GTRI Supports Information Sharing for Government Agencies
Today, a far-reaching information sharing environment (ISE) is gaining momentum and allowing U.S. justice agencies – law, law enforcement, criminal and counter-drug intelligence, courts, corrections, and others – to exchange information with one another securely and seamlessly over the Internet.
Other security- and safety-related agencies – including homeland security and disaster response entities – participate in this ISE also. The result has been unprecedented opportunities for inter-agency cooperation. Today, this ISE is employed by all 50 states.
“Government justice agencies have faced challenging problems in exchanging their data online,” said John Wandelt, a principal research scientist who directs the Information Exchange and Architecture Division of the Georgia Tech Research Institute (GTRI). “It’s taken about two decades, and the involvement of many different groups, to get to where we are today. And there is still much to do. We generally move at the speed of agreement, and reaching consensus at this scale can move slowly.”
The challenges have been two-fold, Wandelt explained. One problem has involved major technical issues: By the time World Wide Web technology made the Internet widely accessible in the early 1990s, U.S. justice groups were already committed to many diverse software systems that had trouble communicating. The other problem centered on trust issues: Justice information is extremely sensitive, and any approach to data exchange must be unquestionably secure on every level.
A Global Strategy
By the mid-1990s, a federal advisory committee called the Global Justice Information Sharing Initiative (or “Global” www.it.ojp.gov/global), a “group of groups” representing more than 30 independent bodies, was meeting to discuss ways to address the issues.
Perhaps the most important strategy developed by Global involved building a broad-based consensus for addressing both the technical and the trust challenges. Soon, committees were busy developing data, policy, and technology standards, as well as best practices, based on members’ requirements.
Another key Global strategy involved finding ways to make the new standards work in the real world. Jointly with the U.S. Department of Homeland Security, Global commissioned GTRI to develop a National Information Exchange Model (NIEM), a flexible information exchange framework aimed at the multi-domain challenge of linking many agencies at all levels of government.
“Standards are at the heart of any information sharing solution, especially one that serves as many groups and technologies as the justice information system does,” said Wandelt, who leads GTRI’s NIEM team. “And good standards are community-driven – they’re developed by community members working together on behalf of all the stakeholders.”
The NIEM framework is based on an important industry standard – Extensible Markup Language (XML) – that’s been in use for years. But NIEM adds extra capabilities to XML, providing novel information exchange characteristics that increase interoperability and understandability, allowing translation among justice and homeland security agencies’ many disparate software systems and databases.
Today, any government agency that wants to share data or expand its system capabilities can do so by going to www.niem.gov to access a wide range of NIEM-based information sharing building blocks. These tools facilitate development of exchange standards that are tailored to a specific group, yet can conform to and interoperate with other systems created using the NIEM framework and specifications.
Starting from Scratch
Initial efforts aimed at developing justice information sharing technology go back more than two decades. In 1992, for instance, four southwestern border states approached GTRI about sharing counter-drug intelligence information with one another.
At that time, neither XML nor World Wide Web technology was yet available, and the potential technical problems were daunting, recalled Wandelt, who attended the early meetings.
Worse, there were no policies, procedures, technical standards, or best practices in place to guide how law enforcement systems should share this sensitive information.
“GTRI was trying to provide not just the technology piece for the Southwestern initiative, but also ways to bring people to the table and get cooperation among the parties,” Wandelt said.
Despite the challenges, by 1995, a GTRI team led by Wandelt and senior research engineer Kirk Pennywitt had built the first version of the Southwest Border States Anti-Drug Information System, linking key drug enforcement entities in the four states.
NIEM: Taking the Data
The powerful Extensible Markup Language made its debut in the mid-1990s. In combination with the Internet and rapidly expanding Web technologies, XML began to change the justice information sharing landscape.
XML offers a set of rules for encoding documents in ways that make them readable to both humans and computers. It is a broadly applicable, one-size-fits-all structure, Wandelt said. It contains no specific semantics – words and their meanings – to let it serve as a translation layer between the many different legacy systems that government agencies had independently developed over the years.
In 2002, at the recommendation of Global, the U.S. Department of Justice sponsored a team of GTRI engineers led by Wandelt to develop an XML-based information exchange vocabulary and data model based on justice data sharing requirements.
Known as the Global Justice XML Data Model, it was specifically designed for sharing information across the justice community, and it became highly successful. Driven by the events of 9/11, other government agencies began searching for a similar solution.
It was in 2005 that the U.S. Department of Homeland Security approached the Justice Department/Global, and struck an agreement to jointly sponsor the development of NIEM, the new technology that was an outgrowth of and leveraged the Global Justice XML Data Model.
But NIEM was different. The new NIEM architecture allowed for scaling and expansion to different kinds of agencies and lines of business, as well as justice. Furthermore, it made it easy to set up specialized governance bodies that could work together to maintain respective specialized parts of the model.
“NIEM’s objective was to extend the Global Justice model so that federal, state, and municipal justice, security, emergency management, or other kinds of agencies would have a consistently structured and semantically precise way of communicating with one another electronically,” explained Wandelt.
To create NIEM, the GTRI team worked closely with and facilitated detailed reviews with many subject matter experts.
At the same time, they painstakingly built an extended semantic vocabulary into the existing Global Justice XML framework and expanded it to accommodate information representations in multiple business lines.
Finding Universal Terms
Those additions enabled NIEM to tackle a complex real-world problem – the fact that the hundreds of justice, homeland security, and other programs in the U.S. use many different terms for the same thing.
For example, one agency might use the term “police officer,” another might favor “law enforcement officer,” and another might say “deputy.” NIEM can address many different synonyms and yet identify them with a single universal term that all the systems understand.
Another NIEM strength: It offers software tools that agencies can use to build customized information exchanges. The NIEM website provides a reference to a GTRI-built tool that lets users specify their exact information exchange requirements and build their own NIEM-based standard.
“Developers can literally type in their own requirements – give me one of these and one of those,” Wandelt said. “So you’re able to build your own information exchange without starting from scratch, and it will work with the other information exchanges that use the NIEM framework and specifications.”
And as members of the agency community come up with new information requirements to represent, the groups that oversee NIEM can add them to upgraded versions of the model, extending its capabilities. NIEM is also self-documenting, meaning that its XML representation is easier to understand because it uses extensive descriptive phrases that basically label and define each component in the model.
“You could represent a piece of information in 10 possible ways, but NIEM tells you to represent it this way,” Wandelt said. “Many different stakeholders worked together with the GTRI team to identify the best way to represent each piece of information in NIEM.”
NIEF: Building Secure Access
The developers also faced another concern: how to keep the new information sharing system safe from unauthorized users. The key problem was how to offer ready but secure data access to people from many decentralized agencies.
The winning concept – federated identity – established a totally separate user-identity provider. Beginning in 2005, and working closely with the Global Security Working Group, GTRI formally defined the standard specifications for this approach, referred to as Global Federated Identity and Privilege Management (GFIPM). By 2008, GTRI had implemented an operational pilot for GFIPM, known as the National Identity Exchange Federation (NIEF).
“NIEF provides for a trust framework that supports federated identity, and credential and access management; it serves as a trusted third party that performs the necessary due diligence and conformance testing to support trusted interoperable exchange of identity and authorization information among agencies,” explained Wandelt, who serves today as NIEF’s executive director.
The GTRI GFIPM team built the NIEF trust framework using Security Assertion Markup Language (SAML), an XML-based open-standard tool for exchanging authentication and authorization data. GTRI and the pilot partners established a NIEF Center at Georgia Tech, where it continues to support justice and other government agencies.
To facilitate interoperability between NIEF and other government trust frameworks – such as Federal Identity, Credential and Access Management (FICAM) and GFIPM – GTRI also developed Trustmarks technology.
Trustmarks was initiated as a NIST National Strategy Trusted Identities in Cyberspace (NSTIC) pilot project for Scaling Interoperable Trust in a Trustmark Marketplace. The goal was to address the fundamental “inter-federation problem” that was beginning to emerge across the country.
Before establishment of the FICAM program, identities were locked in application silos. Now, digital identities are increasingly locked in independent trust framework or federation silos.
The objective of the GTRI-developed Trustmark framework is to break down these silos and to bridge wide-scale trust. Today, the Trustmark framework is fully deployed in NIEF.
Trustmarks uses XML to make the documents that list the specifications for each framework machine-readable. That capability facilitates pinpointing and resolving the differences between these complex frameworks.
Recently, the U.S. General Services Administration (GSA), which oversees the FICAM program, approved NIEF as a trust framework provider for FICAM, establishing NIEF as a FICAM TFS. This means that NIEF, which has been primarily focused on serving justice, security, and public safety groups, can now act as a qualified trust framework provider for any government agency.
“Thanks to past and present efforts by Global members and others, we’ve established a robust, secure, trusted information sharing environment that allows all agencies needing to share information to communicate readily with one another,” Wandelt said.
Research projects mentioned in this article are supported by sponsors that include the Bureau of Justice Assistance (BJA), the Department of Homeland Security (DHS), the National Institute of Standards and Technology (NIST), and the Program Manager for the Information Sharing Environment (PM-ISE). Any opinions, findings, conclusions, or recommendations expressed in this publication are those of the principal investigators and do not necessarily reflect the views of BJA, DHS, NIST, or PM-ISE.