U.S. Department of Agriculture

eGovernment Program

July 15, 2003

eAuthentication Initiative Pre-Implementation Status

Agenda

eAuthentication Overview

USDA eAuthentication Solution Components

Agency Integration Responsibilities

eAuthentication Costs and Resources

Questions and Answers

What is eAuthentication?

Customer interactions with USDA, also called transactions, will be transformed to allow customer submission through electronic means

For many interactions, the identity of the person submitting the data needs to be known, either to enable an electronic signature of the form or data, or for informational purposes

eAuthentication encompasses the processes and technology that identify a person electronically and present that information to the application that is accepting the user’s data submission

eAuthentication in the current phase will only support interactions that are presented in a web format over the Internet

eAuthentication Needs

Authentication Levels define the credibility necessary to support a person’s identification. The higher the authentication level, the more information is needed to validate that a person is who they say they are.

Of the 736 interactions scheduled for GPEA compliance for October 2003, 639 require eAuthentication. 57 of these have been completed in the Online Impact Assessment Tool.

35 (61%) out of the 57 in-scope interactions require Level 2 Authentication.

Currently, USDA eAuthentication supports Level 1 and Level 2 authentication.

[Pie chart "In Scope Interactions": share of in-scope interactions by authentication level (Level 1, Level 2, Level 3, Level 4); slice values shown are 2%, 61%, 18% and 19%.]

eAuthentication Schedule

Continue eAuthentication communications in the form of postcards, presentations and integration documentation

Present the Costing Model to Agencies for eAuthentication by July 25, 2003

Distribute the Agency Guidebook by July 25, 2003

• Road map and details for integrating Agency Applications

Begin Implementation on July 28, 2003

• WebCAAF Expansion, Directory Services, Identity Management, User Registration

Initiate GSA Gateway Integration Proof-of-Concept in August 2003

Provide Integration Planning assistance beginning August 2003

Begin integration of applications in September 2003

GPEA Deadline is October 21, 2003

USDA eAuthentication Solution Components

The USDA eAuthentication solution encompasses four main components…

• Technical Solution

• Identity and Access Management

• Registration Process

• Presidential Initiative (GSA Gateway)

USDA eAuthentication Solution Components

Technical Solution

[Network diagram. Labels: Internet, Router, Switch, INTERNET, INTRANET, firewall stack (FIREWALL, IDS, ACL, NAT), Enforcer, WEB FARMS, www.xyz.usda.gov, USDA Network, FIREWALL, ALTERNATIVE HOSTING FACILITY, Policy Server, Policy Stores, User Stores, www.abc.gov/form1]

• “Enforcer” – web agent installed on the agency’s web server to perform authentication. Communicates with central authentication system in Web Farm

• “Web Farm” – secure, redundant hosting facility that hosts the USDA eAuthentication solution

• “Firewall Stack” – set of network and security devices that protects the USDA network from the Internet. The Web Farm Firewall Stack is part of the USDA eAuthentication C&A

• “User Stores” – central USDA user store. Maintains information about the user that is common across agencies. Agency-specific user stores maintain more detailed information if needed

• “Policy Server” and “Policy Store” – core components of the USDA authentication solution. Ties together enforcers and user stores through “policies”

USDA eAuthentication Solution Components

Identity and Access Management

Password Services – Enforcement of strong password standards, and password maintenance such as password changes, password expiration, etc.

Self Services – Administration of user information without calling the USDA help desk. This is non-authentication information such as the user’s phone number and username, not information about the user’s relationship with the agency or his permission to access certain web applications

Delegated Administration – Administrative access to the central user store to establish users’ access to the agency’s applications

Help Desk – Assistance with authentication-related issues such as password resets, directions to a registration center, etc. The USDA Help Desk is not able to help with application-specific questions. Agencies must provide contact information for application-specific problems

USDA eAuthentication Solution Components

Registration Process

Self Service Registration for Level 1 Assurance

Registration for the most basic form of authentication. It is not a strong indicator of the user’s actual identity since it relies on information from the user, but is useful in some settings such as web site personalization

Identification Proofing for Higher Levels

Validation of identity by a Local Registration Authority. Currently this identity-proofing must be done in-person

• Service Center or other Local Registration Authorities

Agency-specific Authorization Profile Creation

Authorization of which users may access their applications. Each agency may create a set of conditions based on the common user information that is collected or may create web pages to collect additional information.

USDA eAuthentication Solution Components

Presidential Initiative (GSA Gateway)

[Diagram labels: Agency Web Servers, USDA Logon Servers, USDA eAuthentication, Internet, GSA Gateway, ECP (three shown)]

The GSA Gateway is the Presidential Initiative solution for eAuthentication. USDA’s integration approach is to create a single point of integration with the GSA Gateway, through the USDA eAuthentication solution.

The USDA eAuthentication solution and GSA Gateway integration will occur once the Gateway is complete

An integration proof-of-concept is planned for August, 2003

Applications will integrate with the USDA eAuthentication solution, which will connect to the GSA Gateway, so each agency application will not have to be integrated separately with the GSA Gateway

Upon completion, Agency applications will receive the benefits of the GSA Gateway

Agency Integration Responsibilities

[Timeline chart covering July, August, September and October, ending at the GPEA Deadline on Oct 21]

Phases: eForms/eAuth Design Meetings; Build Coordination Meetings; Test/Certification Meetings; Production Readiness

Tasks shown on the timeline:

• ID ’03 Funding

• ID ’04 Funding

• ID GPEA-Compliant Interactions

• Select Forms tool(s)

• Complete Authentication Impact Profile Assessment

• Confirm GPEA Functional Team

• Confirm GPEA Technical Team

• Design eAuth Registration Components

• Design eAuth Identity & Access Management Components

• Design eForms System

• Process OMB Approvals

• Create Technical Design for eAuth components

• Build Technical eAuth components

• Build eForms System

• Develop On-Line Alternatives Communications plan

• Implement eAuth Registration Components

• Implement eAuth Identity & Access Management Components

• Publish Communications

• eForms System Test

• Train LRAs

• Train Agency Admins

• Request eRecords Disposition Authority

• Certify LRA process

• eForms System Go-Live

Agency Integration Responsibilities

Technical Solution

[Diagram labels: Web Farm Hosting Environment; firewall stack (FIREWALL, IDS, ACL, NAT); Production Environment; Test Environments; Logon Server (Login Pages, Authentication Registration Pages, Identity Management Services Pages); Policy Server; Policy Stores; User Stores; Web Server www.xyz.com with Enforcer and Authorization Pages]

Create web application on supported web server

Assist in installation of web “enforcer”

Decide what user information your agency applications need to receive from the central user store in the form of header variables

Give eAuthentication team information to integrate new “enforcer” into eAuthentication system

Build web pages to collect any additional user information for authorization

Agency Integration Responsibilities

Identity and Access Management

[Diagram labels: Users, Help Desk, Authorization Pages, Identity Management Services Pages, User Stores, Password Services, User Self-Administration, Delegated Administration]

Authorization Processes and Role Definition

Build a process to decide whether a user should be allowed to access your agency’s applications

If that process requires any user information that is not collected by the central registration procedure, build “authorization registration” web pages to collect this information (including company representation)

Designate and train agency administrators to “authorize” users in the eAuthentication system for agency applications

Maintain a list of customer/company representative relationships

Map USDA Customer IDs to Agency Customer IDs
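The authorization decision an agency application could make from the header variables the enforcer passes on, combined with the ID mapping above, as an added example that is not part of the original presentation or USDA's own code. The header variable names, interaction paths and customer IDs are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass
from typing import Mapping, Optional

# Hypothetical header variable names (WSGI/CGI style); the real names are
# whatever the agency agrees with the eAuthentication team.
H_CUSTOMER_ID = "HTTP_EAUTH_CUSTOMER_ID"
H_LEVEL = "HTTP_EAUTH_LEVEL"

# Constructed sample data: the authentication level each interaction requires,
# and the agency's mapping from USDA Customer IDs to Agency Customer IDs.
REQUIRED_LEVEL = {"/form1": 2, "/newsletter": 1}
AGENCY_ID_MAP = {"USDA-1001": "AG-77", "USDA-1002": "AG-78"}


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str
    agency_customer_id: Optional[str] = None


def authorize(path: str, environ: Mapping[str, str]) -> Decision:
    """Decide whether the user described by the header variables may use path."""
    required = REQUIRED_LEVEL.get(path)
    if required is None:
        return Decision(False, "unknown interaction")  # default deny

    usda_id = environ.get(H_CUSTOMER_ID, "").strip()
    raw_level = environ.get(H_LEVEL, "").strip()
    # In this sketch a request without well-formed header variables is treated
    # as not having come through the enforcer; there is no anonymous fallback.
    if not usda_id or raw_level not in ("1", "2", "3", "4"):
        return Decision(False, "missing or malformed header variables")

    if int(raw_level) < required:
        return Decision(False, f"Level {required} required")

    # Authorization is the agency's own decision: only users the agency has
    # mapped to one of its customer IDs are let in.
    agency_id = AGENCY_ID_MAP.get(usda_id)
    if agency_id is None:
        return Decision(False, "user not authorized for this agency")
    return Decision(True, "ok", agency_id)
```
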

Agency Integration Responsibilities

Registration Process

[Diagram labels: Users, Authentication Registration Pages, User Stores, Level 1 Self-Registration, Email Verification, Level 2 LRA Registration, Level 2 In-Person Registration, Agency-Specific LRAs, Identity Proofing Procedure]

Determine if Service Centers will provide “Local Registration Authority” (LRA) services for your user population

If not, create identity proofing processes and training for your LRAs following USDA standards

Communicate registration processes and requirements to your users

Agency Integration Responsibilities

Presidential Initiative (GSA Gateway)

[Diagram labels: Agency Web Servers, USDA Logon Servers, USDA eAuthentication, Internet, GSA Gateway, ECP (three shown)]

Integrate with USDA eAuthentication solution

Alert USDA eAuthentication team of any applications/interactions that require higher levels of credentials than the eAuthentication passwords (through the online tool)

Work with eAuthentication team to identify sources of credentials from GSA Gateway providers

eAuthentication Costs

The fixed and variable costs for the eAuthentication initiative are broken out as follows:

FY 2003 Total Costs $1,550,000

FY 2004 Total Costs $5,700,000

FY 2004 Variable Costs $1,525,000

FY 2004 Fixed Costs $4,175,000

Cost distribution calculations/algorithms need to be created quickly. Any suggestions on how the cost should be allocated?

eAuthentication Resource Needs

USDA eAuthentication Solution Team

• Technical Services Team

• Integration Team

Agency Solution Team

• Integration Team: business process and user communities expertise

• Technical Team: developers representing the Agency application

Questions and Answers

For More Information

For more information on the eAuthentication Initiative, please review the eAuthentication Frequently Asked Questions on the eGovernment site:

http://www.egov.usda.gov/resources/teamspace/team_resources.html

Please contact the eGovernment team for username and password.