DoD agency keeps file swaps safe

The Defense Information Systems Agency has taken over an online resource that allows Defense Department personnel to swap files too large to be sent by email.

Now in the wheelhouse of DISA, the file transfer capability has been rebranded DoD SAFE, or secure access file exchange. The DoD SAFE capability is part of DISA's Defense Collaboration Services suite of applications.

The file transfer capability was initially established about 18 years ago by the Army Aviation and Missile Research, Development and Engineering Center, or AMRDEC. SAFE initially stood for "safe access file exchange." It allowed users to transfer files as large as 2 gigabytes to other users.

"We specifically kept the name SAFE because we wanted people to associate it with the AMRDEC product and this was the follow-on to AMRDEC SAFE," said Mark Youmans, DISA enterprise-wide services development division chief. He said taking on the responsibility for SAFE made sense in the context of what the service does.

File transfers were "never AMRDEC's core function," Youmans said, adding that such work is the core function for DISA Enterprise Services. "So, the DoD (chief information officer) directed DISA to deploy SAFE earlier this calendar year."

Other changes to SAFE include an increase in the allowable file size to 8 gigabytes, the ability for users to continue to access files on the SAFE site for up to seven days, the ability to download a file multiple times and the ability to transfer up to 25 files at a time.

Additionally, security on the system has been enhanced. Now, files are encrypted "at rest" on the system, Youmans said. He explained this means users can transfer files with personally identifiable information or personal health information, and that the files are encrypted from sender to receiver.

"As the file sits out there on SAFE, it is not accessible to anybody, including system administrators," Youmans said.

Another security aspect of DoD SAFE is that it now requires that a common access card holder be involved.

"A DoD employee has to be in the loop," said Karl Kurz, chief engineer for the enterprise-wide services development division.

Kurz said this means that a Common Access Card holder has to be the person who transfers the file, or, if a file transfer is going to go from a non-CAC holder to a CAC holder, the CAC holder has to request the transfer. The non-CAC holder will then get instructions on how to proceed.

"This service requires what we refer to as 'CAC in the middle,'" Kurz said.

According to a DISA message released in July, DoD SAFE is not intended to allow for transfer of files to classified domains.

From the user's perspective, said Youmans, the experience of using DoD SAFE will continue to be largely the same as when the system was operated by AMRDEC.

Kurz said that while the two systems will operate the same, they are completely different on the back end. He said DISA learned that Army Research Laboratory was using open-source software to perform a similar file-transfer function as what was needed for DoD SAFE. DISA partnered with ARL to reuse that software in a different capacity.

Changes to that software included making it compliant to operate in the DISA environment, enabling it to securely transfer information and to scale it to the number of users expected on DoD SAFE.

According to Kurz, when the SAFE capability rested with AMRDEC, more than 11,000 "packages" were transferred each day — around 4.1 million a year. Additionally, some 600,000 unique users made use of the system in fiscal year 2018.

The AMRDEC SAFE website was disabled as of Aug. 15. The new DoD SAFE application is online at the new URL: https://safe.apps.mil.