Linux in Government: Open Source Innovation within the DoD
Prior to implementing an integrated software solution for its hospitals in 1993, the military experienced bottlenecks in its computer services. Each branch of the armed services used different legacy systems and manual procedures to control the flow of medical supplies and equipment, facilities, contractors and record keeping. Then, the Department of Defense (DoD) automated the processes with a common standard platform to conduct medical logistics for every branch of service. When you manage as many hospitals and health-care facilities as the military does, standards-based solutions and coordinated automation are essential.
The Assistant Secretary of Defense for Health Affairs embraced what is referred to as the DoD information superiority initiative. Simply stated, as service members are deployed into various theaters of operations, new and better standards became essential. That's where the Defense Medical Logistics Standard Support (DMLSS) program comes into play. The DMLSS System is an automated information system used by the four major branches of the service to provide medical logistics support to military hospitals and other medical facilities.
DMLSS provides the four services with a common, standard platform for conducting medical logistics. It provides end-to-end information technology that enables the services to order and receive products and services electronically as well as to create and release invoices for payment. DMLSS also provides record keeping services, such as inventory control. The system complies with the accounting standards of the DoD, allowing the Comptroller's office to more efficiently compile its financial records. Finally, DMLSS serves as a source of record for DoD medical assets.
The Program Management Office (PMO) for DMLSS is located in Falls Church, Virginia. Continuing development and support facilities exist at Ft. Detrick, Maryland, at the Joint Medical Logistics Functional Development Center. At Ft. Detrick, programmers support open-source components in applications that require cryptography. They open-source components include Stunnel, Apache, ModSSL and OpenSSL.
Although Stunnel does not contain any cryptographic code itself, it relies on external SSL libraries, such as OpenSSL. ModSSL provides strong cryptography for the Apache 1.3 WebServer by way of the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols, with some help from the open-source SSL/TLS toolkit, OpenSSL. The OpenSSL Project is a collaborative effort to develop a robust, commercial-grade, full-featured and open-source toolkit that implements the SSL v2/v3 and TLS v1 protocols, as well as a full-strength general purpose cryptography library.
The PMO supported the use of open source and saw it as an enabling technology. As DMLSS became the standard throughout the military, the department heads enjoyed the success of their program. It has won 17 awards, beginning with the 1997 Government Information Technology Leadership Award and most recently winning the E-Business Transformation Award in 2003.
Some of us may find it hard to imagine, but in January 2000 members of the National Security Agency promulgated a policy that required any military program using information assurance to have its products validated by National Institute of Standards and Technology (NIST). The open-source components of DMLSS lacked such validation, called a FIPS 140-2 validation.
That led Steve Marquess, the technical manager of DMLSS, to the job of finding replacements for the OpenSSL libraries so prominently used in DMLSS. It also led him on a journey that blended serendipity with the realities of DoD chains of command. After months of research, Steve says he "discovered two things: not much commercial software was available and what existed was very expensive. Secondly, OpenSSL had already been validated multiple times."
Because OpenSSL has a BSD-style license, many vendors simply grabbed the source code and incorporated it into their proprietary products. Those vendors wanted literally hundreds of thousands of dollars in licensing fees. As Steve attests, "as a taxpayer, I felt very annoyed. But it made me realize a couple of things. First, if OpenSSL had been validated, then it was possible for us to do it again. Secondly, if we could do it we could save a lot of money for the program."
Steve took the idea to his superiors: Debbie Bonner, Director of Operations in the PMO, and Colonel Dan Magee, the DMLSS Program Manager at the time. Both actively encouraged Steve to go forward. Steve said, "The path of least resistance [for Debbie Bonner and Col. Magee] would have been to fork over a pile of taxpayer dollars for proprietary software, but they backed this out of the box move instead. That took guts, I think, especially when we were being told by nearly everyone that it couldn't be done."