CDC System Portfolio New Imperatives · 03/02/2011

Post on 30-Jul-2020


State of CDC’s Systems Portfolio and New Imperatives

Jim Seligman

Chief Information Officer

CDC Information Systems

• Historical & Current Systems Profile

– Investment Trends

– Portfolio Composition

• New Imperatives and Influences

– HSPD-12 Smart Card enablement

– Portfolio Review & OMB Tech Stat

– Shared Software and Data Services

CDC IT Expenditures

[Figure: CDC IT Expenditures, $ Millions. Series: IT Intramural, IT Extramural]

CDC FY 2012 IT Investment Composition

Investment Level Total Value Average Cost

Major (6) $137.6M $22.9M

Tactical (12) $64.9M $5.4M

Supporting (109) $101.7M $0.9M

Extramural (7) $161.2M $23.0M

Total FY 2012 (134) $465.4M $3.5M

CDC FY 2012 Investment Jurisdiction

[Figure: CDC FY 2012 Investment Jurisdiction. Intramural: $304M; Extramural: $161M. Shares shown: 66% and 34%]

Number of Systems Trending

[Figure: Systems Portfolio by Fiscal Year, FY 2005 to FY 2010. Axes: Portfolio Size; New or Retired Systems. Series: New Systems, Retired Systems, Portfolio]

IT Systems by Organization

Center/Office | # Systems | FY 2012 Planned Budget ($M) | Cost per System ($M)

CGH 7 $0.8 $0.1

NIOSH 8 $0.9 $0.1

OD 153 $45.4 $0.3

OID 174 $71.1 $0.4

ONDIEH 135 $23.3 $0.2

OPHPR 26 $13.0 $0.5

OSELS 55 $65.9 $1.2

OSTLTS 2 $0.1 $0.1

Total 560 $220.5 $0.4

Inclusion/Exclusion Criteria

Include intramural spending only

Exclude IT infrastructure

Exclude "Not Updated," "Planning," or "Planned Retirement" systems

CDC Systems by Mission Criticality

[Figure: CDC systems by mission criticality. Labels: High Criticality Systems, Medium Criticality, 191 Low Criticality. Other values shown: 132, 299]

FY 2012 Systems by Lifecycle Phase

[Figure: FY 2012 systems by lifecycle phase, $ in Millions. Categories: Development & Modernization, Operations & Maintenance. Values shown: $218 (47%), $247 (53%)]

Federal IT Dashboard - HHS

Federal IT Dashboard - CDC

New Imperatives

Identity & Access Management Program

• OMB Requirements and Deadlines

• CDC Milestones

• Application Assessment

• Application Smart Card Enablement

Draft - For Discussion Purposes Only 13

OMB Requirements and Deadlines

OMB Feb 3, 2011 Directive

• Fund HSPD-12 credential issuance using existing resources

• FY 10 - all new systems must be enabled to accept HSPD-12 credentials for authenticating Federal employees and contractors

• FY 11 - agencies must use system technology refreshment funding (DME or O&M) to upgrade existing systems to use HSPD-12 credentials

– CDC policy to be issued in March 2011

• FY 12 - agencies shall not spend DME or O&M technology refreshment funding on systems unless they use HSPD-12 credentials to authenticate Federal employees and contractors


FY 11 Timeline for Logical Access Controls

[Figure: timeline of Logical Access Plan milestones across four quarters: Q1 (OCT 2010 – DEC 2010), Q2 (JAN 2011 – MAR 2011), Q3 (APR 2011 – JUN 2011), Q4 (JUL 2011 – SEP 2011). Milestones carry the tags WS-3, WS-4, WS-5, WS-14 and WS-15. Milestone labels shown:]

• Complete ITSO Middleware / Card Reader Pilot and Documentation

• Smart Card access via CITGO available

• Develop IWA PKI Enablement Application Guides (.NET, JAVA)

• Complete Testing Smart Card Access for Webmail

• Test and Standardize Blackberry and Bluetooth Equipment

• Smart Card Maintenance Deployment Plan

• E-Auth Go Live Phase 1 (Level 1)

• E-Auth Go Live Phase 2 (Level 2 & 3)

• Start SDN Migration

• Start PKI Enablement Pilot 1

• Start PKI Enablement Pilot 2

• Establish Unified Helpdesk Plan

• Distribute Desktop Readers & Middleware to GOE Users

Application Assessment Survey

• CDC Application Assessment for Smart Card Enablement Survey

• Total Number of Responses: 424 (~75% responded)

Application Assessment Survey

[Figure: Integrated Windows Authentication. Categories: Yes, No, Unsure. Values shown: 26, 218, 180]

Application Assessment Survey

[Figure: Application Type. Categories: Standard Commercial Package, Highly Customized Commercial Package, Custom Developed Application. Values shown: 25, 41, 356]

Application Assessment Survey

[Figure: Application Language. Categories: .Net, Java, Access/SQL, SAS, PowerBuilder, Foxpro. Values shown: 15, 6, 6, 3, 126, 13, 15]

Application Assessment Survey

[Figure: Total User Population. Categories: 1 to 10, 10 to 100, 100 to 1000, 1000 to 5000, Greater than 5000. Values shown: 102, 75, 69, 128, 24]

HSPD-12 Logical Access Approach

• HHS Enterprise Applications (e.g. CapHR, EWITS, LMS)

– Plan to use Sun Identity and Access Manager-based solution

• CDC Capabilities currently using Integrated Windows Authentication (IWA)

– Built-in, requires no additional investment

– Leverages existing investment and infrastructure

– Ties in with CDC Active Directory that is already PKI enabled for Smart Card authentication

• Authentication upgrades will require focused investment over time

– Microsoft .NET applications can easily upgrade to Integrated Windows Authentication

– JAVA/J2EE provides available, mature, bolt-on modules

– Develop a set of generic authentication modules shared across systems


PKI-Enabling Technology Categories

Category A – IWA-type applications or with built-in PKI support

Category B – Applications that will use Sun Identity Suite

Category C – Applications that will use PKI-enablement libraries

Category D – Applications/Systems where access is limited by “PKI-enabled Vault” i.e. need a credential to login to the server

Category E – Applications where the vendor provides upgrades to PKI-enable

Category F – Applications that will be replaced (Not PKI-enabled in favor of new application)

Category G – Applications that will not be upgraded (requires justification)


Logical Access Next Steps

• Integrated Windows Authentication Guides developed for .Net and Java applications, posted on IRGC SharePoint site

• HSPD-12 PMO meeting with major CDC application groups

• Develop additional guidance documents to leverage Integrated Windows Authentication

• Develop tests to verify HSPD-12 compliance

• Establish user groups to identify impacts and requirements

• Conduct pilots and develop prototypes


CDC Systems Review

• Number of systems?

• Spending on systems?

• Redundancy/duplication?

• System development success: on-time, on-scope, on-budget?

• System performance success measures

– meeting original intent

– achieving performance measures

– scale of usage and content

– customer satisfaction

Shared Software and Data Services

• Developing a registry of shared software and data services

– Service name

– Service description

– Contact

– Lifecycle stage

– Information location (URL)

– Authentication required

– Standards supported

• Complement to Enterprise Systems Catalog & EA Reference Guide

• Resource for developers - shared code, objects, APIs, data resources

Some Candidate Shared Services at CDC

• WONDER – 11 Databases of Population, Vital Statistics, and Morbidity

– XML-based API

• Security Services (SDN and IAM.Net Services)

– Identification, Access, and Credentialing Services

• PHIN Services

– PHIN-MS (Messaging), PHINDIR (Directory), PHIN-VADS (Vocabulary)

• GIS Mapping/Geospatial Services

• People Repository (other HR Services)

Questions?