Draft recommendations from the APCO Broadband Committee's subcommittee on Governance of the Nationwide Public Safety Wireless Broadband Network presented at the APCO Annual Conference on August 21, 2013
Device Certification
- Process for network compatibility testing
- Use PSCR or PTCRB for testing
- Policy to ensure testing is vendor neutral or standardized
- Self Verification policies
- Process for identification of device data security policies and then compliance validation
- CJIS – FIPS 140-2
- Others?
Device Security
- Policy for Device Management System for Over the Air updates/lock/wipe
- Open Mobile Alliance (OMA) device management specifications
- Policy for Application protection/revocation
- Policy for fixed device selection or BYOD
SIM Procurement
- ID and IMSI Numbering management – FirstNet - EBAC
- Policies for SIM distribution - FirstNet authorized vendor(s)
SIM Management
- SIM Administration Center – Pre-Provisioned and Dynamically Provisioned
- Process vendor and user requests
- Billing/Revenue Management (BRM) system – Policy defining division of efforts. FirstNet, States, Local?
The application store: should there be a single store, developed and managed centrally by FirstNet or a public-private partnership under FirstNet’s overall control? This option has many advantages, especially if FirstNet allows tailorable views by state and local user agencies. For example, a local city fire department might want certain of its own applications viewable and downloadable by its users, but probably would want the local view of the store not to include law enforcement, transportation and most utility (electric, water, etc.) apps. This implies a major effort by FirstNet to develop software and mechanisms for the store which can be easily tailored and administered by the local agencies to customize the “views” for that agency's users. This sort of a “local management” model for the apps store mirrors the need for local management of priority on cell sites, applications, devices and users.
An alternative is to have multiple apps stores developed and administered by states and larger local jurisdictions. This model gives more control to state and local agencies, but presents a number of logistical and security difficulties, not to mention adding a financial burden for these agencies.
Another important FirstNet function is grading and recommending apps. The City of Phoenix, for example, might develop a phenomenal emergency medical services application. FirstNet might want to recommend the use of such an app by all EMS agencies nationwide. Indeed, the applications store functionality probably should have a user comment and grading capability similar to commercial apps stores.
Application specifications and requirements must be managed and governed centrally to ensure all apps which are developed have adequate security, can appear on various screen sizes for different devices, and will properly interface with device features (cameras, volume controls, etc.).
Similarly, certification of applications must be centralized, because a single poorly behaving application (e.g. one which chews up bandwidth or has security flaws) presents a problem for all users on the network. FirstNet will need to develop or contract with a certification agency because no commercial network has the specifications and requirements inherent in a public safety network (e.g. security, identity management, CJIS and HIPAA, etc.).
Deployment of applications presents many governance issues. First, there is a huge body of existing apps which are being used by local and state agencies which will need some redevelopment and certainly certification for use on FirstNet before being added to the apps store. In many cases such work will be performed by a vendor – in other cases the city/tribe/state app owner will need to do it. Next, FirstNet governance will need to make a decision about which apps need to be universally deployed to all devices and users. The FCC’s Orders authorizing 700 MHz waivers specified five such apps, but FirstNet will need to make its own decisions. These might include a nationwide VPN, cellular voice, Internet access, SMS or text messaging, enhanced SMS (e.g. allowing attachment of video / audio files) etc. A further question is whether States should have a similar authority to require certain apps be deployed statewide, to allow mutual aid and intercommunication by all using agencies within a state. This runs into a number of local control and home rule issues. On the other hand, cities, counties, tribes and individual agencies (e.g. a city police department) will certainly have some apps which they will mandate be deployed to every device and user within the government or the agency.
Finally, there is the issue of upgrades. As bugs, new features, security flaws etc. are exposed, apps will need to be upgraded. Some such flaws or changes will be so serious that they must be deployed immediately.
Ideally each agency app owner makes such decisions about upgrades, but the upgrades will need to go through re-certification because they may behave badly inside the device, adversely affecting other apps which already reside in it.