Reform

DOD Agency Keeps File Swaps Safe

Aug. 16, 2019 | BY C. Todd Lopez

The Defense Information Systems Agency has taken over an online resource that allows Defense Department personnel to swap files too large to be sent via email.

Now in the wheelhouse of DISA at Fort Meade, Maryland, the file transfer capability has been rebranded DOD SAFE, or secure access file exchange. The DOD SAFE capability is part of DISA's Defense Collaboration Services suite of applications.

A safe bears a magnet with the word “CLOSED.”  Checklists also adorn the safe.
Safe
A safe at Buckley Air Force Base, Colo. is used to contain sensitive or classified information.
Photo By: Air Force
VIRIN: 170131-F-ZZ999-001C

The file transfer capability was initially established about 18 years ago by the Army Aviation and Missile Research, Development and Engineering Center, or AMRDEC. SAFE initially stood for "safe access file exchange." It allowed users to transfer files as large as two gigabytes to other users.

"We specifically kept the name SAFE because we wanted people to associate it with the Amrdec product and this was the follow on to AMRDEC SAFE," said Mark Youmans, the chief of DISA's enterprisewide services development division.  He said taking on the responsibility for SAFE made sense in the context of what the service does.

File transfers were "never AMRDEC's core function," said Youmans, adding that such work is the core function for DISA Enterprise Services. "So the DOD [chief information officer] directed DISA to deploy SAFE earlier this calendar year."

The AMRDEC SAFE website was disabled as of Aug. 15. The new DOD SAFE application is online now at the new URL: https://safe.apps.mil

A screen capture shows the details and appearance of a new website.
DOD SAFE
The new DOD SAFE site allows users to transfer files that are too large to transfer via email.
Photo By: DOD Screenshot
VIRIN: 190815-D-NU123-001C

Other changes to SAFE include an increase in the allowable file size to eight gigabytes, the ability for users to continue to access files on the SAFE site for up to seven days, the ability to download a file multiple times and the ability to transfer up to 25 files at a time.

Additionally, security on the system has been enhanced. Now, files are encrypted "at rest" on the system, said Youmans. He explained this means users can transfer files with personally identifiable information or personal health information, and that the files are encrypted from sender to receiver.

"As the file that sits out there on SAFE, it is not accessible to anybody, including system administrators," Youmans said.

Another security aspect of DOD SAFE is that it now requires that a common access card holder be involved.

"A DOD employee has to be in the loop," said Karl Kurz, chief engineer for the enterprisewide services development division.

Kurz said this means that a CAC holder has to be the person who transfers the file, or, if a file transfer is going to go from a non-CAC holder to a CAC holder, the CAC holder has to request the transfer. The non-CAC holder will then get instructions on how to proceed.

"This service requires what we refer to as 'CAC in the middle,'" Kurz said.

A card slides in to a card reader.
CAC Card
A common access card, or CAC, is commonly used by security-cleared personnel to access classified systems.
Photo By: Photo illustration by C. Todd Lopez, DOD
VIRIN: 190624-D-NU123-002C

According to a DISA message released just last month, DOD SAFE is not intended to allow for transfer of files to classified domains.

From the user's perspective, said Youmans, the experience of using DOD SAFE will continue to be largely the same as when the system was operated by AMRDEC.

Kurz said that while the two systems will operate the same, they are completely different on the back end. He said DISA learned that Army Research Laboratory was using open-source software to perform a similar file-transfer function as what was needed for DOD SAFE. DISA partnered with ARL to reuse that software in a different capacity.

Changes to that software included making it compliant to operate in the DISA environment, enabling it to securely transfer information and to scale it to the number of users expected on DOD SAFE.

According to Kurz, when the SAFE capability rested with AMRDEC, more than 11,000 "packages" were transferred each day — around 4.1 million a year. Additionally, some 600,000 unique users made use of the system in fiscal year 2018.