]

12 Bottom Line: Extend and Expand Pure COTS Competition!
- Publish simple use cases in lieu of traditional solicitation
- Furnish pre-approved GOTS components, e.g. accredited security services
- Require mission-context prototypes vice paper studies
- Shorten delivery cycles and contract review periods
- Broker among qualified providers and critical consumers*
- Level the playing field for vendors by reducing cost of entry*
- Create a literal federation of independent government, industry, and academic "net-ready" certification labs*
- Streamline by performing certification concurrently with development and furnish V&V & C&A to put COTS on the approved products list*
- Provide acquisition artifacts (e.g. spec, SOW, solicitation, source selection criteria, contract incentives) re: all the above*
*W2COG mission
[Figure labels: NetCert Logo, missionthread.com]

13 NetCert Mission Model-Based Levels of Abstraction
[Figure: two levels of abstraction. Mission Performance level: Perform Tasks, Achieve Objectives, Readiness; Model Effects, Mission Skill, Value of Service (VoS); Measure Outcomes, Execution, CCI* Availability = VIRT**. Technical Performance level: Model Value of Info, Modularity & Interoperability, QoS; Measure CCI* + Thresholds, Composability, System Availability; Tools & Components, Services, Transport. Labels: NetCert Logo, missionthread.com]
*Critical Conditions of Interest
**Valued Information at the Right Time

14 NetCert = System of Systems "Assurance*" per Mission-Value-Model-Based **T&E, ***V&V, and ****C&A
[Figure: same two-level model as slide 13: Model Effects, Mission Skill, Value of Service (VoS); Measure Outcomes, Execution, CCI Availability = VIRT; Model Value of Info, Modularity & Interoperability, QoS; Measure CCI + Thresholds, Composability, System Availability]
*Managed risk through engineering & procurement predictability
**Test and Evaluation
***Validation and Verification
****Certification & Accreditation

15 Link "mission model" to "service model" to "acquisition model"
System of Systems "Assurance" per Mission-Value-Model-Based T&E, V&V, and C&A: link families of models & MOE… for systems and processes… at different levels of abstraction via mathematical transforms… e.g. link "mission model" to "service model" to "acquisition model".
[Figure: same two-level model as slide 13: Model Effects, Mission Skill, Value of Service (VoS); Measure Outcomes, Execution, CCI Availability = VIRT; Model Value of Info, Modularity & Interoperability, QoS; Measure CCI + Thresholds, Composability, System Availability]

16 "Key Performance Parameters" = Model Transforms Across Levels of Abstraction
- MTBF = Mean time between failures
- MTTR = Mean time to repair
- MLDT = Mean logistics delay time
- SB = Significant bits
- IRB = Insignificant Relevant Bits
- IB = Irrelevant Bits

17 "Key Performance Parameters" = Model Transforms Across Levels of Abstraction (continued)
- MMCT = Mean maintenance cycle time
- MDT = Mean development time
- IT = Invention time
- RT = Reinvention time
- BT = Bundling time
- MPDTT = Mean post development test time
- MPTCT = Mean post test certification time

18 e-Portal for consumable COTS, GOTS & OSS certified net-ready components
- Innovators' "dating service" to broker customers and providers of net-ready components
- Net-ready "Consumer Report" format that compares bundles of similar net-ready components
- Federation (developers' network) of NetCert Logo-qualified providers
- e-Market offerings of certified net-ready COTS, GOTS, and OSS components
[Figure labels: NetCert Logo, missionthread.com]

19 World Wide Consortium for the Grid (W2COG): Enabling Assured Value of Information Services
- Not-for-profit international research collaborative of information processing technology, procurement, and operational experts from government and industry
- Not-for-profit brokering service to put expert providers in touch with consumers
- GIGlite* Federation for Agile, Open Technology Development: federated design-time, build-time, and run-time DT&E per NetCert logo; adaptive, collaborative V&V beta community; IPR regime exercises government purpose rights to distribute GOTS "open" architecture; library of certified net-ready reference architectures and implementations
*GIG = Global Information Grid, a DoD conceptual model of a net enabled environment. "GIGlite" is a W2COG brand name.

20 W2COG studies technology business issues and best practice re: government/industry collaborative development
- Current technology vectors
- Intellectual property rights regime
- COTS competitive incentive model
- Measurable and testable net-ready criteria
- Federated governance model
- Acquisition model including boilerplate artifacts

21 GIGlite Federation… open technology development across the stovepipes
Purpose: to provide an infrastructure for collaboration and communication among government, academia, and industry to rapidly develop and propagate re-usable and continuously improving tools that facilitate trusted transactions of valued information at the right time, i.e. bundles of net enabled capability.
- Single point of contact for Gov't, industry, & academic members
- Title 10 compliant, Non-FAR < ~90 day S&T & engineering spirals
- Open source/Open Standards IPR model
- Rolodex of experts
- Distributed major net-ready test range
- Single POC for Gov't labs and sponsors
- Distributed, adaptive, collaborative, net-ready V&V and certification
- Convenient process for reuse of off-the-shelf components
[Figure: GIGlite Federation under an Umbrella Cooperative Legal Agreement, linking NetCert.gov (Net-Ready Certification, Best Netcentric Practice), $ & IP, and an e-Portal for Gov't certified, per NetCert logo, off-the-shelf bundles of net enabled capability]

22 W2COG
- Independent not-for-profit government-industry net-enabling research project; not a program
- Hands dirty in real commercial and government engineering and procurement activity; not a standards body
- Brokers government and industry experts for consultation, experiments, and prototypes at cost; i.e., an altruistic "capability broker"

23 Backup Detail

24 NetCert Logo: a business model for acquiring net-enabling capability faster, better and cheaper
[Figure labels: NetCert Logo, JITC, GIG]

25 Executive Dashboard displays quarterly contract performance based on tested criteria in mission context
- Scores, performance and performance basis; policy and funding adjusted quarterly ($$$)
- Use cases: source selection & contract performance incentives based on testable criteria tied to mission context
- NetReady Acquisition Artifacts
- Quarterly delivery of improved pre-approved pure COTS & GOTS GFE
- Pre-deployment V&V of net-enabling capability via Modeling & Simulation and T&E-as-a-service
- Post deployment audit of capability "on the ground"
- Measurable and testable criteria tied to mission use cases and audited continuously
[Figure labels: NetCert Logo, GIG]

26 MTM via NetCert Logo Schedule
- Establish use cases: 70 DAC*
- Establish lab under JITC/NPS: 80 DAC
- COTS jamboree: DAC
- First vendor lab demo: DAC
- Revise acquisition documents: 120 DAC
- Second vendor lab demo: 180 DAC
- Second documents revision: 195 DAC
- Third vendor lab demo (TRR): DAC
- Final documents revision: 290 DAC
- COTS Evaluation (SS): DAC
- Installation ready products: 360 DAC
*DAC = Days After Contract

27 MTM via NetCert Logo estimated 1st year cost
- Cost to develop/maintain acquisition documents: $445K
- Cost for W2COG to establish & run marketplace, first year: $325K
- Cost to set up lab ($150K ODC): $323K
- Cost to establish C&A/test docs: $425K
- Cost for jamboree: $289K
- Cost for 90 day tests (2, 5 days ea): $750K
- Cost for final lab demo (TRR): $142K
- Cost to update and transfer lab for IOC: $55K
- TOTAL: $2.75M
Roger JITC. Bringing the W2COG on line constitutes the following tasks:
- publish the use cases for vendors
- manage the reference library for the use cases and vendors
- establish the exit criteria for vendors
- manage and coordinate the vendor days (depending on how the execution is set up, there will be a minimum of five and a max of no more than 12)
- manage the vendor part of the program for the government
- coordinate the vendor offerings as COTS/GOTS
I guess we should call it "establish and run the MNIS market place for the government."

28 MTM Sustainment
- Funded by program for first year
- After Source Selection, First Article becomes new lab environment
- Program uses it as usual for development, integration and test
- Becomes part of federated lab

29 NetCert Logo Strategy
Born Netcentric:
- Partner with JITC re: NR-KPP
- Partner with NSA re: C&A
- Partner with W2COG re: eBiz & collaborative best practice
- Objectively define "open" reference architecture for security and semantic interoperability
Learn by doing:
- Use existing GIGlite infrastructure as ramp-up "training wheels"
- Build infrastructure iteratively per feedback from "training wheels"
- Certify testing-as-a-service capability as first use case
- Certify ~1 net-ready test case per month thereafter
Feedback & continuous improvement:
- Regular customer visits
- Teach new functionality
- Collect new use cases
- Audit performance
Folks from NSA and JITC are working with the W2COG on this model. The plan is to build a NetCert Logo candidate's own SOA test infrastructure at the same time it uses existing best-of-breed SOA test infrastructure for training and analysis of alternatives. For example:
- GIGlite lab at NPS to help develop, test, and train re: MILS reference architecture
- SPAWAR lab at SSC New Orleans to develop, test, and train re: CIEF reference architecture
- SMDC (Teledyne) GIGlite node to develop, test, and train re: open source/open standard reference SOA middleware
- OMG (Unisys) Software Assurance (SwA) GIGlite node to develop, test, and train re: SwA testing
- Regis University GIGlite node to develop, test, and train re: SOA performance testing
The objective is to create an environment and process capable of performing one typical GIG net-ready service test case each month. We'll "eat our own dog food" in the sense that the first service we will test is the SOA test service itself. As the pieces of the SOA test infrastructure are validated in the existing test environments, they will be cloned, installed and/or tweaked at the candidate lab's facility. Maintaining frequent and continuing contact with the operational customers is critical. Product support teams will sit with customers, go over recent improvements, collect feedback, ideas, and new use cases… and feed the Agile development process.

30 NetCert Logo Lab Requirements
- Reference implementation of net-ready SOA: routable network backbone; open standard, self-described, discoverable interfaces
- High assurance GOTS security components (e.g. MILS*)
- Value-based information sharing/communication/management framework (e.g. NPS VIRT**, SPAWAR CIEF***)
- Mission-model based measures of effectiveness (e.g. MITRE Mission Level Model)
- Software assurance & performance test tools and trained operators (e.g. MDA "COTS simplifier" and OMG "SwA Ecosystem")
- Network (SOA) functional and performance test tools and trained operators (e.g. OPNET, HP Mercury Systinet, Pushtotest)
- Net-ready Acquisition artifact boilerplate (e.g. MTM Acquisition Strategy, C&A plan, NR-KPP, T-ISP, TEMP, etc.)
- Clear government purpose rights to software (standard license models for GFE s/w re-use across programs)
The details of the NetCert requirements are in development. W2COG will help JITC develop the NetCert Logo criteria and standards. The following are representative of likely NetCert Logo criteria:
1. Reference Service Oriented Architecture Implementation: open standard, self-described, discoverable interfaces (complies with current OASIS, OMG, etc. reference models); Assured Security (complies with the Multiple Independent Levels of Security (MILS) architectural model); Assured Data Strategy (complies with the Cross-domain Information Exchange Framework (CIEF) architectural model).
2. Approved mission-model based measures of effectiveness (e.g. MITRE JFCOM "Mission Thread Model" methodology for SOA V&V).
3. Approved Software Assurance test tools and trained operators (e.g. OMG Software Assurance Eco-system methodology, and MDA's "COTS Simplifier").
4. Approved SOA functional and performance test tools and trained operators. (Note that performance-based SOA testing is immature. We will need to encourage COTS tool vendors to develop the capability. Pushtotest, HP Mercury/Systinet, OPNET have promising capability.)
5. Approved "Architecturally Net-ready" Acquisition artifact boilerplate (e.g. T-ISP, NR-KPP, TEMP, diagnostic DoDAF artifacts, Government Purpose Rights license model, etc.).
6. Intellectual property rights regime appropriate for exercising government purpose rights to the software it pays to develop.
*Multiple Independent Levels of Security
**Valued Information at the Right Time
***Cross-domain Information Exchange Framework

31 "NetCert Logo" Candidate 1st Year Objectives
- Reference implementation of high-assurance SOA infrastructure: discoverable, open standard, self-describing interfaces; high assurance GFE security services; value-based information/communication/management framework; Interim Authority to Operate (ATO)
- SOA test lab certified by JITC as qualified to perform net-ready s/w assessment: cadre of qualified designers, testers, and developers; suite of SOA design and test tools
- Demonstrated three net-ready test cases leading to one certified net-ready service
- Prepared to perform one net-ready test case per month going forward
"NetCert Logo" is a designation by JITC that a laboratory complies with a minimum set of community-agreed good practices to determine "net-readiness" as implied by DoD and NSA GIG policy. "Logo'd" labs might be government or industry, public or private, classified or unclassified, working capital or mission funded, etc.

32 MTM Inside DoD Inst
[Figure: vendor jamborees; published use cases; government furnished GOTS s/w reference implementations; government refereed network T&E lab; M&S; embedded net-ready assessment; ~Analysis of Alternatives (AoA) via 90 day s/w bundling demos in lieu of JCIDS paper artifacts. Program IOC ~ 10 years.]
- EDM via 90 day Agile COTS/GOTS bundling demos, or "sprints". These can be used as down selects or simply net-ready qualifying opportunities.
- These are pre-approved "qualified net-ready" COTS/GOTS s/w bundles: GFE COTS/GOTS software build every ~360 days.
- Existing GIG policy sufficiently defines requirements for SOA information processing. Policy is enforced by objective NR-KPP criteria, using M&S and other automated test tools.

33 Capability Broker (W2COG) Delivers DoD Acquisition Artifacts Consistent with MTM
Process: JCIDS. Directive: CJCSI , DODI . Capability Broker Deliverable: Tailored ISP.
Process: FAR/DFAR. Directive: DODI 5000 series. Capability Broker Deliverable: DODINST compliant artifacts, e.g. BAA, RFI, RFP, Source Selection Plan, Risk Mitigation Plan, SOA COTS Acquisition Strategy, Contract SLAs.
Process: IA Compliance, e.g. DIACAP. Directive: DODI 8500 series. Capability Broker Deliverable: Enterprise "Type Accreditation" (Trusted SOA DIACAP certification plan).
Process: NR-KPP = (NCOW = IA + SOA + Data Strategy) + KIPS + DoDAF. Directive: CJCSINST , NCO/W Ref Model, KIPS, NSA GIG IA policy, DoDAF v1.5. Capability Broker Deliverable: Measurable and Testable Net-Ready Parameters, diagnostic DoDAF views.
Process: T&E. Directive: DODI . Capability Broker Deliverable: Tailored TEMP (latest COTS GFE is tested at DT and goes to OT).

34 Evaluation Criteria: NR-KPP Checklist
Measurable & Testable Parameters
Assurance and Performance:
- Software Assurance OK?
- Network Assurance OK?*
- Register dynamic discretionary access policy?
- Latencies OK?
- Reliability OK?
- Generate digital diagnostic architectural artifact.
Re-useable/Composable*:
- Discoverable?
- Self describing?
- Open standard interfaces?
- Cross program investment?
- Net-enabling IPR model?
Value/Bit Exchanged:
- COI approved mission thread?
- Register critical conditions of interest.
- Meta data registered in context?
- Increased automation?
- Mission based MOE OK (i.e., compress time line, and/or improve mission outcome)?**
- Generate digital diagnostic architectural artifact.
Net-Ready Parameters and Business Objectives
- IA => Share & Protect: enable sharing across domains; preserve privacy; protect network
- SOA => Reuse & Mash Up: accelerate delivery of netcentric capability; enable netcentric interoperability; enable infrastructure recapitalization; compose C4 capability on-the-fly
- Data Strategy => Trusted Discovery in Context: broker information discovery; create information value chain feedback loop
*Bind to Trustworthy SOA Framework, e.g. T-ESB
**Confirm with operational audit
