API TECHNICAL GUIDANCE

This guidance, or minimum viable product (MVP), covers governance, cybersecurity and zero trust, and API design and implementation principles. Future versions will include additional topics such as testing; development, security, and operations (DevSecOps); secure programming and error handling; performance optimization; and scalability.

This document includes use cases, lessons learned, and best practices from DoD and industry. Although other guides exist, this guide emphasizes the importance of enhancing and advancing the DoD warfighting capabilities of the near future to support the Combined JADC2 (CJADC2) vision and to secure information interoperability across the DoD. (See also Appendix C: API Security Challenges for more detail about the CJADC2 vision.) The guide describes an API framework to help programs define their technical baseline for delivering future systems that support the DoD enterprise and warfighter mission requirements.

An API is “a system access point ... accessible from application programs . . . to provide well-defined functionality” (NIST SP 1800-21). APIs promote interoperability, security, and scalability.

Figure 1-1 illustrates the scope of APIs covered in this guidance from a system perspective.

Figure 1-1. API Context Diagram from a System Perspective (panels: DoD, Joint and Service Designed Systems; Commercially Designed Systems; connected through a Socket API)

This figure views an API as a socket connection between two systems. In general, a socket (e.g., Web, Berkeley, Windows, Unix, Linux, Java) is an abstract representation of the local endpoint of a network communications path. This perspective dichotomizes API ecosystems into those designed for the DoD and those designed for commercial industry. The four types of DoD-specific warfighting systems are non-real-time (e.g., intelligence analytics, logistics); real-time (e.g., networked weapons); back-end (e.g., order of battle); and capability development (e.g., wargames, modeling and simulation). The commercial API ecosystems, such as business systems (e.g., paychecks); social networks (e.g., SIPR chat, other ChatOps); transport systems (e.g., Link 16); and other frameworks (e.g., Global Information Grid), are also partially in scope. Each such system contains one or more open or proprietary API socket interfaces connecting with other systems. The future design scope of APIs includes the four DoD systems and, in part, the four commercial systems. In the future, with the exception of proprietary APIs, any API developed for or used by the DoD will be considered within scope.

Future Purchasing/Use Scope Rule: Any future framework, system, software, or application for purchase or use by the DoD should be considered within scope of this guidance.

Future Design Scope Rule: The design of APIs is considered within scope of this guidance when the framework, system, software, or application using the APIs is primarily designed or specified by the DoD and Services.
The scope of APIs also can be seen from a data perspective as shown in Figure 1-2.
Source: (NATO 2023)
Figure 1-2. API Context Diagram from a Data Perspective
This figure views an API as an automated data standard between two services. In general, a data standard is any documented agreement on the representation, format, definition, structuring, tagging, transmission, manipulation, use, and management of data (EPA 2023). An automated data standard or API can reside at various levels, including between autonomous decision-making and data insight/analytic services (e.g., reporting, machine learning, statistical analysis); analytics services and storage services (e.g., data warehouse, data lake); data integration and interoperability services (e.g., batch or stream processing or data visualization) and community of interest services; or data management and governance and the management plane (e.g., data quality and security). Thus, any API in use by, designed by, or specified by the DoD, Joint, or Services is considered within scope of this guidance.

The following items will be reserved for a future release:
• Testing
• APIs and DevSecOps
• Secure Programming and Error Handling
• Performance Optimization and Scalability