U.S. Department of Agriculture eGovernment Program December 3, 2003 eAuthentication Initiative USDA eAuthentication Service Overview eGovernment Program

Page 1

U.S. Department of Agriculture

eGovernment Program

December 3, 2003

eAuthentication Initiative

USDA eAuthentication Service Overview

eGovernment Program

Page 2

Agenda

Components of the USDA eAuthentication Service

Technology

Processes & Procedures

People

FY 04 eAuthentication Cost Breakdown

Agency Variable Cost

Page 3

Three Components of the USDA eAuthentication Service

Diagram: Technology, Processes & Procedures, People

The USDA eAuthentication service consists of three main components to support authentication services across USDA and ultimately, for other Federal, State, and local government entities.

Page 4

Technology

The USDA eAuthentication service is built upon the Web-Based Centralized Authentication and Authorization Facility (WebCAAF) technology infrastructure:

Netegrity SiteMinder 5.5

Netegrity IdentityMinder

Microsoft ActiveDirectory

7 WebLogic application servers

53 total servers

Hosted in the Ft. Collins Webfarm Data Center

Failover hosted in the St. Louis Webfarm Data Center

Page 5

Technology

The History of the USDA eAuthentication Service…

Freedom to e-File Act created the need for Single Sign On for USDA Service Center Agencies (SCAs)

Blackbird & Unisys Perform Market Analysis

Top 3 Products Are Live Test Demoed (LTD)

Accenture & TWM Facilitate the eA Business case

nLink Validated Netegrity & the architecture

Agency Team Members Select WebCAAF For USDA

GSA Selected USDA to Support the pilot Grants.gov

Page 6

Technology

The Service Center Agencies (FSA, RD, NRCS) went through a rigorous selection process before establishing WebCAAF to meet the Freedom to e-File Act in 2002.

January, 2001 – Requirements

Market Survey of approx. 18 products

Evaluation of products vs. requirements

Top 3 products Live Test Demo’ed

Netegrity is ONLY product meeting all requirements

May, 2001 – Contracting Officers agree on procurement strategy

nLink/Price Waterhouse hired to build out architecture

March, 2002 – WebCAAF goes live

Page 7

Technology

USDA-wide eAuthentication Team decides “next steps.”

September, 2002 – eAuthentication team: 30 USDA members, Accenture & TWM

Agency eAuthentication requirements

eAuthentication business case

December, 2002 – Team concludes WebCAAF was the most cost effective solution

Some expansions needed to provide services across USDA

February, 2003 – Expanded design and architecture approved

June, 2003 – System expanded

October, 2003 – Expanded WebCAAF goes live

Page 8

Technology

GSA selected USDA’s eAuthentication service to be a part of the Federal Government’s eAuthentication Service.

GSA chooses USDA as key player for GSA Gateway

Includes WebCAAF and NFC PKI solutions

GSA’s Technical Architecture is revised – project continues; USDA is asked to be on the new Architecture Working Group

GSA due to complete accreditation on WebCAAF Credential Authorization Framework (CAF) by January 2004

USDA is asked to be a credential service provider (CSP) for the Grants.gov pilot of the new SAML-based architecture

Page 9

Technology

The USDA eAuthentication Service performs all of the tasks needed to connect to the new SAML-based architecture.

Diagram: GSA Portal → Credential Service Provider → Agency Application (steps 1–5 below); the USDA eAuthentication Service provides support for all of these functions on behalf of the agency applications.

1. User starts at portal and selects credentials and service they want to access.

2. User is directed to selected CSP to present credentials.

3. User authenticates.

4. User is directed to agency application with SAML artifact.

5. Agency application decodes the SAML artifact and determines authorization.

Without the USDA eAuthentication Service, each agency application would have to perform the following:

Create applications using SAML compliant tools;

Create interfaces that read SAML from the CSPs;

Modify interfaces when GSA changes the SAML interface;

Perform all authentication & high level authorization.
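The five-step flow above, and the "read SAML from the CSPs" and "perform all authentication & high level authorization" work the service takes off the agency applications, can be seen in one small simulation. The following Python program is an added example and is not code from the USDA presentation, WebCAAF, or Netegrity; every name, user, key and URL in it is constructed. It stands in an HMAC for the XML signature a real CSP would apply and a direct method call for the back-channel artifact resolution request, which is what "decoding" an artifact amounts to in practice: the artifact is an opaque reference, and the agency application must fetch and validate the assertion it points to (signature, audience, expiry, single use) before reading roles out of it.

```python
import hashlib
import hmac
import json
import secrets
import time

# Constructed values for this example; none of them come from the USDA slides.
CSP_SIGNING_KEY = b"constructed-csp-signing-key"   # stands in for the CSP's XML-DSig key
AGENCY_APP_ID = "https://agency-app.example/"      # the SAML Audience this application accepts
ARTIFACT_TTL_SECONDS = 60                          # an artifact is a short-lived reference


def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class Portal:
    """Step 1: the user picks a credential provider and a service; the portal only redirects."""
    def __init__(self, csps):
        self._csps = csps

    def select(self, csp_name, service):
        return self._csps[csp_name], service   # step 2: user is sent to the chosen CSP


class CredentialServiceProvider:
    """Steps 2-4: verifies credentials and issues a one-time artifact that refers to an assertion."""
    def __init__(self, users):
        self._users = users     # {username: (salt, pbkdf2_hash, roles)} -- constructed store
        self._pending = {}      # artifact -> (assertion_bytes, signature, expiry)

    def authenticate(self, username, password, target_app):
        rec = self._users.get(username)
        if rec is None:
            return None
        salt, stored, roles = rec
        if not hmac.compare_digest(stored, hash_password(password, salt)):
            return None         # step 3 failed: no artifact is issued
        assertion = {"issuer": "csp.example", "subject": username, "audience": target_app,
                     "roles": roles, "expires_at": time.time() + 300}
        body = json.dumps(assertion, sort_keys=True).encode()
        sig = hmac.new(CSP_SIGNING_KEY, body, hashlib.sha256).hexdigest()
        artifact = secrets.token_urlsafe(20)    # opaque handle; carries no user data itself
        self._pending[artifact] = (body, sig, time.time() + ARTIFACT_TTL_SECONDS)
        return artifact                         # step 4: travels with the user to the agency app

    def resolve(self, artifact):
        """Back-channel artifact resolution; pop() makes every artifact single-use."""
        entry = self._pending.pop(artifact, None)
        if entry is None:
            return None
        body, sig, expiry = entry
        return (body, sig) if time.time() <= expiry else None


class AgencyApplication:
    """Step 5: resolves the artifact, validates the assertion, then decides authorization."""
    REQUIRED_ROLE = "program_applicant"

    def __init__(self, csp):
        self._csp = csp

    def handle_artifact(self, artifact):
        resolved = self._csp.resolve(artifact)
        if resolved is None:
            return "deny", "unknown, expired or already-used artifact"
        body, sig = resolved
        expected = hmac.new(CSP_SIGNING_KEY, body, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(sig, expected):
            return "deny", "assertion signature invalid"
        a = json.loads(body)
        if a["audience"] != AGENCY_APP_ID:
            return "deny", "assertion not addressed to this application"
        if time.time() > a["expires_at"]:
            return "deny", "assertion expired"
        if self.REQUIRED_ROLE not in a["roles"]:      # authenticated is not authorized
            return "deny", f"{a['subject']} lacks role {self.REQUIRED_ROLE}"
        return "allow", a["subject"]


def build_demo():
    """Constructed CSP with two users; returns (portal, csp, app)."""
    salt = b"constructed-salt"
    users = {"jdoe": (salt, hash_password("correct horse", salt), ["program_applicant"]),
             "asmith": (salt, hash_password("battery staple", salt), ["viewer"])}
    csp = CredentialServiceProvider(users)
    return Portal({"usda": csp}), csp, AgencyApplication(csp)


def run_flow(portal, app, username, password):
    """Drives steps 1-5 for one user; returns (decision, artifact)."""
    csp, _service = portal.select("usda", "grants")                  # steps 1-2
    artifact = csp.authenticate(username, password, AGENCY_APP_ID)   # steps 3-4
    if artifact is None:
        return ("deny", "authentication failed"), None
    return app.handle_artifact(artifact), artifact                   # step 5


if __name__ == "__main__":
    portal, csp, app = build_demo()
    decision, artifact = run_flow(portal, app, "jdoe", "correct horse")
    print(decision, app.handle_artifact(artifact))   # allowed once, then the replay is denied
```

The checks in `handle_artifact` are exactly the ones each agency application would otherwise have to implement and re-test whenever the CSP interface changes; centralizing them in one service is the point the slide makes. A second presentation of the same artifact is refused because the CSP hands it out only once, which is what keeps a copied redirect URL from granting a second session.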

Page 10

Processes and Procedures

The USDA eAuthentication service is supported by documented processes and procedures that were evaluated before it was given the Authority to Operate (ATO) by USDA CyberSecurity after an audit completed by Backbone…

Diagram: ATO; Security Plan (Management Controls, Operational Controls, Technical Controls); Trusted Facility Manual; Certification & Accreditation Documents; Operations, Security Roles, System Procedures

C&A complete with Authority to Operate (October)

Process follows NIST standard

Page 11

Processes & Procedures

The Security Plan outlines three types of controls (Management, Operational, Technical) to protect the USDA eAuthentication Service and the agency applications.

Management Controls: Risk Assessment; Rules of Behavior; Change Management

Operational Controls: Personnel Security; Physical Environment Protection; Security Awareness Training

Technical Controls: Identification/Authentication; Authorization/Access Controls; Audit Trails

Page 12

People

24 team members are dedicated to supporting the USDA eAuthentication Service across the following teams…

Diagram (organization chart):

Project Planning & Strategy
• Change Mgmt • Planning • Architectures • Budget • Communications

Integrated Application Support
• Design Integration • App Integration • Production Migration • Cost Management

Infrastructure Production
• H/W, SM, IM, AD, Web Logic Outage Management • Web Farm Hosting

Pre-Production Development
• Design • Development • Test

Help Desk
• Passwords • Trends • Problem Reports

User Groups
• Requirements • Policies

Customers: LRA’s, Apps, Agencies

Page 13

FY 04 eAuthentication Cost Breakdown

The FY 04 overall fixed costs of $5,031,345 are broken across the teams in the following manner:

Diagram (organization chart with FY 04 planned costs):

Project Planning & Strategy – $334,980

Infrastructure Production – $1,700,274 Infrastructure; $690,000 Software; $40,000 Hardware

Operations (Web Farm Hosting, Help Desk) – $1,319,578

Integrated Application Support – $946,513

Pre-Production Development; User Groups; Customers: LRA’s, Apps, Agencies

Page 14

FY 04 eAuthentication Cost Breakdown – Integrated Application Support

Cost Category: Integrated Application Support

Item | Staff | Description | 2004 300 Estimate | 2004 Planned | Difference | Resources
TS Team Leads | 2 people | manage all interactions between agency application owners and eAuthentication system including integration services, Service Level Agreements, etc. | $260,000 | $435,130 | $175,130 | Combs, Fawley
Application Integrators | 4 persons | assists agencies with integrated application support | $540,000 | $355,863 | -$184,137 | Tilligadas, Witkin
Process/Test Coordinator | 2 persons | coordinates all test processes and assists with integrated applications | $360,000 | $155,520 | -$204,480 | Spinks
Integrated Application Support Total | | | $1,160,000 | $946,513 | -$213,487 |

Page 15

FY 04 eAuthentication Cost Breakdown – Infrastructure

Cost Category: Infrastructure

Item | Staff | Description | 2004 300 Estimate | 2004 Planned | Difference | Resources
Release 1 Implementation | 16 people for 3 months | build and expansion of the technical architecture, creation of registration process | $523,076 | $523,076 | $0 | Implementation team in 1Q 2004 for expansion
Infrastructure Architect | 1 person | manages all global logical and physical design issues including USDA and eAuthentication Gateway interactions | $280,000 | $342,605 | $62,605 | Griffin
Infrastructure Analyst/Designer | 1 person | assists with all logical and physical design issues | $180,000 | $186,903 | $6,903 | Perry
System Changes | Team | necessary for upgrades to system for necessary changes, agency suggestions, necessary functionality, etc. | $500,000 | $397,354 | -$102,646 | Speiss, Wachowski
R&D - GSA Gateway | | Costs associated with studies, research and development necessary for NFC and the GSA eAuthentication Gateway | $300,000 | $145,152 | -$154,848 | Obrion
Risk Mgmt | | Conduct Risk Assessments, Vulnerability Studies, System Tests & Evaluations, etc (C & A every 3 yrs.) | $100,000 | $0 | -$100,000 |
Trainer | 1 person | coordinates and provides technical training to the eAuthentication team and agency application developers on the technical issues of eAuthentication | $75,000 | $105,184 | $30,184 | McKinney, 2 quarters
Infrastructure Total | | | $1,958,076 | $1,700,274 | -$257,802 |

Page 16

FY 04 eAuthentication Cost Breakdown – Hardware & Software

Cost Category: Hardware

Item | Staff | Description | 2004 300 Estimate | 2004 Planned | Difference | Resources
Hardware | | Increase demand will need additional policy servers, directory servers, verisign certificates, etc | $60,000 | $40,000 | -$20,000 |
Hardware Total | | | $60,000 | $40,000 | -$20,000 |

Cost Category: Software

Item | Staff | Description | 2004 300 Estimate | 2004 Planned | Difference | Resources
SiteMinder License | | Netegrity User Licenses and Support Services | $300,000 | $300,000 | $0 |
Identity Mgmt License | | Identity Management Licenses and Support Services - for 250K licenses | $380,000 | $380,000 | $0 |
LDAP | | LDAP Licenses and Support Services | $10,000 | $10,000 | $0 |
PKI & Assoc. Infrastructure | | Cost of credentials and integration | $50,000 | $0 | -$50,000 |
Other | | Software Upgrades for performances, security, and management of resources | $100,000 | $0 | -$100,000 |
Misc. | | Increase demand will need additional software licenses | $205,000 | $0 | -$205,000 |
Software Total | | | $1,045,000 | $690,000 | -$355,000 |

Page 17

FY 04 eAuthentication Cost Breakdown – Operations

Cost Category: Operations

Item | Staff | Description | 2004 300 Estimate | 2004 Planned | Difference | Resources
Web Farm Hosting Fees | | Infrastructure (Internet, hardware, network access, fire wall switches), configuration management and general system admin. For Ft. Collins and St. Louis. | $120,000 | $120,000 | $0 |
Operations Team Lead | 1 person | manages all aspects of operations and maintenance | $200,000 | $192,000 | -$8,000 | Rempe
Netegrity/LDAP Sys Admin. | 4 persons | manages all aspects of Netegrity tools including SiteMinder, Password Services, Identity Management, LDAP User and Policy Stores | $720,000 | $805,978 | $85,978 | TBD1, TBD2, Mark Bostley & TBD3, Sal Militello & TBD4
Help Desk | 2 persons | provides help desk support to users, application owners & others. # of persons increases as demand grows. | $280,000 | $201,600 | -$78,400 | Reynolds, Shelly
Operations Total | | | $1,320,000 | $1,319,578 | -$422 |

Page 18

FY 04 eAuthentication Cost Breakdown – Security

Cost Category: Security

Item | Staff | Description | 2004 300 Estimate | 2004 Planned | Difference | Resources
Security Assessments | | Updated Security Plans, support dedicated security officer | $100,000 | $0 | -$100,000 | Casper/TBD
Security Total | | | $100,000 | $0 | -$100,000 |

Page 19

FY 04 eAuthentication Cost Breakdown – Project Management

Cost Category: Project Management

Item | Staff | Description | 2004 300 Estimate | 2004 Planned | Difference | Resources
Project Management and Oversight | | Planning, architecture, budget, communications | $666,667 | $334,980 | -$331,687 | Unangst, Turville, Lindstrom
Executive Support | 1 person | assists with all activities on the eAuthentication team | $80,000 | $0 | -$80,000 |
Project Management Total | | | $746,667 | $334,980 | -$411,687 |

Page 20

FY 04 eAuthentication Cost Breakdown – Overall Costs

Cost Category | 2004 300 Estimate | 2004 Planned | Cost Difference
Integrated Application Support Total | $1,160,000 | $946,513 | $213,487
Infrastructure Total | $1,958,076 | $1,700,274 | $257,802
Hardware Total | $60,000 | $40,000 | $20,000
Software Total | $1,045,000 | $690,000 | $355,000
Operations Total | $1,320,000 | $1,319,578 | $422
Security Total | $100,000 | $0 | $100,000
Project Management Total | $746,667 | $334,980 | $411,687
Overall Total | $6,389,743 | $5,031,345 | $1,358,398

Page 21

Agency Variable Cost

Agency Variable Costs will range from $10,000 - $65,000. The following areas will drive the integration costs between eAuthentication and an Agency Application:

Hosting Site – influences network/firewall/IDS/ACL complexity

Enforcer Agent – IIS and Apache are simple; others are not

# of Policy/URL’s – influences complexity of building/testing/implementing

Access Control & Admin. – influences the complexity of building/maintaining

Access Control Redirect Response – customized for users, but takes more time

LRAs – Existing “trained” LRA’s or New “yet to be trained” LRA’s?

Process:

1. eAuthentication Technical Services team determines Costs in “Design” Phase of eAuthentication Integration Lifecycle

2. OCIO presents Integration Costs to Agency Decision Maker

3. Agency transfers funds to OCIO

Page 22

Agency Variable Cost

Construct | Alternative | Description | Days | Cost
Hosting Site | Webfarm | Certificates, firewalls, subnets, ports | 2 | $2,400
Hosting Site | Non Webfarm | Certificates, firewalls, subnets, ports | 5 | $6,000
Enforcer Agent | IIS/Apache/iPlanet | Agency Web Services Architecture: 3 architectures, development, pre-production, production | 6 | $7,200
Enforcer Agent | Other Supported Web Service | Agency Web Services Architecture: 3 architectures, development, pre-production, production | 9 | $10,800
Enforcer Agent | Non-Supported Web Service | Agency Web Services Architecture: 3 architectures, development, pre-production, production | 20 | $24,000
Policy/URL Complexity | 1 - 5 URLs | 3 architectures, development, pre-production, production | 1 | $1,200
Policy/URL Complexity | 6 - 10 URLs | 3 architectures, development, pre-production, production | 2 | $2,400
Policy/URL Complexity | Greater than 10 URLs | 3 architectures, development, pre-production, production | 5 | $6,000
Access Control (Roles) | None | No Access Control Needed | 0 | $0
Access Control (Roles) | Easy | 1 - 5 Access Roles for all three environments | 5 | $6,000
Access Control (Roles) | Medium | 6 - 15 Access Roles for all three environments | 10 | $12,000
Access Control (Roles) | Hard | 15 or higher Access Roles for all three environments | 15 | $18,000
Access Control (Role) Administration | No new roles | | 0 | $0
Access Control (Role) Administration | Flat administration hierarchy | Programming, Policy, Training - Set list of administrators | 2 | $2,400
Access Control (Role) Administration | Delegated administration hierarchy | Programming, Policy, Training - Creation of delegation structure | 4 | $4,800
Access Control Redirect Response | None Needed | None Needed due to no Access Control for application | 0 | $0
Access Control Redirect Response | Agency Supplied | Error Handling, Customer Information Next Steps Screen | 1 | $1,200
Access Control Redirect Response | eAuthentication Team Built | Error Handling, Customer Information Next Steps Screen | 3 | $3,600
Local Registration Authorities | Existing Process | Service Center Representatives | 0 | $0
Local Registration Authorities | Existing Process – Agency Representatives - Training & Set Up | Single Centralized Training Required | 1 | $1,200
Local Registration Authorities | Existing Process – Agency Representatives - Training & Set Up | Multiple Distributed Training Required | 5 | $6,000
Local Registration Authorities | Agency Created LRA Process – Agency Representatives - Training & Set Up | Single Centralized Training Required | 5 | $6,000
Local Registration Authorities | Agency Created LRA Process – Agency Representatives - Training & Set Up | Multiple Distributed Training Required | 10 | $12,000

Input of Agency Integration Form to complete this Costing

Hourly rate of $150 per hour for Government and Contracting Resources

Page 23

Questions and Answers