How USDA used HSPD-12 to eliminate stovepipes
AT HAND: Chris Niedermayer says USDA used exisitng tools.
It's 145 years since Abraham Lincoln created the United States Agriculture Department. But, while Lincoln showed a preference for stovepipe hats, USDA wants to eliminate stovepiped IT systems. And the agency is finding that the Homeland Security Presidential Directive 12 (HSPD-12) actually helps in this regard.
'When a person comes on, we don't have to provision them with their e-mails, then with their Web services, then with their building access,' said Owen Unangst, USDA's HSPD-12 project manager. 'We wanted to take an enterprise approach rather than having HSPD-12 be just one more stovepipe.'
In implementing the HSPD-12 requirements, the agency is centralizing its identity management systems, using its HR system as a starting point for determining employee status.
'We wanted to leverage our normal business processes and the HR system is the authoritative source of information,' said USDA associate CIO Chris Niedermayer. 'It saves time from having to replicate or duplicate the data, and store, manage and protect it a second time. It just made sense.'People(Soft) Come First
For USDA, HSPD-12 compliance entails more than providing identification for its 97,000 employees. The agency also has around 50,000 contractors who work for the agency, plus there are 15,000 to 20,000 state and local government employees who need access. Then there are nearly a million volunteers who, for example, assist at campgrounds over the summer.
For its own employees, the agency has been using PeopleSoft's HR software since the 1990s. Operating under the name EmpowHR, the system operates under the agency's New Orleans-based National Finance Center.
'We are using EmpowHR as an authoritative starting point for employment status'active, suspended or terminated'or nuances such as transferred,' said Unangst.
For HSPD-12, however, the system had to be expanded to include all of the non-employees associated with the agency that needed to be tracked.
USDA has set up a separate instance of EmpowHR to incorporate these additional classes of people. It does this by combining two types of records. One record identifies the contract or affiliation, and the other contains the individual's personal data.
For example, USDA has contracted with Science Applications International Corp. in San Diego for HSPD-12 technology architecture support. A record would be created covering that contract, and then separate personnel records for each of the SAIC staff who were working on that contract and needed access to USDA's premises or IT systems.
Those two sets of records would then be linked showing that an individual was working on a particular contract and assign privileges accordingly. That person would then lose access if either the contract was canceled or they were removed from the project team.
The HR system, however, does not act as the ID management system. It provides a basis for the rest of the security applications. Currently, EmpowHR feeds the ID management system every two weeks, but that will be changing to a 30-minute refresh schedule. 'The system needs to be updated more frequently - even in real time - and feed on a real-time basis into our ID management system,' said Niedermayer. 'The technical piece is not a problem, but we need to create a business process where critical changes in status get put into the system immediately and not part of the personnel payroll cycle every two weeks. We should be able to turn off access to everyone immediately if we need to.'Building on what's there
The HRMS is one small part of the overall HSPD-12 implementation.
'The whole system revolves around existing tools,' said Niedermayer.
EmpowHR feeds the data into the USDA's Enterprise Identity Management System, which runs Microsoft's Identity Information Service (formerly called Passport).
MIIS then provides the identity information to the agency's eAuthentication system - which provides single sign-on for 230 Web-based applications - exchanges data with the Active Directory structures in USDA's 28 subagencies, and links to the enterprise applications, the building access systems and the HSPD-12 Service Provider.
'You need extremely good architecting of technical systems because of the integration of HR with ID management, with messaging and e-mail, with eAuthentication, with the 28 USDA subagencies and all of their other systems, directories and authentication/authorization schemes,' said Unangst. 'It takes a lot of project planning to bring that together.'
Fully deploying the system and ID cards to all users is scheduled to take place by October 2011. The initial systems have been tested and are ready to go on line.
'We have architected the solution and brought it up in a test environment,' said Niedermayer. 'Now we are going into active and disaster recovery with failover capability.'
The agency is using cards that support three different technologies initially.
Though they are a few dollars more than ones which support a single technology, it gives the agency several years to do a technology refresh rather than having to put everything on the same standard immediately. USDA plans on deploying its first 20,000 to 40,000 HSPD-12 cards to employees in the national capital region by the end of the fiscal year, and the rest of the employees will follow.
Beyond that, USDA has a risk-based decision tree to determine which of the contractors, affiliates and volunteers will get cards.
'Not all of the non-employees are subject to the HSPD-12 cards,' said Unangst. n
GCN assistant managing editor Jason Miller contributed to this story.