The State of Federal eGovernment and eBusiness


State of Federal eGov & eBusiness

http://ec.fed.gov - 10/18/2007

Slide 1: The State of Federal eGovernment and eBusiness
January 23, 2001

Mary Mitchell
Office of Electronic Government
GSA Office of Governmentwide Policy
ec.fed.gov
AOA - Lansing MI, Jan 22-23, 2001

Notes: The following is a briefing on the impact of E-government.

Slide 2: Trends Driving Government Transformation
Trends acting on Government:
- Internet
- Increased outsourcing and privatization
- Globalization
- Increased public expectations
- Performance measurement and accountability
- IT skill shortage and aging of workforce

Notes:
- Citizens are demanding more and better services on-line.
- Public does not care how government is organized and is demanding a customer-centric focus (see New Jersey survey).
- Organized around communities like Access America.
- Support processes: life cycle or life events.
- Push to bring on private sector partners or outsource: leverage innovation & capabilities, share cost and risk.
- Changing needs and dramatically increased competition for talent: difficulty in recruiting and retaining skills (technical workers), increased global competition; show progress and focus on outcomes, not outputs; better access, increased accountability.
- 800 #s: call centers instead of in person.
- Internet: information and transactions; anywhere, anytime, 7x24 availability; immediate problem resolution.
- Deflation (lower cost of operating programs, not increases).

Slide 3: Implications of Current Reality
- Old ways of doing business won't go away anytime soon
- Improvements require up-front investment
- Multiple benefits but often one program carries the burden
- Need to support old and new ways of doing business, at least for now
- Up-front investment requires tough choices because existing operational costs exceed demand for service

Notes:
- Can't rely on an Internet-only solution; still, where users and stakeholders accept, considerable savings are possible.
- Demand to do more with less: when a process is redesigned, 10 - 1 savings are possible.
- Need a common source of funding so that turf is not an issue.

Slide 4: Key eGov Findings
- Most government Web sites are informational, serving as an important dissemination channel
- Government Internet development is fragmented due to different origins of revenues and lack of overall strategy
- Despite fragmentation, Web initiatives can integrate independent efforts & automate off-line transactions
- Most government Web sites don't support access by persons with disabilities or offer language translation
Sources: Jupiter and Brown University studies

Slide 5: The eGov Challenge
- Approximately 265 Million Americans
- Growing number of Americans are wired
- Most Americans want to do business with the government online today!
- Public expects online services similar to the best commercial capabilities
- Public does business with multiple agencies; your agency may not have a clue who they are!

Notes: Over 100 Million Americans are wired. Differences in demographics: young people; seniors are the fastest growing segment going online.

Slide 6: Business Driver: Efficiency/Savings
- Cisco Systems: $564M saved
- IBM: $600M saved
- AZ DMV: savings of $6 per transaction
- U.S. Mint: savings of $5 per transaction

Notes:
- Do not underestimate the importance of time savings, customer satisfaction and other intangibles. These are easier to measure and may be as important as cost avoidance.
- DoD E-Malls was able to reduce the order filling time from 45 days to 3 days, at a saving of 50% per order.
- The U.S. Mint Web Catalog: the U.S. Mint has been accepting orders online from coin collectors since April 1999. Goals of the Mint's successful e-retail operation include improved customer service and closing the books on sales in a more efficient manner. Resulted in savings of $5 per transaction on Web site sales over mail order sales.
- Arizona State Department of Motor Vehicles: the Arizona State DMV processes license requests for drivers' licenses and license plates over the Internet. This saved the agency $6 per transaction. Arizona is one of 9 states offering online vehicle registration. An Anderson study included costs to citizens, concluding that the traditional renewal at a DMV office costs at least 40 dollars.

Slide 7 (title not preserved in the extraction): cost comparison. The column headings were lost; judging by the values, the columns are traditional cost, online cost and savings. Cells that could not be recovered are left blank.

Transaction                | Traditional    | Online         | Savings
Bill Payment               | $2.22 - $3.32  | $0.65 - $1.10  | 71% - 67%
Insurance Policy           | $400 - $700    | $200 - $350    | 50%
Software Distribution      | $15            | $0.20 - $0.50  | 97% - 67%
Procurement                |                |                | 70%
Motor Vehicle Registration | $7 (column not recoverable) |   |

than Contracts 200 billion

Each program is passed by a specific piece of legislation; streamlining will simplify interactions.

States invited to provide input on the Federal Commons development through the Inter-agency Electronic Grants Committee State and Local Subcommittee.

S&L subcommittee is chaired by Tony Cavataio (Department of Education: [email protected]) or Karen Evans (Department of Justice: [email protected]).

Federal Register Notice issued Wed, Jan 17th. Work to achieve commonality will reduce burden and improve effectiveness, e.g., 8 agencies have emergency relief responsibilities.

Slide 17: Driving to eGovernment (diagram)
Leverage Technology:
- FedSales
- eMarketplaces: buying, selling, paying
- XML: metadata, architecture, access, languages
- PKI/Smart Cards
- Customer Service: call centers, VOIP, CRM
- Mobile Devices
- Single Face Gov't
Policy Setting & Guidance; Interoperability & Standards; Agency Pilots; Alliances w/Agencies & Industry; Business Case; Risk Assessment; Best Practices; Streamlined Processes
Strategy: Alliances, Interagency Groups, Executive Leadership
Workforce: Training, Telework
Outreach: White papers, Talks, Press
Secure Web: Digital Signatures, CA Cross Certification, Authentication
Infrastructure
Getting There: Federal Mandates (Privacy Act, GPEA, A-130 & PPD-63 (Security), HIPPA, E-Sign), Metrics, Change Agents, eGov Products

Notes: Presenting a single face to the citizen and businesses through:
- FirstGov - the first-ever U.S. Government online information portal that will connect Americans with information and resources from all 27 million federal agency web pages.
- FedBizOpps - FedBizOpps (formerly known as the Electronic Posting System) is a web-based application that provides electronic access to government business opportunities by posting synopses, solicitations, and other related documents directly to the Internet.
- FedCommons - grants community. In 1998, the Office of Govtwide Policy formed an Interagency Electronic Grants Committee (IAEGC) to coordinate the development of Federal Commons, to streamline the grants process and improve systems that serve the grants community. The first functions are online.
- FedSales improves on-line access to federal asset sales (real property, personal property, and financial assets such as loans). A current list of Federal agencies selling property on-line is available at www.financenet.gov.
- FactsForYou
- ARNET - The Acquisition Reform Network contains every aspect of government acquisition policies, regulations, opportunities and training.
- Excluded Parties
- Extensible Markup Language (XML): promising technology standards for allowing reuse and exchange of information assets. Separates presentation from the structure and semantics of information; easier to tie together disparate systems.
- Smart Cards - a multi-award contract for agencies to buy smart cards. Important step in the use of emerging technologies: produce guidelines and ground rules on how to develop systems to help agencies avoid mistakes; and developed a business case analysis for agencies to use on how to best employ the technology (for example, PKI technology in smart cards).

Slide 18: FirstGov.gov
- Keyword Search
- Featured Subjects
- Interesting Topics
- U.S. Government
- State & Local
- FirstGov Partners
- Your Feedback

Notes: The FirstGov.gov portal was developed by GSA and launched in 90 short days. FirstGov has seven areas that bring together over 27 million Web pages of Federal information, providing fast and more efficient access to a half billion documents, in less than one-quarter of a second! The site organizes the information in 7 areas:
1. The Main Search Index - indexes all 27 million government web pages with powerful search technology provided to us by the Fed-Search Foundation
2. Interesting Topics by categories
3. Featured Subjects - highlights on-line transactions and new sites
4. Organizational Directory - by executive, legislative and judicial branches of the U.S. government
5. State and Local Government websites
6. FirstGov Partners - public and private sector FirstGov Partners
7. Your Feedback - directs feedback to one of 120 Federal links
Designed to handle millions of searches a day.

Slide 19: Your Feedback
- Feedback by Topic: Scroll down to Veterans and tell the Veterans Administration what you like, or what could be improved about the way they provide services
- Feedback by Agency: Send e-mail to the Secretary of Health and Human Services or other Department officials
- Feedback to FirstGov: E-mail the FirstGov team to make content suggestions or comments about the website

Notes: 7 - Your Feedback - 120 Feedback Links. Here are some examples of feedback:

A mother who home-schools her children plans to use FirstGov as her main educational resource.

An 87 year old grandfather who does not own a computer or know how to use one but was so excited about the press stories and what can be done online he went down to his local library.

GREAT site. Already very useful personally, and as a professor of government I'll use the site in course development and in student assignments almost immediately. The flexibility of this site, so that it includes such useful sites, is commendable. Kudos to all.

This is a great site. I can now eliminate about 10 URLs on various gov sites that I have been using. I will let several seniors, that I walk with every morning, know about this site. I know it will be very beneficial to them as it has been to me on my first visit today to this site.

I have begun using the site since Sunday night and have had very little sleep since. Everyone on the Firstgov development team should be commended for this. Excellent job in ease and the search engine is superb. Congratulate the Surgeon General and his staff on the excellent CDC site as well.

Today was the first time I used your website, and I had a wonderful experience. I had to help a customer find the CFR 240, but we were unsure of the agency or department. The third hit was a winner out of 8000. Thank you so much for your services.

Just wanted to congratulate you on a job well done. I just entered the web site today, and have found it to be very well constructed and easy to use. I am going to be able to clean out one of my "favorites" sections on my browser and basically replace it with one item. Nicely done.

Slide 20: Baseline: Customer Service
(chart: Customer Service E-mail Response Time; Source: n=81)
Public expects 6 hr response time

Slide 21: Result: Seek Real-Time Solutions, Straining Resources
- 45% Sent Another Email
- 32% Placed A Telephone Call
- Contact Overload! 2nd, 3rd Inquiries
Source: Jupiter/NFO April, 2000; n=1709

Notes: Customers will seek real-time solutions, straining resources.

For those customers that don't abandon a brand, we found that nearly 80% of the respondents will make a second inquiry.

While 45% sent another email, 32% made a telephone inquiry. These no calorie contacts further strain contact center resources and contribute to customer dissatisfaction.

Without response times improving, expect that customers will continue to send multiple inquiries across all contact channels.

If your organization is having a difficult time meeting email expectations, be sure to factor these subsequent email inquiries into your forecasts so that you may get an accurate picture of the staff that will be needed to play catch-up.

There are other strategies to take and I will touch on them in just a minute.

Slide 22: State & Local
- Links to state and local websites
- Information for state and local employees
- Locators for federal services

Notes: State and Local Gateway Government Resources:
- Agricultural Service Centers Locator
- American Fact Finder
- Community 2020 Software
- Demographic and Economic Profiles by State and County
- Economic Data by State and Metropolitan Area
- Employment and Training Regional and State links
- Export Assistance in Your Area
- Federal Child Care Centers
- Federal Depository Libraries
- Federal Funding for State and Local Governments
- FedStats - Gateway to federal statistical information
- Housing Counselors
- Indian Health Service Area Offices
- Military Installations
- National Park Guide
- Occupational Safety and Health Administration Office Locator

Slide 23: Government Online

(chart; Source: n=81)
- Online Voting
- Online Voter Registration
- Online Application for Grants
- Online Bidding for Government Contracts
- Update Information Online
- File Taxes Online
- Government Records Online
- Government Forms Online
- Kids' Education Area
- Recruitment/Employment Section

Slide 24: Risk Assessment
- Required of Federal agencies by GPEA
- Three primary risks: improper disclosure, program fraud, image of the agency
- Goal: assess the electronic transaction risk
- Recommend an appropriate authentication mechanism for a given transaction
- Examine transaction flow and vulnerabilities
- Provide rough cost estimates

Notes: Authentication and electronic transaction risk management.

- Improper Disclosure - unauthorized access to private records; violation of the Privacy Act.
- Program Fraud - direct access to SSA systems which could allow someone to alter records; could impact payments, SSNs.
- Image - public perception of risk and SSA's ability to keep their information secure.

Slide 25: Leading Risk Practices
- GAO Report, InfoSec Risk Assessment: Practices of Leading Organizations
- SSA risk report found few organizations performed a risk assessment before implementing a new authentication method
- Found six leading practices for assessment
- Most still using PIN/Passwords
- Poor job of identifying life cycle costs
- Other methods, notably software-based client keys, are becoming more common
- No widely-accepted industry cost models

Notes: We looked over a GAO report that was provided to us by SSA. Examined 3 companies and 1 government agency. However, the bulk of our efforts focused on examining a proprietary database. In the end, we examined a total of eight cases in detail. The two cases used to validate the GAO report were a govt. agency and a large computer services company.

Two in detail:
- DoD - restrict information available to the general public via Internet
- Large Investment Firm - cost was the driving factor - PIN/Password

Slide 26: Other Considerations
- Identification Risk
- Back-end Risk, e.g., database of passwords
- Risk Over Time: single vs. multiple transactions
- Interoperability with Other Applications: intra-agency, inter-agency, B2G, C2G
- Infrastructure and Operating Costs: helpdesk, databases, repositories...

Notes:
- Strength of ID Proofing: how strong is the process for issuing credentials (PINs, passwords or digital certificates)?
- Interoperability: PKI lets you re-use a single authentication mechanism for multiple applications ---> eliminate stovepiped systems ---> save money and improve performance. Much more risky to re-use a password for multiple apps ---> users have lots of passwords, which reduces security.
- Common hacker tools can typically guess ~30% of passwords in a network; some hackers claim 90% success.
- 20-50% of corporate helpdesk calls are password-related.
- At the NY Times web site, ~1000 users/week forget their passwords.
- 24/7 helpdesk support for passwords costs ~$150/user-year.

Slide 27: Pay Attention to Privacy
- Set enterprise-wide privacy policy
- Select appropriate security technologies
- Trust relationship questions: Does identity need to be authenticated? Are the credentials presented sufficient? Is there a trusted authentication authority? When should I accept credentials from an authority?
- Privacy Dos and Don'ts: Do notify users and follow an opt-in strategy; Don't keep any more information than needed; Don't keep information any longer than needed

Slide 28: Common eGov Application Needs
- Authentication of users
- Non-repudiation of transactions
- Confidentiality (privacy)
- Interoperability among disparate systems
- Assignment of liability
- Scalability/extensibility

Notes: Eliminating existing paper processes takes a good deal of planning. When wet signatures are required today, these applications are good candidates for needing to authenticate who is doing business with the government by electronic means.

To avoid disputes with individuals when financial, or other binding conditions exist, be sure that process and technology are adequate for non-repudiation.

Slide 29: Technology Neutrality
- E-SIGN and GPEA require technology neutrality with regard to creating, storing, generating, receiving, exchanging or authenticating records or signatures
- Cannot require use of a specific technology unless necessary to meet a government objective
- Cannot require use of a particular type of hardware/software
- GPEA requires risk assessment before technology investment

Slide 30: What is an Electronic Signature under E-SIGN?
"means an electronic sound, symbol, or process, attached to or logically associated with a contract or other record and executed or adopted by a person with the intent to sign the record."
- PIN or Password
- Biometric Profile
- Click-through acceptance via software dialog box
- Typed name
- Digitized image of a handwritten signature
- Digital Signature or other secure authentication system
- Knowledge-based Authentication

Slide 31: What about Digital Signatures?
What kinds of transactions need signing?
- Submission of a mandated transaction (administrative, regulatory, law enforcement)
- Instrument creates a financial or legal obligation (e.g., applications for benefits and grants)
- Contract for goods or services
- Involves inherently sensitive or private information
When is a secure infrastructure needed?
- Strong authentication provided by identity-based digital signature certificates is useful in managing risk
- Appropriate to satisfy Fed GPEA needs
- Use for agency-identified risky applications

Notes: Rule of thumb: if you require a signature with a paper process, it is a good candidate if electronic.
Transactions: threat of criminal prosecution; Social Security/veterans/food stamp benefits; applying for loans, grants; fully binding legal contract; contains information of a personal nature (account, records about you).
OMB issued implementation guidance for the use of electronic signatures.
Mandated electronic option: Govt Paperwork Elimination Act of 1998. Agencies have until 2003 to implement GPEA.

Slide 32: Security Needs Met by Public Key Infrastructure
- Authentication: Is the originator who they really say they are? Achieved by binding the sender's identity credentials to the message (digital signature).
- Data Integrity: Has the message/transaction been accidentally or maliciously altered? Achieved via cryptographic checksums (hash) of the data.
- Confidentiality: Can the message be read only by authorized entities? Encryption protects information from unauthorized disclosure.
- Non-repudiation: Can the sender or receiver dispute that the message was actually sent or received? Enabled through the digital signature process.

Slide 33: What is ACES?
Access Certificates for Electronic Services is a governmentwide contract which can provide secure electronic access to the public for privacy-protected Federal services and information through the use of public key technology.

Diagram elements:
- Citizen; Industry Partner
- Any Web-based Government Application
- Access Federal System with ACES
- Validate Digital Signature Certificate
- Return Personalized Government Benefits/Information
- Authentication; Access Control; Data Integrity; Technical Non-Repudiation

Slide 34: Rules of Thumb
- Move incrementally against a plan
- Revisit/streamline business processes
- Rely on commercial practices, commercial solutions, and open standards
- Use smaller awards, multiple sources, existing contract vehicles
- Form partnerships and use interagency groups
- Conserve your IT talent
- Own just the data and processes needed
- Always tie $ investment to business case
- Greatest impact when work crosses organizational boundaries, however: need executive commitment; adds organizational risk; must satisfy needs/get buy-in of all stakeholders

Slide 35: Some Key Federal eGov Sites (site names and URLs paired in the order they appear on the slide)
- GSA's Governmentwide Policy: http://www.policyworks.gov
- Federal EC/eGov site: http://ec.fed.gov/
- FirstGov Portal: http://firstgov.gov
- FedBizOpps Contract Opportunities: http://www.fedbizopps.gov
- Property & Asset Sales: http://fedsales.gov/
- Access America: Students, Seniors: http://students.gov and http://seniors.gov
- President's E-Commerce WG: http://www.ecommerce.gov
- FedCommons: Grants: http://www.cfda.gov/federalcommons/
- Interagency Grants Cmte: http://financenet.gov
- OMB Policy: Grants, Information Procurement, Financial Management: http://www.whitehouse.gov/OMB/
- Fed Public Key Infrastructure: http://gits-sec.treas.gov
- Access Certificates for Electronic Services (ACES): http://gsa.gov/ACES
- Smartcard Security: http://smart.gov

Slide 36: Federal eBusiness Future
- Expanded use of Internet transactions will make functional boundaries transparent
- Continued push for business process redevelopment
- Continued emphasis on adoption of open standards and commercial best practices
- Fundamental changes in systems approach (loosely coupled)
- Interoperable Smart Cards, supporting multiple applications, will offer options for improved security
- Web-based processes will dominate once growing demand for security is satisfied

Slide 37: Presidential eGovernment Directive

THE WHITE HOUSE
Office of the Press Secretary
For Immediate Release
December 17, 1999

MEMORANDUM FOR THE HEADS OF EXECUTIVE DEPARTMENTS AND AGENCIES

Report at: www.ecommerce.gov

Notes: Agencies must:
- Promote access to Government information organized not by the type of service or information that people need
- Make available online the forms needed for the top 500 Government services used by December
- Promote the use of electronic commerce, and privacy protection of citizen information
Balanced when protecting privacy: improper disclosure is a crime! Individuals must be given access to their own data. New specific protections: Health Information Privacy Protection Act (HIPPA), Child Online Privacy Protection (COPPA).
General Services Administration and PKI Steering Committee to work together to issue a minimum of 100,000 digital signature certificates to the public by December 2000.

Slide 38: Summary of Internet Authentication Risks
This analysis is for end-to-end authentication for a single transaction. (The risk table for this slide appears at the end of this page.)

Notes: Explain table structure: risk and cost columns. SSL vs. no SSL. Client certs (PKI) vs. password only. Key points are:
1) Want SSL with server certs.
2) Client certs do not require user passwords at the application level.
3) Passwords and certs have the same risk level for a single transaction.
4) Certs have the same cost as passwords.
5) You can buy more functionality (data integrity, non-repudiation) for the same price by going with certs.

Risk levels:
- VERY HIGH when vulnerable to adversaries with no special tools, skills, or resources.
- HIGH when vulnerable to adversaries with easily acquired tools and skills and with no special resources.
- MEDIUM when vulnerable to adversaries with sophisticated tools and skills and modest resources.
- LOW when vulnerable only to adversaries with highly sophisticated tools and skills, and with access to extensive resources (good/best commercial protection grade).
- VERY LOW when reasonably believed to be secure against adversaries with highly sophisticated tools and skills, and with access to extensive resources (classified protection grade).

Slide 39: Program Vision
- Common Public Key Infrastructure encourages agencies to work together
- Equitable cost sharing among agencies
- Efficient, effective, economical due to aggregation of Federal needs
- An individual's digital credentials can be used by multiple agency processes
- Anonymous certificate numbering for identification

Slide 40: Budgeting for ACES PKI Costs
(chart: Year 1 Target Volume Range)

Slide 41: ACES Membership of Trust PKI
- ACES is a bounded or membership PKI
- Membership determined by bi- and multi-lateral agreements among the participants: GSA/ACES contractor contracts; GSA/Agency Relying Agency Agreements; GSA/Vendor/Agency Registration Agreements; ACES Contractor/Subscriber Agreements
- Agreements bind parties to ACES policies
- Only members under ACES agreements may participate in ACES
- Agreements establish a legally binding PKI among participants

Slide 42: Who Can Be a Member of the ACES PKI?
- Certificate Authorities: third-party ACES contractors
- Relying Parties: any Federal agency; non-federal entities if authorized by a Federal agency for legitimate program purposes
- Subscribers: any citizen; any individual as a representative of a business, organization, or governmental entity

Slide 43: Why ACES?
- Provides interoperable governmentwide PKI; addresses both policy and technical interoperability
- Provides a full service solution: identity proofing, certificate issuance, on-line validation, certificate management, optional hardware tokens, supplemental PKI services
- Reduces costs by aggregating Federal needs; allows agencies to leverage each other's requirements
- Client preference for one certificate to do business with multiple agencies

Notes: Why interoperability: so many choices; even with standards, there are problems due to flexibility.

Want consistency with Internet Engineering Task Force (IETF) PKI X.509 (IETF PKIX) Part 4 Certificate Policy and Certification Practice Statement Specification

Privacy advocates do not want PKI to become a National ID; they fought against the distinguished name.

Validation follows credit card model - valid at time certificate presented

Slide 38 table: Summary of Internet Authentication Risks (risk level by application-level end-to-end authentication mechanism and transport protection)

Application Level End-to-End Auth. Mechanism | HTTP only, No SSL | SSL with No Certificates | SSL with Server Certificate Only | SSL with Server & Client Certificates
None                                         | VERY HIGH         | VERY HIGH                | VERY HIGH                        | LOW
Reusable Password                            | HIGH              | MEDIUM                   | LOW                              | LOW
Use Once Password                            | HIGH              | MEDIUM                   | LOW                              | LOW
SW One Time Password                         | MEDIUM            | MEDIUM                   | LOW                              | LOW
HW One Time Password                         | MEDIUM            | MEDIUM                   | LOW                              | LOW
Biometrics                                   | HIGH              | MEDIUM                   | LOW                              | LOW