Page 1

The Rise and Fall of DMS/FORTEZZA: Lessons Learned in U.S. Defense Messaging

6/13/2014

The small but smart supplier of superior messaging software.

Kathy Nuckles, CEO/President
[email protected]
www.commpower.com

Page 2

Introduction/Background

Context of Presentation

Security Adversaries

DMS Timeline: 14+ years in the making

DMS Future (per Mandate)

Next Generation Security Focused Building Blocks

• Common Data Medium: XML

• Common Security Labeling & Access Control: SPIF

• Common Access Card (CAC)

• Commerciality

Security Summary

Page 3

Established in 1984; California Corporation [Small Business]

Specialize in Military/Weather Product Development and System Integration

Products: 6 Military Gateway Products; 1 Text-to-Speech Product; 2 Security Label Toolsets

Systems: Turn-Key “COMMCENs” for the U.S. Air Force and Defense Logistics Agency, U.S. Federal Aviation Administration, U.S. National Weather Service

Key Team Member of the U.S. Defense Message System (DMS) Program Since Inception (1995)

Visit www.commpower.com

Page 4

Typical organization of a theater of operations as envisaged by War Department Doctrine, 1940 http://en.wikipedia.org/wiki/File:Theater_of_operations.gif

As a key product supplier and team member to the U.S. Defense Message System (DMS) program for 14+ years, CommPower has amassed a wealth of communications and security experience. This presentation is based on that experience.

Please note that the views and opinions presented are CommPower’s and don’t necessarily reflect the views of the U.S. Government.

Page 5

The goods are available. Why don’t they want them?

Page 6

Cost: Considered an overhead burden; Must not be a big ticket item

Ease of Use: If it is not intuitive, users will mount an attack

Availability of Alternatives: If there is a workaround, users will find it

Enforcement: Without enforcement, security will be bypassed


Page 7

2010

• Outlook & Domino Clients (Thick)

• FORTEZZA at the desktop

• Message is encrypted upon client submission

• SPIF based security labels; Overly complicated client interface for security label generation

[Figure: sample legacy teletype message: RAAUTJAZ RUWQAAAA 0001 015 1500 —UUUU- . . . ZNR UUUUU . . . UNCLAS SUBJ: OPERATIONS IN . . .]

• Teletype format

• Human readable

• COMMCEN operations

• Closed backbone infrastructure

• Organic Security model

• Continued Outlook (thick) client with usability improvements.

• Introduction of Proxy model with CAC enabled web clients and server resident FORTEZZA services (AMHS).

• FORTEZZA access control is limited to transport; AMHS informational access controls are local and proprietary

• Discontinued Outlook (thick) client

• AMHS proxy model is prolific

• “Reduced” (or shared) organizational certificates become attractive

• AMHS backside stovepipes start appearing with proprietary security labeling methods

• Mandate to retire “DMS” and adopt commercial capabilities

• Command E-mail concept begins to form; no solid definition to date

• Panic retreat back to legacy

[Timeline figure labels: 1995, 2000, 2008; Front Line Security; Security model fragments; Security begins to retreat; Stove-Pipes; Unknown]

Page 8

• DMS retires in 2012

• Adopt Commercial Technology NOW

• DMS Replacement will NOT be provided

• . . . but, let’s not lose sight of basic security requirements.

MROC (??)*

*Multi-command Required Operational Capability

Page 9

From the confusion there IS opportunity . . .

Page 10

Don’t expect Industry to deliver a single, consolidated capability on its own; Give them critical building blocks to take and run with . . .

<!ELEMENT cpe-Payload (cpe-CONTENT-TYPE, cpe-IDENTIFIER, cpe-ORIGINATOR, cpe-RECIPIENT+, cpe-SIGNERS-DN*, cpe-CONTENT-SIZE?, cpe-CONTAINS-BINARY-ATTACHMENTS?, cpe-ALT-DELIVERY-ALLOWED?, cpe-LATEST-DELIVERY-TIME?, cpe-SECURITY-LABEL, cpe-EXTENSIONS?, cpe-CONTENT)>

Basic Payload Construct: CommPower proposes XML

• Commercially prolific

• Easily processed

• Carries all data types

• Easily extended and customized

• Backward compatibility is supported
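An added example, not part of the original slides and not CommPower's code: a Python check of a candidate message against the cpe-Payload content model declared above, showing that a payload with no cpe-SECURITY-LABEL is rejected before it is processed. The function names, the sample documents and the refusal of inline DOCTYPE declarations are assumptions; the slide defines no content for the child elements.

```python
import re
import xml.etree.ElementTree as ET

# Content model copied from the slide's <!ELEMENT cpe-Payload ...> declaration.
CONTENT_MODEL = (
    "cpe-CONTENT-TYPE, cpe-IDENTIFIER, cpe-ORIGINATOR, cpe-RECIPIENT+, "
    "cpe-SIGNERS-DN*, cpe-CONTENT-SIZE?, cpe-CONTAINS-BINARY-ATTACHMENTS?, "
    "cpe-ALT-DELIVERY-ALLOWED?, cpe-LATEST-DELIVERY-TIME?, "
    "cpe-SECURITY-LABEL, cpe-EXTENSIONS?, cpe-CONTENT"
)

def model_to_regex(model):
    """Turn a DTD sequence like 'a, b+, c?' into a regex over 'a b b c '."""
    parts = []
    for item in (p.strip() for p in model.split(",")):
        name, suffix = (item[:-1], item[-1]) if item[-1] in "+*?" else (item, "")
        parts.append("(?:%s )%s" % (re.escape(name), suffix))
    return re.compile("".join(parts))

PAYLOAD_RE = model_to_regex(CONTENT_MODEL)

def check_payload(xml_text):
    """Return (ok, reason) for one candidate cpe-Payload document."""
    if "<!DOCTYPE" in xml_text:  # assumption: inbound messages carry no inline DTD
        return False, "inline DOCTYPE refused"
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return False, "not well-formed: %s" % exc
    if root.tag != "cpe-Payload":
        return False, "unexpected root element %r" % root.tag
    children = "".join(child.tag + " " for child in root)
    if not PAYLOAD_RE.fullmatch(children):
        return False, "children violate content model: " + children.strip()
    return True, "ok"

# Constructed samples; element text is a placeholder, not a format from the slides.
def build(tags):
    return "<cpe-Payload>%s</cpe-Payload>" % "".join("<%s>x</%s>" % (t, t) for t in tags)

REQUIRED = ["cpe-CONTENT-TYPE", "cpe-IDENTIFIER", "cpe-ORIGINATOR", "cpe-RECIPIENT",
            "cpe-RECIPIENT", "cpe-SECURITY-LABEL", "cpe-CONTENT"]
GOOD = build(REQUIRED)
UNLABELED = build([t for t in REQUIRED if t != "cpe-SECURITY-LABEL"])

if __name__ == "__main__":
    for name, doc in (("good", GOOD), ("unlabeled", UNLABELED)):
        print(name, check_payload(doc))
```

Because the label is a required, position-fixed child, a structural check like this catches an unlabeled or reordered message; it does not judge whether the label's value is valid under any SPIF.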

Page 11

Security Labels: Valid and consistent security labeling is an integral part of military communications, yet not an integral part of commercial communications. This, therefore, cannot be left to chance.

Security Label Toolset: CommPower proposes an XML-based SPIF definition and a freely distributed toolset.

Same XML merits as for the message format apply

Vendors could integrate the toolset without having to understand the intricacies.

Security Label

Simple button to invoke Security Label Creation. Vendor would use the provided toolkit to create a custom user interface “look and feel”

Page 12

Security Token: The Common Access Card is based on commercial technology and is widely deployed and accepted. Keep running with it!!!

Common Access Card

Infrastructure in place and operational

Based on accepted and practiced commercial technologies

Multi-Platform support

Page 13

Next Generation Military Information Exchange: New and innovative products based on the three commercially aligned building blocks

[Diagram labels: DMS Community; DMS MTA; Mail Relay; AMHS; AMHS Client; CP-EXP; Client; Other incl. CP-XJP; SPIF Security Label; Allies; Future DMS Replacement]

Page 14

RESTRICTED

Consistent information throughout

OfficeChat

Collaboration

Outlook


Page 15

Government Responsibilities: It’s not enough to simply demand COTS; Action is Required

• Maintain the building blocks

• Evolve the building blocks

• ENFORCE USE OF THE BUILDING BLOCKS

“Setting an example is not the main means of influencing another, it is the only means.” ~Albert Einstein

Page 16

Sound Security Building Blocks Woven into the “fabric” of operations

Can be carried toward the front line as required . . . Yet still remain embraced by Industry

Commerciality

Military/Defense

Page 17

Boldon James: Boldon James, a wholly-owned QinetiQ subsidiary since October 2007, has over 20 years’ experience specialising in secure messaging solutions tailored to meet the formal information exchange requirements of the worldwide defence and secure government sectors. Its Version 3 Secure Information Exchange architecture now provides a suite of Microsoft commercial off-the-shelf (COTS) functional extensions across the Unified Communications collaboration and conferencing suite, resulting in solutions with a low total cost of ownership (TCO) and significantly reduced deployment risk. Boldon James are a Microsoft Gold Partner and the Microsoft Global Go To Market Partner for Messaging in Defence and Public Safety sectors.

Cadmidium: Cadmidium Services Ltd is a technical consultancy specialising in communications system procurement, support services and product development. Cadmidium services have a diverse range of expertise backed up by decades of experience. Cadmidium currently have staff engaged with clients on a number of projects across land, sea and air environments.

Clearswift: Since 1982, Clearswift have provided internet content filtering solutions to more than 17,000 organizations around the world. We design our technologies and services around how people interact, developing adaptable solutions that define business communication. Clearswift solutions, available through an extensive partner network of qualified security specialists, safeguard information and communications, leaving employees free to communicate and collaborate, creating an environment that nurtures growth. Clearswift solutions allow you to strike the right balance between growth, cost and risk.

CommPower: CommPower, since its inception in 1984, has been seeking excellence in the product development and integration market, with emphasis on secure, real-time message processing/switching and data communications applications for military and meteorological markets. For these sectors, CommPower offers a host of gateway/dissemination products as well as Microsoft Exchange-based offerings all of which adhere to popular and open industry standards.

eB2Bcom: eB2Bcom builds and markets the high performance View500 Discovery & Directory server that combines LDAP, X.500 and XMLeD protocols in a single system. Renowned for its searching and matching capabilities and integrated WebDUA, View500 is deployed in Australia, Asia, USA, and Europe.

Isode Ltd: Isode builds high performance messaging and directory server products, using Open Standard protocols. Isode has customers in over 30 countries with exports accounting for over 60% of sales. Isode’s products are used in sectors where security, scaleability, reliability and excellent support are core requirements.

JSC: JSC Ltd provides design, integration, support, specialist training and technical consultancy services to the defence and defence related sectors. We specialise in the delivery and support of high-end secure messaging, directories and PKI-based solutions.

Nexor: Nexor is a leading provider of information assurance solutions to defence and government agencies. We ensure that sensitive information is accessed, controlled and shared in accordance with prevailing security policies by handling the connection, transformation and protection of that information. Our specialist capability and technology has been developed over two decades and our comprehensive portfolio is readily tailored to provide a value for money contribution to information assurance programmes.

SMHS Ltd: SMHS is a small, UK-based, company providing scientific, technical and integration consultancy services for a range of core enterprise services. These services include messaging (both formal and informal); directory services, security services and web services.