Defence companies and DoD/MOD are increasingly aware that they are "hitting the wall running" with SOA and certification/accreditation (e.g. Common Criteria).
The main problem is simple: SOA is about agility, and dynamically responding to change by allowing fast reconfiguration of the infrastructure "Lego blocks". Accreditation is about accrediting the assurance of a static system using some elaborative analysis process.
Unless the two are brought together, there will simply be no useful SOA in defence. Model Driven Security (MDS) can help achieve this.
IBM has recently (6/2007) published a Working Paper on the subject. It is not very dense, essentially they are saying that the challenges are due to complexity. The relevant information includes:
1) they then say "the new direction parallels the way Model Driven Architecture (MDA) and Model driven Development (MDD) have restructured the ... challenges and have provided architects ... better leverage over SOA complexity".
2) cultural and the accreditation community needs to be trained
3) support incremental change in accreditation practices
4) SOA should be deployed without agility (why would you buy SOA then at all?)
5) traditional accreditation approaches need to be adapted to match SOA better
6) security mechanisms are there and aren't really the problem
The first point echoes what ObjectSecurity has said since 2005: Model Driven Security is a highly useful concept to provide accreditable, agile SOAs with low-maintenance security policy management.
Please contact us if you would like to know more about agile SOA security and accreditation.