U.S. Department of Agriculture eGovernment Program February 2004 eAuthentication Integration Status eGovernment Program
U.S. Department of Agriculture eGovernment Program 2 I. Agency Application Integration Process II. Status of Agency Integrated Applications III. Variable Cost Components IV. Service Level Agreements V. Next Steps for Integrated Reporting VI. Next Steps for eAuthentication Agenda
U.S. Department of Agriculture eGovernment Program 3 Agency Application Integration Process Pre-Design Initial Contact Design BuildCert App Go-Live Funding To facilitate the integration between the eAuthentication system and agency applications that require protection, the eAuthentication team has created an Agency Application Integration process. An SLA must be completed between the USDA eAuthentication service and the agency in order to initiate the integration process, if one is not already in place. Integration requires changes on both the eAuthentication system and the agency application. Agencies are responsible for designating an Integration contact to coordinate application changes, integration work and testing within their application Integration is facilitated by an eAuthentication integration contact. The timeline and integration costs for application integration varies according to the complexity of each application.
U.S. Department of Agriculture eGovernment Program 4 Agency Application Integration Process Integration Steps: The integration process consists of 7 steps: Initial Contact: Contact the eGovernment office and establish SLA between USDA eAuthentication and the agency, if one is not in place. Pre-Design meeting: Meet with the eAuthentication Integration team to understand the eAuthentication system and share your application’s requirements. Design meetings: Meet with the eAuthentication Integration team to determine the physical design needed to integrate eAuthentication and your application. Create detailed plans of changes and assign responsibility and timelines for each step. Funding: The eAuthentication Project Manager and the Agency CIO will determine eAuthentication variable funding amounts based on the costing worksheet. Build Meetings: Work with the eAuthentication Integration team to implement the design to the eAuthentication system and your application, in development, pre-production and production, with appropriate levels of testing. Certification Meetings: Work with the eAuthentication Integration team to plan Local Registration Authority (LRA) processes to identity-proof your new Level 2 users, if appropriate. Develop and deploy training to the LRAs. Go-Live: Obtain sign-off from eAuthentication Project Manager and Application Owner for production deployment.
U.S. Department of Agriculture eGovernment Program 5 Agency Application Integration High Level Deliverables Pre-Design Initial Contact Design BuildCert App Go-Live Funding Review eAuthentication Guidebook Determine interactions to be hosted in new application Complete Impact Profile Assessment for each interaction to be hosted in eAuthenticated application Set up Pre- Design meeting with eAuthentication team Complete Application Integration Form Designate application contacts and owners for integration Set up Design meeting with eAuthentication team Initiate setup of development environment to integrate with eAuthentication Create application components to utilize eAuthenticati on information and inform users Work with eAuthenticati on team to integrate and test development, test and production environments Create any LRA processes or procedures needed Work with eAuthentica tion team to get these processes approved Work with eAuthentica tion team to deliver training to new LRAs Establish SLA
U.S. Department of Agriculture eGovernment Program 6 Agency Application Integration Process Agency Responsibilities : Meet all technical requirements of the eAuthentication system as described in the Agency Integration Guidebook. Define all authentication and access control requirements. Make all necessary changes to the application, if appropriate. Provide test information and participate in application testing. eAuthentication Responsibilities : Meet all authentication and access control requirements defined by the agency. Assist in design work for changes to the application. Make all necessary changes to the eAuthentication system. Provide test information and participate in application testing. Contact Information : To schedule an integration Pre-Design meeting with the Integration team, please or call Please provide the following information: Your name and contact information Your agency name The application name
U.S. Department of Agriculture eGovernment Program 7 Status of Agency Integrated Applications Since the roll-out of the new eAuthentication service, the following agencies have begun integration with eAuthentication: Agency # of Applications in Pre-Design # of Applications in Design # of Applications in Funding # of Applications in Build # of Applications in Certification # of Applications Completed AMS1 APHIS11 ERS1 FAS4 FNS41 FS11 FSA1239 GSA Pilots111 NASS1 NITC1 NRCS8351 OCIO14 RD432 Total
U.S. Department of Agriculture eGovernment Program 8 Variable Cost Components Variable Cost Factors: Complexity of Application Authentication Application/Web Server type; Network Proximity to eAuthentication; Level of authentication protection – “Assurance Level”; and Number of Access Control (Roles) Number of URLs to be protected Most Simple eAuth Integrations $10,800 Most Complex eAuth Integrations $74,400 Cost determined in “Design” phase of Integration Lifecycle
U.S. Department of Agriculture eGovernment Program 9 Agency Variable Cost
U.S. Department of Agriculture eGovernment Program 10 EXAMPLE – Application Access Control (Roles) I Agency Application Owner determines audience = all users User Authenticated (user’s identity is verified) (1) (2) (3) Enforcer allows access to application to authenticated users Scenario I : All users are allowed to access the protected Agency Application; no Application Controls (roles) are required. EnforcerEnforcer Agency Application
U.S. Department of Agriculture eGovernment Program 11 Agency Application Owner determines audience = user subset EXAMPLE - Application Access Control (Roles) II User Authenticated (user’s identity is verified) (1) (2) (3) Enforcer prevents access to application to authenticated users without the proper access Scenario II : Only specific users are allowed to access the protected Agency Application; an Application Access Control (role) is required but has not been given to this particular user. Access Checked (user’s roles are verified) X EnforcerEnforcer Agency Application
U.S. Department of Agriculture eGovernment Program 12 EXAMPLE - Application Access Control (Roles) III Agency Application Owner determines audience = user subset User Authenticated (user’s identity is verified) (1) (2) (3) Enforcer allows access to application to authenticated users with the proper access Scenario III : Only specific users are allowed to access the protected Agency Application; an Application Permission (role) is required and the Agency Application Administrator has given the role to this particular user. Access Checked (user’s roles are verified) (4) EnforcerEnforcer Agency Application
U.S. Department of Agriculture eGovernment Program 13 Service Level Agreements The USDA eAuthenication service has created the Service Level Agreement (SLA) to outline commitments for both the USDA eAuthentication service and the agencies. The following process will be used to establish an SLA with each agency: Create draft SLA agreement for agency review – Available COB today on the eAuthentication website. Agencies review the draft SLA and provide issues/comments to USDA eAuthentication team – Please send comments to by Owen Unangst will set up meetings with agency authentication representatives and the Decision Maker/CIO to finalize each agency’s SLA. In addition, when an agency decides to integrate an application with the USDA eAuthentication service, the SLA will need to be established as the first step in the integration process.
U.S. Department of Agriculture eGovernment Program 14 Service Level Agreements The USDA eAuthentication service SLA addresses the following areas: Defines technical commitments Defines personnel commitments For both Agency and eAuthentication Teams Signed by the Agency CIO and the eAuthentication Project Manager Specifies: Documentation Requirements from eAuthentication and the Agency; Systems Availability; Outages (Planned and Unplanned); Specific Services; Help Desk Services; Contact Information; Financial Arrangements; Specific Procedures; and Records Management.
U.S. Department of Agriculture eGovernment Program 15 Next Steps for Integrated Reporting New Final OMB Guidance has been released to assist Agencies on how to determine levels of assurance needed for authentication. Based on the new guidance, the Integrated Reporting Tool needs to be modified… We are pursuing the following changes to the application over the next few weeks: Simplify the Interaction assurance level determination logic to the six questions outlined by OMB Enable the ability to include information on applications rather than just OMB interactions Correct issues with limiting access and protecting information Also, once the new OMB assurance logic is changed in the tool, some agency interactions will move assurance levels. Agencies will need to review these interactions and validate that they support the need for the new higher or lower assurance level.
U.S. Department of Agriculture eGovernment Program 16 Next Steps for Integrated Reporting Based on the changes within the tool, a resynch of agency data is needed to ensure that reporting to OMB and the department is correct along with planning future eAuthentication integrations… eGovernment team Create a packet of current Agency information, showing a hierarchy with numbers that are specific to the individual agencies. Explain the final OMB Guidelines on Assurance Level, and identify changed interactions Explain the modifications to the Integrated Reporting Tool Detail what data needs to be updated for each agency Agency GPEA team Complete Missing Information (~300 interactions were never completed). Confirm agency position on changed assurance levels for interaction Review interactions that require a Level 3 or 4 assurance with new OMB guidance and validate that the higher level of assurance is still necessary Specify if your interactions are using an authentication mechanism other than the USDA eAuthentication service (PINs/Passwords/etc)
U.S. Department of Agriculture eGovernment Program 17 What is your status? Total # of Interactions Other eAuth Solution USDA –eAuth Solution No eAuth Needed Assurance Level 3 or 4 Not GPEA Compliant GPEA Compliant Non-Practicable Interactions Practicable Interactions No Current Compliance Plan Scheduled for 2004 Compliance
U.S. Department of Agriculture eGovernment Program 18 Next Steps for eAuthentication USDA eAuthentication 2004 Goals Provide single sign on capabilities across USDA Reduce credentials for customers that use multiple applications integrated with the USDA eAuthentication service Expand the USDA eAuthentication service to support level 3 and level 4 interactions and applications Enable the USDA eAuthentication service to integrate employee applications by supporting employee users Provide expanded customer usability by redesigning and redeploying the level 1 and level 2 registration pages Enable the ability to use a single credential across federal agencies
U.S. Department of Agriculture eGovernment Program 19 Questions and Answers