Office of the Chief Information Officer EFCOG Annual Meeting Fred Catoe (IM-32) U.S. Department of Energy

Office of the Chief Information Officer Project Objectives  Achieve control and security objectives of HSPD 12 and FIPS 201  Meet HSPD 12 deadlines  June 27, 2005 – Implementation Plan  August 27, 2005 – Additional system recommendations for HSPD 12  October 27, 2005 – Compliance with PIV I  October 2006 – Compliance with PIV II  September 30, 2007 – Background checks for current employees & contractors  Successfully integrate into DOE environment at selected sites for logical and physical security  Engineer compliant solution  ACTD approach - limited deployment (10% of DOE population)  Full deployment (based on validated cost & technical models)  Ensure compliance with HSPD 12 and FIPS 201 privacy requirements

Office of the Chief Information Officer Project Benefits  Provides standard infrastructure access across the corporation  Provides a corporate solution for Identity Management (IdM) and credentialing  Provides a cost savings and cost avoidance over time based on results from other agencies  Consolidates physical access control systems (PACS)  Improves security in disk-less computing environment  Reduces PKI costs by moving from 40+ PKIs to an SSP PKI per OMB M  Reduces Help Desk costs  Improves compliance with Federal mandates  Enables future functionality:  E-Signature  E-Authentication  Automated digital forms  Single Sign-On (SSO) Not just an unfunded mandate – project is based on demonstrated business benefits

Office of the Chief Information Officer Coordinated Effort WorkgroupParticipants HSPD 12 System IntegrationOCIO/SSA lead, NNSA, ME, Ops, Science and field activity participation OMB Reporting IT System Integration Physical Access Control System Integration Smart card data model HSPD 12 Identity Verification and Token TopologySSA lead, OCIO, NNSA, ME, Ops, Science, GC and field activity participation Identity Verification Token Topology HSPD 12 Human Resources & Procurement ActivitiesME lead, OCIO, SSA, NNSA, Ops, Science, GC and field activity participation Personnel/HR process adjustment Procurement activities Privacy activities HSPD 12 System Certification and ApprovalIndependent Audit (OA) lead, OCIO, SSA, NNSA, ME, Ops, Science, GC, OIG and field activity participation

Office of the Chief Information Officer DOE Methodology  Acquisition Lifecycle Management complimented by a systems engineering approach  Staff Project Office with government and contractor Subject Matter Experts (SMEs) possessing technical and deployment experience with identified technologies  Use ACTD type approach based on 10% of DOE population  Adjust as required based on lessons learned  Use this approach to validate cost and technical models  Leverage other agencies lessons learned and best practices  Implementation of functionally equivalent card systems has been completed and is under way at several Federal agencies  Memorandum of Understanding (MOU) between agencies for information and infrastructure sharing as appropriate  System procurement experiences, including Analysis of Alternatives (AoA) (government and department wide) We have a running head-start and HSPD-12 milestones are achievable

Office of the Chief Information Officer Systems Engineering System engineering allows you to identify requirements and test them against the identified alternatives Meets OMB requirement for Requirements Traceability Matrix This type of approach is iterative, allowing management of each life cycle phase You can always tell where you are in the process, and what still has to be done Approach successfully completed GAO audit & Congressional review Controls costs – minimizes rework by getting right 1 st time Enterprise Architecture – identifies components and dependencies Best practice – viewed across government as most effective approach Proven repeatable for full deployment Based on validated Department requirements resulting in integrated repeatable process capable of refinement as required

Office of the Chief Information Officer Integrated Project Plan  Organizational  Resource  Scope  Requirements  Quality  Schedule  Cost  Communications  Acquisition  Risk  Configuration  Training  Security Framework for project management of the following functions: Structured & detailed approach to management of project in line with industry and Government best practices

Office of the Chief Information Officer What do we need to do?  Submit Implementation Plan 6/27/05  Provide list of other potential uses of FIPS Standard within DOE 8/27/05  Comply with FIPS 201, Part 1 10/27/05  Satisfy control objectives of the standard  Adopt and accredit a registration process  Include language implementing the standard in applicable contracts  Complete the privacy requirements  Comply with FIPS 201, Part 2 10/27/06  Technical requirements  Credential issuance  Credential authentication  Identity verification – Sep 30, 2007 identity proofing on record for all current employees and contractors  System access

Office of the Chief Information Officer Summary  Integrate solution across the Department to achieve key goals:  Meet Secretary’s objective and be recognized leader in HSPD-12 compliance and technology integration  Meet the control and security objectives of HSPD-12  Integrated solution:  Improves the security and business process  Provides Return on Investment (ROI)  Timelines are challenging and require immediate attention to meet both near term and long term goals and objectives  Leveraging other Department/Agency experiences and lessons learned will be beneficial to DOE Cannot afford to do this more than once