State of CDC’s Systems Portfolio and New Imperatives

State of CDC’s Systems Portfolio and New Imperatives

Jim SeligmanChief Information Officer

CDC Information Systems• Historical & Current Systems Profile

– Investment Trends– Portfolio Composition

• New Imperatives and Influences– HSPD-12 Smart Card enablement– Portfolio Review & OMB Tech Stat– Shared Software and Data Services

FY 8

2FY

83

FY 8

4FY

85

FY 8

6FY

87

FY 8

8FY

89

FY 9

0FY

91

FY 9

2FY

93

FY 9

4FY

95

FY 9

6FY

97

FY 9

8FY

99

FY 0

0FY

01

FY 0

2FY

03

FY 0

4FY

05

FY 0

6FY

07

FY 0

8FY

09

FY 1

0FY

11

FY 1

2

$0

$50

$100

$150

$200

$250

$300

$350

CDC IT Expenditures

IT Intramural IT Extramural

$ M

illion

s

CDC FY 2012 IT Investment CompositionInvestment Level Total Value Average Cost

Major (6) $137.6M $22.9M

Tactical (12) $64.9 M $5.4M

Supporting (109) $101.7M $0.9M

Extramural (7) $161.2M $23.0M

Total FY 2012 (134) $465.4M $3.5M

CDC FY 2012 Investment Jurisdiction

Series1$0

$50

$100

$150

$200

$250

$300

$350

Intramural$304 M

Extramural$161M

66%

34%

6

Number of Systems Trending

FY 2005 FY 2006 FY 2007 FY 2008 FY 2009 FY 20100

20406080

100120140160180200

0

100

200

300

400

500

600

700Systems Portfolio

New Systems Retired Systems Portfolio

Fiscal Year

New

or

Retir

ed S

yste

ms

Port

folio

Siz

e

IT Systems by OrganizationCenter/Office # Systems

FY 2012 Planned

Budget ($M) Cost per System

($M) CGH 7 $0.8 $0.1 NIOSH 8 $0.9 $0.1 OD 153 $45.4 $0.3 OID 174 $71.1 $0.4 ONDIEH 135 $23.3 $0.2 OPHPR 26 $13.0 $0.5 OSELS 55 $65.9 $1.2 OSTLTS 2 $0.1 $0.1 Total 560 $220.5 $0.4 Inclusion/Exclusion Criteria Include intramural spending only Exclude IT infrastructure Exclude "Not Updated," "Planning," or "Planned Retirement" systems

8

CDC Systems by Mission Criticality

High Criticality Systems

Medium Criticality

Low Criticality

132

299

191

FY 2012 Systems by Lifecycle Phase

21847%247

53%Development & Modern-izationOperations & Main-tenance

$ in Millions

Federal IT Dashboard - HHS

Federal IT Dashboard - CDC

New Imperatives

Identity & Access Management Program

• OMB Requirements and Deadlines• CDC Milestones• Application Assessment• Application Smart Card Enablement

Draft - For Discussion Purposes Only 13

OMB Requirements and DeadlinesOMB Feb 3, 2011 Directive • Fund HSPD-12 credential issuance using existing resources

• FY 10 - all new systems must be enabled to accept HSPD-12 credentials for authenticating Federal employees and contractors

• FY 11 - agencies must use system technology refreshment funding (DME or O&M) to upgrade existing systems to use HSPD-12 credentials

– CDC policy to be issued in March 2011

• FY 12 - agencies shall not spend DME or O&M technology refreshment funding on systems unless they use HSPD-12 credentials to authenticate Federal employees and contractors

14

FY 11 Timeline for Logical Access Controls

Logical Access Plan Milestone

Establish Unified Helpdesk Plan

OCT 2010 – DEC 2010Q1

JAN 2011 – MAR 2011Q2

JUL 2011 – SEP 2011Q4

APR 2011 – JUN 2011Q3

Complete ITSO Middleware /

Card Reader Pilot and

Documentation

Smart Card access via CITGO

available

WS-3

Develop IWA PKI Enablement Application

Guides (.NET, JAVA)

WS-5

Distribute Desktop Readers & Middleware to

GOE Users

WS-3

Complete Testing Smart Card Access for Webmail

Test and Standardize

Blackberry and Bluetooth Equipment

WS-4

WS-3

WS-15

Smart Card Maintenance

Deployment Plan

WS-15

WS-3

E-Auth Go Live Phase 2 (Level 2

& 3)

WS-14

Start SDN Migration

WS-14

Start PKI Enablement Pilot

2

WS-5

E-Auth Go Live Phase 1 (Level 1)

WS-14

15

Start PKI Enablement Pilot

1

WS-5

Application Assessment Survey

• CDC Application Assessment for Smart Card Enablement Survey

• Total Number of Responses: 424 (~75% responded)




218180

26

Integrated Windows Authentication

Yes

No

Unsure



25 41

356

Application Type

Standard Commercial Package

Highly Customized Commercial Package

Custom Developed Application



126

1315

66 3

Application Language

.NetJavaAccess/SQLSASPowerBuilderFoxpro



0

20

40

60

80

100

120

140

1 to 10 10 to 100 100 to 1000

1000 to 5000

Greater than 5000

102

75 69

24

128

Total User Population

HSPD-12 Logical Access Approach• HHS Enterprise Applications (e.g. CapHR, EWITS, LMS)

– Plan to use Sun Identity and Access Manager-based solution

• CDC Capabilities currently using Integrated Windows Authentication (IWA)

– Built-in, requires no additional investment

– Leverages existing investment and infrastructure

– Ties in with CDC Active Directory that is already PKI enabled for Smart Card authentication

• Authentication upgrades will require focused investment over time

– Microsoft .NET applications can easily upgrade to Integrated Windows Authentication

– JAVA/J2EE provides available, mature, bolt-on modules

– Develop a set of generic authentication modules shared across systems


PKI-Enabling Technology CategoriesCategory A – IWA-type applications or with built-in PKI support

Category B – Applications that will use Sun Identity Suite

Category C – Applications that will use PKI-enablement libraries

Category D – Applications/Systems where access is limited by “PKI-enabled Vault” i.e. need a credential to login to the server

Category E – Applications where the vendor provides upgrades to PKI-enable

Category F – Applications that will be replaced (Not PKI-enabled in favor of new application)

Category G – Applications that will not be upgraded (requires justification)


Logical Access Next Steps• Integrated Windows Authentication Guides developed

for .Net and Java applications, posted on IRGC SharePoint site

• HSPD-12 PMO meeting with major CDC application groups

• Develop additional guidance documents to leverage Integrated Windows Authentication

• Develop tests to verify HSPD-12 compliance

• Establish user groups to identify impacts and requirements

• Conduct pilots and develop prototypes


CDC Systems Review• Number of systems?

• Spending on systems?

• Redundancy/duplication?

• System development success: on-time, on-scope, on-budget?

• System performance success measures– meeting original intent– achieving performance measures– scale of usage and content– customer satisfaction

Shared Software and Data Services• Developing a registry of shared software and data services

– Service name– Service description– Contact– Lifecycle stage– Information location (URL)– Authentication required– Standards supported

• Compliment to Enterprise Systems Catalog & EA Reference Guide

• Resource for developers - shared code, objects, APIs, data resources

Some Candidate Shared Services at CDC• WONDER

– 11 Databases of Population, Vital Statistics, and Morbidity– XML-based API

• Security Services (SDN and IAM.Net Services)– Identification, Access, and Credentialing Services

• PHIN Services– PHIN-MS (Messaging), PHINDIR (Directory), PHIN-VADS (Vocabulary)

• GIS Mapping/Geospatial Services• People Repository (other HR Services)

Questions?

Documents

State of CDC’s Systems Portfolio and New Imperatives