Title: Department of the Interior, Enterprise Architecture Repository DEAR
1. Department of the Interior, Enterprise Architecture Program
DEAR CA Wizard/Report Training
2. Quick: To follow along with the training presentations
- Go to DEAR Home page
- http://www.doi.gov/ocio/architecture/dear
- Scroll down and click on DEAR Training
- Training is provided in a lab on the DOI Network
- Download/Save/Open the appropriate Training Presentation
3. DEAR Initial FAQ
- What is DEAR?
- Why use DEAR?
- Scenario
- When do I use DEAR?
- How is DEAR used and for what?
- What is the value of DEAR?
- Who will use DEAR?
- What is in DEAR?
4. Before reviewing the DEAR System, recall the similar principles of Architecture, CPIC, and Information Assurance
- Enterprise Architecture is based on methods, work products and access to integrated information.
- MBT, CPIC, CA
- Managing EA Information is governed by teams directed by external and internal Policy
- OMB, OCIO Directives
- As planners for the enterprise, EA acts as a governor or gatekeeper for the organization, each responsible for its respective areas.
- IT Governance Teams,
- Enterprise Architecture is designed to ensure an appropriate level of due diligence is performed as a part of IT planning, investments and procurements.
- Inventory 4-step Guidance, CPIC 5 phases, CA 5 Phases
- EA focuses on what the desired deliverables state needs to be, CPIC focuses on delivering the state, and Information Assurance evaluates the current state
- Thus, Architecture, CPIC, and Information Assurance need to be synergistic
5. What Is DEAR?
- IEA developed a system to hold the DOI's Enterprise Architecture Information in a Repository: DEAR
- DEAR is a repository of integrated enterprise architecture data.
- DEAR is an enterprise modeling tool that emphasizes data integration and reuse of enterprise objects.
- DEAR is a reporting site that greatly expands access to integrated enterprise architecture data.
6. DEAR provides integrated inventory management
described in a common language for standard
reporting and charting
- Inventory Reporting has been developed to report
to different audiences and different levels
7. DEAR Information is reviewed and accessible over
the DOI Network via a protected web-site
8. DEAR is a Certified and Accredited Application
- DEAR has been certified via the DOI CA process
- CA began in 2003, and has been reviewed per the CA Process
- DEAR last CA'd in 2007
- DEAR is hosted at NBC and a Service Level Agreement is regularly reviewed and maintained with NBC
- DEAR is based on
- SQL Server 2000 (migration to 2005 planned)
- Windows
- Generated Web Pages
- Telelogic COTS Package
- DEAR is planning on integrating with Single Sign-on and migrating to doi.net
- Processes for Maintaining and Operating DEAR are maintained by a full-time administration Staff
9. What information is re-usable for CA in DEAR?
- System Detail part of Accreditation Boundaries
- For Documents in CA Packages including Privacy Impact Assessment for external and internal reporting
- Editing and Managing Accreditation Boundary Detail and Systems associated
- New approach coming early spring
- Editing in DEAR
- Retiring Module in Command Center
- Rollout plan including Training, Policy, and coordination plan with your Bureau Chief Architect
- NIST Information Type Pre-Population
- Based on System Detail Mapping to BRM rolled up to Accreditation Boundary
10. Integrating all Inventories example: CA Boundary and System Inventory
Complete
- CA and EA have partnered to manage the Accreditation Boundary Inventory, Attributes and mapping to DOI System Inventory in DEAR
- This includes
- CA Boundary Status
- CA Boundary Dates
- Contacts
- CA Boundary Privacy Attributes
- This information is reported quarterly to FISMA
11. Integrating all Inventories example: Ex. 300s and System Inventory
Complete
- The Current Investments Ex. 300 and Ex. 300-1 and its status/description attributes are loaded into DEAR annually
- By relating the Investments to the System Inventory, information related to Systems can be re-used for Ex. 300s, specifically Reference Model information
- eCPIC data is only loaded after the final OMB submission is approved, meaning that for months out of the year, DEAR and eCPIC are out of sync.
12. Architect or CA Scenarios for editing in DEAR are performed using Wizards
- Architects use the System Wizard to support
- Managing the DOI System Inventory
- Attributes, detail the System Architecture
- Load Privacy Attributes provided by Privacy Officers (when multiple systems part of a boundary)
- Mapping Investments, Systems and detail to all DOI Reference Models
- Using Checkboxes and dropdowns
- Security Users will use the CA System Wizard to support
- Managing the Accreditation Boundary Inventory
- Adding, editing Attributes (as mentioned)
- Mapping to DOI System Inventory
- Load Privacy Attributes provided by Privacy Officers
- Using Checkboxes and dropdowns
13. Inventory Reporting has many stakeholders of varying interests
Audiences
CPIC (Ex. 300/300-1): Capital Planners need to create an Exhibit 300/300-1 inclusive of all systems that are part of the business case
CA (CA Boundary): IT Security Managers are recommended to Certify and Accredit systems within a defined boundary and create a CA package based on that group
EA (System A-130): Enterprise Architects need to be able to construct a blueprint with a sequencing plan and set of steps for each specific system within a certain business focus area
BIZ (Sub-System): Business users of the system are typically interested in understanding the functions and information that they use as part of the system, i.e. reporting, transactions, applications
Eng. (Component Instances): Solution Architects and Engineers are interested in understanding how the different components they use or build will be deployed in the overall system
Arch (Components): Architects looking for more information on reusable assets: services provided, technology base, scope implemented. Used in conjunction with a Component Registry core.gov
- Different Objectives, Process, Mandates, and reporting needs require different views of the Inventory
- Thus, different audiences need to see inventory at different levels
14. Let's take an example: FBMS (Major App.)
Audiences
Ex. 300/300-1 (1): There is 1 Ex. 300 for FBMS
CA Boundary (1): There is 1 CA Boundary yielding 1 package of documents for FBMS
System A-130 (1): FBMS in itself by A-130 is defined as 1 system
Sub-System (7): When discussing FBMS to its stakeholders, it is discussed as 7 or so groups of functional and service value that it will provide
Component Instances (60): To provide this functionality, over 60 components will be deployed
Components (>60): FBMS is using Commercial Off the Shelf software to provide much of its services, i.e. SAP, Compusearch, etc., but not all software modules/components are being instantiated or have been purchased
- Inventory Management requires understanding the audiences' needs to view the same inventory at different levels
15. Let's take an example: Enterprise Web (USGS)
Audiences
Ex. 300/300-1 (2): Web is part of Public WEB and the others are part of EWEB
CA Boundary (1): There is 1 CA Boundary yielding 1 package of documents
System A-130 (3): Web, Public Web, Bureau Web
Sub-System (16): Looking at Web specifically it has 16 subsystems
Component Instances (16): Currently, each sub-system is 1 major component, but more likely due to not being detailed out yet or legacy sub-systems
Components (16)
- What happens in the case where a boundary has minor applications as systems within the Boundary?
- Minor System off the WAN?
16. Inventory Management Controls
- Policy dictates that Bureau CIOs must maintain accurate and complete inventories
- Inventory additions can be made via DEAR System Wizard tool guiding Mandatory Fields and assuring business rules are met
- Inventory removals are currently a manual request process approved by CIOs
- This is to assure that records of inventory removals are kept for each inventory record within DEAR
- Sample Remove Request Reasons Captured
- System has been retired and is no longer funded
- System was mis-entered, and should be a sub-system of System ID X
- System was mis-entered, and is a duplicate of System ID X
- Project was cancelled, and System never/no longer funded
- Boundary removals must be approved by OCIO Cyber-security Division in order to assure correct CA reporting and status.
17. OK - Let's Begin accessing DEAR
- Logging into DEAR
- Go to Login Page
- Login to DEAR (not reporting site)
- Logging In
- Use Login Tutorial, especially for first time
- Opening your encyclopedia
- Logging into DEAR Reporting Site
- Go to Login Page
- Login to DEAR Reporting site
- Go to your organization
18. Part 1 of 2: Report - Objectives Today
- Tutorial on reports
- Boundary Reports
- Boundary to System
- Boundary FLAGGED reports
- Boundary to System to BRM NIST Input
- Variations
- Boundary Privacy Attributes
- Panel Reports System Validation View (aka old Asset Valuation Guide (AVG) Appendix)
19. Boundary Review Attribution
- Open your Organization Nightly Portfolio Reports
- Open Security Linkage Reports
- Open a Boundary Details
- Open in Excel
- Any Updates
- What contacts are blank?
- What status are unknown or blank?
- Mark in Bold and color code
- Save for later
- Will load in Wizard
20. Boundary to System
- Open your Organization Nightly Portfolio Reports
- Open Security Linkage Reports
- Open a Boundary to System Report
- Open in Excel
- Add a Comments column
- Any removals, Matches
- What if a system is not in this list? Why?
- When loading, Bureau systems were not put in unmatched list
- Double-check against Current System Inventory Report
21. Boundary FLAGGED reports
- Open your Organization Nightly Portfolio Reports
- Open Security Linkage Reports
- Open all Boundary FLAGGED Reports
- What boundary requires CA package document updates
- What documents?
- Note: There is a good chance the CA Package document was updated for this boundary, but DEAR was not updated. Recall, this is the information that is reported externally, so it is important to update.
22. DOI Reference Models and Information Assurance
- What does this really mean to the CA and other I.A. processes?
- Opportunities to mine one place for the architectural components of the CA Packages
- Use to guide NIST 800-60 Categorization of boundaries
- Shift CA tasks from data collection to mining analysis
- Keep Boundaries and related Systems in one list
- Keep As-is state of systems in DEAR: what technologies used, processing nodes, information used, interfaces, diagrams, all in one place
23. Boundary to System to BRM NIST Input
- Open your Organization Nightly Portfolio Reports
- Open Security Linkage Reports
- Open a to NIST BRM Report
- Open in Excel
- Look at a boundary, especially if it has multiple member systems
- See what the high watermark is for all three areas (C, I, A)
- What do you notice against the actual NIST?
- If something is stated in these reports as higher ranking than what is set, go to the detail reports and review the special factors
24. Because the Architects maintain mappings of
System to BRM, this information can be rolled up
to the Accred. Boundary with its associated NIST
Conf., Int., and Avail Recommended Level
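Added example (not part of the original presentation and not DEAR's own report logic): a sketch of the roll-up described above, taking the high watermark of C, I and A across every BRM function mapped to a boundary's member systems and listing the areas where that recommendation ranks higher than what is set. All system, boundary and BRM identifiers and all levels are constructed sample data, not values from NIST 800-60.

```python
# Added example. All identifiers and levels below are constructed sample data,
# not DEAR records and not NIST SP 800-60 provisional values.
LEVELS = {"Low": 1, "Moderate": 2, "High": 3}
NAMES = {rank: name for name, rank in LEVELS.items()}
AREAS = ("C", "I", "A")

# Hypothetical BRM function -> recommended (C, I, A) levels.
BRM_LEVELS = {
    "BRM-FUNC-1": ("Low", "Moderate", "Low"),
    "BRM-FUNC-2": ("Moderate", "Moderate", "Low"),
    "BRM-FUNC-3": ("Low", "Low", "High"),
}
# Hypothetical System -> BRM mappings, as maintained by the architects.
SYSTEM_TO_BRM = {
    "SYS-A": ["BRM-FUNC-1", "BRM-FUNC-2"],
    "SYS-B": ["BRM-FUNC-3"],
    "SYS-C": [],  # member system with no BRM mapping yet
}
# Hypothetical boundary: member systems and the categorization currently set.
BOUNDARIES = {
    "BND-1": {"systems": ["SYS-A", "SYS-B", "SYS-C"],
              "set": {"C": "Moderate", "I": "Moderate", "A": "Moderate"}},
}

def high_watermark(boundary_id):
    """Roll System -> BRM levels up to the boundary; report unmapped systems."""
    marks = dict.fromkeys(AREAS, 0)
    unmapped = []
    for system in BOUNDARIES[boundary_id]["systems"]:
        functions = SYSTEM_TO_BRM.get(system, [])
        if not functions:
            unmapped.append(system)  # contributes nothing, so the mark may be too low
        for func in functions:
            for area, level in zip(AREAS, BRM_LEVELS[func]):
                marks[area] = max(marks[area], LEVELS[level])
    return {area: NAMES.get(rank) for area, rank in marks.items()}, unmapped

def areas_to_review(boundary_id):
    """Areas where the rolled-up recommendation ranks higher than what is set."""
    recommended, unmapped = high_watermark(boundary_id)
    current = BOUNDARIES[boundary_id]["set"]
    higher = [a for a in AREAS
              if LEVELS.get(recommended[a], 0) > LEVELS.get(current.get(a), 0)]
    return higher, unmapped

if __name__ == "__main__":
    print(high_watermark("BND-1"))
    print(areas_to_review("BND-1"))
```

A member system with no BRM mapping is reported separately because it cannot raise the watermark, so a boundary containing one may be under-categorized by the roll-up.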
25. Boundary Privacy Attributes
- Open Enterprise Nightly Portfolio Reports
- Open Privacy Reports
- Look at Boundary Privacy Summary Reports
- Will show Privacy Summary fields for all boundaries
- Go back, Expand CA Boundary Privacy Reports
- Get a Summary of PIA Required: just those that Require full PIA
- Pick a boundary
- Go back, Now look at PIA Required Details
- Find that boundary and review those Privacy Details
- Which boundaries have information about employees? How did you find out (Chart? Sort? Matrix? Excel?)
- Try a new way: Which have SSN information but not info on employees?
26. Panel Reports System Validation View (aka old Asset Valuation Guide (AVG) Appendix)
- Go to DEAR Reports home page
- Click on DEAR Panels
- Navigate on left to definitions
- Navigate to ORGANIZATION
- Select an Organization and expand
- Click on an Organization
- Scroll to System section
- Select a System
- Change quick link view to System Validation
- Scroll to see what boundary it is a part of
- Or what BRM or DRM functions it supports
- You could also do this by going direct to SYSTEM_
and searching alphabetically
27. Edit - Objectives Today
- Tutorial on Data Entry Wizard
- Loading
- Main Screen
- Edit Attributes
- Add Boundary
- Edit Privacy Attributes
- Link to Systems
- What systems to link?
28. Loading Wizard Screen
29. Main Screen
- List of Boundaries
- Expand List of Systems
- Expand System Inventory Highlights
- Buttons
- Add
- Edit Boundary
- Edit Boundary to System
30. Add/Edit Boundary
- Information from CyberOffice includes
- CA System Name, ID, Bureau, Acronym
- CA and NIST Categorization
- FISMA Attributes
- SSO and CA Contact Information
- Key CA Phase Dates and last update
- Link to System Inventory
31. Privacy Attribution Updates
- Privacy Officers will provide the Privacy Attribution to the DEAR Security User (typically the Bureau IT Security manager).
- If PIA is required, this will happen annually
- If not required, only the Preliminary PIA completion date is required (for every system)
- Privacy Officer is responsible for verifying the information once entered on the DEAR Reporting Site.
32. When are Privacy Attributes required to be loaded and where
- All boundaries require Privacy Attribution
- If no PIA Required, only the first few fields showing on the screen are required (Preliminary PIA Date completed, and first 4 questions)
- If PIA Required, complete all fields based on Full PIA as required
- If Boundaries have multiple member systems, the same information must be populated at the system level
- The Privacy Officer must provide the information to the Bureau IT Security Manager for Boundaries and to the Architect for Systems
- A Privacy Officer may gain access to edit boundaries directly if coordinated with the Bureau IT Security Managers
33. Edit Privacy
- Set Preliminary PIA Completion Date
- Set Reasons
- Calculation
- If Required
- Set Completion Date
- Annually
- Retrieved by Name attributes
- Records Notice Info
- Online Form Info
- OMB Required Fields
34. Link Boundary to Systems
- Blue Systems that are checked are CAs within this boundary
- Blue and Unchecked are CA'd under a different boundary
- Red have not been determined to be CA'd under any boundary
- Find Button
- Checking and Un-checking
35. You are now prepared to
- Collect Boundary to System data for loading into DEAR
- Load Boundaries, Attributes including Privacy and Boundary to System Relationship into DEAR
- Use Reports to
- QA data inputted
- Track Boundary Status
- As Input to NIST 800-60 Categorization requirements
- Please provide feedback on reports and enhancement requests to CyberOffice, especially on Security Dashboard and new wizard functionality
36. To implement the Enterprise Transition Plan, the inventory needs to be complete and managed in a coordinated state
- DEAR Inventory Management controls, policy, processes, and mechanisms are established and in action
- Policy on Inventory Management Controls is being updated to require CA and DEAR inventory alignment
- Inventory Management is uniform across all bureaus/offices within the Department