Project Charter
The E-Enterprise Integrated Identity Solution Project
October 26, 2015

New Mexico Environment Department
1190 St. Francis Drive
Santa Fe, NM 87502
Contents
1. Project Description
2. Project Purpose
3. Business Case
4. Business Requirements
5. Assumptions
6. Constraints
7. Risks
8. Project Deliverables
9. Project Milestones
10. Project Manager
11. Project Roles and Responsibilities
12. Project Approach
13. Authorization
1. Project Description

The project will assess a set of existing single sign-on (SSO) systems in use at the New Mexico Environment Department (NMED), Wyoming Department of Environmental Quality (WDEQ), and Tennessee Department of Environment and Conservation (TDEC) in order to determine the impact of implementing a proposed federated identity solution. This will include (1) a review of existing state systems and EPA shared services, (2) the design of a proposed future architecture of federated identity for Exchange Network partners, (3) the implementation of a proof of concept, and (4) an analysis of impacts and requirements for a roadmap to transition to the future architecture.

2. Project Purpose

The purpose of this project is to evaluate production SSOs at NMED, WDEQ, and TDEC in terms of identity and access management, apply E-Enterprise Architecture principles and methodologies, research future state solutions, and perform a gap analysis on these three systems in order to determine the impact of implementing a proposed federated identity solution.

3. Business Case

Regulated entities currently must access multiple websites to report on and access environmental information in order to meet permitting requirements and to actively participate in environmental management. This requirement is redundant and inefficient, wasting the time of participants and impeding their compliance. A key barrier to smooth, seamless interaction between disparate systems is the need to be authenticated and be granted managed access to each system independently. Some partner systems have existing authentication and access management systems, commonly referred to as Single Sign-On (SSO) systems, already in place.
A solution to the problem of securely connecting partner systems smoothly from the end user perspective would be to provide the end user with the ability to use existing credentials for submission of reporting criteria across all systems dedicated to the reception of their required data submissions.

4. Business Requirements

Tying partner SSO systems together could provide the backbone to a Federated Identity framework that could be built upon for secure transport of documents and data, e-reporting requirements, workflow processes, user portal configuration preferences, notifications, user registration information and many other transactions that cross system boundaries. Below is a schematic of how OpenID and disparate SSO systems could be used to accomplish this objective.
A critical component also already in place is the EPA Network Authentication and Authorization Services (NAAS), which facilitates SSO in the Exchange Network through a set of shared security services for authentication and access to all the Exchange Network nodes. Existing EPA resources, including Shared CROMERR Services, will be assessed to see if they can provide required functionality for distributed identity management and authentication services at the application level.
5. Assumptions

There are three assumptions. They are as follows:
1. A federated identity solution is practical and feasible;
2. All objectives can be accomplished within 16 months;
3. The budget is sufficient to accomplish the objectives.

6. Constraints

The constraints are that (1) the project must complete by May 31, 2017; (2) the project must complete on or below the budget; and (3) the developed solution must employ network, hardware, service, and applications systems already in place.

7. Risks

If individual state solutions are non-compliant with CROMERR and other federal data and authentication and security standards, a federated solution may not be cost-effective and/or usable. Also, if partner states are unable or unwilling to fully disclose their SSO technical specifications and requirements, a complete, valid assessment will not be possible. An extensible, REST-based solution is optimal, but some states have not yet adopted the technology. These risks make a federated solution more complex and less efficient.

8. Project Deliverables

The following table lists the key project deliverables (columns: Deliverable, Activity, Target Date, Outcome):

Deliverable 1) EPA discovery and solutions assessment engagement for Federated Identity Management

Activity 1.1 (Target Date: February 15): Assess and document NAAS and Virtual CROMERR services. This task will require contractual staff hired by the host state to work with EPA's information technology staff in the form of interviews and review of system documentation to perform the necessary assessment of these services. This is the discovery portion of the EPA engagement and will require travel to the EPA worksite and collaboration with EPA's information technology staff.

Activity 1.2 (Target Date: March 31): Perform gap analysis between existing services and recommended to-be services. The recommended to-be services for NAAS and Virtual CROMERR will be identified as a result of work performed for Goal 5.

Activity 1.3 (Target Date: August 15): Identify and test high risk items from the gap analysis. This task will require working with EPA's information technology staff to run use case analysis and perhaps develop proof of concept code to test portions of the proposed solution. This is the solutions portion of the EPA engagement and will require travel to the EPA worksite and collaboration with EPA's information technology staff.

Outcome: Documentation of current as-is system from the perspective of application programming interfaces, technical requirements, functionality, and end-user interactions. Documentation that describes the additional or modified services needed for NAAS and Virtual CROMERR to meet the proposed future state documented in Goal 5. Verification of the technical feasibility of the proposed solution in the form of use cases and proof of concept code.

Deliverable 2) Host state (New Mexico Environment Department) discovery and solutions assessment engagement for Federated Identity Management

Activity 2.1 (Target Date: February 16): Assess and document NMED Secure Extranet Portal (SEP) and associated single sign-on services for access to environmental information systems. This task will require contractual staff hired by the host state to work with NMED's information technology staff in the form of interviews and review of system documentation to perform the necessary assessment of these services. This is the discovery portion of the host state engagement and will require collaboration with NMED's information technology staff.

Activity 2.2 (Target Date: March 21): Perform gap analysis between existing services and recommended to-be services. The recommended to-be services for SEP will be identified as a result of work performed for Goal 5.

Activity 2.3 (Target Date: October 15): Identify and test high risk items from the gap analysis. This task will require working with NMED's information technology staff to run use case analysis and perhaps develop proof of concept code to test portions of the proposed solution. This is the solutions portion of the host state engagement.

Outcome: Documentation of current as-is system from the perspective of application programming interfaces, technical requirements, functionality, and end-user interactions. Documentation that describes the additional or modified services needed for SEP to meet the proposed future state documented in Goal 5. Verification of the technical feasibility of the proposed solution in the form of use cases and proof of concept code.

Deliverable 3) Partner State Tennessee discovery and solutions assessment engagement for Federated Identity Management

Activity 3.1 (Target Date: August 20): Assess and document Partner State Tennessee's single sign-on services for access to environmental information systems. This task will require working with Tennessee's information technology staff in the form of interviews and review of system documentation to perform the necessary assessment of these services. This is the discovery portion of Tennessee's engagement and will require travel to Tennessee's worksite and collaboration with Tennessee's information technology staff.

Activity 3.2 (Target Date: October 10): Perform gap analysis between existing services and recommended to-be services. The recommended to-be services for Tennessee's Single Sign On System will be identified as a result of work performed for Goal 5.

Activity 3.3 (Target Date: November 1): Identify and test high risk items from the gap analysis. This task will require working with State A's information technology staff to run use case analysis and perhaps develop proof of concept code to test portions of the proposed solution. This is the solutions portion of Tennessee's engagement and will require travel to Tennessee's worksite and collaboration with Tennessee's information technology staff.

Outcome: Documentation of current as-is system from the perspective of application programming interfaces, technical requirements, functionality, and end-user interactions. Documentation that describes the additional or modified services needed for Tennessee's Single Sign On system to meet the proposed future state documented in Goal 5. Verification of the technical feasibility of the proposed solution in the form of use cases and proof of concept code.

Deliverable 4) Partner State Wyoming discovery and solutions assessment engagement for Federated Identity Management

Activity 4.1 (Target Date: September 19): Assess and document Partner State Wyoming's single sign-on services for access to environmental information systems. This task will require working with Wyoming's information technology staff in the form of interviews and review of system documentation to perform the necessary assessment of these services. This is the discovery portion of Wyoming's engagement and will require travel to Wyoming's worksite and collaboration with Wyoming's information technology staff.

Activity 4.2 (Target Date: October 16): Perform gap analysis between existing services and recommended to-be services. The recommended to-be services for Wyoming's Single Sign On System will be identified as a result of work performed for Goal 5.

Activity 4.3 (Target Date: December 15): Identify and test high risk items from the gap analysis. This task will require working with Wyoming's information technology staff to run use case analysis and perhaps develop proof of concept code to test portions of the proposed solution. This is the solutions portion of Wyoming's engagement and will require travel to Wyoming's worksite and collaboration with Wyoming's information technology staff.

Outcome: Documentation of current as-is system from the perspective of application programming interfaces, technical requirements, functionality, and end-user interactions. Documentation that describes the additional or modified services needed for Wyoming's Single Sign On system to meet the proposed future state documented in Goal 5. Verification of the technical feasibility of the proposed solution in the form of use cases and proof of concept code.

Deliverable 5) Research, solutions assessment, recommendations and presentations

Activity 5.1 (Target Date: December 13): Research current guidance and requirements from E-Enterprise Technical Architecture.

Activity 5.2 (Target Date: January 25, 2017): Research industry solutions and gather input from experts in e-commerce.

Activity 5.3 (Target Date: February 21, 2017): Propose interoperable Federated Identity Management Framework and iterate through the design with EPA and partner states to verify the feasibility of the solution. This will require collaborative work with partner states and EPA to finalize the design.

Activity 5.4 (Target Date: See above tasks): High risk components to the solution will be identified and proof of concept use cases will be developed. See tasks 1-3, 2-3, 3-3 and 4-3 above.

Activity 5.5 (Target Date: April 1, 2017): Submit artifacts of the recommended solution to the E-Enterprise Architecture Repository.

Activity 5.6 (Target Date: May 15, 2017): Present findings, process, recommendations and outcome to Exchange Network Conference and the Enterprise Leadership Council. The host state, the two partner states and EPA will contribute to and participate in the presentations.

Outcome: Whitepapers comparing industry solutions, design documentation and technical specifications describing the proposed solution, the future state Federated Identity Management Framework for interoperability, risk assessment of proposed new services recommended for EPA systems and partner systems, technical specifications and other E-Enterprise artifacts that will be submitted to the E-Enterprise Architecture Repository, and materials for presentation to the E-Enterprise Leadership Council and the Exchange Network Conference.
9. Project Milestones

Milestone Date | Milestone Name | Milestone Description
August 15 | Deliverable 1 Completed | EPA discovery and solutions assessment engagement for Federated Identity Management done
October 15 | Deliverable 2 Completed | Host state (New Mexico Environment Department) discovery and solutions assessment engagement for Federated Identity Management completed
November 1 | Deliverable 3 Completed | Partner State Tennessee discovery and solutions assessment engagement for Federated Identity Management concluded
December 15 | Deliverable 4 Completed | Partner State Wyoming discovery and solutions assessment engagement for Federated Identity Management concluded
April 1, 2017 | Deliverable 5 Completed | Research, solutions assessment and recommendations completed
May 15, 2017 | EN2017 National Meeting | Present findings and recommendations at national conference

10. Project Manager

The project manager is Bogi Malecki. Mr. Malecki is an NMED staff member with over 26 years of IT experience, including 20 years of IT project management. He has successfully led and completed over 100 IT projects and is PMI/PMBOK trained and credentialed.

11. Project Roles and Responsibilities

Name | Role | Responsibilities
Mark Morell | Systems Integrator | Bring together component subsystems into a whole and ensure those subsystems function fully.
Sam Jenkins | Solutions Architect | Interpret and translate the requirements into an information technology architecture for the solution. Create design artifacts that will be used by developers to implement the solution. Select the best technology for the presented problems.
Tom McMichael | Systems Analyst | Specify the business, functional and technical requirements. Review alternative technologies and technological approaches and recommend possible solutions. Evaluate proposed procedures and processes to develop solutions. Help develop project documentation.
Karen Craner | Technical Writer | Organize, clarify and document all technical requirements and specifications.
12. Project Approach

The project approach will be to execute four project engagements with outlined goals and tasks. Three of the engagements will be Exchange Network state partner engagements, including the host state. The engagements will perform extensive architecture and design analysis and discovery on existing state Single Sign On systems, document the current functionality, capability and technology in use, perform a gap analysis on the existing system, and present recommendations for modifications to achieve the proposed future state. One of the engagements will be with EPA to perform analysis and discovery on NAAS, the existing Single Sign On in use for the Exchange Network partners, and to assess the service offering of the Virtual CROMERR system, in order to develop a proposed future state that incorporates the requirements from the partner states. Gap analysis on the EPA system and recommendations will be documented and presented. Some prototype work is expected in order to verify and further define some of the proposed recommendations. The project methodology and outcomes will be presented at the FY17 Exchange Network Conference and to the E-Enterprise Leadership Council.

13. Authorization

Provide the names of those business sponsors that must sign the Project Charter. Once the Project Charter is signed by the project sponsors, the project is authorized to start.

Approved by the Project Sponsor:
Mary Montoya, CIO, New Mexico Environment Department
Date: