U.S. Department of Agriculture
eGovernment Program
December 3, 2003
eAuthentication Initiative
USDA eAuthentication Service Overview
Agenda
Components of the USDA eAuthentication Service
Technology
Processes & Procedures
People
FY 04 eAuthentication Cost Breakdown
Agency Variable Cost
Three Components of the USDA eAuthentication Service
The USDA eAuthentication service consists of three main components that support authentication services across USDA and, ultimately, for other Federal, State, and local government entities:
• Technology
• Processes & Procedures
• People
Technology
The USDA eAuthentication service is built upon the Web-Based Centralized Authentication and Authorization Facility (WebCAAF) technology infrastructure:
Netegrity SiteMinder 5.5
Netegrity IdentityMinder
Microsoft ActiveDirectory
7 WebLogic application servers
53 total servers
Hosted in the Ft. Collins Webfarm Data Center
Failover hosted in the St. Louis Webfarm Data Center
Technology
The History of the USDA eAuthentication Service
• The Freedom to e-File Act created the need for Single Sign On for the USDA Service Center Agencies (SCAs)
• Blackbird & Unisys perform a market analysis
• Top 3 products are Live Test Demo’ed (LTDed)
• Accenture & TWM facilitate the eAuthentication business case
• nLink validates Netegrity & the architecture
• Agency team members select WebCAAF for USDA
• GSA selects USDA to support the Grants.gov pilot
Technology
The Service Center Agencies (FSA, RD, NRCS) went through a rigorous selection process before establishing WebCAAF to meet the Freedom to e-File Act in 2002.
January, 2001 – Requirements
• Market survey of approx. 18 products
• Evaluation of products vs. requirements
• Top 3 products Live Test Demo’ed
• Netegrity is the ONLY product meeting all requirements
May, 2001 – Contracting Officers agree on a procurement strategy
• nLink/Price Waterhouse hired to build out the architecture
March, 2002 – WebCAAF goes live
Technology
USDA-wide eAuthentication Team decides “next steps.”
September, 2002 – eAuthentication team formed: 30 USDA members, Accenture & TWM
• Agency eAuthentication requirements
• eAuthentication business case
December, 2002 – Team concludes that WebCAAF was the most cost effective solution
• Some expansions needed to provide services across USDA
February, 2003 – Expanded design and architecture approved
June, 2003 – System expanded
October, 2003 – Expanded WebCAAF goes live
Technology
GSA selected USDA’s eAuthentication service to be a part of the Federal Government’s eAuthentication Service.
• GSA chooses USDA as a key player for the GSA Gateway; this includes the WebCAAF and NFC PKI solutions
• GSA’s technical architecture is revised and the project continues; USDA is asked to be on the new Architecture Working Group
• GSA is due to complete accreditation on the WebCAAF Credential Authorization Framework (CAF) by January 2004
• USDA is asked to be a credential service provider (CSP) for the Grants.gov pilot of the new SAML-based architecture
Technology
The USDA eAuthentication Service performs all of the tasks needed to connect to the new SAML-based architecture.
Parties in the exchange: GSA Portal, Credential Service Provider (CSP), Agency Application.
1. User starts at the portal and selects the credentials and the service they want to access.
2. User is directed to the selected CSP to present credentials.
3. User authenticates.
4. User is directed to the agency application with a SAML artifact.
5. Agency application decodes the SAML artifact and determines authorization.
The USDA eAuthentication Service provides support for all of these functions.
Without the USDA eAuthentication Service, each agency application would have to perform the following:
• Create applications using SAML compliant tools;
• Create interfaces that read SAML from the CSPs;
• Modify interfaces when GSA changes the SAML interface;
• Perform all authentication & high level authorization.
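The five-step exchange above, as an added example that is not part of this deck and not USDA or GSA code: a Python simulation of a credential service provider and an agency application exchanging a SAML-style artifact. It follows the shape of the SAML artifact profile (the artifact carried on the redirect is an opaque reference; the assertion behind it is released to the application over a separate resolution call, once, and only to the application it was issued for), but the artifact format, the user store, the role names and the application names are constructed assumptions, not the GSA Gateway interface.

```python
"""Simulation of the portal -> CSP -> agency application artifact flow.

Added example; all identifiers below are constructed for the demo.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

# Constructed issuer label. A real SAML 1.x artifact carries a 20-byte SHA-1
# SourceID of the issuer plus a 20-byte random AssertionHandle instead.
CSP_SOURCE_ID = "usda-eauth-demo"
PBKDF2_ROUNDS = 100_000


@dataclass(frozen=True)
class Assertion:
    subject: str
    roles: tuple
    audience: str        # the application this assertion was issued for
    expires_at: float    # epoch seconds


class CredentialServiceProvider:
    """Steps 2-3: verify the credential, then hand back only an artifact."""

    def __init__(self, users):
        self._users = users      # username -> (salt, pbkdf2 digest, roles)
        self._pending = {}       # artifact -> Assertion, released exactly once

    def authenticate(self, username, password, audience, ttl=120):
        rec = self._users.get(username)
        if rec is None:
            return None
        salt, stored, roles = rec
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        if not hmac.compare_digest(digest, stored):
            return None
        assertion = Assertion(username, roles, audience, time.time() + ttl)
        artifact = f"{CSP_SOURCE_ID}:{secrets.token_urlsafe(20)}"
        self._pending[artifact] = assertion
        return artifact          # opaque; carries no user data itself

    def resolve(self, artifact, requester):
        """Artifact resolution (step 5's decode): single use, audience-bound.

        The artifact is removed on first use even when the audience check
        fails, so a mismatched lookup burns it rather than leaving it live.
        """
        assertion = self._pending.pop(artifact, None)
        if assertion is None or assertion.audience != requester:
            return None
        return assertion


class AgencyApplication:
    """Steps 4-5: receive the artifact, resolve it, decide authorization."""

    def __init__(self, name, csp, required_role):
        self.name, self._csp, self._required = name, csp, required_role

    def handle_redirect(self, artifact):
        assertion = self._csp.resolve(artifact, self.name)
        if assertion is None:
            return "denied: artifact unknown, already used, or for another application"
        if time.time() > assertion.expires_at:
            return "denied: assertion expired"
        if self._required not in assertion.roles:
            return f"denied: {assertion.subject} lacks role {self._required}"
        return f"granted: {assertion.subject}"


def make_user(password, roles):
    """Build a constructed user record with a salted PBKDF2 password digest."""
    salt = secrets.token_bytes(16)
    return (salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS), roles)


def run_flow():
    """Walk the happy path and the failure modes; returns a dict of outcomes."""
    csp = CredentialServiceProvider({
        "farmer1": make_user("correct horse", ("efile",)),   # constructed users
        "clerk2": make_user("battery staple", ("readonly",)),
    })
    efile = AgencyApplication("efile-app", csp, "efile")
    grants = AgencyApplication("grants-app", csp, "grants")
    results = {}
    art = csp.authenticate("farmer1", "correct horse", "efile-app")   # steps 1-3
    results["ok"] = efile.handle_redirect(art)                         # steps 4-5
    results["replay"] = efile.handle_redirect(art)                     # same artifact again
    art2 = csp.authenticate("farmer1", "correct horse", "efile-app")
    results["wrong_app"] = grants.handle_redirect(art2)                # issued for efile-app
    results["bad_pw"] = csp.authenticate("farmer1", "wrong", "efile-app")
    art3 = csp.authenticate("clerk2", "battery staple", "efile-app")
    results["no_role"] = efile.handle_redirect(art3)                   # authenticated, not authorized
    art4 = csp.authenticate("farmer1", "correct horse", "efile-app", ttl=-1)
    results["expired"] = efile.handle_redirect(art4)                   # assertion already stale
    return results


if __name__ == "__main__":
    for case, outcome in run_flow().items():
        print(f"{case:10s} {outcome}")
```

The point the slide makes is that steps 4 and 5 are where an application without the shared service would have to implement SAML handling itself; in the simulation that is `AgencyApplication.handle_redirect`, which is the only code an agency would own, while artifact issuance, single-use resolution and credential verification stay with the CSP.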
Processes and Procedures
The USDA eAuthentication service is supported by documented processes and procedures that were evaluated before it was given the Authority to Operate (ATO) by USDA CyberSecurity, after an audit completed by Backbone.
Certification & Accreditation documents (the process follows the NIST standard; C&A complete with Authority to Operate in October):
• Security Plan – Management Controls, Operational Controls, Technical Controls
• Trusted Facility Manual
• Operations and security roles, system procedures
Processes & Procedures
The Security Plan outlines three types of controls (Management, Operational, Technical) to protect the USDA eAuthentication Service and the agency applications.
Management Controls:
• Risk Assessment
• Rules of Behavior
• Change Management
Operational Controls:
• Personnel Security
• Physical Environment Protection
• Security Awareness Training
Technical Controls:
• Identification/Authentication
• Authorization/Access Controls
• Audit Trails
People
24 team members are dedicated to supporting the USDA eAuthentication Service across the following teams:
• Infrastructure
• Production Development
• Pre-Production Development
• Help Desk
• Integrated Application Support
• Project Planning & Strategy
Responsibilities shown on the team chart: Change Mgmt, Planning, Architectures, Budget, Communications; Design Integration, App Integration, Production Migration, Cost Management; Passwords, Trends, Problem Reports; Design, Development, Test; Requirements, Policies; H/W, SM, IM, AD, WebLogic, Outage Management.
Stakeholders shown on the chart: User Groups, LRA’s, Apps, Customers, Agencies, Web Farm Hosting.
FY 04 eAuthentication Cost Breakdown
The FY 04 overall fixed costs of $5,031,345 are broken across the teams in the following manner:
• Integrated Application Support: $946,513
• Infrastructure: $1,700,274
• Software: $690,000
• Hardware: $40,000
• Operations (Web Farm Hosting, system administration, Help Desk): $1,319,578
• Project Planning & Strategy: $334,980
FY 04 eAuthentication Cost Breakdown: Integrated Application Support

Cost Category | Item | Staff | Description | 2004 300 Estimate | 2004 Planned | Difference | Resources
Integrated Application Support | TS Team Leads | C | 2 people - manage all interactions between agency application owners and the eAuthentication system, including integration services, Service Level Agreements, etc. | $260,000 | $435,130 | $175,130 | Combs, Fawley
Integrated Application Support | Application Integrators | C | 4 persons - assist agencies with integrated application support | $540,000 | $355,863 | -$184,137 | Tilligadas, Witkin
Integrated Application Support | Process/Test Coordinator | C | 2 persons - coordinate all test processes and assist with integrated applications | $360,000 | $155,520 | -$204,480 | Spinks
Integrated Application Support Total | | | | $1,160,000 | $946,513 | -$213,487 |
FY 04 eAuthentication Cost Breakdown: Infrastructure

Cost Category | Item | Staff | Description | 2004 300 Estimate | 2004 Planned | Difference | Resources
Infrastructure | Release 1 Implementation | C | 16 people for 3 months for build and expansion of the technical architecture, creation of registration process | $523,076 | $523,076 | $0 | Implementation team in 1Q 2004 for expansion
Infrastructure | Infrastructure Architect | C | 1 person - manages all global logical and physical design issues, including USDA and eAuthentication Gateway interactions | $280,000 | $342,605 | $62,605 | Griffin
Infrastructure | Infrastructure Analyst/Designer | C | 1 person - assists with all logical and physical design issues | $180,000 | $186,903 | $6,903 | Perry
Infrastructure | System Changes | C | Team necessary for upgrades to the system for necessary changes, agency suggestions, necessary functionality, etc. | $500,000 | $397,354 | -$102,646 | Speiss, Wachowski
Infrastructure | R&D - GSA Gateway | C | Costs associated with studies, research and development necessary for NFC and the GSA eAuthentication Gateway | $300,000 | $145,152 | -$154,848 | Obrion
Infrastructure | Risk Mgmt | | Conduct Risk Assessments, Vulnerability Studies, System Tests & Evaluations, etc. (C&A every 3 yrs.) | $100,000 | $0 | -$100,000 |
Infrastructure | Trainer | C | 1 person - coordinates and provides technical training to the eAuthentication team and agency application developers on the technical issues of eAuthentication | $75,000 | $105,184 | $30,184 | McKinney, 2 quarters
Infrastructure Total | | | | $1,958,076 | $1,700,274 | -$257,802 |
FY 04 eAuthentication Cost Breakdown: Hardware & Software

Cost Category | Item | Staff | Description | 2004 300 Estimate | 2004 Planned | Difference | Resources
Hardware | Hardware | | Increased demand will need additional policy servers, directory servers, VeriSign certificates, etc. | $60,000 | $40,000 | -$20,000 |
Hardware Total | | | | $60,000 | $40,000 | -$20,000 |
Software | SiteMinder License | | Netegrity User Licenses and Support Services | $300,000 | $300,000 | $0 |
Software | Identity Mgmt License | | Identity Management Licenses and Support Services - for 250K licenses | $380,000 | $380,000 | $0 |
Software | LDAP | | LDAP Licenses and Support Services | $10,000 | $10,000 | $0 |
Software | PKI & Assoc. Infrastructure | | Cost of credentials and integration | $50,000 | $0 | -$50,000 |
Software | Other | | Software upgrades for performance, security, and management of resources | $100,000 | $0 | -$100,000 |
Software | Misc. | | Increased demand will need additional software licenses | $205,000 | $0 | -$205,000 |
Software Total | | | | $1,045,000 | $690,000 | -$355,000 |
FY 04 eAuthentication Cost Breakdown: Operations

Cost Category | Item | Staff | Description | 2004 300 Estimate | 2004 Planned | Difference | Resources
Operations | Web Farm Hosting Fees | | Infrastructure (Internet, hardware, network access, firewall switches), configuration management and general system admin, for Ft. Collins and St. Louis | $120,000 | $120,000 | $0 |
Operations | Operations Team Lead | C | 1 person - manages all aspects of operations and maintenance | $200,000 | $192,000 | -$8,000 | Rempe
Operations | Netegrity/LDAP Sys Admin. | C | 4 persons - manage all aspects of Netegrity tools including SiteMinder, Password Services, Identity Management, LDAP User and Policy Stores | $720,000 | $805,978 | $85,978 | TBD1, TBD2, Mark Bostley & TBD3, Sal Militello & TBD4
Operations | Help Desk | C | 2 persons - provide help desk support to users, application owners & others; number of persons increases as demand grows | $280,000 | $201,600 | -$78,400 | Reynolds, Shelly
Operations Total | | | | $1,320,000 | $1,319,578 | -$422 |
FY 04 eAuthentication Cost Breakdown: Security

Cost Category | Item | Staff | Description | 2004 300 Estimate | 2004 Planned | Difference | Resources
Security | Security Assessments | | Updated Security Plans, support dedicated security officer | $100,000 | $0 | -$100,000 | Casper/TBD
Security Total | | | | $100,000 | $0 | -$100,000 |
FY 04 eAuthentication Cost Breakdown: Project Management

Cost Category | Item | Staff | Description | 2004 300 Estimate | 2004 Planned | Difference | Resources
Project Management | Project Management and Oversight | | Planning, architecture, budget, communications | $666,667 | $334,980 | -$331,687 | Unangst, Turville, Lindstrom
Project Management | Executive Support | C | 1 person - assists with all activities on the eAuthentication team | $80,000 | $0 | -$80,000 |
Project Management Total | | | | $746,667 | $334,980 | -$411,687 |
FY 04 eAuthentication Cost Breakdown: Overall Costs

Cost Category | 2004 300 Estimate | 2004 Planned | Cost Difference
Integrated Application Support Total | $1,160,000 | $946,513 | $213,487
Infrastructure Total | $1,958,076 | $1,700,274 | $257,802
Hardware Total | $60,000 | $40,000 | $20,000
Software Total | $1,045,000 | $690,000 | $355,000
Operations Total | $1,320,000 | $1,319,578 | $422
Security Total | $100,000 | $0 | $100,000
Project Management Total | $746,667 | $334,980 | $411,687
Overall Total | $6,389,743 | $5,031,345 | $1,358,398
Agency Variable Cost
Agency Variable Costs will range from $10,000 - $65,000. The following areas will drive the integration costs between eAuthentication and an Agency Application:
• Hosting Site – influences network/firewall/IDS/ACL complexity
• Enforcer Agent – IIS and Apache are simple; others are not
• # of Policy/URL’s – influences the complexity of building/testing/implementing
• Access Control & Admin. – influences the complexity of building/maintaining
• Access Control Redirect Response – customized for users, but takes more time
• LRAs – Existing “trained” LRA’s or new “yet to be trained” LRA’s?
Process:
1. eAuthentication Technical Services team determines costs in the “Design” phase of the eAuthentication Integration Lifecycle
2. OCIO presents integration costs to the Agency Decision Maker
3. Agency transfers funds to OCIO
Agency Variable Cost

Construct | Alternatives | Description | Days | Cost
Hosting Site | Webfarm | Certificates, firewalls, subnets, ports | 2 | $2,400
Hosting Site | Non Webfarm | Certificates, firewalls, subnets, ports | 5 | $6,000
Enforcer Agent | IIS/Apache/iPlanet | Agency Web Services Architecture: 3 architectures, development, pre-production, production | 6 | $7,200
Enforcer Agent | Other Supported Web Service | Agency Web Services Architecture: 3 architectures, development, pre-production, production | 9 | $10,800
Enforcer Agent | Non-Supported Web Service | Agency Web Services Architecture: 3 architectures, development, pre-production, production | 20 | $24,000
Policy/URL Complexity | 1 - 5 URLs | 3 architectures, development, pre-production, production | 1 | $1,200
Policy/URL Complexity | 6 - 10 URLs | 3 architectures, development, pre-production, production | 2 | $2,400
Policy/URL Complexity | Greater than 10 URLs | 3 architectures, development, pre-production, production | 5 | $6,000
Access Control (Roles) | None | No Access Control needed | 0 | $0
Access Control (Roles) | Easy | 1 - 5 Access Roles for all three environments | 5 | $6,000
Access Control (Roles) | Medium | 6 - 15 Access Roles for all three environments | 10 | $12,000
Access Control (Roles) | Hard | 15 or higher Access Roles for all three environments | 15 | $18,000
Access Control (Role) Administration | No new roles | | 0 | $0
Access Control (Role) Administration | Flat administration hierarchy | Programming, Policy, Training - Set list of administrators | 2 | $2,400
Access Control (Role) Administration | Delegated administration hierarchy | Programming, Policy, Training - Creation of delegation structure | 4 | $4,800
Access Control Redirect Response | None Needed | None needed due to no Access Control for the application | 0 | $0
Access Control Redirect Response | Agency Supplied | Error Handling, Customer Information Next Steps Screen | 1 | $1,200
Access Control Redirect Response | eAuthentication Team Built | Error Handling, Customer Information Next Steps Screen | 3 | $3,600
Local Registration Authorities | Existing Process: Service Center Representatives | Service Center Representatives | 0 | $0
Local Registration Authorities | Existing Process: Agency Representatives - Training & Set Up | Single Centralized Training Required | 1 | $1,200
Local Registration Authorities | Existing Process: Agency Representatives - Training & Set Up | Multiple Distributed Training Required | 5 | $6,000
Local Registration Authorities | Agency Created LRA Process: Agency Representatives - Training & Set Up | Single Centralized Training Required | 5 | $6,000
Local Registration Authorities | Agency Created LRA Process: Agency Representatives - Training & Set Up | Multiple Distributed Training Required | 10 | $12,000

Input of the Agency Integration Form is required to complete this costing.
Hourly rate of $150 per hour for Government and Contracting resources.
Questions and Answers