Unraveling the B2B Process

LTC Linda Guthrie, Laboratory Manager, WAMC
LTC/Ms Robin Wein, B2B Project Manager, WAMC
Mr Jeff Shockley, Roche Diagnostics

OBJECTIVES
• Understand the key functional benefits and the impact on laboratory operations that the laboratory will realize with a networked laboratory vendor
• Deliver an instructive presentation on the B2B and CON certification that WAMC pursued and achieved with Roche Diagnostics as its laboratory partner
• Provide recommendations on developing a B2B and achieving network certification

ABSTRACT
Since the events of 9/11, the computer security requirements for DoD facilities have intensified, and this has had an impact on laboratories and their networked instrumentation and devices. The Business to Business (B2B) Gateway is how laboratories obtain remote connectivity with commercial vendors. TIMPO, DISA, the MTF and the vendor all play a role, but well-planned coordination is essential in streamlining this process.

MHS B2B Gateway
The MHS Business to Business (B2B) Gateway provides MHS commercial partners secure access to DoD locations for non-web based traffic. It provides an assured computing path for the enterprise. The B2B Gateway was initially set up to support the Managed Care Support Contractors (MCSC) and is now available for use by designated providers and commercial partners connecting to the services.
◦ Currently 40+ commercial partners connect to several DoD locations, including DMDC, DFAS, and the MTFs, via the B2B Gateway.
◦ Over 3000 users and numerous system connections provide eligibility verification and claims processing for Active Duty, dependents, and retirees, and remote maintenance for various healthcare programs and systems.
Key Stakeholders
• TMA Falls Church
  ◦ Joint Medical Information Systems Program Office (JMIS)
  ◦ Defense Health Information Management System
  ◦ Defense Health Services Systems (DHSS)
  ◦ Tri-Service Infrastructure Management Program Office (TIMPO)
  ◦ Information Assurance (IA) Program Office
• Military Medical Departments / MTF
• Defense Information Systems Agency (DISA)
• Commercial Partners, e.g. Roche, MAS

Government Sponsors
• Be knowledgeable on the B2B process
• Do not initiate a B2B without having a contract with the vendor
  ◦ Vendor evaluation: always verify the claims a vendor makes about what it has or can do. More often than not, vendor sales personnel do not understand the B2B process and "think" that someone in their company has a DIACAP, a CON or a B2B initiated. This claim usually cannot be substantiated.
  ◦ Verify with TIMPO whether the vendor is on their VPN Connectivity list, or whether an initial B2B has been initiated or established.

Promises, Promises, Promises
Our company can remotely take control of your instrument in the laboratory to perform:
◦ Troubleshooting
◦ Potentially make repairs
◦ Calibrations
◦ Diagnostic procedures
◦ Fix corrupt files
◦ Monitor QC and calibration

Vendor Promises
Without an established B2B these promised functions cannot take place in a DoD lab!
The laboratory may be able to place equipment in the department, but network connectivity is not possible until many lengthy requirements are met:
◦ Certificate of Networthiness (CON), or DIACAP
◦ Vendor background checks
◦ IA training
◦ Diagrams
◦ VPN device
◦ Completed, tested, and approved B2B

Roles and Responsibilities: Commercial Business Partner
• Provide network information
• Procure and install a B2B Gateway compatible VPN/encryption device
• Procure a Tier I or Tier II Internet Service Provider for connectivity
• Provide qualified on-site touch labor technical support
  ◦ Help resolve telecommunications issues and support routine maintenance activities
• Obtain DoD Information Assurance Certification and Accreditation Process (DIACAP) accreditation, or a CON, as required: http://www.tricare.osd.mil/tmis_new/IA.htm#ditscap
• Complete a Data Use Agreement, if required
• Ensure personnel have appropriate security qualifications
• Ensure personnel complete annual Information Assurance Training
• Report all problems to the MHS Help Desk
• Provide 24 x 7 on-call technical points of contact
  ◦ Assist in problem resolution
• Provide configuration management of the B2B Gateway Questionnaire / VPN Implementation Plan

Roles and Responsibilities: DoD Locations
• Provide the Ports, Protocols, and Services (PPS) information necessary to support the B2B Gateway connection
• Submit a change request to the local Change Control Board
• Configure the local area network to support the B2B Gateway connection
• Ensure that the appropriate technical support personnel are available to participate in end-to-end connectivity testing
• Ensure that the appropriate technical support personnel are available to participate in problem management

Many moving pieces in the B2B Gateway
VPN device; TIMPO; Government Sponsor; Certificate of Networthiness (CON); Go/No-Go conference call; DD 2875; Statement of Work (SOW); As-Is Diagram; firewalls; SAIC; background check (ADP Level 2); DISA; DIACAP; contract number; front end connectivity testing; IA annual training; Management Configuration Board; Last Mile Diagram; IP addresses; B2B kick-off meeting; end-to-end testing; SF 85P

B2B Requirements: overview
• Well-written contract SOW
• Vendor personnel security
• IT diagrams; CON/DIACAP
• IP addresses; VPN device
• Approved B2B document (DISA and TIMPO)

B2B Gateway Overview
• Provides authorized MHS Business Partners secure access to the DoD network
  ◦ Connects MHS information systems on Defense Information System Network (DISN) infrastructure and MHS Business Partners on commercial infrastructure in support of the DoD healthcare mission
  ◦ Complies with DISN policy
  ◦ Provides support for non-Web based applications
  ◦ Supports secure e-commerce for client/server and system-to-system interfaces
• Enterprise solution
  ◦ Not intended to provide a Secure Remote Access solution for individuals

B2B Gateway Management
• MHS Business Partner: procures the VPN device and the Internet Service Provider; manages its own LAN
• DISA Montgomery / TIMPO VPN Team: manages the VPNs at the MHS Business Partner location and at DISA DECC Montgomery and Columbus; manages the MHS VPN domain
• DISA Columbus: VPNs between DISA Columbus and the .mil location
• .Mil location: manages its own LAN

B2B Gateway Functions
• Provide an assured computing path for the enterprise
• Meet authentication, integrity, and confidentiality requirements for the DoD healthcare environment
• Provide high availability and redundancy with duplicate components and diverse sites
• Share components and circuits with the Web DMZ
• Support documented requirements for MHS Business Partner connections and services

B2B Gateway Security Features
• Controlled access to the NIPRNet
• Encryption: Triple Data Encryption Standard (3DES) Internet Protocol Security (IPSec) VPN
  ◦ Contractor site to gateway
  ◦ Gateway to DoD destination
  (3DES has since been deprecated by NIST in SP 800-131A Rev. 2 and is disallowed after 2023; a current deployment of the same design would use AES.)
• Traffic/transaction inspection
• Address translation simplifies DoD traffic filtering
• User authentication to the Gateway: individual user ID and password
• Audit capability

B2B Gateway: Initial Steps
• Government Sponsor
  ◦ KNOW YOUR VENDOR!
  ◦ Set expectations up front: commitment and drive to complete the B2B process; purchase of a VPN device; time to coordinate with the Hospital Project Manager; ability to provide confidential proprietary information; the process may take 6 months to one year
• Contract must be established first
  ◦ Include IT security requirements in the Statement of Work (SOW)

Connectivity SOW
III. SOW for IT Connectivity Solution:
A. Telecommunication:
1. All contractor systems that will communicate with DoD systems will interconnect through the established MHS B2B gateway. For all Web applications, contractors will connect to a DISA-established Web DMZ.
2. In accordance with contract requirements, MCS contractors will connect to the B2B gateway via a contractor-procured Internet Service Provider (ISP) connection. Contractors will assume all responsibility for establishing and maintaining their connectivity to the B2B gateway. This will include acquiring and maintaining the circuit to the B2B gateway and acquiring a Virtual Private Network (VPN) device compatible with the MHS VPN device.
3. Contractors will comply with DoD guidance regarding allowable ports, protocols and risk mitigation strategies.
4. All costs for VPN hardware and software will be incurred by the contractor.

B2B Gateway: Initial Steps
• B2B kick-off meeting conference call
  ◦ TIMPO: Christopher McDonald
  ◦ MTF: lab, IT, SAIC
  ◦ Vendor awarded the contract
• Provide the current blank B2B document (v6) to the vendor prior to the conference call
• TIMPO will answer any questions from the group and steer everyone in the right direction

TIMPO Point of Contact
Christopher McDonald
KSJ & Associates, Contractor Program Management Support
Tri-Service Infrastructure Management Program Office (TIMPO)
5205 Leesburg Pike, Suite 1301
Falls Church, VA 22041
703-399-2276, Fax: x2260
Christopher.McDonald.ctr@tma.osd.mil

B2B Gateway Coordinating / WAMC
• Initial vendor requirements
  ◦ Certificate of Networthiness (CON): submitted to the WAMC Project Manager, then to the WAMC Management Configuration Board for local approval
  ◦ Initiate background checks (2 months+): establish a POC in the Security Office; vendor employees work directly with the Security Office and complete the SF 85P; once the WAMC Security Officer is satisfied with the SF 85P, fingerprints, etc., the package is submitted to OPM
• DD Form 2875, System Authorization Access Request (SAAR)
  ◦ Vendor employee completes it after the SF 85P is submitted to the Security Office
  ◦ Information Assurance Training must be completed (and annually thereafter): Ft Gordon website; Certificate of Training submitted
  ◦ Government sponsor and Project Manager provide justification and approval signatures
  ◦ Submitted to the Security Officer for review and signature
  ◦ Delivered to the local IASO for review, signature, and filing

B2B Gateway Coordinating
• Vendor IT staff completes the B2B document
  ◦ Some items of the CON may be duplicated in the B2B document
  ◦ System performance requirements
  ◦ VPN Implementation form
  ◦ Connectivity requirements sheet (Appendix E)
  ◦ "As Is" Diagram
  ◦ Last Mile Diagram
  ◦ VPN device procured
• Vendor submits the completed B2B document to the WAMC Project Manager
  ◦ Reviewed to ensure all areas are filled in (i.e. no major blank areas)
  ◦ Project Manager works on the B2B POC information, local IP addresses from the IMD engineer, and project dates for testing
  ◦ Submitted to TIMPO (Chris McDonald) for initial approval
• WAMC Project Manager attends the local CMB to obtain local IMD approvals
  ◦ Provides an overview for the IMD group
  ◦ Answers IMD questions pertaining to the B2B
  ◦ IP addresses are provided following this approval process
• Go/No-Go conference with TIMPO
  ◦ Vendor, MTF, TIMPO, DISA
  ◦ Purpose is to verify that all configuration changes needed to support a successful connectivity test are complete
  ◦ Final approval from DISA/TIMPO provided
  ◦ Front end and end-to-end (E2E) testing dates projected
• Vendor mails the VPN device to DISA Montgomery
  ◦ Device is configured by DISA engineers
  ◦ Device returned to the vendor to be racked and stacked
  ◦ Front end testing can now take place between DISA and the vendor
  ◦ E2E testing usually follows two days later and brings the MTF/destination site into the testing
• Vendor may need to have service engineers on site to assist with the testing
• Once testing is complete, vendor equipment may be brought online with full connectivity and networked capabilities

B2B: Adding another DoD site
• Appendix E
  ◦ IP addresses changed to the new site
  ◦ The .mil POC information updated
  ◦ Government sponsor name updated
• RALS/MAS B2B established in April 09
  ◦ Sites added: Camp Lejeune, William Beaumont AMC, NH Guam

B2B Gateway Implementation: A Vendor's Perspective
Jeff Shockley, March 22, 2010

High-Level Components of the Project
• Contract modification
• Networthiness / DIACAP documentation
• Background checks
• B2B Gateway documentation
• B2B Gateway connectivity / end-to-end testing

Resource Requirements
• Strong Gov't sponsor commitment
• Strong vendor commitment
• Project management
• Application engineers
• Network administration
• Security management
• Legal
• Human resources
• Instrumentation SMEs
• Call center / service

Contract Modification
• Fairly straightforward
• Contractor responsible for their VPN hardware
• Background checks for all personnel accessing systems

Networthiness / DIACAP
• Sub-requirement for the B2B Gateway
• Requirement may differ per site or branch
• CON vs. DIACAP
• Preliminary security scans
• Proposed mitigations
• SME analysis (ports, protocols, restrictions)

Background Checks
• Phased / batch approach
• Consent release form (opt-in)
• US citizens vs. non-US citizens
• Hands-on / hands-off balance
• Expense reimbursement
• Annual security awareness training

B2B Gateway Documentation
• Huge amount of information overlap with CON / DIACAP
• Network infrastructure understanding: network boundaries, firewalls
• Ports and IP address restrictions
• As-Is diagram
• Timing / schedule expectations

Going Forward: Setting the Foundation
• Contract modification (each site)
• CON / DIACAP (each site)
• B2B Gateway documentation (modification)
• Background checks (no changes)

Thank you for your attention.

Roche Diagnostics Ltd., 6343 Rotkreuz, Switzerland
COBAS and LIFE NEEDS ANSWERS are trademarks of Roche.
This presentation is our intellectual property. Without our written consent, it shall neither be copied in any manner, nor used for manufacturing, nor communicated to third parties.
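The connectivity requirements sheet (Appendix E), the PPS information the DoD location supplies, and the vendor's point above about ports and IP address restrictions reduce to one question that the Project Manager or IASO should be able to answer before the CMB and the go/no-go call: does every flow the vendor requests come from the address the gateway will present, terminate on a declared instrument host, and use a protocol and port the Change Control Board has approved? The following is an added example written for this page, not code from the presentation, WAMC, TIMPO or Roche. It models the sheet as a list of flows and keeps one policy per .mil location, so adding another DoD site (the Appendix E update on the slide above) is a new policy object carrying that site's addresses. Every address, port and purpose string, and the `Flow`, `SitePolicy`, `check_flow`, `review_sheet` and `sheet_is_approvable` names, are assumptions constructed for illustration.

```python
"""Checking a B2B connectivity requirements sheet before the CMB and go/no-go.

Added example, not material from the WAMC/Roche presentation. It treats the
Appendix E style sheet as a list of requested flows and applies the kinds of
restrictions the deck mentions: declared IP addresses, an approved ports and
protocols list, and one policy per .mil site. Every address, port and
hostname here is constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One line of the connectivity sheet: who talks to what, and how."""
    source: str        # vendor-side address as the gateway presents it after NAT
    destination: str   # instrument or server on the .mil LAN
    protocol: str      # "tcp" or "udp"
    port: int
    purpose: str       # free text copied from the sheet


@dataclass(frozen=True)
class SitePolicy:
    """What one DoD location agreed to in its PPS information.

    Adding another site means a new SitePolicy with that site's addresses;
    the check logic stays the same.
    """
    name: str
    vendor_block: ipaddress.IPv4Network   # NAT range the gateway uses for this vendor
    instrument_hosts: frozenset           # declared .mil destinations
    allowed_pps: frozenset                # (protocol, port) pairs approved by the CCB
    # Cleartext or remote-admin services a CCB would refuse regardless of the sheet
    banned_ports: frozenset = frozenset({21, 23, 445, 3389})


def check_flow(flow: Flow, policy: SitePolicy) -> list:
    """Return the findings for one flow; an empty list means the flow is acceptable."""
    findings = []
    try:
        src = ipaddress.ip_address(flow.source)
        dst = ipaddress.ip_address(flow.destination)
    except ValueError as exc:
        return [f"unparseable address: {exc}"]
    if src not in policy.vendor_block:
        findings.append(f"source {src} is not in the vendor NAT block {policy.vendor_block}")
    if dst not in policy.instrument_hosts:
        findings.append(f"destination {dst} is not a declared instrument host at {policy.name}")
    proto = flow.protocol.lower()
    if proto not in ("tcp", "udp"):
        findings.append(f"protocol {flow.protocol!r} is not tcp or udp")
    if flow.port in policy.banned_ports:
        findings.append(f"port {flow.port} is a cleartext or remote-admin service the CCB will not approve")
    elif (proto, flow.port) not in policy.allowed_pps:
        findings.append(f"{proto}/{flow.port} is not on the approved PPS list for {policy.name}")
    return findings


def review_sheet(flows, policy: SitePolicy) -> dict:
    """Map every flow on the sheet to its findings."""
    return {flow: check_flow(flow, policy) for flow in flows}


def sheet_is_approvable(flows, policy: SitePolicy) -> bool:
    """True only when no flow has a finding: the state you want before the go/no-go call."""
    return all(not findings for findings in review_sheet(flows, policy).values())


# Constructed sample: a hypothetical site policy and a vendor sheet with two bad lines.
SITE_A_POLICY = SitePolicy(
    name="site-A",
    vendor_block=ipaddress.ip_network("192.0.2.0/28"),
    instrument_hosts=frozenset({ipaddress.ip_address("10.20.30.41"),
                                ipaddress.ip_address("10.20.30.42")}),
    allowed_pps=frozenset({("tcp", 443), ("tcp", 22)}),
)

SAMPLE_SHEET = [
    Flow("192.0.2.5", "10.20.30.41", "tcp", 443, "remote diagnostics console"),
    Flow("192.0.2.5", "10.20.30.42", "tcp", 22, "log and QC data retrieval"),
    Flow("192.0.2.5", "10.20.30.41", "tcp", 23, "legacy telnet maintenance"),    # banned port
    Flow("203.0.113.9", "10.20.30.99", "udp", 161, "SNMP polling of analyzer"),  # wrong source, undeclared host, off-list PPS
]

if __name__ == "__main__":
    for flow, findings in review_sheet(SAMPLE_SHEET, SITE_A_POLICY).items():
        status = "OK " if not findings else "FIX"
        print(f"{status} {flow.protocol}/{flow.port} {flow.source} -> {flow.destination}: {flow.purpose}")
        for finding in findings:
            print(f"      - {finding}")
    print("approvable:", sheet_is_approvable(SAMPLE_SHEET, SITE_A_POLICY))
```

Run as a script it prints one line per flow with its findings. The banned-port list is a judgment call and should mirror what the local Change Control Board actually refuses; the check only screens the paperwork and does not replace the DISA front end and end-to-end tests, which exercise the real gateway and VPN configuration.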