eAuthentication Integration Status

1

• eAuthentication Integration Status
• eGovernment Program

2
Agenda

• Agency Application Integration Process
• Status of Agency Integrated Applications
• Variable Cost Components
• Service Level Agreements
• Next Steps for Integrated Reporting
• Next Steps for eAuthentication

3
Agency Application Integration Process

• To facilitate the integration between the
  eAuthentication system and agency applications
  that require protection, the eAuthentication
  team has created an Agency Application
  Integration process.
• An SLA must be completed between the USDA
  eAuthentication service and the agency in order
  to initiate the integration process, if one is
  not already in place.
• Integration requires changes on both the
  eAuthentication system and the agency
  application.
• Agencies are responsible for designating an
  Integration contact to coordinate application
  changes, integration work and testing within
  their application
• Integration is facilitated by an eAuthentication
  integration contact.
• The timeline and integration costs for
  application integration varies according to the
  complexity of each application.

App Go-Live
Pre-Design
Funding
4
Agency Application Integration Process
Integration Steps The integration process
consists of 7 steps Initial Contact Contact
the eGovernment office and establish SLA between
USDA eAuthentication and the agency, if one is
not in place. Pre-Design meeting Meet with the
eAuthentication Integration team to understand
the eAuthentication system and share your
applications requirements. Design meetings
Meet with the eAuthentication Integration team to
determine the physical design needed to integrate
eAuthentication and your application. Create
detailed plans of changes and assign
responsibility and timelines for each
step. Funding The eAuthentication Project
Manager and the Agency CIO will determine
eAuthentication variable funding amounts based on
the costing worksheet. Build Meetings Work
with the eAuthentication Integration team to
implement the design to the eAuthentication
system and your application, in development,
pre-production and production, with appropriate
levels of testing. Certification Meetings Work
with the eAuthentication Integration team to plan
Local Registration Authority (LRA) processes to
identity-proof your new Level 2 users, if
appropriate. Develop and deploy training to the
LRAs. Go-Live Obtain sign-off from
eAuthentication Project Manager and Application
Owner for production deployment.
5
Agency Application Integration High Level
Deliverables
App Go-Live
Pre-Design
Funding

• Review eAuthentication Guidebook
• Determine interactions to be hosted in new
  application
• Complete Impact Profile Assessment for each
  interaction to be hosted in eAuthenticated
  application
• Set up Pre-Design meeting with eAuthentication
  team

• Complete Application Integration Form
• Designate application contacts and owners for
  integration
• Set up Design meeting with eAuthentication team
• Initiate setup of development environment to
  integrate with eAuthentication

• Create application components to utilize
  eAuthentication information and inform users
• Work with eAuthentication team to integrate and
  test development, test and production environments

• Create any LRA processes or procedures needed
• Work with eAuthentication team to get these
  processes approved
• Work with eAuthentication team to deliver
  training to new LRAs

• Establish SLA

6
Agency Application Integration Process

• Agency Responsibilities
• Meet all technical requirements of the
  eAuthentication system as described in the Agency
  Integration Guidebook.
• Define all authentication and access control
  requirements.
• Make all necessary changes to the application, if
  appropriate.
• Provide test information and participate in
  application testing.
• eAuthentication Responsibilities
• Meet all authentication and access control
  requirements defined by the agency.
• Assist in design work for changes to the
  application.
• Make all necessary changes to the eAuthentication
  system.
• Provide test information and participate in
  application testing.
• Contact Information
• To schedule an integration Pre-Design meeting
  with the Integration team, please email
  egov_at_usda.gov or call 202-720-6144. Please
  provide the following information
• Your name and contact information
• Your agency name

7
Status of Agency Integrated Applications
Since the roll-out of the new eAuthentication
service, the following agencies have begun
integration with eAuthentication
8
Variable Cost Components

• Variable Cost Factors
• Complexity of Application Authentication
• Application/Web Server type
• Network Proximity to eAuthentication
• Level of authentication protection Assurance
  Level and
• Number of Access Control (Roles)
• Number of URLs to be protected
• Most Simple eAuth Integrations ? 10,800
• Most Complex eAuth Integrations ? 74,400
• Cost determined in Design phase of Integration
  Lifecycle

9
Agency Variable Cost
10
EXAMPLE Application Access Control (Roles) I
Agency Application Owner determines audience
all users
(2)
(1)
Enforcer allows access to application to
authenticated users

• Authenticated (users identity is verified)

(3)
User
Scenario I All users are allowed to access the
protected Agency Application no Application
Controls (roles) are required.
11
EXAMPLE - Application Access Control (Roles) II
Agency Application Owner determines audience
user subset
(2)
(1)

• Authenticated (users identity is verified)

Enforcer prevents access to application to
authenticated users without the proper access
(3)
User
X
Access Checked (users roles are verified)
Scenario II Only specific users are allowed to
access the protected Agency Application an
Application Access Control (role) is required but
has not been given to this particular user.
12
EXAMPLE - Application Access Control (Roles) III
Agency Application Owner determines audience
user subset
(2)
(1)

• Authenticated (users identity is verified)

Enforcer allows access to application to
authenticated users with the proper access
(4)
(3)
User
Access Checked (users roles are verified)
Scenario III Only specific users are allowed to
access the protected Agency Application an
Application Permission (role) is required and the
Agency Application Administrator has given the
role to this particular user.
13
Service Level Agreements

• The USDA eAuthenication service has created the
  Service Level Agreement (SLA) to outline
  commitments for both the USDA eAuthentication
  service and the agencies. The following process
  will be used to establish an SLA with each
  agency
• Create draft SLA agreement for agency review
  Available COB today on the eAuthentication
  website.
• Agencies review the draft SLA and provide
  issues/comments to USDA eAuthentication team
  Please send comments to egov_at_usda.gov by 2/13.
• Owen Unangst will set up meetings with agency
  authentication representatives and the Decision
  Maker/CIO to finalize each agencys SLA.
• In addition, when an agency decides to integrate
  an application with the USDA eAuthentication
  service, the SLA will need to be established as
  the first step in the integration process.

14
Service Level Agreements

• The USDA eAuthentication service SLA addresses
  the following areas
• Defines technical commitments
• Defines personnel commitments
• For both Agency and eAuthentication Teams
• Signed by the Agency CIO and the eAuthentication
  Project Manager
• Specifies
• Documentation Requirements from eAuthentication
  and the Agency
• Systems Availability
• Outages (Planned and Unplanned)
• Specific Services
• Help Desk Services
• Contact Information
• Financial Arrangements
• Specific Procedures and
• Records Management.

15
Next Steps for Integrated Reporting

• New Final OMB Guidance has been released to
  assist Agencies on how to determine levels of
  assurance needed for authentication. Based on
  the new guidance, the Integrated Reporting Tool
  needs to be modified
• We are pursuing the following changes to the
  application over the next few weeks
• Simplify the Interaction assurance level
  determination logic to the six questions outlined
  by OMB
• Enable the ability to include information on
  applications rather than just OMB interactions
• Correct issues with limiting access and
  protecting information
• Also, once the new OMB assurance logic is changed
  in the tool, some agency interactions will move
  assurance levels. Agencies will need to review
  these interactions and validate that they support
  the need for the new higher or lower assurance
  level.

16
Next Steps for Integrated Reporting

• Based on the changes within the tool, a resynch
  of agency data is needed to ensure that reporting
  to OMB and the department is correct along with
  planning future eAuthentication integrations
• eGovernment team
• Create a packet of current Agency information,
  showing a hierarchy with numbers that are
  specific to the individual agencies.
• Explain the final OMB Guidelines on Assurance
  Level, and identify changed interactions
• Explain the modifications to the Integrated
  Reporting Tool
• Detail what data needs to be updated for each
  agency
• Agency GPEA team
• Complete Missing Information (300 interactions
  were never completed).
• Confirm agency position on changed assurance
  levels for interaction
• Review interactions that require a Level 3 or 4
  assurance with new OMB guidance and validate that
  the higher level of assurance is still necessary
• Specify if your interactions are using an
  authentication mechanism other than the USDA
  eAuthentication service (PINs/Passwords/etc)

17
What is your status?
Total of Interactions
Practicable Interactions
Non-Practicable Interactions
Not GPEA Compliant
Assurance Level 3 or 4
GPEA Compliant
No eAuth Needed
Scheduled for 2004 Compliance
USDA eAuth Solution
No Current Compliance Plan
Other eAuth Solution
18
Next Steps for eAuthentication

• USDA eAuthentication 2004 Goals
• Provide single sign on capabilities across USDA
• Reduce credentials for customers that use
  multiple applications integrated with the USDA
  eAuthentication service
• Expand the USDA eAuthentication service to
  support level 3 and level 4 interactions and
  applications
• Enable the USDA eAuthentication service to
  integrate employee applications by supporting
  employee users
• Provide expanded customer usability by
  redesigning and redeploying the level 1 and level
  2 registration pages
• Enable the ability to use a single credential
  across federal agencies

19
Questions and Answers