eAuthentication Initiative Pre-Implementation Status

Provided by: MartinW
Learn more at: https://www.usda.gov
Transcript and Presenter's Notes

1
  • eAuthentication Initiative Pre-Implementation
    Status
  • eGovernment Program

2
Agenda
  • eAuthentication Overview
  • USDA eAuthentication Solution Components
  • Agency Integration Responsibilities
  • eAuthentication Costs and Resources
  • Questions and Answers

3
What is eAuthentication?
  • Customer interactions with USDA, also called
    transactions, will be transformed to allow
    customer submission through electronic means
  • For many interactions, the identity of the person
    submitting the data needs to be known, either to
    enable an electronic signature of the form or
    data, or for informational purposes
  • eAuthentication encompasses the processes and
    technology that identify a person electronically
    and present that information to the application
    that is accepting the user's data submission
  • eAuthentication in the current phase will only
    support interactions that are presented in a web
    format over the Internet

4
eAuthentication Needs
Of the 736 interactions scheduled for GPEA
compliance for October 2003, 639 require
eAuthentication. 57 of these have been completed
in the Online Impact Assessment Tool.
35 (61%) out of the 57 in-scope interactions
require Level 2 Authentication. Currently, USDA
eAuthentication supports Level 1 and Level 2
authentication.
Authentication Levels define the credibility
necessary to support a person's identification.
The higher the authentication level, the more
information is needed to validate that a person is who
they say they are.
5
eAuthentication Schedule
  • Continue eAuthentication communications in the
    form of postcards, presentations and integration
    documentation
  • Present the Costing Model to Agencies for
    eAuthentication by July 25, 2003
  • Distribute the Agency Guidebook by July 25, 2003
      • Road map and details for integrating Agency
        Applications
  • Begin Implementation on July 28, 2003
      • WebCAAF Expansion, Directory Services, Identity
        Management, User Registration
  • Initiate GSA Gateway Integration Proof-of-Concept
    in August 2003
  • Provide Integration Planning assistance beginning
    August 2003
  • Begin integration of applications in September
    2003
  • GPEA Deadline is October 21, 2003

7
USDA eAuthentication Solution Components
The USDA eAuthentication solution encompasses
four main components:
  • Technical Solution
  • Identity and Access Management
  • Presidential Initiative (GSA Gateway)
  • Registration Process

8
USDA eAuthentication Solution Components
Technical Solution
  • Enforcer: web agent installed on the agency's
    web server to perform authentication.
    Communicates with the central authentication system
    in the Web Farm
  • Web Farm: secure, redundant hosting facility
    that hosts the USDA eAuthentication solution
  • Firewall Stack: set of network and security
    devices that protects the USDA network from the
    Internet. The Web Farm Firewall Stack is part of
    the USDA eAuthentication CA
  • User Stores: central USDA user store.
    Maintains information about the user that is
    common across agencies. Agency-specific user
    stores maintain more detailed information if
    needed
  • Policy Server and Policy Store: core
    components of the USDA authentication solution.
    Ties together enforcers and user stores through
    policies

[Network diagram. Labels: Enforcer, www.xyz.usda.gov, Enforcer, Internet, Alternative Hosting Facility, www.abc.gov/form1, Router, Switch, Firewall (Internet / Intranet), USDA Network, Web Farms]

9
USDA eAuthentication Solution Components
Identity and Access Management
  • Password Services
      • Enforcement of strong password standards and
        password maintenance such as password
        changes, password expiration, etc.
  • Self Services
      • Administration of user information without
        calling the USDA help desk. This is
        non-authentication information such as the user's
        phone number and username, not information about
        the user's relationship with the agency or his
        permission to access certain web applications
  • Delegated Administration
      • Administrative access to the central user store
        to establish users' access to the agency's
        applications
  • Help Desk
      • Assistance with authentication-related issues
        such as password resets, directions to a
        registration center, etc. The USDA Help Desk is
        not able to help with application-specific
        questions. Agencies must provide contact
        information for application-specific problems

10
USDA eAuthentication Solution Components
Registration Process
  • Self Service Registration for Level 1 Assurance
      • Registration for the most basic form of
        authentication. It is not a strong indicator of the
        user's actual identity, since it relies on
        information from the user, but is useful in some
        settings such as web site personalization
  • Identification Proofing for Higher Levels
      • Validation of identity by a Local Registration
        Authority. Currently this identity proofing must
        be done in person
      • Service Center or other Local Registration
        Authorities
  • Agency-specific Authorization Profile Creation
      • Authorization of which users may access their
        applications. Each agency may create a set of
        conditions based on the common user information
        that is collected or may create web pages to
        collect additional information.

11
USDA eAuthentication Solution Components
Presidential Initiative (GSA Gateway)
  • The GSA Gateway is the Presidential Initiative
    solution for eAuthentication. USDA's integration
    approach is to create a single point of
    integration with the GSA Gateway, through the
    USDA eAuthentication solution.
  • The USDA eAuthentication solution and GSA Gateway
    integration will occur once the Gateway is
    complete
  • An integration proof-of-concept is planned for
    August, 2003
  • Applications will integrate with the USDA
    eAuthentication solution, which will connect to
    the GSA Gateway, so each agency application will
    not have to be integrated separately with the GSA
    Gateway
  • Upon completion, Agency applications will receive
    the benefits of the GSA Gateway

[Diagram labels: USDA eAuthentication, Agency Web Servers, USDA Logon Servers, Internet, GSA Gateway, ECP (three)]

13
Agency Integration Responsibilities
[Timeline chart covering July, August, September and October. Activities shown:]
  • eForms System Test
  • eForms System Go-Live
  • Design eForms System
  • Build eForms System
  • ID 03 Funding
  • ID 04 Funding
  • Process OMB Approvals
  • Develop On-Line Alternatives Communications plan
  • Publish Communications
  • Confirm GPEA Functional Team
  • Create Technical Design for eAuth components
  • Request eRecords Disposition Authority
  • Build Technical eAuth components
  • Confirm GPEA Technical Team
  • Certify LRA process
  • Implement eAuth Registration Components
  • Design eAuth Registration Components
  • Train LRAs
  • Select Forms tool(s)
  • Train Agency Admins
  • Implement eAuth Identity Access Management
    Components
  • Design eAuth Identity Access Management
    Components
  • ID GPEA-Compliant Interactions
  • Oct 21 GPEA Deadline
  • Build Coordination Meetings
  • Production Readiness
  • eForms/eAuth Design Meetings
  • Test/Certification Meetings
  • Complete Authentication Impact Profile Assessment

14
Agency Integration Responsibilities
Technical Solution
  • Create web application on supported web server
  • Assist in installation of web enforcer
  • Decide what user information your agency
    applications need to receive from the central
    user store in the form of header variables
  • Give eAuthentication team information to
    integrate new enforcer into eAuthentication
    system
  • Build web pages to collect any additional user
    information for authorization

[Diagram labels: Test Environments, OCIO, Agency, Identity Management Services Pages, Web Farm Hosting Environment]

15
Agency Integration Responsibilities
Identity and Access Management
  • Build a process to decide whether a user should
    be allowed to access your agency's applications
  • If that process requires any user information
    that is not collected by the central registration
    procedure, build authorization registration web
    pages to collect this information (including
    company representation)
  • Designate and train agency administrators to
    authorize users in the eAuthentication system
    for agency applications
  • Maintain a list of customer/company
    representative relationships
  • Map USDA Customer IDs to Agency Customer IDs

[Diagram labels: Password Services, User Self-Administration, Delegated Administration, OCIO, Identity Management Services Pages, User Stores, Help Desk, Authorization Processes and Role Definition, Agency, Users, Authorization Pages, User Stores]

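The agency-side steps from the two slides above (receiving user information as header variables, deciding whether a user may access an application, and mapping USDA Customer IDs to Agency Customer IDs) can be sketched as follows. This is an added example, not code from the presentation or from USDA; the header variable names, customer IDs, application paths and the `authorize` helper are all hypothetical.

```python
from dataclasses import dataclass
from typing import Mapping, Optional

# Hypothetical header variable names; the real names would be agreed with
# the eAuthentication team when the enforcer is integrated.
H_CUSTOMER_ID = "usda-customer-id"
H_AUTH_LEVEL = "usda-auth-level"

# Constructed sample data maintained by the agency.
CUSTOMER_ID_MAP = {"U100234": "AG-0042", "U100777": "AG-0107"}
REQUIRED_LEVEL = {"/newsletter": 1, "/loan-form": 2}
SUPPORTED_LEVELS = {"1": 1, "2": 2}  # Level 1 and Level 2, per the slides


@dataclass(frozen=True)
class Decision:
    allowed: bool
    agency_id: Optional[str]
    reason: str


def deny(reason: str) -> Decision:
    return Decision(False, None, reason)


def authorize(path: str, headers: Mapping[str, str]) -> Decision:
    """Fail closed: every missing or unexpected value is a denial."""
    required = REQUIRED_LEVEL.get(path)
    if required is None:
        return deny("unknown application")
    # HTTP header names are case-insensitive; normalise before lookup.
    hdrs = {k.lower(): v.strip() for k, v in headers.items()}
    usda_id = hdrs.get(H_CUSTOMER_ID, "")
    level = SUPPORTED_LEVELS.get(hdrs.get(H_AUTH_LEVEL, ""))
    if not usda_id:
        return deny("missing customer id header")
    if level is None:
        return deny("missing or unsupported authentication level")
    if level < required:
        return deny("authentication level too low")
    # Map the USDA Customer ID to the agency's own customer ID.
    agency_id = CUSTOMER_ID_MAP.get(usda_id)
    if agency_id is None:
        return deny("no agency customer mapping")
    return Decision(True, agency_id, "ok")
```

Header variables are only trustworthy when the application can be reached solely through the enforcer; a request that bypasses it could supply the same headers itself.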
16
Agency Integration Responsibilities
Registration Process
  • Determine if Service Centers will provide Local
    Registration Authority (LRA) services for your
    user population
  • If not, create identity proofing processes and
    training for your LRAs following USDA standards
  • Communicate registration processes and
    requirements to your users

[Diagram labels: Level 1 Self-Registration, Email Verification, Level 2 LRA Registration, Service Center Agencies, OCIO, Authentication Registration Pages, Agency-Specific LRAs, Identity Proofing Procedure, User Stores, Agency, Level 1 Self Registration, Users, Agency-Specific LRAs, Level 2 In-Person Registration, Identity Proofing Procedure]

17
Agency Integration Responsibilities
Presidential Initiative (GSA Gateway)
  • Integrate with USDA eAuthentication solution
  • Alert USDA eAuthentication team of any
    applications/interactions that require higher
    levels of credentials than the eAuthentication
    passwords (through the online tool)
  • Work with eAuthentication team to identify
    sources of credentials from GSA Gateway providers

[Diagram labels: USDA eAuthentication, OCIO, Agency Web Servers, USDA Logon Servers, Internet, GSA Gateway, ECP (three)]

19
eAuthentication Costs
  • The fixed and variable costs for the
    eAuthentication initiative are broken out as
    follows:
      • FY 2003 Total Costs: 1,550,000
      • FY 2004 Total Costs: 5,700,000
      • FY 2004 Variable Costs: 1,525,000
      • FY 2004 Fixed Costs: 4,175,000
  • Cost distribution calculations/algorithms need to
    be created quickly. Any suggestions on how the
    cost should be allocated?

20
eAuthentication Resource Needs
  • USDA eAuthentication Solution Team
      • Technical Services Team
      • Integration Team
  • Agency Solution Team
      • Integration Team
          • Business process and user communities expertise
      • Technical Team
          • Developers representing the Agency application

22
Questions and Answers
23
For More Information
For more information on the eAuthentication
Initiative, please review the eAuthentication
Frequently Asked Questions on the eGovernment
site: http://www.egov.usda.gov/resources/teamspace/team_resources.html
Please contact the eGovernment team for username and password.