Department of the Interior, Enterprise Architecture Repository DEAR

Provided by: mtri
Transcript and Presenter's Notes

1
Department of the Interior, Enterprise
Architecture Program
DEAR C&A Wizard/Report Training
2
Quick: To follow along with the training presentations
  • Go to DEAR Home page
  • http://www.doi.gov/ocio/architecture/dear
  • Scroll down and click on DEAR Training
  • Training is provided in a lab on the DOI Network
  • Download/Save/Open the appropriate Training
    Presentation

3
DEAR Initial FAQ
  • What is DEAR?
  • Why use DEAR?
  • Scenario
  • When do I use DEAR?
  • How is DEAR used and for what?
  • What is the value of DEAR?
  • Who will use DEAR?
  • What is in DEAR?

4
Before reviewing the DEAR System, recall the
similar principles of Architecture, CPIC, and
Information Assurance
  • Enterprise Architecture is based on methods, work
    products and access to integrated information.
  • MBT, CPIC, C&A
  • Managing EA Information is governed by teams
    directed by external and internal Policy
  • OMB, OCIO Directives
  • As planners for the enterprise, EA acts as a
    governor or gatekeeper for the organization, each
    responsible for its respective areas.
  • IT Governance Teams
  • Enterprise Architecture is designed to ensure an
    appropriate level of due diligence is performed
    as a part of IT planning, investments and
    procurements.
  • Inventory 4-step Guidance, CPIC 5 phases, C&A 5
    Phases
  • EA focuses on what the desired deliverables state
    needs to be, CPIC focuses on delivering the
    state, and Information Assurance evaluates the
    current state
  • Thus, Architecture, CPIC, and Information
    Assurance need to be synergistic

5
What Is DEAR?
  • IEA developed a system to hold the DOI's
    Enterprise Architecture Information in a
    Repository: DEAR
  • DEAR is a repository of integrated enterprise
    architecture data.
  • DEAR is an enterprise modeling tool that
    emphasizes data integration and reuse of
    enterprise objects.
  • DEAR is a reporting site that greatly expands
    access to integrated enterprise architecture data.

6
DEAR provides integrated inventory management
described in a common language for standard
reporting and charting
  • Inventory Reporting has been developed to report
    to different audiences and different levels

7
DEAR Information is reviewed and accessible over
the DOI Network via a protected web-site
8
DEAR is a Certified and Accredited Application
  • DEAR has been certified via the DOI C&A process
  • C&A began in 2003, and has been reviewed per the
    C&A Process
  • DEAR last C&A'd in 2007
  • DEAR is hosted at NBC and a Service-Level
    Agreement is regularly reviewed and
    maintained with NBC
  • DEAR is based on:
  • SQL Server 2000 (migration to 2005 planned)
  • Windows
  • Generated Web Pages
  • Telelogic COTS Package
  • DEAR is planning on integrating with Single
    Sign-on and migrating to doi.net
  • Processes for Maintaining and Operating DEAR are
    maintained by a full-time administration Staff

9
What information is re-usable for C&A in DEAR?
  • System Detail part of Accreditation Boundaries
  • For Documents in C&A Packages including Privacy
    Impact Assessment for external and internal
    reporting
  • Editing and Managing Accreditation Boundary
    Detail and Systems associated
  • New approach coming early spring
  • Editing in DEAR
  • Retiring Module in Command Center
  • Rollout plan including Training, Policy, and
    coordination plan with your Bureau Chief
    Architect
  • NIST Information Type Pre-Population
  • Based on System Detail Mapping to BRM rolled up
    to Accreditation Boundary

10
Integrating all Inventories example: C&A
Boundary and System Inventory
Complete
  • C&A and EA have partnered to manage the
    Accreditation Boundary Inventory, Attributes and
    mapping to DOI System Inventory in DEAR
  • This includes:
  • C&A Boundary Status
  • C&A Boundary Dates
  • Contacts
  • C&A Boundary Privacy Attributes
  • This information is reported quarterly to FISMA

11
Integrating all Inventories example: Ex. 300s
and System Inventory
Complete
  • The Current Investments Ex. 300 and Ex. 300-1
    and their status/description attributes are loaded
    into DEAR annually
  • By relating the Investments to the System
    Inventory, information related to Systems can be
    re-used for Ex. 300s, specifically Reference
    Model information
  • eCPIC data is only loaded after the final OMB
    submission is approved. This means that for months
    out of the year, DEAR and eCPIC are out of sync.

12
Architect or C&A Scenarios for editing in DEAR
are performed using Wizards
  • Architects use the System Wizard to support:
  • Managing the DOI System Inventory
  • Attributes, detail the System Architecture
  • Load Privacy Attributes provided by Privacy
    Officers (when multiple systems are part of a
    boundary)
  • Mapping Investments, Systems and detail to all
    DOI Reference Models
  • Using Checkboxes and dropdowns
  • Security Users will use the C&A System Wizard to
    support:
  • Managing the Accreditation Boundary Inventory
  • Adding, editing Attributes (as mentioned)
  • Mapping to DOI System Inventory
  • Load Privacy Attributes provided by Privacy
    Officers
  • Using Checkboxes and dropdowns

13
Inventory Reporting has many stakeholders of
varying interests
Audiences (with the inventory level each views)
CPIC (Ex. 300/300-1): Capital Planners need to create an Exhibit
300/300-1 inclusive of all systems that are part
of the business case
C&A (C&A Boundary): IT Security Managers are recommended to Certify
and Accredit systems within a defined boundary
and create a C&A package based on that group
EA (System A-130): Enterprise Architects need to be able to
construct a blueprint with a sequencing plan and
set of steps for each specific system within a
certain business focus area
BIZ (Sub-System): Business users of the system are typically
interested in understanding the functions and
information that they use as part of the system,
i.e. reporting, transactions, applications
Eng. (Component Instances): Solution Architects and Engineers are
interested in understanding how the different components
they use or build will be deployed in the overall
system
Arch (Components): Architects looking for more information on
reusable assets: services provided, technology
base, scope implemented. Used in conjunction with
a Component Registry (core.gov)
  • Different Objectives, Process, Mandates, and
    reporting needs require different views of the
    Inventory
  • Thus, different audiences need to see inventory
    at different levels

14
Let's take an example: FBMS (Major App.)
Audiences
Ex. 300/300-1: 1. There is 1 Ex. 300 for FBMS
C&A Boundary: 1. There is 1 C&A Boundary yielding 1 package of
documents for FBMS
System A-130: 1. FBMS in itself by A-130 is defined as 1 system
Sub-System: 7. When discussing FBMS to its stakeholders, it is
discussed as 7 or so groups of functional and
service value that it will provide
Component Instances: 60. To provide this functionality, over 60
components will be deployed
Components: >60. FBMS is using Commercial Off the Shelf software
to provide much of its services, i.e. SAP,
Compusearch, etc., but not all software
modules/components are being instantiated or have
been purchased
  • Inventory Management requires understanding the
    audiences' needs to view the same inventory at
    different levels

15
Let's take an example: Enterprise Web (USGS)
Audiences
Ex. 300/300-1: 2. Web is part of Public WEB and the others are
part of EWEB
C&A Boundary: 1. There is 1 C&A Boundary yielding 1 package of
documents
System A-130: 3. Web, Public Web, Bureau Web
Sub-System: 16. Looking at Web specifically it has 16 subsystems
Component Instances: 16. Currently, each sub-system is 1 major
component, but more likely due to not being detailed out yet
or legacy sub-systems
Components: 16
  • What happens in the case where a boundary has
    minor applications as systems within the
    Boundary?
  • Minor System off the WAN?

16
Inventory Management Controls
  • Policy dictates that Bureau CIOs must maintain
    accurate and complete inventories
  • Inventory additions can be made via DEAR System
    Wizard tool guiding Mandatory Fields and assuring
    business rules are met
  • Inventory removals are currently a manual request
    process approved by CIOs
  • This is to assure that records of inventory
    removals are kept for each inventory record
    within DEAR
  • Sample Remove Request Reasons Captured
  • System has been retired and is no longer funded
  • System was mis-entered, and should be a
    sub-system of System ID X
  • System was mis-entered, and is a duplicate of
    System ID X
  • Project was cancelled, and System never/no longer
    funded
  • Boundary removals must be approved by OCIO
    Cyber-security Division in order to assure
    correct C&A reporting and status.

17
OK - Let's begin accessing DEAR
  • Logging into DEAR
  • Go to Login Page
  • Login to DEAR (not reporting site)
  • Logging In
  • Use Login Tutorial, especially for first time
  • Opening your encyclopedia
  • Logging into DEAR Reporting Site
  • Go to Login Page
  • Login to DEAR Reporting site
  • Go to your organization

18
Part 1 of 2 Report - Objectives Today
  • Tutorial on reports
  • Boundary Reports
  • Boundary to System
  • Boundary FLAGGED reports
  • Boundary to System to BRM NIST Input
  • Variations
  • Boundary Privacy Attributes
  • Panel Reports System Validation View (aka old
    Asset Valuation Guide (AVG) Appendix)

19
Boundary Review Attribution
  • Open your Organization Nightly Portfolio Reports
  • Open Security Linkage Reports
  • Open a Boundary Details
  • Open in Excel
  • Any Updates
  • What contacts are blank?
  • What status are unknown or blank?
  • Mark in Bold and color code
  • Save for later
  • Will load in Wizard

20
Boundary to System
  • Open your Organization Nightly Portfolio Reports
  • Open Security Linkage Reports
  • Open a Boundary to System Report
  • Open in Excel
  • Add a Comments column
  • Any removals, Matches
  • What if a system is not in this list? Why?
  • When loading, Bureau systems were not put in
    the unmatched list
  • Double-check against Current System Inventory
    Report

21
Boundary FLAGGED reports
  • Open your Organization Nightly Portfolio Reports
  • Open Security Linkage Reports
  • Open all Boundary FLAGGED Reports
  • What boundary requires C&A package document
    updates, to what documents?
  • Note: There is a good chance the C&A Package
    document was updated for this boundary, but DEAR
    was not updated. Recall, this is the information
    that is reported externally, so it is important
    to update.

22
DOI Reference Models and Information Assurance
  • What does this really mean to the C&A and other
    I.A. processes?
  • Opportunities to mine one place for the
    architectural components of the C&A Packages
  • Use to guide NIST 800-60 Categorization of
    boundaries
  • Shift C&A tasks from data collection to mining
    analysis
  • Keep Boundaries and related Systems in one list
  • Keep As-is state of systems in DEAR: what
    technologies used, processing nodes, information
    used, interfaces, diagrams, all in one place

23
Boundary to System to BRM NIST Input
  • Open your Organization Nightly Portfolio Reports
  • Open Security Linkage Reports
  • Open a to NIST BRM Report
  • Open in Excel
  • Look at a boundary, especially if it has multiple
    member systems
  • See what the high watermark is for all three
    areas (C, I, A)
  • What do you notice against the actual NIST?
  • If something is stated in these reports as
    ranking higher than what is set, go to the detail
    reports and review the special factors

24
Because the Architects maintain mappings of
System to BRM, this information can be rolled up
to the Accred. Boundary with its associated NIST
Conf., Int., and Avail Recommended Level
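
The rollup described on the two slides above, sketched as an added example (not code from DEAR or the presentation): each system-to-BRM mapping carries a C/I/A level, the boundary takes the highest level per area across its member systems, and any area where that high water mark exceeds the recorded categorization is listed for review. The row layout, names and levels are constructed for illustration and are not DEAR or NIST SP 800-60 values.

```python
"""High-water-mark rollup of C/I/A levels from member systems to a boundary."""
from collections import defaultdict

RANK = {"Low": 1, "Moderate": 2, "High": 3}
AREAS = ("C", "I", "A")  # confidentiality, integrity, availability

# Constructed rows shaped like a boundary -> system -> BRM function export.
# All names and levels are hypothetical sample data.
ROWS = [
    ("Boundary-1", "System-A", "BRM function 1", {"C": "Low", "I": "Moderate", "A": "Low"}),
    ("Boundary-1", "System-A", "BRM function 2", {"C": "Moderate", "I": "Low", "A": "Low"}),
    ("Boundary-1", "System-B", "BRM function 3", {"C": "Low", "I": "Low", "A": "High"}),
    ("Boundary-2", "System-C", "BRM function 1", {"C": "Low", "I": "Moderate", "A": "Low"}),
]
# Categorization currently recorded for each boundary (constructed).
RECORDED = {
    "Boundary-1": {"C": "Moderate", "I": "Moderate", "A": "Moderate"},
    "Boundary-2": {"C": "Moderate", "I": "Moderate", "A": "Low"},
}

def high_water_mark(rows):
    """Return {boundary: {area: highest level over all member-system mappings}}."""
    marks = defaultdict(lambda: dict.fromkeys(AREAS, "Low"))
    for boundary, _system, _function, levels in rows:
        for area in AREAS:
            if RANK[levels[area]] > RANK[marks[boundary][area]]:
                marks[boundary][area] = levels[area]
    return dict(marks)

def flag_for_review(rows, recorded):
    """List areas whose rolled-up level exceeds (or has no) recorded level,
    with the (system, function) mappings that drive the higher level."""
    findings = []
    for boundary, levels in sorted(high_water_mark(rows).items()):
        for area in AREAS:
            set_level = recorded.get(boundary, {}).get(area)
            if set_level is None or RANK[levels[area]] > RANK[set_level]:
                drivers = sorted({(s, f) for b, s, f, lv in rows
                                  if b == boundary and lv[area] == levels[area]})
                findings.append((boundary, area, set_level, levels[area], drivers))
    return findings

if __name__ == "__main__":
    for finding in flag_for_review(ROWS, RECORDED):
        print(finding)
```

A boundary with no recorded categorization is flagged in every area, so unmatched boundaries surface instead of being skipped.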
25
Boundary Privacy Attributes
  • Open Enterprise Nightly Portfolio Reports
  • Open Privacy Reports
  • Look at Boundary Privacy Summary Reports
  • Will show Privacy Summary fields for all
    boundaries
  • Go back, Expand C&A Boundary Privacy Reports
  • Get a Summary of PIA Required: just those that
    require a full PIA
  • Pick a boundary
  • Go back, Now look at PIA Required Details
  • Find that boundary and review those Privacy
    Details
  • Which boundaries have information about employees?
    How did you find out (Chart? Sort? Matrix?
    Excel?)
  • Try a new way: Which have SSN information but
    not info on employees?

26
Panel Reports System Validation View (aka old
Asset Valuation Guide (AVG) Appendix)
  • Go to DEAR Reports home page
  • Click on DEAR Panels
  • Navigate on left to definitions
  • Navigate to ORGANIZATION
  • Select an Organization and expand
  • Click on an Organization
  • Scroll to System section
  • Select a System
  • Change quick link view to System Validation
  • Scroll to see what boundary it is a part of
  • Or what BRM or DRM functions it supports
  • You could also do this by going direct to SYSTEM_
    and searching alphabetically

27
Edit - Objectives Today
  • Tutorial on Data Entry Wizard
  • Loading
  • Main Screen
  • Edit Attributes
  • Add Boundary
  • Edit Privacy Attributes
  • Link to Systems
  • What systems to link?

28
Loading Wizard Screen
29
Main Screen
  • List of Boundaries
  • Expand List of Systems
  • Expand System Inventory Highlights
  • Buttons
  • Add
  • Edit Boundary
  • Edit Boundary to System

30
Add/Edit Boundary
  • Information from CyberOffice includes
  • C&A System Name, ID, Bureau, Acronym
  • C&A and NIST Categorization
  • FISMA Attributes
  • SSO and C&A Contact Information
  • Key C&A Phase Dates and last update
  • Link to System Inventory

31
Privacy Attribution Updates
  • Privacy Officers will provide the Privacy
    Attribution to the DEAR Security User (typically
    the Bureau IT Security manager).
  • If PIA is required, this will happen annually
  • If not required, only the Preliminary PIA
    completion date is required (for every system)
  • Privacy Officer is responsible for verifying the
    information once entered on the DEAR Reporting
    Site.

32
When are Privacy Attributes required to be loaded
and where
  • All boundaries require Privacy Attribution
  • If no PIA Required, only the first few fields
    showing on the screen are required (Preliminary
    PIA Date completed, and first 4 questions)
  • If PIA Required, complete all fields based on
    Full PIA as required
  • If Boundaries have multiple member systems, the
    same information must be populated at the system
    level
  • The Privacy Officer must provide the information
    to the Bureau IT Security Manager for Boundaries
    and to the Architect for Systems
  • A Privacy Officer may gain access to edit
    boundaries directly if coordinated with the
    Bureau IT Security Managers

33
Edit Privacy
  • Set Preliminary PIA Completion Date
  • Set Reasons
  • Calculation
  • If Required
  • Set Completion Date
  • Annually
  • Retrieved by Name attributes
  • Records Notice Info
  • Online Form Info
  • OMB Required Fields

34
Link Boundary to Systems
  • Blue: Systems that are checked are C&A'd within
    this boundary
  • Blue and Unchecked are C&A'd under a different
    boundary
  • Red have not been determined to be C&A'd under
    any boundary
  • Find Button
  • Checking and Un-checking

35
You are now prepared to
  • collect Boundary to System data for loading
    into DEAR
  • load Boundaries, Attributes including Privacy
    and Boundary to System Relationship into DEAR
  • use Reports to
  • QA data inputted
  • Track Boundary Status
  • As Input to NIST 800-60 Categorization
    requirements
  • Please provide feedback on reports and enhancement
    requests to CyberOffice, especially on Security
    Dashboard and new wizard functionality

36
To implement the Enterprise Transition Plan, the
inventory needs to be complete and managed in
a coordinated state
  • DEAR Inventory Management controls, policy,
    processes, and mechanisms are established and in
    action
  • Policy on Inventory Management Controls is being
    updated to require C&A and DEAR inventory
    alignment
  • Inventory Management is uniform across all
    bureaus/offices within the Department