
Pages 1 through 9 redacted for the following reason: all pages withheld under exemption (b)(5) - drafts.

DEPARTMENT OF HEALTH AND HUMAN SERVICES


Office of the Secretary Washington DC 20201

Meeting Minutes: CTO Council Meeting
Date: January 2011
Time: 10:30 AM
Dial-in number and participant code: (b)(5), (b)(6)
Roll Call: Celine Neves, OCIO/EA

Office    Member
ACF       Jenkins, David
AHRQ      Erny, Tim
AoA       Banning, Sue
CDC       Sagoo, Jaspal
CDC       Boyd, Terry
CDC       Baum, Earl W.
CMS       Margush, Doug C.
CMS       Wilke, Sherry
FDA       Coene, Michael
NIH       Burton, Adriane
NIH       Bailey, Steve
NIH       Akiyama, Darrick
OCIO      Mitchell, Timothy
OCIO      Neves, Celine
PSC       Rollins, Dwayne
SAMHSA    Walters, James R.

Also present: Jim Tyson and James Fu (ACF). Members attended by phone.

Welcome - Opening Remarks
Chair: Jaspal Sagoo, CDC Chief Technology Officer (CTO)

Jaspal Sagoo recapped the last meeting and encouraged everyone to read the documents in SharePoint. He went on to say that we are in Phase II and that assignments were distributed:

CDC: Transition Plan, Process Documentation, Alternative Analysis Process
HHS EA: Service Architecture (all of back office support: data architecture, SOA)
Technical Architecture: not yet assigned, because it is dependent on the design of the service architecture.

Jas indicated that Celine and he would be reaching out to the members to solicit further participation as the tasks are rather large.

0010

Business
Status of Alternative Analysis guidance

The first priority is to provide guidance to all the OPDIVs on how to conduct the alternative analysis for cloud computing. The old OMB passback language had given enough time and latitude to conduct the analysis, but in December new passback language came out specifying "Cloud First" for ALL IT investments. What this means for the Department is that for every investment, whether minor or major, whether reported in the OMB-300 or not, the IT organization has to do the analysis for cloud hosting as well as for hosting internally. As a result, the workgroup needs to develop the guidance.

After reviewing the OMB-300 submission, where we had put standard language for what the Department was doing, OMB came back and asked the Department to specify what we are doing and to identify timelines for our initiatives. The CTO Council therefore requested guidance on how to conduct the alternative analysis by the end of January. Jas and the team have started developing the guidance and are seeking assistance. The intent is to present the guidance to the CTO Council so that IT organizations have guidance on how to conduct the analysis: the draft guidance needs to be completed by the end of the week, the final guidance by the end of the month, and the alternative analysis itself by mid or end of February. The guidance will go before the CIO Council for ratification. The intent of giving the alternative analysis guidance to the IT organizations is so that they can disseminate it to the business owners who need it, so that those owners can do the analysis by mid-February. This is why the timeline has been set so aggressively.

Jas provided a paragraph to Mary Forbes so she can respond to OMB and satisfy their requirements. OMB is pushing us to show them that we are in earnest making attempts to look at Cloud First for all of our investments. The paragraph discusses the work the HHS CCAC group is doing, including the timeline and when the guidance will be in place. Mary is going to be sending the information to OMB this week. Provided OMB accepts our proposal, this committee has a little more latitude if we have to shift the timeline back.

The first guidance tells the business owner what they have to tell their IT organization about their system; it could be a new system, an enhancement, or steady state. The passback language does not discriminate among investments: all investments must consider a cloud alternative. Jas said they are developing a set of questions in template form, similar to a security baseline, which asks the same kinds of questions. As soon as the template is ready, it will be sent to the committee to vet. The turnaround time is going to be very short. That is the first part. Then the analysis begins. The IT organization then determines costing within its own organization. The committee will provide guidance on the vendors. Jas is looking at FedRAMP and the Fed CCAC; they are putting together a "care package" for us. This will turn into a list of questions to ask vendors, which will be forwarded to the HHS CCAC members for vetting.

The HHS Governance council has not yet been established. How does a system already in steady state, production, etc., get back into the loop so that the analysis is done? The obvious choice was the EPLC process. IT infrastructure is not well represented in the EPLC process; there was a critical partner role for EA, but not one that specifically addressed the impact of IT initiatives on the overall IT infrastructure of an organization. So they are proposing to the EA PMO that IT infrastructure be included in the partnership review, so that the analysis can be conducted in the review process. We need to ensure that the IT organization has visibility into the earliest stages of an IT initiative, so that we capture not only the business requirement but also the technical and infrastructure requirements, and make sure those are directed to the best service provider (remembering that the current guidance from OMB is Cloud First). Is there a commercial or government-wide cloud provider that can provide the services at the security level needed? If not, direct the project internally. An RFI is being developed.

The question was posed: where is the money going to come from to transition current systems into the cloud? When you do the analysis you need to take this into consideration. If it is an existing system, part of the analysis will be the cost to transition the system into the cloud. It could well be that cost is the prohibiting factor, and that will have to be factored in. If moving the system is not cost effective, that will be one of the factors that determine whether the system is transitioned to the cloud. All OMB is saying is that we have to consider cloud first and at least do the analysis. OMB recognizes the financial constraints that agencies are facing and is working to rectify this matter, in particular the way that funding is handled. Many organizations do not have IT funds for such initiatives. Under the 25 Point Implementation Plan to Reform Federal IT Management (Cloud First), OMB is expecting us to favor cloud first and to address the funding issues (the "color of money").

The work breakdown structure is posted in SharePoint.

Discussion of the formation of an HHS Cloud Computing Governance Council

It is critical that we have a permanent body that deals with ongoing cloud governance for the Department. It could be that this committee morphs into the governance body. We need representation from all the OPDIVs.


Since there was no dissent, the topic will be raised at Tuesday's CTO Council meeting, and membership will be sought so that a charter can be developed.

Wrap up
Draft guidance will be distributed to the members for review, with a request for a quick turnaround. CDC will compile a list of the vehicles being used for procurements throughout the Department, with the POC for each contract holder, so that if there is a particular vendor the OPDIVs can use, they can leverage the contract.

Next Meeting: January 25, 2011, 9:00-10:30


CCAC Meeting Minutes


Date: 1/25/2011   Time: 9:00-10:30 AM   Location: Phone
Facilitator: Jaspal Sagoo, CDC
Recorder: Nicole DElia

Attendees:

Office        Member
ACF           David Jenkins
ACF           James Fu
ACF           Jim Tyson
AHRQ          Tim Erny
AoA           Sue Banning
CDC           Jaspal Sagoo
CDC           Terry Boyd
CDC           Earl W. Baum
CMS           Sherry Wilke
CMS           Doug C. Margush
FDA           Michael Coene
IHS           Bernie Dailleboust
IHS           Mark Rives
NIH           Steve Bailey
NIH           Adriane Burton
NIH           Darrick Akiyama
OCIO          Timothy Mitchell
OCIO          Celine Neves
PSC           Dwayne Rollins
SAMHSA        James R. Walters
EA/OCIO/CTR   Kumar Radhakrishnan
EA/OCIO/CTR   Brian Leitao
EA/OCIO/CTR   Nick Mistry

Agenda & Notes


Welcome/Opening Remarks - Chair Jaspal Sagoo, CDC Chief Technology Officer (CTO)

Action Items:
- Need to get minutes out on time for review; need to approve minutes as the first order of business in future meetings, starting with the Feb 8 meeting.

Introduction of New HHS EA Team Members - Earl Baum, CDC & HHS EA Team

Introduction of Kumar and Brian: they cover the EA portion and are helping out with the cloud portion for the organization. They have prior experience with implementing cloud and are working to enable a good cloud strategy for HHS and to make sure we have a well-formulated strategy. Nick Mistry, et al., are working with Earl and Jaspal.

HHS Cloud Update - Jaspal Sagoo, CDC

The HHS Cloud Computing Advisory Committee is developing the HHS Cloud Computing Architecture and Transition Plan, based on input from the following sources:
- Original OMB Passback Language
- Federal CIO's 25-Point document
- Draft Federal Cloud Computing Strategy document
- OMB Cloud Computing Alternative Analysis: a necessary first step in developing and deploying cloud-hosted services in a consistent manner across HHS

Customer Requirements Development: part of the existing EPLC process; done during the initiation/concept phase; want to capture sufficient information in the concept stage gate.

Cloud Computing Governance: provides additional input into the alternative analysis; need to nail down the actual processes and how they relate to the other processes. Looking at forming a Governance Council for Cloud Computing: Services, Costs, and Contracts tracking; developing standardized language for RFIs and cloud service providers; maintaining a list of approved vendors/service providers that can be applied to initiatives.

Cloud Service Provider Analysis: RFI "care package" (from GSA?); developing templates where each vendor can provide standardized rate cards, including how to request customized quotes. To some extent, internal IT organizations are treated as cloud service providers during the Alternative Analysis: each internal IT organization at the OPDIV level provides rate card information as well.

Proposing to formalize an IA critical partner role for major and smaller investments, starting at the conceptual stage/first stage gate. Need to know what it will cost for the existing internal IT organization to host the system, and gather RFI information to see the cost for an external host.

Business Steward: the IT organization will send, from EPLC or independently, questions to the Business Steward about the characteristics of the system (similar to a security baseline) that the Business Steward has to answer.

Questions/Responses: When is the Alternative Analysis triggered? For a new investment, during initiation and concept; for steady state/upgrading an existing system, at minimum an Alternative Analysis before the 53s and 300s.

Progress To-Date - Earl Baum, CDC & Charles Martin, CDC

Target Key Business Process Model (Responsibility: CDC, In Progress): carry-on work from the reference architecture worked on last summer.
- All top-level Cloud Service Processes
- Cloud vendor service catalog/rate-sheet maintenance
- Cloud alternative analysis
- EPLC extensions: IT Infrastructure Critical Partner Role

Target Service Component Architecture (Responsibility: HHS EA, Not Started):
- HHS Federated Data Architecture
- HHS Federated SOA Catalog

Target Technical Architecture (Responsibility: Unassigned, Not Started): depends on input from the previous steps; need to see what the dependencies are.

Transition Recommendation & Blueprint Document (Responsibility: CDC, Terry Boyd, In Progress): depends on input from the previous steps; in a holding pattern at the moment. Will need to divide the work up. Sequence Diagram and Milestones should be complete within 90 days, to feed into the OMB 120-day guidance; core components need to be fairly far along in 120 days.

Guidance Development - Target Key Business Process Model (this flows out of the statement of work). Key points: nailing down key processes and the relationships between processes; assigning who owns each process.
- Define target business processes and their performance, including organizational relationships
- Define target data relationships and business data stewards
- Define the target information services
- Ensure the target business and information architecture addresses strategic improvement opportunities

On the contract side (CDC, HHS contracting staff): make sure we are asking for enough information from each service provider to come up with a rate card that is sufficiently useful and complete/accurate. Likewise with governance: enough guidance, but not too much.

To make this happen: take a federated approach, in which each OPDIV maintains its own suite of contracts and list of approved vendors; a one-size-fits-all process is the goal for feeding into the analysis. On the back end, adopt the recommendation; looking at tying cloud deployment into a standardized, HHS-wide data architecture. Federated approach to SOA, to ensure a useful catalog of services as we deploy cloud. An overarching set of HHS-wide processes/standards, implemented at the OPDIV level with additional OPDIV-level conditions and procedures, ensures everyone is following the same general process. Internal IT organizations have the potential to become cloud providers for other organizations, not just their own internal programs. Funding issues: we will ensure that the strategies and processes we develop stay within the boundaries of current appropriations laws and language.

Document templates: sanity check, are we capturing everything you need to know? Feed information back to us.

Action Items:
- Define the individual/group specific to IT infrastructure within each OPDIV who handles the alternative analysis; tie to the existing EPLC process as well. Will send out within the next week or so (recommended HHS-wide); want a consistent POC within each OPDIV. Responsibility: CDC? Due around February 1st.
- Requirements Definition: trying to get enough information, without gathering too much, to do an effective analysis; scope, security level (will sensitive data be posted on the system?), timeline for the system; tie into EPLC documentation. Responsibility: CDC? Due around February 1st.
- Document Templates for Alternative Analysis. Responsibility: CDC? Due around February 1st.
- Reaching out for contract vehicles: data call for existing contract vehicles and vendors within the OPDIVs; then will figure out how to request information from all these vendors. Responsibility: Jaspal/CDC. Due prior to the February 8th meeting?
- Hoping to receive the care package RFI from GSA prior to the next meeting.

Wrap Up

End of this week/beginning of next week: Jaspal will be sending out a lot of these documents for comment, first to the CTO Council, then to Mary and John Teeter to be put on the agenda for the CIO Council.

Next Meeting: February 8, 2011, 9:00-10:30

ITSO <Branch> - 04-CCAC Minutes Jan-25-2011 (tracker plus roll call) - Revision: 7/20/2011

Action Item Tracker:

Columns: ID; Action; Accountable; Due Date; Status.

1. Meeting minutes
   Action: Need to get minutes out on time for review; need to approve minutes as first order of business in future meetings starting with the Feb 8th meeting.

2. Target Key Business Process Model
   Action: All top-level Cloud Service Processes; Cloud vendor service catalog/rate-sheet maintenance; Cloud alternative analysis; EPLC extensions - IT Infrastructure Critical Partner Role.
   Accountable: CDC. Status: In Progress.

3. Target Service Component Architecture
   Action: HHS Federated Data Architecture; HHS Federated SOA Catalog.
   Accountable: HHS EA. Status: Not Started.

4. Target Technical Architecture
   Action: Depends on input from the previous steps.
   Accountable: Unassigned. Status: Not Started.

5. Transition Recommendation & Blueprint Document
   Action: Depends on input from the previous steps; in a holding pattern at the moment. Will need to divide the work up. Sequence Diagram and Milestones should be complete within 90 days, to feed into OMB 120-day guidance.
   Accountable: CDC, Terry Boyd. Status: In Progress/Holding Pattern.

6. Guidance Development
   Action: Target Key Business Process Model; assigning who owns each process; define target business processes and their performance including organizational relationships; define target data relationships and business data stewards; define the target information services; ensure target business and information architecture addresses strategic improvement opportunities.
   Accountable: CDC?

7. Defined IT Infrastructure POC
   Action: Define individual/group specific to IT infrastructure within each OPDIV who handles the alternative analysis; tie to existing EPLC process as well (recommended for HHS wide); identify consistent POC within each OPDIV.
   Accountable: CDC? Due Date: Around February 1st.

8. Requirements Definition/Gathering
   Action: Timeline for system; tie into EPLC documentation.
   Accountable: CDC? Due Date: Around February 1st.

9. Document Templates for Alternative Analysis
   Accountable: CDC? Due Date: Around February 1st.

10. Data call for existing contract vehicles
   Action: Data call for existing contract vehicles and vendors within the OPDIVs, then will figure out how to request information from all these vendors.
   Accountable: CDC, Jaspal. Due Date: Prior to February 8th.

CCAC Meeting Minutes


Date: 2/8/2011   Time: 9:00-10:30 AM   Location: Phone
Facilitator: Brian Leitao, EA/OCIO/CTR
Recorder: Nicole DElia, EA/OCIO/CTR

Attendees:

Office        Member
ACF           David Jenkins
ACF           James Fu
ACF           Jim Tyson
AHRQ          Tim Erny
AoA           Sue Banning
CDC           Jaspal Sagoo
CDC           Terry Boyd
CDC           Earl W. Baum
CMS           Sherry Wilke
CMS           Doug C. Margush
FDA           Michael Coene
IHS           Bernie Dailleboust
IHS           Mark Rives
NIH           Steve Bailey
NIH           Adriane Burton
NIH           Darrick Akiyama
OCIO          Timothy Mitchell
OCIO          Celine Neves
PSC           Dwayne Rollins
SAMHSA        James R. Walters
EA/OCIO/CTR   Kumar Radhakrishnan
EA/OCIO/CTR   Brian Leitao
EA/OCIO/CTR   Nick Mistry
CDC           Jay Burton
CDC           Charles Martin

Agenda & Notes


Welcome/Opening Remarks - Chair Jaspal Sagoo, CDC Chief Technology Officer (CTO)

Alternative Analysis and Supporting Processes - Jaspal Sagoo, CDC

Developing the Alternative Analysis for Cloud First; once ratified, it will be used as guidance for the analysis in each OPDIV; needed for the OMB 300s.

Action Items:
- Read HHS Cloud Computing Implementation and Governance Draft v0.1 (Alternative Analysis first draft); provide input/comments/questions/errors/omissions.

CIO Slides - Jaspal Sagoo, CDC

Slides for the upcoming presentation to the CIO Council:
- 3 "Must Move" services to the Cloud in the next 18 months; the CIO Council will deliberate.
- Need to provide guidance to HHS and the OPDIVs to consider Cloud First; this will be accomplished through the Alternative Analysis.
- The NIST Definition of Cloud Computing will be covered with the CIOs. All three service models will be considered: SaaS, PaaS, IaaS.
- The CCAC is: developing guidance on Alternatives Analysis for Program Managers; developing an information gathering template; developing process models and rules; updating EPLC to account for cloud innovation.
- The draft Alternative Analysis document contains roles, functions, processes and criteria.
- RFI: building in a standard way of requesting customized quotes.
- The Governance Body will maintain and update the list of vendors and make it available to all stakeholders; it will maintain service provider cost and security data.
- Internal Analysis (cost of hosting the system internally), then External Analysis; based on the RFI responses you get back, make a recommendation. This is an iterative process, not a one-time process. A program can accept or reject the recommendation, but then needs to follow the protocols.
- Cloud training will need to be provided for the Critical Partner as well.

Work Assignments - Jaspal Sagoo and Earl Baum, CDC

Deliverable A0 - Customer Requirements Development. Lead: Earl Baum. Leveraging existing processes to the extent possible; adding Critical Partner / Alternative Analysis to the EPLC process; Security: adding to the existing CNA process; trying to provide standardized language and feed into existing processes. Tim Mitchell requested to join this workgroup.

Deliverable E0 - Cloud Computing Support Governance. Lead: should be Sherry Wilke or Doug Margush. Leveraging existing processes to the extent possible here too; need to fine-tune the procurement cycle and security.

Deliverable B0 - Services, Costs, Contracts. Ginny Howard, Terry Boyd; Lead: not determined. Internal and external hosting providers; early draft of contract language for the RFI; potential for interagency collaboration. Need a lead for all of these areas.

Deliverable C0 - Cloud Support Services. Lead: Kumar. Longer term: support the overall Cloud and other HHS EA architecture; develop a consistent HHS-wide data architecture (NIH is working on this, as is the HHS EA team).

Deliverable F0 - Solution Implementation. Lead: not determined/CDC? Due date is after 4/1/2011. Need support from anyone and everyone. Transition Plan/Blueprint that ties everything together, turning all of this into a roadmap. End goal: turn the suite of processes over to the CTO and CIO Councils for them to use. As deliverables are developed, they are being tied into this.

Security - Jay Burton. Tied closely with the Governance workflow.

Wrap Up

Action Items:
- Draft timeline and work assignments for each team; top-level work plan/timeline, including any information needed from other workgroups. Look for any gaps in information. Be prepared to talk about your work plans.
- Jaspal and Earl will provide feedback from the CIO Council and updates on the document; submission to OMB on February 11th.
- Contact Brian and Kumar (CC: Earl and Jaspal) to join a workgroup.

Next Meeting: February 22, 2011, 9:00-10:30. Send all information by Friday, February 18, since Monday, February 21 is Presidents' Day.

ITSO <Branch> - 05-CCAC Minutes Feb-8-2011 - Revision: 7/20/2011

Action Item Tracker:

Columns: ID; OPDIV/Department; Action Item; Description; Priority Level; Owner/Lead; Date Assigned; Date Due; Date Complete; Percent Complete; Progress Notes.

1. CCAC Minutes
   Description: Need to get minutes out on time for review; need to approve minutes as first order of business in future meetings starting with the Feb 8th meeting.
   Date Assigned: 1/25/2011. Progress Notes: In Progress.

2. Target Key Business Process Model
   Description: All top-level Cloud Service Processes; Cloud vendor service catalog/rate-sheet maintenance; Cloud alternative analysis; EPLC extensions - IT Infrastructure Critical Partner Role.
   Owner/Lead: CDC. Date Assigned: 1/25/2011. Progress Notes: In Progress.

3. Target Service Component Architecture
   Description: HHS Federated Data Architecture; HHS Federated SOA Catalog.
   Owner/Lead: HHS EA. Date Assigned: 1/25/2011. Progress Notes: Not Started.

4. Target Technical Architecture
   Description: Depends on input from the previous steps.
   Owner/Lead: Unassigned. Date Assigned: 1/25/2011. Progress Notes: Not Started.

5. Transition Recommendation & Blueprint Document
   Description: Depends on input from the previous steps; in a holding pattern at the moment. Will need to divide the work up. Sequence Diagram and Milestones should be complete within 90 days, to feed into OMB 120-day guidance.
   Owner/Lead: CDC, Terry Boyd. Date Assigned: 1/25/2011. Progress Notes: In Progress/Holding Pattern.

6. Guidance Development
   Description: Target Key Business Process Model; assigning who owns each process; define target business processes and their performance including organizational relationships; define target data relationships and business data stewards; define the target information services; ensure target business and information architecture addresses strategic improvement opportunities.
   Owner/Lead: CDC? Date Assigned: 1/25/2011.

7. Defined IT Infrastructure POC
   Description: Define individual/group specific to IT infrastructure within each OPDIV who handles the alternative analysis; tie to existing EPLC process as well (recommended for HHS wide); identify consistent POC within each OPDIV.
   Owner/Lead: CDC? Date Assigned: 1/25/2011. Date Due: Around 2/1/2011.

8. Requirements Definition/Gathering
   Description: Timeline for system; tie into EPLC documentation.
   Owner/Lead: CDC? Date Assigned: 1/25/2011. Date Due: Around 2/1/2011.

9. Document Templates for Alternative Analysis
   Owner/Lead: CDC? Date Assigned: 1/25/2011. Date Due: Around 2/1/2011.

10. Data call for existing contract vehicles
   Description: Data call for existing contract vehicles and vendors within the OPDIVs, then will figure out how to request information from all these vendors.
   Owner/Lead: CDC, Jaspal. Date Assigned: 1/25/2011. Date Due: Prior to 2/8/2011.

11. HHS Cloud Computing Implementation and Governance Draft v0.1
   Description: Read Alternative Analysis first draft and provide input/comments/questions/errors/omissions.
   Priority Level: Medium. Owner/Lead: Workgroup. Date Assigned: 2/8/2011. Date Due: 2/22/2011. Percent Complete: 0%. Progress Notes: Not Started.

12. Workgroup Timeline and Work Plan
   Description: Draft timeline, work assignments for each team; include any information needed from other workgroups. Look for any gaps in information. Be prepared to talk about your work plans.
   Priority Level: High. Owner/Lead: Workgroup Leads. Date Assigned: 2/8/2011. Date Due: 2/22/2011. Percent Complete: 0%. Progress Notes: Not Started.

13. Feedback from CIO Council (OPDIV/Department: CDC)
   Description: Provide feedback from the CIO Council, updates on the document; submission to OMB on February 11th.
   Priority Level: Medium. Owner/Lead: Jaspal Sagoo/Earl Baum. Date Assigned: 2/8/2011. Date Due: 2/22/2011. Percent Complete: 0%. Progress Notes: Not Started.

CCAC Meeting Minutes


Date: 3/1/2011   Time: 9:00-10:30 AM   Location: Phone
Facilitator: Nicole DElia, EA/OCIO/CTR
Recorder: Nicole DElia, EA/OCIO/CTR

Attendees:

Office        Member
ACF           David Jenkins
ACF           James Fu
ACF           Jim Tyson
AHRQ          Tim Erny
AoA           Sue Banning
CDC           Jaspal Sagoo
CDC           Terry Boyd
CDC           Earl W. Baum
CMS           Sherry Wilke
CMS           Doug C. Margush
FDA           Michael Coene
IHS           Bernie Dailleboust
IHS           Mark Rives
NIH           Steve Bailey
NIH           Adriane Burton
NIH           Darrick Akiyama
NIH           Debbie Bucci
OCIO          Timothy Mitchell
OCIO          Celine Neves
PSC           Dwayne Rollins
SAMHSA        James R. Walters
EA/OCIO/CTR   Kumar Radhakrishnan
EA/OCIO/CTR   Brian Leitao
CDC           Jay Burton
CDC           Charles Martin
CDC           Ginny Howard

Agenda & Notes


Welcome/Opening Remarks - Chair Jaspal Sagoo, CDC Chief Technology Officer (CTO)

Alternative Analysis and Supporting Processes / CTO and CIO Council Updates - Jaspal Sagoo, CDC

The CTO and CIO Councils expressed anxiety over the governance process.

Alternative Analysis EPLC Integration: there are various trigger points depending on the lifecycle of the system. We are trying to simplify and streamline this process, but additional work is going to need to be done (due to the OMB Cloud First mandate). Need full CPIC support. It is our job to make sure stakeholders understand their roles and responsibilities. The IT Critical Partner is up to the individual programs and IT organizations. A lot of this information should be gathered during the EPLC process already; this is not necessarily new work, just formalizing the process.

New Initiatives - Alternative Analysis triggered:
- At the end of the concept phase: determining whether the initiative can be cloud.
- At the end of the requirements analysis stage.
- Prior to the implementation stage: sanity check, make sure sufficient information has been collected.

Enhancements - Alternative Analysis triggered: similar process as for new initiatives; a quick touch point on the previous stage gates to see what has changed. With upgrades and enhancements, is cloud now feasible?

Steady State - Alternative Analysis triggered when the OMB 300 is produced every year. If updates, enhancements, or a technology refresh are planned, the Alternative Analysis still has to be done.

Data Call - Jaspal Sagoo, CDC

Trying to develop a vendor list with standard rate cards. Looking to control sprawl; every OPDIV has contract vehicles in place. Asking each OPDIV for feedback on existing contract vehicles, the COTR, and the POC (both on the vendor side and on the procurement side). Then we will be able to reach out with the RFIs we have agreed on. Will compile a working spreadsheet of vendors, services provided, and standard rate cards. As soon as the Alternative Analysis document has been blessed, this list will be necessary to move forward. Work with your CTO to get this information going. Looking for both development vehicles and service vehicles.

Action Items:
- Will send out a generic RFI template; please provide feedback on this document.

Market Research Briefings with Vendors - Jaspal Sagoo, CDC

Vendors have been asking for time to brief the committee. As we look at the vendor list we are developing, we are going to want to look at those vendors first. Want to make sure that when vendors provide a briefing, it is less marketing and more services oriented, including their rate cards.

Action Items:
- Develop a template of questions/formatting for the briefing for each vendor. Kumar will come up with a template and circulate it to the community.

Work Plan and Timeline Overview - Jaspal Sagoo and Earl Baum, CDC & Workgroup Leads

Deliverable A0 - Customer Requirements Development. Lead: Earl Baum. Timeline is complete, pending review. Deliverable will be complete EOM March.

Deliverable E0 - Cloud Computing Support Governance. Lead: Sherry Wilke or Doug Margush. Still aiming for the April 1st deadline, but need requirements.

Deliverable B0 - Services, Costs, Contracts. Ginny Howard, Terry Boyd; Lead: not determined. Should be able to complete by April 1st. The draft of contract language for the RFI has incorporated Ginny's comments. All committee members need to review the RFI draft so that it can be sent out to the vendors.

Deliverable C0 - Cloud Support Services. Lead: Kumar Radhakrishnan. Draft timeline will be sent to Earl by EOW.

Deliverable F0 - Solution Implementation. Lead: not determined/CDC? Looking at 5/1/2011 for the Transition Plan. As deliverables are developed, they are being tied into this.

Security - Jay Burton. Tied closely with the Governance workflow. Ties GSA FedRAMP ANA into the CNA process. Tie this to the HHS driver.

Wrap Up

Action Items:
- Workgroup leads need to send an email to Earl (CC: Jaspal and Kumar) to confirm timelines.
- Review and comment on the draft documents by EOW: HHS Cloud Computing RFI Draft v0.1.2; HHS Cloud Computing Implementation and Governance Draft v0.2.1.
- Will create a list of published documents to track comments, feedback, and approval from each OPDIV for each version. Jaspal will show the tracker to the CTO Council at the March 8th meeting.

Next Meeting: March 22, 2011, 9:00-10:30 AM

ITSO <Branch> - 06-CCAC Minutes Mar-1-2011 - Revision: 7/20/2011

Action Item Tracker (columns in the original: ID, OPDIV/Department, Action Item, Description, Priority Level, Owner/Lead, Date Assigned, Date Due, Date Complete, Percent Complete, Progress Notes)

1. CCAC Minutes. Description: Need to get minutes out on time for review; need to approve minutes as first order of business in future meetings. Priority: High. Owner/Lead: Nicole D'Elia. Assigned: 1/25/2011. Progress: In Progress.
2. Target Key Business Process Model. Description: All top-level Cloud Service Processes; Cloud vendor service catalog/rate-sheet maintenance; Cloud alternative analysis; EPLC extensions - IT Infrastructure Critical Partner Role. OPDIV: CDC. Assigned: 1/25/2011. Progress: In Progress; Jay Burton will be providing the CISO viewpoint; Transition Plan still needs to be finalized; Addressed as far as the Alternative Analysis draft document (just need review and approval).
3. Target Service Component Architecture. Description: HHS Federated Data Architecture; HHS Federated SOA Catalog. OPDIV: HHS EA. Assigned: 1/25/2011. Progress: In Progress; timeline will be out by Mar 4; will be reaching out to NIH as soon as Transition Plan is finalized.
4. Target Technical Architecture. Description: Depends on input from the previous steps. Owner/Lead: Unassigned. Assigned: 1/25/2011. Progress: Not Started; Dependent on Item 3.
5. Transition Recommendation & Blueprint Document. Description: Depends on input from the previous steps; in holding pattern. OPDIV: CDC. Owner/Lead: Terry Boyd. Assigned: 1/25/2011. Progress: In Progress/Holding Pattern; initial drafts are being started, still need a lot of information.
6. Guidance Development. Description: Will need to divide the work up; Sequence Diagram and Milestones should be complete within 90 days, to feed into OMB 120-day guidance; Target Key Business Process Model: Assigning who owns each process; Define target business processes and their performance including organizational relationships; Define target data relationships and business data stewards; Define the target information services; Ensure target business and information architecture addresses strategic improvement opportunities. OPDIV: CDC?. Assigned: 1/25/2011. Progress: In Progress; ties back to Item 2.
7. Defined IT Infrastructure POC. Description: Defined individual/group specific to IT infrastructure within each OPDIV who handles the alternative analysis; tie to existing EPLC process as well (recommended for HHS wide); identify consistent POC within each OPDIV. Owner/Lead: Committee members need to talk to CTOs & CIOs. Assigned: 1/25/2011. Due: Around 2/1/2011. Progress: In Progress: Need to have POC for each OPDIV for coordination purposes; don't need to necessarily provide name to the CCAC.
8. Requirements Definition/Gathering. Description: Timeline for system; tie into EPLC documentation. OPDIV: CDC?. Assigned: 1/25/2011. Due: Around 2/1/2011.
9. Document Templates for Alternative Analysis. Description: Draft of this is in the Governance Document. OPDIV: CDC?. Assigned: 1/25/2011. Due: Around 2/1/2011. Progress: In Progress: Draft is complete pending review.
10. Data call for existing contract vehicles and vendors within the OPDIVs. Description: Data call went out (2/28/2011). Priority: Medium. Owner/Lead: Kumar Radhakrishnan. Assigned: 1/25/2011. Due: Prior to 2/8/2011. Progress: In Progress: As information comes back, will compile spreadsheet.
11. HHS Cloud Computing Implementation and Governance Draft v0.1. Description: Read Alternative Analysis first draft and provide input/comments/questions/errors/omissions. Priority: Medium. Assigned: 2/8/2011. Due: 2/22/2011. Percent Complete: 100%. Progress: Complete: See Item 16.
12. Workgroup Timeline and Work Plan. Description: Draft timeline, work assignments for each team; include any information needed from other workgroups; Look for any gaps in information; Be prepared to talk about your work plans. Priority: High. Owner/Lead: Workgroup Leads. Assigned: 2/8/2011. Due: 2/22/2011. Percent Complete: 0%. Progress: In Progress: See Item 18.
13. Feedback from CIO Council. Description: Provide feedback from the CIO Council, updates on the document; submission to OMB on February 11th. OPDIV: CDC. Priority: Medium. Owner/Lead: Jaspal Sagoo/Earl Baum. Assigned: 2/8/2011. Due: 2/22/2011. Completed: 3/1/2011. Percent Complete: 100%. Progress: Complete.
14. Market Vendor Question Template. Description: Starter template of questions for vendors when they brief the CCAC. Owner/Lead: Kumar Radhakrishnan. Assigned: 3/1/2011. Progress: In Progress.
15. CCAC Published Documents Tracker. Description: Create tracker to log comments, feedback, and approval for each OPDIV for CCAC documents. Priority: High. Owner/Lead: Nicole D'Elia. Assigned: 3/1/2011. Due: 3/4/2011. Progress: In Progress.
16. HHS Cloud Computing Implementation and Governance Draft v0.2.1. Description: Read Alternative Analysis draft and provide input/comments/questions/errors/omissions. Priority: High. Owner/Lead: Committee Members. Assigned: 3/1/2011. Due: 3/4/2011. Progress: In Progress.
17. HHS Cloud Computing RFI Draft v0.1.2. Description: Read RFI draft and provide input/comments/questions/errors/omissions. Priority: High. Owner/Lead: Committee Members. Assigned: 3/1/2011. Due: 3/4/2011. Progress: In Progress.
18. Confirm Workgroup Timelines. Description: Send email to Earl Baum to confirm the timeline for each workgroup. Priority: High. Owner/Lead: Earl Baum. Assigned: 3/1/2011.

CCAC Meeting Minutes
Date: 3/22/2011 Time: 9:00 - 10:30 AM Location: Phone

Attendees (OFFICE - MEMBER):
ACF - David Jenkins
ACF - James Fu
ACF - Jim Tyson
AHRQ - Tim Erny
AoA - Sue Banning
CDC - Jaspal Sagoo
CDC - Terry Boyd
CDC - Earl W. Baum
CMS - Sherry Wilke
CMS - Doug C. Margush
CMS - Daniel Lazenby
FDA - Michael Coene
IHS - Bernie Dailleboust
IHS - Mark Rives
NIH - Steve Bailey
NIH - Adriane Burton
NIH - Darrick Akiyama
NIH - Debbie Bucci
OCIO - Timothy Mitchell
OCIO - Celine Neves
PSC - Dwayne Rollins
PSC/CTR - Ali Bilgrami
SAMHSA - James R. Walters
EA/OCIO/CTR - Kumar Radhakrishnan
CDC - Michelle Hines
CDC - Jay Burton
CDC - Charles Martin
CDC - Ginny Howard
Present: 16 of the 28 members listed.
Facilitator: Nicole D'Elia, EA/OCIO/CTR
Recorder: Nicole D'Elia, EA/OCIO/CTR

Agenda & Notes

Welcome/Opening Remarks - Earl Baum, CDC
- SharePoint site now has three additional documents for the committee to review
- We are also working on RFQ documents which will be shared with the committee shortly
- Action Items:
  - Review and comment on draft documents by March 29th:
    - HHS Cloud Computing RFI Draft v0.1.3
    - RACI Document Draft v 9
    - Role of an IT Infrastructure Critical Partner v0.9.8

Approval of 3-1-2011 Minutes - Earl Baum, CDC
- Minutes were reviewed by the committee and approved as is

Alternative Analysis and Supporting Processes / CTO Council Update - Earl Baum, CDC
- We have been focusing our efforts on infrastructure elements
- There will be additional work involved and there are questions on where governance is going
- Please take the governance document and EPLC IT Infrastructure document out to your people to get feedback
- We want to make sure we are capturing the right level of detail
- Jaspal presented the Governance and Implementation document to the CTO Council
1 of 7 Revision: 7/20/2011

ITSO <Branch>

07-CCAC Minutes Mar-22-2011


Alternative Analysis and Supporting Processes / CTO Council Update (continued)
- Received mostly positive responses, with 2 exceptions
- Security Comments: the document is being too restrictive at this point for what can go to the cloud
  - Check with your local CISOs and ask for feedback
  - Want to achieve a consensus
  - Maybe add a caveat to the document: OPDIVs can be more restrictive than what we prescribe, but cannot be less restrictive than this document
- NIH Comments: regarded the level of effort/work/money required to implement
  - We acknowledge there is additional work; trying to minimize this to the extent possible, but still need to make sure we capture enough information
  - Working on trying to make sure the right people/SMEs are doing this work
  - Funding will continue to be an issue until Congress changes appropriations language, but this is a mandate; we have to consider Cloud First
- Action Items:
  - Nicole will send out the CTO Council comments on the Governance and Implementation Document
  - Committee members need to review the comments and the Governance Document with their CISOs and other relevant members of their organization

Data Call - Earl Baum, CDC
- Asking each OPDIV for feedback on existing contract vehicles (that include cloud services), the COTR, and POC (both on the vendor side and on the procurement side)
- Work with your CTO to get this information going
- Looking for both development vehicles and service vehicles, not limited to cloud hosting providers
- If you are able to support other OPDIVs on the contract vehicles, make note of that as well
- Action Items:
  - Data Call needs to be answered by EOW

Market Research Briefings with Vendors - Earl Baum, CDC
- Propos (b)(5) - deliberative process
- Committee agreed on having 2 presentations per call during existing CCAC meetings
  - 40 minutes for each presentation
  - 10 minutes for committee business
- Committee reviewed Draft Vendor Questionnaire for IaaS
  - Want to make sure that when vendors provide a briefing, it is less marketing and more services oriented, including their rate cards
  - Additional questions were added to the Security portion of the Questionnaire, including:
    - Has the vendor already gone through FedRAMP A&A, and at what level?
    - TIC
    - Intrusions, Detections
    - Monitoring health and well-being of the systems from both SLA and reporting standpoint, as well as who has access to those tools/logs and at what level?
    - HIPAA
    - 2 factor authentication under IAM
- Action Items:
  - If committee members already have representatives for any of these vendors, please send contact information to Earl, Jaspal, and Nicole
  - Once the updated Vendor Questionnaire is ready, committee needs to review for completeness
  - Then similar questionnaires will be produced for PaaS and SaaS
  - Jaspal and Earl will begin scheduling these vendor presentations

Work Plan and Timeline Overview - Earl Baum, CDC & Workgroup Leads
- Deliverable A0 Customer Requirements Development
  - Lead: Earl Baum
  - Ongoing; tied to EPLC ITI Critical Partner documents
  - Deliverable should be complete and pending review EOM March
  - Customer Requirements documents; RFI; RFQ
- Deliverable E0 Cloud Computing Support Governance
  - Lead: Sherry Wilke / Doug Margush
  - Meeting this afternoon with Earl to discuss status
  - Will tie back to Governance and Implementation document
  - May need to push back April 1st deadline
- Deliverable B0 Services, Costs, Contracts
  - Ginny Howard, Terry Boyd; Lead: not determined
  - Should be able to complete by April 1
  - Changed to fit SIMs contract (CDC specific)
  - Get the draft RFQs to Ginny this week
  - RFQ is driven by what the government needs specifically; let us know if we are way off base
  - Number of contracts will be between 1 and many
  - There are questions that have to be asked strategy-wise at HHS level and OPDIV level: What services do we actually want to implement, and how do we pay for it? TBD
- Deliverable C0 Cloud Support Services
  - Lead: Kumar Radhakrishnan
  - Earl will follow up with Kumar and team; begin tying NIH into this
- Deliverable F0 Solution Implementation
  - Lead: Terry Boyd
  - Looking at 5/1/2011 for the Transition Plan
  - As deliverables are developed, they're being tied into this
  - Looking for specific template and guidance information
- Security - Jay Burton
  - Commented extensively on the draft that went to the CTO Council
  - Still reviewing the Critical Partner Documents
  - Ties GSA FedRAMP A&A into C&A process
- Action Items:
  - Review and comment on draft documents by March 29th

Wrap Up
- Next Meeting April 5, 2011 9:00 - 10:30 AM

Action Item Tracker (columns in the original: ID, Action Item, Description, Priority Level, Owner/Lead, Date Assigned, Date Due, Date Complete, Percent Complete, Progress Notes)

1. CCAC Minutes. Description: Need to get minutes out on time for review; need to approve minutes as first order of business in future meetings. Priority: High. Owner/Lead: Nicole D'Elia. Assigned: 1/25/11. Completed: 3/22/11. Percent Complete: 100%. Progress: Complete; this is now a regular part of the agenda.
2. Target Key Business Process Model. Description: All top-level Cloud Service Processes; Cloud vendor service catalog/rate-sheet maintenance; Cloud alternative analysis; EPLC extensions - IT Infrastructure Critical Partner Role. Owner/Lead: CDC. Assigned: 1/25/11. Progress: In Progress; Jay Burton will be providing the CISO viewpoint; Transition Plan still needs to be finalized; Addressed as far as the Alternative Analysis draft document (just need review and approval).
3. Target Service Component Architecture. Description: HHS Federated Data Architecture; HHS Federated SOA Catalog. Owner/Lead: HHS EA. Assigned: 1/25/11. Progress: In Progress; timeline will be out by Mar 4; will be reaching out to NIH as soon as Transition Plan is finalized.
4. Target Technical Architecture. Description: Depends on input from the previous steps. Owner/Lead: Unassigned. Assigned: 1/25/11. Progress: Not Started; Dependent on Item 3.
5. Transition Recommendation & Blueprint Document. Description: Depends on input from the previous steps; in holding pattern. Owner/Lead: CDC, Terry Boyd. Assigned: 1/25/11. Progress: In Progress/Holding Pattern; initial drafts are being started, still need a lot of information.
6. Guidance Development. Description: Will need to divide the work up; Sequence Diagram and Milestones should be complete within 90 days, to feed into OMB 120-day guidance; Target Key Business Process Model: Assigning who owns each process; Define target business processes and their performance including organizational relationships; Define target data relationships and business data stewards; Define the target information services; Ensure target business and information architecture addresses strategic improvement opportunities. Owner/Lead: CDC?. Assigned: 1/25/11. Progress: In Progress; ties back to Item 2.
7. Defined IT Infrastructure POC. Description: Defined individual/group specific to IT infrastructure within each OPDIV who handles the alternative analysis; tie to existing EPLC process as well (recommended for HHS wide); identify consistent POC within each OPDIV. Owner/Lead: Committee members need to talk to CTOs & CIOs. Assigned: 1/25/11. Due: Around 2/1/11. Progress: In Progress: Need to have POC for each OPDIV for coordination purposes; don't need to necessarily provide name to the CCAC.
8. Requirements Definition/Gathering. Description: Timeline for system; tie into EPLC documentation. Owner/Lead: CDC?. Assigned: 1/25/11. Due: Around 2/1/11. Progress: In Progress.
9. Document Templates for Alternative Analysis. Description: Draft of this is in the Governance Document. Owner/Lead: CDC?. Assigned: 1/25/11. Due: Around 2/1/11. Progress: In Progress: Draft is complete pending review.
10. Data call for existing contract vehicles and vendors within the OPDIVs. Description: Data call went out (2/28/2011). Priority: High. Owner/Lead: Kumar Radhakrishnan. Assigned: 1/25/11. Due: 3/25/11. Percent Complete: 20%. Progress: In Progress: As information comes back, will compile spreadsheet.
11. HHS Cloud Computing Implementation and Governance Draft v0.1. Description: Read Alternative Analysis first draft and provide input/comments/questions/errors/omissions. Priority: Medium. Assigned: 2/8/11. Due: 2/22/11. Percent Complete: 100%. Progress: Complete: See Item 16.
12. Workgroup Timeline and Work Plan. Description: Draft timeline, work assignments for each team; include any information needed from other workgroups; Look for any gaps in information; Be prepared to talk about your work plans. Priority: High. Owner/Lead: Workgroup Leads. Assigned: 2/8/11. Due: 2/22/11. Percent Complete: 0%. Progress: In Progress: See Item 18.
13. Feedback from CIO Council. Description: Provide feedback from the CIO Council, updates on the document; submission to OMB on February 11th. Priority: Medium. Owner/Lead: Jaspal Sagoo/Earl Baum. Assigned: 2/8/11. Due: 2/22/11. Completed: 3/1/11. Percent Complete: 100%. Progress: Complete.
14. Market Vendor Question Template. Description: Starter template of questions for vendors when they brief the CCAC. Priority: Medium. Owner/Lead: Kumar Radhakrishnan. Assigned: 3/1/11. Percent Complete: 75%. Progress: In Progress; awaiting additional feedback from Earl & committee members; then similar questionnaires will be developed for PaaS and SaaS.
15. CCAC Published Documents Tracker. Description: Create tracker to log comments, feedback, and approval for each OPDIV for CCAC documents. Priority: High. Owner/Lead: Nicole D'Elia. Assigned: 3/1/11. Due: 3/4/11. Completed: 3/8/11. Percent Complete: 100%. Progress: Complete and posted to SharePoint.
16. HHS Cloud Computing Implementation and Governance Draft v0.2.1. Description: Read Alternative Analysis draft and provide input/comments/questions/errors/omissions. Priority: High. Owner/Lead: Committee Members. Assigned: 3/1/11. Due: 3/4/11. Completed: 3/7/11. Percent Complete: 75%. Progress: In Progress.
17. HHS Cloud Computing RFI Draft v0.1.2. Description: Read RFI draft and provide input/comments/questions/errors/omissions. Priority: High. Owner/Lead: Committee Members. Assigned: 3/1/11. Due: 3/4/11. Completed: 3/7/11. Percent Complete: 100%. Progress: Complete: See Item 19.
18. Confirm Workgroup Timelines. Description: Send email to Earl Baum to confirm the timeline for each workgroup. Priority: High. Owner/Lead: Earl Baum. Assigned: 3/1/11. Progress: In Progress.
19. HHS Cloud Computing RFI Draft v0.1.3. Description: Read RFI draft and provide input/comments/feedback. Priority: High. Owner/Lead: Committee Members. Assigned: 3/22/11. Due: 3/29/11.
20. RACI Document Draft v 9. Description: Read RACI drafts and provide input/comments/feedback. Priority: High. Owner/Lead: Committee Members. Assigned: 3/22/11. Due: 3/29/11.
21. Role of an IT Infrastructure Critical Partner v0.9.8. Description: Read Critical Partner draft and provide input/comments/feedback. Priority: High. Owner/Lead: Committee Members. Assigned: 3/22/11. Due: 3/29/11.
22. CTO Council Comments on the Implementation and Governance Document. Description: Review these comments and the Implementation and Governance document with your CISOs. Priority: High. Owner/Lead: Committee Members. Assigned: 3/22/11. Due: 3/31/11.
23. Vendor Contact Information. Description: Send contact information for any vendor representatives that you are already working with. Priority: High. Owner/Lead: Committee Members. Assigned: 3/22/11.
24. Set up Market Vendor Presentations. Description: Begin scheduling these vendor presentations. Priority: Medium. Owner/Lead: Jaspal Sagoo/Earl Baum. Assigned: 3/22/11.

CCAC Meeting Minutes
Date: 4/05/2011 Time: 9:00 - 10:30 AM Location: Phone

Attendees (OFFICE - MEMBER):
ACF - David Jenkins
ACF - James Fu
ACF - Jim Tyson
AHRQ - Tim Erny
AoA - Sue Banning
CDC - Jaspal Sagoo
CDC - Terry Boyd
CDC - Earl W. Baum
CMS - Sherry Wilke
CMS - Doug C. Margush
CMS - Daniel Lazenby
CMS - Don Bartley
FDA - Michael Coene
IHS - Bernie Dailleboust
IHS - Mark Rives
NIH - Steve Bailey
NIH - Adriane Burton
NIH - Darrick Akiyama
NIH - Debbie Bucci
OCIO - Timothy Mitchell
PSC - Dwayne Rollins
PSC/CTR - Ali Bilgrami
SAMHSA - James R. Walters
EA/OCIO/CTR - Kumar Radhakrishnan
EA/OCIO/CTR - Brian Leitao
EA/OCIO/CTR - Robert PattCorner
CDC - Michelle Hines
CDC - Jay Burton
CDC - Charles Martin
CDC - Ginny Howard
Present: 13 of the 30 members listed.
Facilitator: Nicole D'Elia, EA/OCIO/CTR
Recorder: Nicole D'Elia, EA/OCIO/CTR

Agenda & Notes

Welcome/Opening Remarks - Chair Jaspal Sagoo, CDC Chief Technology Officer (CTO)

Approval of 3-22-2011 Minutes - Jaspal Sagoo, CDC
- Action Items:
  - Review the minutes from 3-22-2011 so we can approve them at the next meeting
  - If there are any errors/omissions please let Nicole know

Alternative Analysis and Supporting Processes Update - Jaspal Sagoo, CDC
- We are on a fast track to get the documents we have created approved
- Want to get all of the committee members' comments consolidated
- On April 11th, the documents will be sent out to the CTO Council so that they can vote on the documents at the meeting on the 19th
- HHS Cloud Computing Information System Questionnaire v0.2.0
  - Let us know if there are still any areas that need to be captured
  - This is going to be a living document
- HHS Cloud Computing RFI Draft v0.1.3
  - This is a key artifact we have to have complete so that the Alternative Analysis can be completed
  - We have refined a lot of the language in this document
  - Pass this along to your procurement staff for them to review, if you have time
- ITI CP RACI Draft v0.9.1
  - This document was designed to enumerate who has responsibility for what
  - Added a column for accountability
- Role of an IT infrastructure Architecture Critical Partner v0.9.8
  - Don't expect a lot of changes to this document, but we are still adding members to this workgroup
- Once the CTO Council approves these documents, they will be passed along to the CIO Council for approval the following week
- Action Items:
  - Committee members need to review the following documents and provide comments and feedback by Friday April 8th:
    - HHS Cloud Computing Information System Questionnaire v0.2.0
    - HHS Cloud Computing RFI Draft v0.1.3
    - ITI CP RACI Draft v0.9.1
    - Role of an IT infrastructure Architecture Critical Partner v0.9.8

Governance Processes Update - Doug Margush, CMS
- We've gone through a rough draft, and are working on refining it before sending it out to the group
- The document that was sent to Jaspal and Earl seems to be on target
- Missed the 4/1/2011 deadline, but looks like it will be ready to send to the group before next Tuesday (4/12)

SOA and Data Architecture Update - Kumar Radhakrishnan, OCIO/EA/CTR
- Working through scheduling issues in order to discuss more in depth with NIH
- Should be beginning to nail things down over the next week or so

Data Call - Jaspal Sagoo, CDC
- Once we have a complete list, need to send RFI out to the procurement vehicles
- Asking each OPDIV for feedback on existing contract vehicles (that include cloud services), the COTR, and POC (both on the vendor side and on the procurement side)
- Work with your CTO to get this information going
- Looking for both development vehicles and service vehicles, not limited to cloud hosting providers
- Action Items:
  - Will be contacting those OPDIVs who have not yet responded to the Data Call

Vendor RFIs and Analysis - Jaspal Sagoo, CDC
- The workload for this is going to be quite large
- Going to try to stand up a permanent governance council to maintain this data
  - Will bring up a permanent governing body again at the CTO Council meeting
- Rates and services are in constant flux; our information/baseline data may become stale after a month or two
- Baseline will have to be tackled by this committee, to capture existing contract vehicles
- Need to address the number one concern of the CIO Council: prevent vendor sprawl; want a defined boundary of approved vendors
- Even getting this baseline is proving to be a large project
- Need some volunteers (2 or 3) to channel this along
  - Coordinate and start working on a matrix of vendors and rate cards
  - Critical part of the Alternative Analysis; the IT community needs this information
  - Send your name to Nicole if you would like to volunteer
  - If no one volunteers, a lead will be chosen
- Once the RFI is ratified, it can be sent to contract offices, who can forward it on to their vendors
- CDC sent out a preliminary RFI, which is due back by 4/8, as a litmus test
  - Will make sure that the RFI is updated based on this litmus test
- Action Items:
  - If you would like to volunteer to be the lead on the RFI analysis, please send an email to Nicole, Jaspal, and Earl
  - RFI will be updated after the CDC litmus test RFI is analyzed

Work Plan and Timeline Overview - Earl Baum, CDC
- Looking to tie SOA and Data Architecture into the transition plan by May
- Final transition plan will lag by about a month compared to the other deliverables; built some flexibility into this
- How do we assure we get input from every OPDIV's EA/PMO?
  - Will develop something to send out to the OPDIVs' EA and CPIC offices
  - Maybe make an announcement to the EA Community
  - This should be a consideration in the Data Architecture
- Action Items:
  - Reach out to OPDIV EA and CPIC offices regarding the Data Architecture

Wrap Up
- Next Meeting April 19, 2011 9:00 - 10:30 AM

ITSO <Branch> 08-CCAC Minutes Apr-05-2011 Revision: 7/20/2011

Action Item Tracker (columns in the original: ID, Action Item, Description, Priority Level, Owner/Lead, Date Assigned, Date Due, Date Complete, Percent Complete, Progress Notes)

1. CCAC Minutes. Description: Need to get minutes out on time for review; need to approve minutes as first order of business in future meetings. Priority: High. Owner/Lead: Nicole D'Elia. Assigned: 1/25/11. Completed: 3/22/11. Percent Complete: 100%. Progress: Complete; this is now a regular part of the agenda.
2. Target Key Business Process Model. Description: All top-level Cloud Service Processes; Cloud vendor service catalog/rate-sheet maintenance; Cloud alternative analysis; EPLC extensions - IT Infrastructure Critical Partner Role. Owner/Lead: CDC. Assigned: 1/25/11. Progress: In Progress; Jay Burton will be providing the CISO viewpoint; Transition Plan still needs to be finalized; Addressed as far as the Alternative Analysis draft document (just need review and approval).
3. Target Service Component Architecture. Description: HHS Federated Data Architecture; HHS Federated SOA Catalog. Owner/Lead: HHS EA. Assigned: 1/25/11. Progress: In Progress; timeline will be out by Mar 4; will be reaching out to NIH as soon as Transition Plan is finalized.
4. Target Technical Architecture. Description: Depends on input from the previous steps. Owner/Lead: Unassigned. Assigned: 1/25/11. Progress: Not Started; Dependent on Item 3.
5. Transition Recommendation & Blueprint Document. Description: Depends on input from the previous steps; in holding pattern. Owner/Lead: CDC, Terry Boyd. Assigned: 1/25/11. Progress: In Progress/Holding Pattern; initial drafts are being started, still need a lot of information.
6. Guidance Development. Description: Will need to divide the work up; Sequence Diagram and Milestones should be complete within 90 days, to feed into OMB 120-day guidance; Target Key Business Process Model: Assigning who owns each process; Define target business processes and their performance including organizational relationships; Define target data relationships and business data stewards; Define the target information services; Ensure target business and information architecture addresses strategic improvement opportunities. Owner/Lead: CDC?. Assigned: 1/25/11. Progress: In Progress; ties back to Item 2.
7. Defined IT Infrastructure POC. Description: Defined individual/group specific to IT infrastructure within each OPDIV who handles the alternative analysis; tie to existing EPLC process as well (recommended for HHS wide); identify consistent POC within each OPDIV. Owner/Lead: Committee members need to talk to CTOs & CIOs. Assigned: 1/25/11. Due: Around 2/1/11. Progress: In Progress: Need to have POC for each OPDIV for coordination purposes; don't need to necessarily provide name to the CCAC.
8. Requirements Definition/Gathering. Description: Timeline for system; tie into EPLC documentation. Owner/Lead: CDC?. Assigned: 1/25/11. Due: Around 2/1/11. Progress: In Progress.
9. Document Templates for Alternative Analysis. Description: Draft of this is in the Governance Document. Owner/Lead: CDC?. Assigned: 1/25/11. Due: Around 2/1/11. Progress: In Progress: Draft is complete pending review.
10. Data call for existing contract vehicles and vendors within the OPDIVs. Description: Data call went out (2/28/2011). Priority: High. Owner/Lead: Kumar Radhakrishnan. Assigned: 1/25/11. Due: 3/25/11. Percent Complete: 75%. Progress: In Progress: As information comes back, will compile spreadsheet.
11. HHS Cloud Computing Implementation and Governance Draft v0.1. Description: Read Alternative Analysis first draft and provide input/comments/questions/errors/omissions. Priority: Medium. Assigned: 2/8/11. Due: 2/22/11. Percent Complete: 100%. Progress: Complete: See Item 16.
12. Workgroup Timeline and Work Plan. Description: Draft timeline, work assignments for each team; include any information needed from other workgroups; Look for any gaps in information; Be prepared to talk about your work plans. Priority: High. Owner/Lead: Workgroup Leads. Assigned: 2/8/11. Due: 2/22/11. Percent Complete: 0%. Progress: In Progress: See Item 18.
13. Feedback from CIO Council. Description: Provide feedback from the CIO Council, updates on the document; submission to OMB on February 11th. Priority: Medium. Owner/Lead: Jaspal Sagoo/Earl Baum. Assigned: 2/8/11. Due: 2/22/11. Completed: 3/1/11. Percent Complete: 100%. Progress: Complete.
14. Market Vendor Question Template. Description: Starter template of questions for vendors when they brief the CCAC. Priority: Medium. Owner/Lead: Kumar Radhakrishnan. Assigned: 3/1/11. Percent Complete: 75%. Progress: In Progress; awaiting additional feedback from Earl & committee members; then similar questionnaires will be developed for PaaS and SaaS.
15. CCAC Published Documents Tracker. Description: Create tracker to log comments, feedback, and approval for each OPDIV for CCAC documents. Priority: High. Owner/Lead: Nicole D'Elia. Assigned: 3/1/11. Due: 3/4/11. Completed: 3/8/11. Percent Complete: 100%. Progress: Complete and posted to SharePoint.
16. HHS Cloud Computing Implementation and Governance Draft v0.2.1. Description: Read Alternative Analysis draft and provide input/comments/questions/errors/omissions. Priority: High. Owner/Lead: Committee Members. Assigned: 3/1/11. Due: 3/4/11. Completed: 3/7/11. Percent Complete: 75%. Progress: In Progress.
17. HHS Cloud Computing RFI Draft v0.1.2. Description: Read RFI draft and provide input/comments/questions/errors/omissions. Priority: High. Owner/Lead: Committee Members. Assigned: 3/1/11. Due: 3/4/11. Completed: 3/7/11. Percent Complete: 100%. Progress: Complete: See Item 19.
18. Confirm Workgroup Timelines. Description: Send email to Earl Baum to confirm the timeline for each workgroup. Priority: High. Owner/Lead: Earl Baum. Assigned: 3/1/11. Progress: In Progress.
19. HHS Cloud Computing RFI Draft v0.1.3. Description: Read RFI draft and provide input/comments/feedback. Priority: High. Owner/Lead: Committee Members. Assigned: 3/22/11. Due: 3/29/11. Completed: 3/29/11. Percent Complete: 100%. Progress: Updates were made to the Document Comment Tracker on SharePoint.
20. RACI Document Draft v 9. Description: Read RACI drafts and provide input/comments/feedback. Priority: High. Owner/Lead: Committee Members. Assigned: 3/22/11. Due: 3/29/11. Completed: 3/29/11. Percent Complete: 100%. Progress: Updates were made to the Document Comment Tracker on SharePoint.
21. Role of an IT Infrastructure Critical Partner v0.9.8. Description: Read Critical Partner draft and provide input/comments/feedback. Priority: High. Owner/Lead: Committee Members. Assigned: 3/22/11. Due: 3/29/11. Completed: 3/29/11. Percent Complete: 100%. Progress: Updates were made to the Document Comment Tracker on SharePoint.
22. CTO Council Comments on the Implementation and Governance Document. Description: Review these comments and the Implementation and Governance document with your CISOs. Priority: High. Owner/Lead: Committee Members. Assigned: 3/22/11. Due: 3/31/11. Progress: In progress; updates were made to the Document Comment Tracker on SharePoint.
23. Vendor Contact Information. Description: Send contact information for any vendor representatives that you are already working with. Priority: High. Owner/Lead: Committee Members. Assigned: 3/22/11.
24. Set up Market Vendor Presentations. Description: Begin scheduling these vendor presentations. Priority: Medium. Owner/Lead: Jaspal Sagoo/Earl Baum. Assigned: 3/22/11.
25. HHS Cloud Computing Information System Questionnaire v0.2.0. Description: Read Questionnaire and provide input/comments/feedback. Priority: High. Owner/Lead: Committee Members. Assigned: 4/4/11. Due: 4/8/11.
26. HHS Cloud Computing RFI Draft v0.1.3. Description: Read RFI draft and provide input/comments/feedback. Priority: High. Owner/Lead: Committee Members. Assigned: 4/4/11. Due: 4/8/11.
27. ITI CP RACI Draft v0.9.1. Description: Read RACI drafts and provide input/comments/feedback. Priority: High. Owner/Lead: Committee Members. Assigned: 4/4/11. Due: 4/8/11.
28. Role of an IT infrastructure Architecture Critical Partner v0.9.8. Description: Read Critical Partner draft and provide input/comments/feedback. Priority: High. Owner/Lead: Committee Members. Assigned: 4/4/11. Due: 4/8/11.
29. 3-22-2011 Meeting Minutes. Description: Review meeting minutes and provide errors and omissions to Nicole. Priority: High. Owner/Lead: Nicole D'Elia. Assigned: 4/5/11.
30. Vendor RFI Analysis. Description: Need two or three committee members to volunteer to be the lead on creating a baseline matrix of vendors, services, and rate cards. Priority: High. Owner/Lead: Jaspal Sagoo. Assigned: 4/5/11. Due: 4/19/11.

CCAC Meeting Minutes
Date: 4/19/2011 Time: 9:00 - 10:30 AM Location: 502H Humphrey, Phone

Attendees (OFFICE - MEMBER):
ACF - David Jenkins
ACF - Gary Cochran
ACF - James Fu
ACF - Jim Tyson
AHRQ - Tim Erny
AoA - Sue Banning
CDC - Jaspal Sagoo
CDC - Terry Boyd
CDC - Earl W. Baum
CMS - Sherry Wilke
CMS - Doug C. Margush
CMS - Daniel Lazenby
CMS - Don Bartley
CMS - Bryce Golwalla
FDA - Michael Coene
IHS - Bernie Dailleboust
IHS - Mark Rives
NIH - Steve Bailey
NIH - Adriane Burton
NIH - Darrick Akiyama
NIH - Debbie Bucci
NIH - Steve Thornton
OCIO - Mary Forbes
OCIO - Timothy Mitchell
PSC - Dwayne Rollins
PSC/CTR - Ali Bilgrami
PSC/CTR - Denise Underwood
PSC - Ellen Vizzini
SAMHSA - James R. Walters
HHS/ASPA - Richard Stapleton
HHS/ASPA - Craig Lafond
EA/OCIO/CTR - Kumar Radhakrishnan
EA/OCIO/CTR - Robert PattCorner
EA/OCIO/CTR - Brian Leitao
CDC - Michelle Hines
CDC - Jay Burton
CDC - Charles Martin
CDC - Ginny Howard
Present: 29 of the 38 members listed.
Facilitator: Nicole D'Elia, EA/OCIO/CTR
Recorder: Nicole D'Elia, EA/OCIO/CTR

Agenda & Notes

Welcome/Opening Remarks - Chair Jaspal Sagoo, CDC Chief Technology Officer (CTO)

Approval of 3-22-2011 and 4-05-2011 Minutes - Jaspal Sagoo, CDC
- Minutes were approved for the March 22nd and April 5th meetings.
- Action Items:
  - Email Nicole if you have any questions/comments/errors/omissions for the minutes

Alternative Analysis and Supporting Processes / CTO Council Update - Jaspal Sagoo, CDC
- Going to try to get these four documents approved by the CTO Council later today:
  - HHS Cloud Computing Information System Questionnaire v1.0
  - HHS Cloud Computing RFI v1.0
  - ITI CP RACI Draft v1.0
  - Role of an IT infrastructure Architecture Critical Partner v1.0
- They will be living documents, but we need to freeze them in time for now with the understanding that we will make additional updates as necessary based on continued feedback and comments
- Process for amending approved documents will be discussed at today's CTO Council meeting.
- Programs are waiting for the Alternatives Analysis and Guidance
- Governance document comments (this document was already approved by the CTO Council)
  - We are addressing a mandate; it is up to the individual organization to determine whether to use cloud, based on criteria and the EPLC process
  - We have tidied up some security language
  - FedRAMP simplifies the A&A/C&A, does not replace it
- Role of an IT infrastructure Architecture Critical Partner v1.0
  - This critical partner is very narrowly defined
  - Will be reviewing with CPIC staff to incorporate other existing critical partners into this documentation
  - James Walters (SAMHSA): who will fill this role for the smaller OPDIVs that are supported by the ITIO?
    - In general, whichever organization supports your IT should be taking on this role
    - As more programs adopt the EPLC, more stage gates
    - Required to do the Alternatives Analysis; the burden will fall on the IT Critical Partner, but they should already be gathering most of this information
    - Trying to develop a more streamlined process
    - If a small OPDIV does a program outside of ITIO, then there is a void; only certain programs have followed the EPLC process so far.
  - We are developing a workflow with swim lanes on how to conduct the Alternative Analysis, which will show roles
    - Should be ready for distribution in 1-2 weeks
- HHS Cloud Computing Information System Questionnaire v1.0
  - Purpose is to be incorporated in the EPLC process, adding cloud computing questions
  - Cloud Alternatives Analysis will be wrapped into the Critical Partner role (IT Infrastructure CP)
  - There are two Alternatives Analysis processes: CPIC Alternatives Analysis and now Cloud Alternatives Analysis (triggered first)
  - Will be changes to the EPLC process going forward
  - Need to meet with the EPLC group
- Action Items: No Action Items
- We have a draft for the Governance Process
  - It is now posted on SharePoint for the committee to view and provide comments (in the Documents for Review folder)
  - The governance process will be too much work for this body, but is critical to the implementation of cloud going forward

ITSO <Branch> 09-CCAC Minutes Apr-19-2011 1 of 8 Revision: 7/20/2011
2 of 8 Revision: 7/20/2011

Governance Processes Update - Doug Margush, CMS

ITSO <Branch>

09-CCAC Minutes Apr-19-2011

0046

CCAC Meeting Minutes


Action Items: SOA and Data Architecture Update - Kumar Radhakrisnan, OCIO/EA/CTR

Date: 4/19/2011 Time: 9:00 10:30 AM Location: 502H Humphrey, Phone

Please review the Governance Process draft and provide comments and feedback before May 3rd Working on pulling necessary documents together Have been simultaneously working on the HHS Cloud Computing Strategy, trying to divide up time equally Will be going through documents from NIH Will provide an update by the end of the week Action Items:

Data Call - Jaspal Sagoo, CDC

No Action Items Data Call is almost complete Still waiting on HRSA and ACF Once the RFI is ratified, will reach out to these vendors and contracting offices Action Items: Please respond to the Data Call if your OPDIV has not already done so Were developing the tasks for the two groups now Will take the RFI to contract vehicles, work with the contract officers Reach out to vendors; they may come back asking additional clarifying questions End result should be a fairly clear, vetted list of vendors Required to have completed FedRAMP and submit rate cards for standard services Will still have to go through new procurement cycle Cannot exclude a vendor if they did not answer the RFI, if already have a contract with them Can get around this issue by issuing a BPA, but this path could limit options going forward Similar vendors may be on multiple contract vehicles Need to consider what meets the requirements as well as whats the path of least resistance. Action Items: Set up a conference call for the two workgroups Review initial RFI analysis from CIMS responses Still looking at completing all outstanding draft documents by the end of May Looks like there is sufficient governance to at least generate key milestones High level architecture to map out long-term Transition Plan Still in the May timeframe Once everything else is complete, 30 days later the Transition Plan should be complete Need to circle back to the HHS Cloud Computing Strategy Nothing has really been done yet on the CCAC side Shared Services and Cloud Computing Architecture is coming out from Scott Bernard (OMB) probably around June or July Will probably be akin to the LOB work that has been done in
3 of 8 Revision: 7/20/2011

Vendor RFIs and Analysis - Group 1: Michael Coene, FDA; Bernie Dailleboust & Mark Rives, IHS - Group 2: David Jenkins, James Fu, & Jim Tyson, ACF; Tim Erny, AHRQ; Sue Banning, AoA

Work Plan and Timeline Overview - Earl Baum, CDC

ITSO <Branch>

09-CCAC Minutes Apr-19-2011

0047

CCAC Meeting Minutes

Date: 4/19/2011 Time: 9:00 10:30 AM Location: 502H Humphrey, Phone

the past We are at a more detail level here Action Items: Wrap Up No Action Items Next Meeting May 3, 2011 9:00 10:30 AM Action Items: Please let Nicole know if you are having any issues accessing the documents on SharePoint Review the Action Item Tracker at the end of the minutes for accuracy and completeness

ITSO <Branch>

09-CCAC Minutes Apr-19-2011

4 of 8

Revision: 7/20/2011

Action Item Tracker:

2. Target Key Business Process Model
   Description: All top-level Cloud Service Processes; Cloud vendor service catalog/rate-sheet maintenance; Cloud alternative analysis; EPLC extensions - IT Infrastructure Critical Partner Role
   Owner/Lead: CDC; Date Assigned: 1/25/11
   Progress Notes: In Progress; Jay Burton will be providing the CISO viewpoint; Transition Plan still needs to be finalized; addressed as far as the Alternative Analysis draft document (just need review and approval)

3. Target Service Component Architecture
   Description: HHS Federated Data Architecture; HHS Federated SOA Catalog
   Owner/Lead: HHS EA; Date Assigned: 1/25/11
   Progress Notes: In Progress; timeline will be out by Mar 4; will be reaching out to NIH as soon as Transition Plan is finalized

4. Target Technical Architecture
   Description: Depends on input from the previous steps
   Owner/Lead: Unassigned; Date Assigned: 1/25/11
   Progress Notes: Not Started; dependent on Item 3

5. Transition Recommendation & Blueprint Document
   Description: Depends on input from the previous steps; in holding pattern; will need to divide the work up; Sequence Diagram and Milestones should be complete within 90 days, to feed into OMB 120-day guidance
   Owner/Lead: CDC, Terry Boyd; Date Assigned: 1/25/11
   Progress Notes: In Progress/Holding Pattern; initial drafts are being started, still need a lot of information

6. Guidance Development
   Description: Target Key Business Process Model: assigning who owns each process; define target business processes and their performance including organizational relationships; define target data relationships and business data stewards; define the target information services; ensure target business and information architecture addresses strategic improvement opportunities
   Owner/Lead: CDC?; Date Assigned: 1/25/11
   Progress Notes: In Progress; ties back to Item 2

7. Defined IT Infrastructure POC
   Description: Defined individual/group specific to IT infrastructure within each OPDIV who handles the alternative analysis; tie to existing EPLC process as well (recommended for HHS wide); identify consistent POC within each OPDIV
   Owner/Lead: Committee members need to talk to CTOs & CIOs; Date Assigned: 1/25/11; Date Due: Around 2/1/11
   Progress Notes: In Progress: Need to have POC for each OPDIV for coordination purposes; don't need to necessarily provide name to the CCAC

8. Requirements Definition/Gathering
   Description: Timeline for system; tie into EPLC documentation
   Owner/Lead: CDC?; Date Assigned: 1/25/11; Date Due: Around 2/1/11
   Progress Notes: In Progress

10. Data call for existing contract vehicles and vendors within the OPDIVs
   Description: Draft of this is in the Governance Document; data call went out (2/28/2011)
   Priority: High; Owner/Lead: Nicole DElia; Date Assigned: 1/25/11; Date Due: 3/25/11; Percent Complete: 75%
   Progress Notes: In Progress: As information comes back, will compile spreadsheet

12. Workgroup Timeline and Work Plan
   Description: Draft timeline, work assignments for each team; include any information needed from other workgroups; look for any gaps in information; be prepared to talk about your work plans
   Priority: High; Owner/Lead: Workgroup Leads; Date Assigned: 2/8/11; Date Due: 2/22/11; Percent Complete: 0%
   Progress Notes: In Progress: See Item 18

14. Market Vendor Question Template
   Description: Starter template of questions for vendors when they brief the CCAC
   Priority: Medium; Owner/Lead: Kumar Radhakrishnan; Date Assigned: 3/1/11; Percent Complete: 75%
   Progress Notes: In Progress; awaiting additional feedback from Earl & committee members; then similar questionnaires will be developed for PaaS and SaaS

18. Confirm Workgroup Timelines
   Description: Send email to Earl Baum to confirm the timeline for each workgroup
   Priority: High; Owner/Lead: Earl Baum; Date Assigned: 3/1/11
   Progress Notes: In Progress

24. Set up Market Vendor Presentations
   Description: Begin scheduling these vendor presentations
   Priority: Medium; Owner/Lead: Jaspal Sagoo/Earl Baum; Date Assigned: 3/22/11
   Progress Notes: In Progress

30. Vendor RFI Analysis
   Description: Two workgroups will be responsible for creating a baseline matrix of vendors, services, and rate cards
   Priority: High; Owner/Lead: RFI Analysis Workgroups; Date Assigned: 4/5/11
   Progress Notes: Need to set up conference call for the workgroups to discuss tasks that need to be completed

31. Governance Process Draft
   Description: Review Governance Process Draft and provide input/comments/questions/errors/omissions
   Priority: High; Owner/Lead: Committee Members; Date Assigned: 4/19/11; Date Due: Before 5/3/11

32. RFI Analysis from CIMS Contract Responses
   Description: Review the analysis on the CIMS contract vendor responses to the RFI document
   Priority: High; Owner/Lead: Committee Members; Date Assigned: 4/19/11; Date Due: 5/3/11

33. Action Item Tracker
   Description: Review Action Item Tracker at end of minutes for accuracy and completeness; send updates/corrections to Nicole
   Priority: High; Owner/Lead: Nicole DElia; Date Assigned: 4/19/11; Date Due: 5/3/11

Completed Action Items:

1. CCAC Minutes
   Description: Need to get minutes out on time for review; need to approve minutes as first order of business in future meetings
   Priority: High; Owner/Lead: Nicole DElia; Date Assigned: 1/25/11; Date Complete: 3/22/11; Percent Complete: 100%
   Progress Notes: Complete; this is now a regular part of the agenda

9. Document Templates for Alternative Analysis (HHS Cloud Computing Implementation and Governance Draft v0.1)
   Description: Read Alternative Analysis first draft and provide input/comments/questions/errors/omissions
   Priority: Medium; Owner/Lead: CDC?; Date Assigned: 1/25/11; Date Due: Around 2/1/11; Percent Complete: 100%
   Progress Notes: Complete

11. Feedback from CIO Council
   Description: Provide feedback from the CIO Council, updates on the document; submission to OMB on February 11th
   Priority: Medium; Owner/Lead: Jaspal Sagoo/Earl Baum; Date Assigned: 2/8/11; Date Due: 2/22/11; Percent Complete: 100%
   Progress Notes: Complete: See Item 16

13. CCAC Published Documents Tracker
   Description: Create tracker to log comments, feedback, and approval for each OPDIV for CCAC documents
   Priority: High; Owner/Lead: Nicole DElia; Date Assigned: 2/8/11; Date Due: 2/22/11; Date Complete: 3/1/11; Percent Complete: 100%
   Progress Notes: Complete

15. HHS Cloud Computing Implementation and Governance Draft v0.2.1
   Description: Read Alternative Analysis draft and provide input/comments/questions/errors/omissions
   Priority: High; Owner/Lead: Committee Members; Date Assigned: 3/1/11; Date Due: 3/4/11; Date Complete: 3/8/11; Percent Complete: 100%
   Progress Notes: Complete and posted to SharePoint

16. HHS Cloud Computing RFI Draft v0.1.2
   Description: Read RFI draft and provide input/comments/questions/errors/omissions
   Priority: High; Owner/Lead: Committee Members; Date Assigned: 3/1/11; Date Due: 3/4/11; Date Complete: 3/7/11; Percent Complete: 100%
   Progress Notes: Complete

17. HHS Cloud Computing RFI Draft v0.1.3
   Description: Read RFI draft and provide input/comments/feedback
   Priority: High; Owner/Lead: Committee Members; Date Assigned: 3/1/11; Date Due: 3/4/11; Date Complete: 3/7/11; Percent Complete: 100%
   Progress Notes: Complete: See Item 19

19. RACI Document Draft v 9
   Description: Read RACI drafts and provide input/comments/feedback
   Priority: High; Owner/Lead: Committee Members; Date Assigned: 3/22/11; Date Due: 3/29/11; Date Complete: 3/29/11; Percent Complete: 100%
   Progress Notes: Updates were made to the Document Comment Tracker on SharePoint

20. Role of an IT Infrastructure Critical Partner v0.9.8
   Description: Read Critical Partner draft and provide input/comments/feedback
   Priority: High; Owner/Lead: Committee Members; Date Assigned: 3/22/11; Date Due: 3/29/11; Date Complete: 3/29/11; Percent Complete: 100%
   Progress Notes: Updates were made to the Document Comment Tracker on SharePoint

21. CTO Council Comments on the Implementation and Governance Document
   Description: Review these comments and the Implementation and Governance document with your CISOs
   Priority: High; Owner/Lead: Committee Members; Date Assigned: 3/22/11; Date Due: 3/29/11; Date Complete: 3/29/11; Percent Complete: 100%
   Progress Notes: Updates were made to the Document Comment Tracker on SharePoint

22. Vendor Contact Information
   Description: Send contact information for any vendor representatives that you are already working with
   Priority: High; Owner/Lead: Committee Members; Date Assigned: 3/22/11; Date Due: 3/31/11; Date Complete: 4/1/11; Percent Complete: 100%
   Progress Notes: Received contact information from CMS

23. HHS Cloud Computing Information System Questionnaire v0.2.0
   Description: Read Questionnaire and provide input/comments/feedback
   Priority: High; Owner/Lead: Committee Members; Date Assigned: 4/4/11; Date Due: 4/8/11; Date Complete: 4/11/11; Percent Complete: 100%
   Progress Notes: Complete; updates were made to the Document Comment Tracker on SharePoint

25. (action item title not shown on the page)
   Priority: High; Date Assigned: 3/22/11; Percent Complete: 100%
   Progress Notes: Updates were made to the Document Comment Tracker on SharePoint

26. HHS Cloud Computing RFI Draft v0.1.3
   Description: Read RFI draft and provide input/comments/feedback
   Priority: High; Owner/Lead: Committee Members; Date Assigned: 4/4/11; Date Due: 4/8/11; Date Complete: 4/11/11; Percent Complete: 100%
   Progress Notes: Updates were made to the Document Comment Tracker on SharePoint

27. ITI CP RACI Draft v0.9.1
   Description: Read RACI drafts and provide input/comments/feedback
   Priority: High; Owner/Lead: Committee Members; Date Assigned: 4/4/11; Date Due: 4/8/11; Date Complete: 4/11/11; Percent Complete: 100%
   Progress Notes: Updates were made to the Document Comment Tracker on SharePoint

28. Role of an IT infrastructure Architecture Critical Partner v0.9.8
   Description: Read Critical Partner draft and provide input/comments/feedback
   Priority: High; Owner/Lead: Committee Members; Date Assigned: 4/4/11; Date Due: 4/8/11; Date Complete: 4/11/11; Percent Complete: 100%
   Progress Notes: Updates were made to the Document Comment Tracker on SharePoint

29. 3-22-2011 Meeting Minutes
   Description: Review meeting minutes and provide errors and omissions to Nicole
   Priority: High; Owner/Lead: Nicole DElia; Date Assigned: 4/5/11; Date Due: 4/19/11; Date Complete: 4/19/11; Percent Complete: 100%
   Progress Notes: Complete; minutes were approved on April 19th

CCAC Meeting Minutes

Date: 5/03/2011 Time: 9:00 - 10:30 AM Location: Phone

Attendees (member roster by office):
ACF: David Jenkins, Gary Cochran, James Fu, Jim Tyson
AHRQ: Tim Erny
AoA: Sue Banning
CDC: Jaspal Sagoo, Terry Boyd, Earl W. Baum, Michelle Hines, Jay Burton, Charles Martin, Ginny Howard
CMS: Sherry Wilke, Doug C. Margush, Daniel Lazenby, Don Bartley, Bryce Golwalla
FDA: Michael Coene
IHS: Bernie Dailleboust, Mark Rives, Chris Schiano
NIH: Steve Bailey, Adriane Burton, Darrick Akiyama, Debbie Bucci, Steve Thornton
OCIO: Timothy Mitchell
PSC: Dwayne Rollins, Ellen Vizzini
PSC/CTR: Ali Bilgrami, Denise Underwood
SAMHSA: James R. Walters
HHS/ASPA: Richard Stapleton, Craig Lafond
EA/OCIO/CTR: Kumar Radhakrishnan, Robert PattCorner, Brian Leitao

Facilitator: Nicole DElia, EA/OCIO/CTR
Recorder: Nicole DElia, EA/OCIO/CTR

Agenda & Notes

Welcome/Opening Remarks - Chair Jaspal Sagoo, CDC Chief Technology Officer (CTO)

Approval of 4-19-2011 Minutes - Jaspal Sagoo, CDC
- Minutes were approved from the April 19th meeting.
Action Items:
- Email Nicole if you have any questions/comments/errors/omissions for the minutes.

Alternative Analysis and Supporting Processes / CTO Council Update - Jaspal Sagoo, CDC
- The following four documents were approved by the CTO Council (by majority vote):
  - HHS Cloud Computing Information System Questionnaire v1.0
  - HHS Cloud Computing RFI v1.0
  - ITI CP RACI Draft v1.0
  - Role of an IT infrastructure Architecture Critical Partner v1.0
- They will be living documents, but we need to freeze them in time for now. Additional feedback and comments will be rolled into the next version of the documents.
- Process for amending approved documents was discussed at the last CTO Council meeting. More discussion and review is set to take place at the next meeting on May 17th.
- Not every document needs to go to a vote at the CTO Council, and not every document that goes for a vote at the CTO Council needs to then go to a vote by the CIO Council.
- It is important to get some of these CCAC documents approved by the CTO Council in order to formalize and operationalize our proposed processes.
- There are several new documents that will be ready to be posted to SharePoint shortly. Trying to get all documents into a single repository; trying to show where each document fits into the process as a whole.
Action Items:
- Post additional new documents to SharePoint when ready.
- CCAC members need to review these documents before the next meeting (5/17).

Governance Processes Update - Doug Margush, CMS
- Submitted Draft Governance Process/Workflow for comment.
- Still digesting the comments that have been received so far. Expect to merge comments into an updated diagram(s); goal is to complete this prior to the next meeting.
- This task may be too complex for swim lanes; maybe break this into two diagrams, separating operations from implementation?
- This process will feed into the governance body. CTO Council currently has out a data call on where this governance body should sit; don't know who will assume responsibility for this as of right now.
- We are still going to create the baseline analysis for this body to maintain going forward.
Action Items:
- No action items.

SOA and Data Architecture Update - Kumar Radhakrishnan, OCIO/EA/CTR
- Brian and Robert have been discussing the documents provided.
- Want to circle back with Mary Forbes regarding this; want to make sure we are moving in the same direction, all on the same page.
- Will provide an update by the end of the week.
Action Items:
- Provide an update to Jaspal & Earl on SOA by end of week.

Vendor RFIs and Analysis - Jaspal Sagoo, CDC (Workgroup members: Michael Coene, FDA; Bernie Dailleboust & Mark Rives, IHS; Gary Cochran, James Fu, & Jim Tyson, ACF; Sue Banning, AoA)
- Met with the sub-group yesterday; will have a follow-up meeting with them to further hone the scope of this workgroup.
- Several issues came up in our discussion yesterday, including the value of some of the proposed work to be done.
- Initial idea was to create an HHS catalog, an OPDIV catalog, and vendor information from GSA, but if the same vendor is on all three, we don't want duplicative effort.
- Also, an OPDIV may say no one else can use this vehicle.
- Still trying to fine tune this.
- Mixing IaaS, PaaS, and SaaS is hard on one RFI.
- Maybe we should focus on only HHS specific, non-commodity services (GSA focused on commodity services).
- This portion is the last piece of the puzzle; it could potentially cripple us. Nothing is off the table yet.
Action Items:
- Follow-up meeting with the workgroup for this task on Friday 5/6.
- Review initial RFI analysis from CIMS responses.

Work Plan and Timeline Overview - Earl Baum, CDC
- How long will it take to begin the operational process? May take longer than initially expected, especially regarding the RFI Analysis piece, based on yesterday's discussion (probably another 60-90 days); will depend on whether we use only GSA vendors.
- Existing work plan/timeline:
  - SOA: need to circle back with Mary Forbes first; will have an update by EOW. Logical design (scope/scale) piece and physical architecture piece. If we don't have a common data architecture, need to be able to translate between the different architectures.
  - Governance Processes: once we get this into more bite-sized pieces, can probably still get this completed by EOM (May). Governance body will inherit all of these processes.
  - Critical Partner Infrastructure role: approved by the CTO Council; still fine tuning language with EPLC partners, then needs to go through the formal process (EPLC change review board).
Action Items:
- No Action Items.

IBM Presentation on Cloud Offerings
- Overview of Cloud Offerings for the Federal Space.
- Ena Holmes, IBM representative to HHS (and Julie Hunter); Jim Wilcox, lead for Federal Data Center & Cloud Initiatives.
- IBM designed their Federal Community Cloud around FedRAMP, but since FedRAMP hasn't been finalized, they cannot be FedRAMP certified yet.
- Have two clouds for disaster recovery. Have tested a cloud outage: IBM switched a client over to another cloud in the same location. 2nd facility is still being constructed; once complete, will also test switching to the cloud in the other facility.
- Have a higher security private cloud; DOD is currently using this; it was more of a custom build.
- IBM has VPN capabilities if needed.
- For dedicated/single tenancy, have not had any issues with C&A so far; one client is ramping up to C&A in the next few months.
- Multi-tenancy: ensured virtual isolation between environments/clients when we designed the cloud (knew we would have to do this from a C&A perspective).
- Have taken a conservative approach to the NIST High standard; waiting for FedRAMP to be finalized.
- Can support almost any type of authentication in IaaS, including two-factor authentication for access and establishing a VPN connection.

Wrap Up
- Next Meeting: May 17, 2011, 9:00 - 10:30 AM
Action Items:
- Please let Nicole know if you are having any issues accessing the documents on SharePoint.
- Review the Action Item Tracker on SharePoint for accuracy and completeness, and send updates to Nicole.

ITSO <Branch> 10-CCAC Minutes May-03-2011 Revision: 7/20/2011

CCAC Meeting Minutes

Date: 5/17/2011 Time: 9:00 - 10:30 AM Location: 343F Humphrey Building, Phone

Attendees (member roster by office):
ACF: David Jenkins, Gary Cochran, James Fu, Jim Tyson
AHRQ: Tim Erny
AoA: Sue Banning
CDC: Jaspal Sagoo, Terry Boyd, Earl W. Baum, Michelle Hines, Jay Burton, Charles Martin, Ginny Howard
CMS: Sherry Wilke, Doug C. Margush, Daniel Lazenby, Don Bartley, Bryce Golwalla
FDA: Michael Coene
IHS: Bernie Dailleboust, Mark Rives, Chris Schiano
NIH: Steve Bailey, Adriane Burton, Darrick Akiyama, Debbie Bucci, Steve Thornton
OCIO: Timothy Mitchell, Mary Forbes
PSC: Dwayne Rollins
PSC/CTR: Ali Bilgrami, Denise Underwood
SAMHSA: James R. Walters
HHS/ASPA: Richard Stapleton, Craig Lafond
EA/OCIO/CTR: Kumar Radhakrishnan, Robert PattCorner, Brian Leitao

Facilitator: Nicole DElia, EA/OCIO/CTR
Recorder: Nicole DElia, EA/OCIO/CTR

Agenda & Notes

Welcome/Opening Remarks - Chair Jaspal Sagoo, CDC Chief Technology Officer (CTO)

Approval of 5-03-2011 Minutes - Jaspal Sagoo, CDC
- Minutes were approved from the May 3rd meeting.
Action Items:
- Email Nicole if you have any questions/comments/errors/omissions for the minutes.

Alternative Analysis and Supporting Processes / CTO Council Update - Jaspal Sagoo, CDC
- Just received NIH comments on the new CCAC CCAA documents which have been posted to SharePoint; will set up a separate call to discuss NIH comments/concerns.
- Amendments to the new documents will be made as necessary; please continue to send in comments.
- Will be going over these artifacts this afternoon; the artifacts are operational documents, so there will not be a CTO Council vote for them.
- IDEF0 green documents were approved by the CTO Council; the rest of the artifacts do not need a vote, just need to make sure everyone has reviewed them.
- These documents are intended to assist the organization that will be doing the Alternative Analysis. On the whole, they look pretty good; they have already undergone several iterations.
- Service provider analysis baseline from the vendor community (A1, Slide 5: Preliminary Cloud Alternatives Analysis/EPLC Concept Phase Stage Gate). Cloud Computing Recommendation Report feeds into A2 (Slide 5: Recommendation). There are several trigger points.
- For the operational process, we've given a step by step process (see Slide 6: Cloud First Alternatives Analysis).
Action Items:
- Set up a separate call with NIH to discuss their comments on the operational documents.
- CCAC members need to continue to review these documents.

Governance Processes Update - Doug Margush, CMS
- Submitted second Draft Governance Process/Workflow for comment.
- In this draft, tried to simplify the process down to 4 swim lanes. Did not add the 300s process. Hopefully we have retained all the necessary information.
- Might be able to simplify the process further because now we are limiting to the GSA vendors.
- Diagram covers major internal and external stakeholders.
- There are still gaps: some functions were identified in the governance documents, but it was unclear how they fit into the governance model; the governance document may need revision. Unclear input/output in some cases, unclear accountable functions.
Action Items:
- CMS needs to identify the unclear aspects within the governance and implementation document and provide citations to Jaspal and Earl.
- CCAC members need to review the new draft workflow and provide feedback by May 23rd.

SOA and Data Architecture Update - Kumar Radhakrishnan, OCIO/EA/CTR
- This topic was skipped for now; to be addressed later.
Action Items:
- No action items.

Vendor RFIs and Analysis - Jaspal Sagoo, CDC (Workgroup members: Michael Coene, FDA; Bernie Dailleboust & Mark Rives, IHS; Gary Cochran, James Fu, & Jim Tyson, ACF; Sue Banning, AoA)
- The sub-group has met several times.
- In order to get a usable product, we need this to not be too cumbersome.
- The group is going to concentrate on only the GSA vendors (FedRAMP process); this will make our life easier.
- C&A has to extend all the way to the cloud provider now.
- Looked at apps.gov for this information, but are trying to get a hold of the raw data so we can populate our matrix. Kumar will try to leverage his contacts at GSA in order to gain access to this raw data from GSA.
- We know that our RFI does work (demonstrated with our test case for the CIMS contract vendors). OPDIVs can certainly use this for their existing contract vehicles.
- The sub-group members do not need to involve their procurement people in populating the matrix; only need to involve procurement people if you are going ahead with your existing contract vehicles.
- A lot of our security questions in the RFI were modeled off of FedRAMP.
- Need to get buy-in from the CISO community to ensure a consistent approach to C&A.
- Sub-group needs to produce a baseline matrix using GSA vendors which includes standard rate cards.
Action Items:
- Need to schedule another sub-group call.
- Sub-group needs to produce a baseline matrix using GSA vendors which includes standard rate cards.

Work Plan and Timeline Overview - Earl Baum, CDC
- No major updates; waiting on the SOA and Data Architecture piece.
- Alternatives Analysis is up for presentation at the CTO Council today.
- Transition Plan is on hold for now.
Action Items:
- No Action Items.

Google Presentation on Cloud Offerings - Louis Simonen & Ian Kelly
- NIST moderate level controls encapsulate federal moderate data.
- Have set up a community cloud for federal customers. Google Apps for Gov is segregated for the government; data is stored on U.S. soil.
- Seamless transitioning to another data center if necessary.
- Identity management supports 2 factor authentication. Whatever system you currently use, you keep using; assert the authentication over to Google. Accept simul2.0; mutual SSO at least; can require 2 factor authentication for everything.
- Google platform will work on any accepted device that you allow.
- Google apps: the agency can control who does what/who has access to which apps. There is a standard set package of apps, certain pieces of which can be customized.
- Agency agrees to certain terms of service with Google; then agency users have to comply with the agency terms of service.
- Can assert an enterprise control layer over Google Docs which allows the agency to determine who can share the documents and to whom the documents can be distributed.
- Docs interoperate with Microsoft products; Google does not require people to use only Google client/apps.
- Platform: can create your own apps on our platform. Infrastructure: storage services, Google BigQuery, among others. PaaS and IaaS are not yet FISMA accredited, no firm timeline yet; pricing not on Schedule 70 yet.

Wrap Up
- Next Meeting: May 31, 2011, 9:00 - 10:30 AM
Action Items:
- Please let Nicole know if you are having any issues accessing the documents on SharePoint.
- Review the Action Item Tracker on SharePoint for accuracy and completeness, and send updates to Nicole.

ITSO <Branch> 11-CCAC Minutes May-17-2011 Revision: 7/20/2011

CCAC Meeting Minutes

Date: 5/31/2011 Time: 9:00 - 10:30 AM Location: Phone

Attendees (member roster by office):
ACF: Gary Cochran, James Fu, Jim Tyson
AHRQ: Tim Erny
AoA: Sue Banning
CDC: Jaspal Sagoo, Terry Boyd, Earl W. Baum, Michelle Hines, Jay Burton, Charles Martin, Ginny Howard
CMS: Sherry Wilke, Doug C. Margush, Daniel Lazenby, Don Bartley, Bryce Golwalla
FDA: Michael Coene
IHS: Bernie Dailleboust, Mark Rives, Chris Schiano
NIH: Steve Bailey, Adriane Burton, Darrick Akiyama, Debbie Bucci, Steve Thornton
OCIO: Mary Forbes, Timothy Mitchell, George Thomas
PSC: Dwayne Rollins
PSC/CTR: Ali Bilgrami, Denise Underwood
SAMHSA: James R. Walters
HHS/ASPA: Richard Stapleton, Craig Lafond
EA/OCIO/CTR: Kumar Radhakrishnan, Robert PattCorner, Brian Leitao

Facilitator: Nicole DElia, EA/OCIO/CTR
Recorder: Nicole DElia, EA/OCIO/CTR

Agenda & Notes

Welcome/Opening Remarks - Chair Jaspal Sagoo, CDC Chief Technology Officer (CTO)

Approval of 5-17-2011 Minutes - Jaspal Sagoo, CDC
- Minutes were approved from the May 17th meeting.
Action Items:
- Email Nicole if you have any questions/comments/errors/omissions for the minutes.

Alternative Analysis and Supporting Processes / CTO Council Update - Jaspal Sagoo, CDC
- Currently working on incorporating the NIH comments into the operational documents (CCAC CCAA documents).
- NIH comments have been posted to SharePoint in the Other Document Comments folder under the Documents for Review folder.
- As we receive further comments on these documents, will make changes as necessary; there will be additional iterations of these documents.
- Now there is a set process for amending documents that have been approved by the CTO Council, so if we need to make changes to any of the approved documents, we now have a process to follow.
- Tried simplifying the Alternatives Analysis process for our stakeholders. Will report back to the committee; will be working closely with Scott Cory in order to integrate the cloud Alternatives Analysis into the EPLC process and review it with the change control board.
- There were no questions on the artifacts which have been submitted so far.
Action Items:
- CCAC members need to continue to review the documents posted on SharePoint.

Governance Processes Update - Doug Margush, CMS
- No additional changes have been made to the diagram since the last meeting; waiting on more comments from the committee.
- Committee members need to provide comments and feedback so we can move this forward.
Action Items:
- CCAC members need to review the draft workflow and provide comments and feedback by June 7th.

SOA and Data Architecture Update - Kumar Radhakrishnan, OCIO/EA/CTR
- SOA: the CTO Council decided that there will be a separate workgroup for SOA; still gathering members for this workgroup now. Please communicate with your CTO if you would like to participate in the new workgroup. Hoping that several people from this workgroup will decide to participate in the SOA workgroup.
- Data Architecture will be taken up by the existing Data Architecture Work Group (DAWG). We will meet with the DAWG in order to bring them up to speed on what we have done so far.
Action Items:
- No action items.

Vendor RFIs and Analysis - Jaspal Sagoo, CDC (Workgroup members: Michael Coene, FDA; Bernie Dailleboust & Mark Rives, IHS; Gary Cochran, James Fu, & Jim Tyson, ACF; Sue Banning, AoA)
- Working on gathering the raw data from the GSA Schedule 70 vendors; trying to minimize the duplication of effort.
- Kumar is working on getting the raw data from GSA because the information posted on apps.gov is a bit complicated.
- Looking for IaaS information initially.
- Need to get this done fairly quickly; it has to be done before the subgroup can really move forward; need the data in order to populate our spreadsheets.
- Need to have our baseline complete before we can completely operationalize our processes and then begin to sunset this workgroup.
Action Items:
- Need to follow up with Kumar on the status of gathering raw data from GSA.
- Sub-group needs to produce a baseline matrix using GSA vendors which includes standard rate cards.

Work Plan and Timeline Overview - Earl Baum, CDC
- Transition Plan will be taken on by Mary Forbes' group going forward.
Action Items:
- No Action Items.

Wrap Up
- Please review the step-by-step Alternatives Analysis process (HHS Sequence for Conducting the Cloud First Alternative Analysis) and make sure you can actually follow it; send it to someone who will actually be doing the Alternatives Analysis; need to get feedback.
- Next Meeting: June 14, 2011, 9:00 - 10:30 AM
Action Items:
- Please let Nicole know if you are having any issues accessing the documents on SharePoint.
- Review the Action Item Tracker on SharePoint for accuracy and completeness, and send updates to Nicole.
- Review and provide feedback and comments on the following documents by COB June 7th:
  - HHS Sequence for Conducting the Cloud First Alternative Analysis
  - CCAC Governance Draft 2

ITSO <Branch> 12-CCAC Minutes May-31-2011 Revision: 7/20/2011


13--CCAC Minutes June-14-2011
CCAC Meeting Minutes
Date: 6/14/2011  Time: 9:00-10:30 AM  Location: Phone
Revision: 7/20/2011

Attendees:

Office         Member
ACF            Gary Cochran
ACF            James Fu
ACF            Jim Tyson
AHRQ           Tim Erny
AoA            Sue Banning
CDC            Jaspal Sagoo
CDC            Terry Boyd
CDC            Earl W. Baum
CMS            Sherry Wilke
CMS            Doug C. Margush
CMS            Daniel Lazenby
CMS            Don Bartley
CMS            Bryce Golwalla
FDA            Michael Coene
IHS            Bernie Dailleboust
IHS            Mark Rives
IHS            Chris Schiano
NIH            Steve Bailey
NIH            Adriane Burton
NIH            Darrick Akiyama
NIH            Debbie Bucci
NIH            Steve Thornton
OCIO           Mary Forbes
OCIO           Timothy Mitchell
OCIO           George Thomas
PSC            Dwayne Rollins
PSC/CTR        Ali Bilgrami
PSC/CTR        Denise Underwood
SAMHSA         James R. Walters
HHS/ASPA       Richard Stapleton
HHS/ASPA       Craig Lafond
EA/OCIO/CTR    Kumar Radhakrishnan
EA/OCIO/CTR    Robert PattCorner
EA/OCIO/CTR    Brian Leitao
CDC            Michelle Hines
CDC            Jay Burton
CDC            Charles Martin
CDC            Ginny Howard

Facilitator: Nicole D'Elia, EA/OCIO/CTR
Recorder: Nicole D'Elia, EA/OCIO/CTR

Agenda & Notes

Topic/Time/Lead: Welcome/Opening Remarks - Earl Baum, CDC

Topic/Time/Lead: Approval of 5-31-2011 Minutes - Earl Baum, CDC
Notes:
- No updates.
Action Items:
- Email Nicole if you have any questions/comments/errors/omissions for the minutes.

Topic/Time/Lead: Update on Cloud Governance, Security, and Procurement - Earl Baum, CDC
Notes:
- After the last CTO Council, there are three items still pending.
- Governance: HHS Governance for Cloud will reside somewhere in Mary's office, with representation from the OPDIVs and other necessary groups.
- Security: we have a formal request to accept 3rd party C&As. If we can't, this will be a major problem. This is the biggest open question at this point.
- Procurement: working off of the GSA schedule & apps.gov. This work still needs to be completed, but several issues have arisen. Once there is a BPA in place, then it won't have to be competed, unless there are multiple vendors that were awarded the BPA. Can't directly award a contract to a vendor on apps.gov. Each OPDIV will need to work with their procurement offices on this. We will provide some language based on GSA RFQs and a potential HHS-wide BPA. At least the applications on apps.gov have to be on the GSA schedule, which will narrow down the field, but vendors still need to compete for the contract. Talking about competing between 3 or 4 vendors vs. simply doing a task order.

Topic/Time/Lead: Wrap Up
Notes:
- Additional updates will be provided at the next meeting, 6/28/11. In summary:
  - Governance will reside in HHS EA, but will have representation from all necessary groups.
  - Security: working through CISOs on 3rd party C&A acceptance.
  - Procurement: can't use the GSA schedule for non-competed procurement. Pursuing BPA-type contracts at the HHS level. CDC will provide language to the OPDIVs so they can create their own BPAs.
- Next Meeting: June 28, 2011, 9:00-10:30 AM.
Action Items:
- Please let Nicole know if you are having any issues accessing the documents on SharePoint.
- Review the Action Item Tracker on SharePoint for accuracy and completeness, and send updates to Nicole.


RFI #OS64495

HHS Cloud Based E-Mail Services RFI

April 25, 2011

Table of Contents
Background (page 1)
Definitions (page 2)
How to Respond (page 4)
Request for Information (RFI) (page 5)
Service Overview (page 6)

Background

The Department of Health and Human Services (HHS) is required to perform an alternative analysis for each IT Investment or Initiative to determine whether it can or should be provided as a Cloud-Hosted service. The following guidance is excerpted from the report "State of Public Sector Cloud Computing," May 20, 2010, by Vivek Kundra, the Federal CIO:

Federal agencies are to deploy cloud computing solutions to improve the delivery of IT services, where the cloud computing solution has demonstrable benefits versus the status quo. Demonstrable benefits, in this context, are measured against the following standards:

Economical. Cloud computing is a pay-as-you-go approach to IT, in which a low initial investment is required to get going. Additional investment is incurred as system use increases, and costs can decrease if usage decreases. In this way, cash flows better match total system cost.

Flexible. IT departments that anticipate fluctuations in user load do not have to scramble to secure additional hardware and software. With cloud computing, they can add and subtract capacity as network load dictates, and pay only for what they use.

Rapid Implementation. Without the need to go through the procurement and certification processes, and with a near-limitless selection of services, tools, and features, cloud computing helps projects get off the ground in record time.

Consistent Service. Network outages can send an IT department scrambling for answers. Cloud computing can offer a higher level of service and reliability, and an immediate response to emergency situations.

Increased Effectiveness. Cloud computing frees the user from the finer details of IT system configuration and maintenance, enabling them to spend more time on mission-critical tasks and less time on IT operations and maintenance.

Energy Efficient. Because resources are pooled, each user community does not need to have its own dedicated IT infrastructure. Several groups can share computing resources, leading to higher utilization rates, fewer servers, and less energy consumption.

OMB Circular A-11 (OMB, 2010) defines Alternative Analysis as: An analysis of alternative approaches to addressing the performance objectives of an investment, performed prior to the initial decision to make an investment, and updated periodically as appropriate to capture changes in the context for an investment decision.


NOTE: This RFI is issued for data gathering and planning purposes only, DOES NOT constitute a solicitation, and is not to be construed as a commitment by the Government to issue a solicitation or award a contract. The Government will not reimburse any respondent for any cost associated with information submitted in response to this RFI. Any exchanges of information shall be consistent with procurement integrity requirements (see FAR 3.104). Responses to these notices are not offers and cannot be accepted by the Government to form a binding contract. The responses from this RFI may be used to assist the Government for technical or acquisition purposes.

Definitions:

a) Essential Characteristics

i) On-demand self-service. A consumer can unilaterally provision computing capabilities, such as server time and network storage, as needed automatically without requiring human interaction with each service's provider.

ii) Broad network access. Capabilities are available over the network and accessed through standard mechanisms that promote use by heterogeneous thin or thick client platforms (e.g., mobile phones, laptops, and PDAs).

iii) Resource pooling. The provider's computing resources are pooled to serve multiple consumers using a multi-tenant model, with different physical and virtual resources dynamically assigned and reassigned according to consumer demand. There is a sense of location independence in that the customer generally has no control or knowledge over the exact location of the provided resources but may be able to specify location at a higher level of abstraction (e.g., country, state, or datacenter). Examples of resources include storage, processing, memory, network bandwidth, and virtual machines.

iv) Rapid elasticity. Capabilities can be rapidly and elastically provisioned, in some cases automatically, to quickly scale out and rapidly released to quickly scale in. To the consumer, the capabilities available for provisioning often appear to be unlimited and can be purchased in any quantity at any time.

v) Measured Service. Cloud systems automatically control and optimize resource use by leveraging a metering capability at some level of abstraction appropriate to the type of service (e.g., storage, processing, bandwidth, and active user accounts). Resource usage can be monitored, controlled, and reported, providing transparency for both the provider and consumer of the utilized service.

b) Service Models:

i) Cloud Software as a Service (SaaS). The capability provided to the consumer is to use the provider's applications running on a cloud infrastructure. The applications are accessible from various client devices through a thin client interface such as a web browser (e.g., web-based email). The consumer does not manage or control the underlying cloud infrastructure, including network, servers, operating systems, storage, or even individual application capabilities, with the possible exception of limited user-specific application configuration settings.

ii) Cloud Platform as a Service (PaaS). The capability provided to the consumer is to deploy onto the cloud infrastructure consumer-created or acquired applications created using programming languages and tools supported by the provider. The consumer does not manage or control the underlying cloud infrastructure, including network, servers, operating systems, or storage, but has control over the deployed applications and possibly application hosting environment configurations.

iii) Cloud Infrastructure as a Service (IaaS). The capability provided to the consumer is to provision processing, storage, networks, and other fundamental computing resources where the consumer is able to deploy and run arbitrary software, which can include operating systems and applications. The consumer does not manage or control the underlying cloud infrastructure but has control over operating systems, storage, deployed applications, and possibly limited control of select networking components (e.g., host firewalls).

c) Deployment Models (all deployment models are in scope for this inquiry):

i) Private cloud. The cloud infrastructure is operated solely for an organization. It may be managed by the organization or a third party and may exist on premise or off premise.

ii) Community cloud. The cloud infrastructure is shared by several organizations and supports a specific community that has shared concerns (e.g., mission, security requirements, policy, and compliance considerations). It may be managed by the organizations or a third party and may exist on premise or off premise.

iii) Public cloud. The cloud infrastructure is made available to the general public or a large industry group and is owned by an organization selling cloud services.

iv) Hybrid cloud. The cloud infrastructure is a composition of two or more clouds (private, community, or public) that remain unique entities but are bound together by standardized or proprietary technology that enables data and application portability (e.g., cloud bursting for load-balancing between clouds).

How to Respond

Responses to this RFI shall not exceed one hundred (100) pages (including cover letter), using a 12-point fixed-pitch font such as Courier, and shall be sent via email to wendy.cruz@psc.hhs.gov no later than 9:00 AM EST on June 1, 2011. In outlining your company's response, please provide a cover letter which includes the following:

1. Primary Point of Contact
2. Address
3. Telephone Number
4. Fax Number
5. DUNS
6. E-mail address for POC
7. Number of years of corporate experience
8. Business Size
9. Primary type of service(s) provided
10. GSA Schedule, if applicable
11. Please be sure to reference RFI # OS64495 in the response

Service providers responding to this RFI should include current offering(s) for each Service and Deployment Model (as described above) available for consideration:

1. Business Model, Pricing Model, and Service Levels
2. Data Management
3. Information Security
4. Interoperability and Portability
5. Cloud Computing Services for IaaS, PaaS, and SaaS
6. Network Connectivity
7. Information Assurance Support
8. Certification and Accreditation Support
9. Application Migration
10. Cloud Operations and Maintenance
11. Service Support
12. Service Delivery
13. Provision of Fixed Datacenters
14. Provision of Mobile Datacenters
15. Computing Characteristics of Supported Environments
16. Operating Environment General Specifications
17. Directory Integration
18. Disaster Recovery (DR)

REQUEST FOR INFORMATION (RFI):

The US Department of Health and Human Services (HHS) requests responses to the Cloud Computing questions below from IT hosting service providers.

Table 1 - Questions related to Cloud Computing Characteristics

1. On-demand self-service
Definition: A consumer can unilaterally provision computing capabilities, such as server time and network storage, as needed automatically without requiring human interaction with each service's provider.
General Question: Does your organization provide the capability for the ordering activity to unilaterally (i.e. without vendor review or approval) provision services once the initial order has been submitted?

2. Ubiquitous network access
Definition: Capabilities are available over the network and accessed through standard mechanisms that promote use by heterogeneous thin or thick client platforms (e.g., mobile phones, laptops, and PDAs).
General Question: Does your organization support Internet access to the Infrastructure, Operating System, Application Server (middleware), and Software, depending on service model?

3. Location independent resource pooling
Definition: Capabilities can be rapidly and elastically provisioned, in some cases automatically, to quickly scale out and rapidly released to quickly scale in. To the consumer, the capabilities available for provisioning often appear to be unlimited and can be purchased in any quantity at any time.
General Question: Does your organization support provisioning of resources needed to deliver the PaaS and SaaS independently from the physical location of the facilities?

4. Rapid elasticity
Definition: Capabilities can be rapidly and elastically provisioned to quickly scale up and rapidly released to quickly scale down. To the consumer, the capabilities available for provisioning often appear to be infinite and can be purchased in any quantity at any time.
General Question: Does your organization provide support for service provisioning and deprovisioning (scale up/down) in near real-time?

5. Measured Service
Definition: Cloud systems automatically control and optimize resource use by leveraging a metering capability at some level of abstraction appropriate to the type of service (e.g., storage, processing, bandwidth, and active user accounts). Resource usage can be monitored, controlled, and reported, providing transparency for both the provider and consumer of the utilized service.
General Question: Does your organization provide visibility into service usage via dashboard or similar electronic means?

Service Overview

1) Please address the following Business Model, Pricing Model and Service Level Agreement (SLA) questions:

i) What is the scope and nature of your IaaS, PaaS, and SaaS offerings, including computing as-a-service, file storage as-a-service, and associated administration capabilities for the production environment? Please identify and explain. Platform-as-a-service or application sandboxing for development and test purposes may be submitted as an appendix to the response.

ii) Describe in general terms your IaaS, PaaS, and SaaS pricing model as it relates to CPU, memory, storage, bandwidth, data transfer capacity, and other relevant pricing.

iii) Describe your capability to offer hosting services, including any capabilities for server provisioning, preconfigured system images and application stacks, management, operating system patching, security software, and other managed services.

iv) Describe the standard SLAs, if any, that are included in your cloud computing service offerings. Please detail SLAs on the overall service as well as SLAs for the specific customer instances in use, such as a given virtual server, storage volume, or other service unit. Do you offer the flexibility of negotiated customer-specific SLAs or only fixed offerings?

v) Please provide past performance information, to include recent and relevant contracts for the same or similar items and other references (including contract numbers, points of contact with telephone numbers and other relevant information).

vi) Describe how you will meet the following constraints and requirements:

(1) Operations are worldwide and as such the system must be available 24x7x365. Normal North-American business hours are Monday through Friday 6am to 9pm Eastern Time. System shall support 24x7 operations.
(2) The Agency uses a centralized work and trouble/problem ticket tracking system (e.g. HP Service Center). This system helps to ensure work is tracked and assigned to the appropriate work team or group. It is highly encouraged that the contractor uses this system. If the contractor chooses not to use this system, they shall provide the necessary automation technology to interface and integrate with the system for the purpose of taking feeds from and providing feeds into the ticketing system. Manual processes instead of automation (manually entering and updating tickets) by the government staff are not acceptable.
(3) The solution shall have the ability to be branded and customized per OPDIV.
(4) Uptime shall be 99.99% or greater for all components, services and functions. The cloud based e-mail system will have high availability.
(5) The system shall support 150,000 mailboxes.
(6) SLA for full restoration of an accidentally deleted mailbox, including content, permissions and access, shall be 1 hour.
(7) SLA for restore of a mailbox, mailbox folder or item within a mailbox shall be 1 day.
(8) Response time for viewing free/busy data shall be 30 seconds or less on average.
(9) 99% of message delivery between mailboxes within HHS shall complete within 2 minutes (Vendor shall support but not require client side copies of the mailbox).
(10) HHS provides email services for associated organizations (e.g. Indian Health, Alaskan Native and other urban hospitals). HHS also hosts domains such as foodsafety.gov that require email accounts within that domain. Many HHS Opdivs have legacy domains (e.g. nih.gov, cder.fda.gov) that must accept mail. In addition to the *.hhs.gov domain, the system shall provide e-mail services for a list of additional domains as provided by HHS.
(11) The system shall support at a minimum the following languages: English, Spanish, French, Russian, German, Arabic, Hindi/Urdu, Portuguese, Bengali, Japanese & Mandarin.
(12) System shall be section 508 compliant.

2) Data Management:

i) Who owns the Intellectual Property for artifacts developed in or hosted in your cloud?

ii) Can you guarantee that, when required by the specific application, data will remain within the continental United States, both in transit and at rest? If so, how?

iii) Describe your roles and responsibilities regarding data ownership, e.g. logging data.

iv) Describe your method for getting the customer's data back in-house, either on demand or in case of contract termination for any reason.

v) Describe your handling of data isolation, data recovery and handling/security of data at rest and in transit.

vi) How would you handle data remnants left in memory after a system failure or disorderly system shutdown?

vii) Describe your system sanitization process (including disaster recovery systems) to ensure no residual data exists on systems after the contract ends.

viii) Describe how you will meet the following constraints and requirements:

(1) Backups shall be retained for 2 weeks (exception: Monthly Backup).
(2) System shall support single item restore at user/customer request.
(3) Backups shall be maintained for more than 2 weeks when required by an eDiscovery mandate.
(4) The solution shall include an e-discovery (search and retrieval) capability across archived and active files, which can be executed by select employees as part of their administrator rights across all accounts.
(5) The system shall be designed to scale and accommodate exchange storage assuming a growth of 20% per year in actual usage. This storage shall be included in the initial design and installation and not added later.
(6) Deleted items recovery period shall be 30 days or more.
(7) Deleted mailbox recovery period shall be 30 days or more.
(8) The default mailbox storage limit shall be 1GB before the user is prohibited from sending mail, and 1.5GB before the mailbox is prohibited from receiving mail. These limits should be configurable by OPDIV.
(9) Near-line storage shall allow users to retain mailboxes of unlimited size.

(10) To accommodate special or unique situations (such as a high influx of messages and attachments due to a crisis data call), the system shall allow storage limit increases beyond the standard without impact to the user.
(11) The solution shall include the ability, upon request, to create a repository for all data and files without affecting the ability of the individual user to manage their data or files. Effectively, an immutable copy of the account is maintained while the individual continues to function normally.

3) Information Security:

i) Describe your security architecture around the cloud services that you provide, including Open Systems Interoperability layers 1-4.

ii) Please provide an overview of your methods to limit data dispersal to unauthorized entities. Please explain how you provide both physical and logical security in a shared tenant environment.

iii) Describe your approach to addressing IT security challenges in cloud computing, in particular dealing with hacker attacks, the potential for unauthorized access, and inappropriate use of proprietary data and IT applications. What are your processes and solutions for preventing these challenges from occurring?

iv) Describe the cloud computing authentication models that you think would be most effective for Government administrative use.

v) Describe how your service offering could enable eDiscovery, forensic analysis, auditability, and other similar governance requirements.

vi) What approaches for encryption key management do you support? Describe how you manage them.

vii) What specific expertise does your organization possess with regard to Information, System, Data and Physical Security incident response?

Describe how you will meet the following Constraints/Requirements:

(1) The system shall support a FISMA High categorization.
(2) The anti-spam solution shall have the ability to allow each opdiv to define policies and control the level of spam filtering.
(3) The anti-spam solution shall allow each opdiv to control the whitelists and blacklists, since each will have unique situations that require specific content to be allowed or blocked.
(4) The anti-spam solution shall allow each opdiv to access the quarantine to release their OPDIV's content.
(5) The anti-spam solution shall allow only designated administrators for that opdiv to access the quarantine for that opdiv. Administrators for other opdivs shall not be allowed to access other quarantines, as these may be holding sensitive or proprietary information.
(6) The system shall use multi-tiered anti-virus protection and multiple scanning engines.
(7) Real-time virus scanning shall be used.
(8) The system shall provide filtering by attachment type during virus scanning to prevent access to attachments security has deemed unsafe, harmful or malicious. HHS will provide a minimum set of extensions to block.
(9) Virus checking and handling shall be performed at the SMTP Exchange Hubs as well as the mailbox servers, for data in transit and at rest. The system shall provide virus scanning of inbound and outbound email.
(10) Virus and file filtering notifications shall be customized to notify internal users that a virus or file (as appropriate) has been identified and intercepted, that the message, attachment or file was quarantined, and include instructions for how to recover the message or file if they feel the message was removed in error.
(11) The email solution shall provide malware filtering and associated reporting of events.
(12) Virus notifications shall not be delivered outside of HHS (configurable by OPDIV).
(13) The system shall provide SPAM filtering and scanning for inbound and outbound email.
(14) The system shall provide a white list capability to allow items flagged as SPAM to pass.
(15) The system shall block email received from specific domains as identified by HHS.
(16) New virus and SPAM filtering patterns and profiles shall be obtained and implemented automatically. These shall be applied within 6 hours of release on a regular basis, and within 2 hours when these are released outside the normal schedule by vendors in order to remedy or protect against a high-risk threat. (SLA)
(17) System will not require daily management to provide effective filtering.
(18) The system shall implement security measures to prevent attachments viewed or accessed via the web interface from remaining on client machines in a browser cache.
(19) The system shall implement features that prevent the user from browsing away from the mail system before logging out.
(20) Web-based access to email shall always be from the Agency networks. Web access to email shall not be direct from the internet to the mail system; i.e., if the mail system is not hosted on an Agency network behind Agency firewalls, an authenticated and secure connection must first be made to the Agency network, then a connection from the network to the mail system can be made. This is necessary so that appropriate security monitoring and intrusion detection can be performed. This feature is configured on a per-OPDIV basis.
(21) Any user web interface allowing access from outside of an HHS network shall authenticate with HHS-standard (currently RSA tokens) 2-factor authentication before allowing remote access to email; internal users shall only need their standard PIV-based domain authentication for access.
(22) Any administrative web interface shall be authenticated using HHS-standard (currently RSA tokens) 2-factor authentication before allowing access, regardless of where the administrator accesses the system from (e.g. from an HHS network or the Internet).
(23) Any person performing administration or operations shall have their own account; accounts shall not be shared.
(24) Administrative accounts shall be used only for administration purposes and not for user-level access and work.


RFI #OS64495 (25) Describe how you will manage separation of e-mail system administrators duties in reference to the management of other cloud subscribers systems. (26) Administrative accounts shall not have a mailbox unless approved by security. Standard user accounts will be assigned to administrators for non-administrative network access. (27) All personnel performing work shall have a Public Trust level 5 or higher security clearance (28) Contractor shall provide HHS with notification of physical and network related security violations within 30 minutes of the detection of the violation. (29) The solution shall be kept current throughout the performance period. Updates, patches, and maintenance must be communicated to the administrative staff before implementation and may be refused if deemed unnecessary or disruptive. (30) Any person performing work without an assigned and security-cleared account shall be escorted and supervised and all work shall be observed at all times. (30) Contractor shall test and apply all security patches from vendors within 12 hours for patches deemed critical to operations (32) Permissions for people and service account shall follow the principal of least privilege (only the minimum number of privileges necessary) (33) IM traffic shall be scanned for viruses (34) Backup and Media storage: containers used to store media with data written (onsite or off-site) shall be stored in a secure & environmentally controlled vault facility. These containers shall have the following features and characteristics a. Containers must be lockable/latch securable; lock should not be removable from the container. b. Containers must be labeled, externally, with a unique serial number c. Containers must support Storage media formats used in the backup system as well as Paper/Notebook documents related to backup and recovery. 
(35) Daily Backups shall be placed in a Local off-site storage: Distance of storage facility away from the datacenter: 40 miles or more (36) Monthly backups shall be placed in an Extended Distance off-site storage: Distance of storage facility (for special/disaster recovery purposes) from the data center: 100 miles or more (37) Off-site media storage facilities shall meet or exceed the following DOD Storage Standards a. Industrial Security manual for safeguarding Classified Information (DOD5220.22M) (38) Shall meet the following industrial fire and intrusion ratings for storage vaults: (a) Dept. of Defense criteria for vault construction for the storage of classified data media. (b) National Bureau of Standards technical note 735 for the magnetic security protection of vaults. Vaults lined in .20 gauge steel.


(c) Underwriters Laboratories: all equipment and materials used in the construction of the vaults, fire alarm system, intrusion system, Halon system and the back-up power generator are U.L. approved.
(d) ANSI/NFPA Standard 232, for the fuel fire load outside the vault area and for some construction specifications of the vault.
(e) ANSI/NFPA Standard 80, for the installation of all fire doors and fire dampers to the vault.
(f) ANSI/NFPA Standard 72, for the use and installation of automatic fire detectors.
(g) ANSI/NFPA Standard 12A, for the use and installation of the Halon fire suppression systems.
(h) ANSI/NFPA Standard 90A, for the type of fire protection systems and air-conditioning systems installed in the facility.
(i) ANSI/NFPA Standard 72, for the alarm signaling system and hook-up to an alarm monitoring company.
(j) ANSI/NFPA Standard 110, for Level Two of the emergency back-up power system.
(k) NBS Special Publication 500-101, for the care and handling of all computer magnetic media.
(l) The solution shall maintain version control.

4) Interoperability and Portability:
i) Does your cloud infrastructure support both cloud-to-cloud and cloud-to-subscriber communication and ensure interoperability of cloud solutions?
ii) Describe the capability and interoperability to mix multiple cloud computing service models offered by your organization, if any, or by other service providers.
iii) Describe the tools supported by your organization for integrating with other service providers and the subscriber's internal infrastructure in terms of interfacing, monitoring and managing multiple cloud computing services.
iv) Do your PaaS and SaaS cloud computing services support portability, i.e. an exit strategy for applications running in your cloud, should it be necessary to vacate?
v) Do your organization's business, implementation and operation models and practices include safeguards to prevent service provider lock-in?

5) Cloud Computing Services for IaaS, PaaS, and SaaS
i) Does your organization offer professional consulting services to assist with planning and migration of existing applications from their current on-premise hosting environments to a cloud computing environment?
ii) Does your organization adhere to current NIST, FISMA, and FedRAMP security compliance mandates and policy?
iii) Does your organization offer expertise in Computer Security Incident Response?
iv) Does your organization have an established methodology and associated procedures for coordinating provider and subscriber Computer Security Incident Response teams?

6) Network Connectivity
i) Describe the core components of ensuring availability from your perspective (e.g. number of locations, number of locations at Internet Exchange Points (IXPs)).
ii) Is your organization's data center Border Gateway Protocol (BGP) peered?
iii) Is your organization's data center network dual-homed? If so, with whom?
iv) Are your network configurations able to prioritize customer traffic?
v) Please describe your system for IPv6 address assignment and persistence in a virtual environment.
vi) How does the IETF and IANA expected allocation, use, and routing of IPv6 addresses complement or conflict with your approach to IPv6 address management?
vii) What is your level of support for full IPv6 capabilities, especially in the network, in Domain Name System (DNS), storage, and any operating systems that you provide? Please detail any capabilities that are not fully IPv6 compliant.
viii) Please identify which ports are allowed or accessible through your infrastructure (e.g. 25, 80, 139, and 443) and which we might assume would be blocked. Are there any unique ports or API calls required?
ix) Describe your IP management in a virtual environment. Can you provide renewal capabilities, including level of support for static IP addressing?
x) Describe how your organization manages domain controllers in a Demilitarized Zone (DMZ).
xi) Can your organization demonstrate the capability to enable TIC inspection, and intrusion prevention, of data between government and non-government co-tenant entities? This includes both external network connections and internal cloud communications with non-government entities.
xii) Do your organization's IaaS service offerings include Top Level Data Network Architecture (TDNLA) routing, switching devices, and IDS/IPS, or alternative connectivity allowing use of an existing TLA stack which will be operated by the Government?
xiii) Describe how penetration testing and source code analysis are performed in a cloud environment.
xiv) Describe how you will meet the following Constraints/Requirements:
(1) The solution shall not be limited to access via a single browser. The solution shall be accessible via web browsers on both PCs and mobile devices. Supported browsers shall include (but not be limited to) Internet Explorer 6.x and later, Safari 4.x and later, and Firefox 3.x and later.
(2) The system shall support Enhanced SMTP TLS security.
(3) The system shall use TLS for SMTP transport beyond the HHS perimeter when both sender and receiver are capable.


(4) Web access shall be over a Secure Sockets Layer (SSL)/Transport Layer Security (TLS) session supporting FIPS 140-2 encryption. The solution shall provide the capability for all traffic to be over an SSL/TLS session supporting FIPS 140-2 encryption.
(5) The system shall support SMTP relays limited to approved IP addresses, IP scopes, or approved sender accounts.
(6) For SMTP relays not identified by IP, the system shall only allow relay if the sender is authenticated AND included in a security group of approved senders.
(7) All SMTP transport points (Exchange, Tumbleweed and IronPort) shall have enough queue space to accommodate at least 72 hours of queued mail if the next destination is not available to receive.
(8) Delivery timeouts shall be 72 hours for standard and low priority messages and 24 hours for high priority messages.
(9) The system shall maintain a separate SMTP log for relays.
(10) The system shall maintain SMTP logs for 30 days or more.
(11) Message tracking logs shall be maintained for 30 days or more.
(12) Provide secure communications between clients and e-mail systems.
(13) The solution shall be accessible via multiple ISPs to prevent performance degradation or outage if one or more ISPs' service is unavailable.
(14) Shall support TTY/TDD.
7) Information Assurance Support
i) Does your organization provide Information Assurance assistance to help customers secure their applications through application of current OMB and FISMA Information Assurance mandates and NIST recommendations?
ii) Does your organization and service offering currently comply with all operational and Information Assurance guidance published by the Federal Risk and Authorization Management Program (FedRAMP)?
8) Certification and Accreditation Support:
i) What is the level of FedRAMP certification for your offering?
ii) Does your offering include the ability to add or modify existing security controls when needed to meet HHS-specific security requirements?
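As an added illustration of how relay requirements (5), (6) and (9) of section 6) xiv) fit together (example code written for this page, not part of the RFI or any vendor's product), the function below makes the relay decision for one SMTP transaction: a recipient outside the local domains is a relay; a relay is accepted when the client IP falls inside an approved scope, otherwise only when the session is SASL-authenticated AND the authenticated identity is in the approved-senders group. The domain, IP scopes, group members and log format are constructed for the example, and the extra check that MAIL FROM matches the authenticated identity is an addition the RFI text does not state.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# All policy data below is constructed for this example (hypothetical domain,
# scopes and group); a deployment would load it from the mail system's
# configuration or from AD group membership.
LOCAL_DOMAINS = {"example.hhs.gov"}
APPROVED_RELAY_SCOPES = [
    ipaddress.ip_network("10.20.0.0/16"),   # hypothetical internal app-server scope
    ipaddress.ip_network("192.0.2.25/32"),  # hypothetical single approved appliance
]
APPROVED_SENDERS_GROUP = {                  # stands in for an AD security group
    "svc-ticketing@example.hhs.gov",
    "alerts@example.hhs.gov",
}


@dataclass
class RelayRequest:
    client_ip: str
    mail_from: str
    rcpt_to: str
    authenticated_as: Optional[str] = None  # SASL identity; None if the session is anonymous


def is_relay(req: RelayRequest) -> bool:
    """Delivery to a local domain is not relaying; anything else is."""
    domain = req.rcpt_to.rsplit("@", 1)[-1].lower()
    return domain not in LOCAL_DOMAINS


def relay_decision(req: RelayRequest) -> Tuple[bool, str]:
    """Apply requirements (5) and (6): return (accept, reason)."""
    if not is_relay(req):
        return True, "local delivery, not a relay"
    try:
        ip = ipaddress.ip_address(req.client_ip)
    except ValueError:
        return False, "unparseable client IP"
    # (5): IP-identified relay sources need no further authentication.
    for scope in APPROVED_RELAY_SCOPES:
        if ip in scope:
            return True, f"client {ip} within approved scope {scope}"
    # (6): everything else must be authenticated AND in the approved group.
    if req.authenticated_as is None:
        return False, "unauthenticated relay from unapproved IP"
    ident = req.authenticated_as.lower()
    if ident not in APPROVED_SENDERS_GROUP:
        return False, f"{ident} authenticated but not in approved-senders group"
    # Added check (not in the RFI text): an approved account may not spoof MAIL FROM.
    if req.mail_from.lower() != ident:
        return False, "MAIL FROM does not match authenticated identity"
    return True, f"authenticated approved sender {ident}"


def relay_log_line(req: RelayRequest, accepted: bool, reason: str) -> str:
    """One line for the separate relay log required by (9); the format is constructed."""
    verdict = "ACCEPT" if accepted else "REJECT"
    auth = req.authenticated_as or "-"
    return (f'relay {verdict} ip={req.client_ip} auth={auth} '
            f'from={req.mail_from} to={req.rcpt_to} reason="{reason}"')


if __name__ == "__main__":
    samples = [  # constructed transactions
        RelayRequest("10.20.5.7", "app@example.hhs.gov", "partner@example.org"),
        RelayRequest("203.0.113.9", "anyone@example.org", "victim@example.net"),
        RelayRequest("203.0.113.9", "alerts@example.hhs.gov", "oncall@example.net",
                     authenticated_as="alerts@example.hhs.gov"),
    ]
    for r in samples:
        ok, why = relay_decision(r)
        print(relay_log_line(r, ok, why))
```

The second sample is the open-relay attempt the two requirements are meant to stop: an external client with no authentication asking to deliver to another external domain. Keeping the reason string in the relay log line is what makes the 30-day log in (10) useful to an incident responder.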
9) Application Migration
i) Does your organization provide assistance in planning, scheduling, coordination and implementation/migration of applications to the IaaS, PaaS, and SaaS cloud computing environment?
ii) Describe how you will meet the following Constraints/Requirements:
(1) Microsoft Exchange versions 2003 and above are used at HHS and must be migrated if a different solution is chosen. (Note: most of HHS is using Exchange 2007 or 2010, but some legacy 2003 is still in use.)
(2) The migration shall be done so that no data is lost.
(3) The user/mailbox migration shall be done so that users are migrated in stages/phases (not all at one time). HHS has successfully used strategies of upgrading and migrating based on Business-Unit, Building and Office groupings to minimize disruption of users and impact to the call center and Tier 1 and 2 support. Information needed to determine these groupings is available in the Active Directory/GAL and will be available after award should it be needed to refine the migration plan.
(4) The user/mailbox migration shall be done so that the call center and support staff are not overwhelmed by trouble or information calls resulting from a large number of migrations occurring at the same time.
(5) Any actions requiring desktop visits (such as, but not limited to, support for assisting users with BlackBerry reconnection) shall be the responsibility of the contractor's migration team.
(6) The user/mailbox migration shall take place after normal business hours to the extent possible to prevent disruption of work.
(7) Any work requiring user action must be planned well in advance of need (usually 3-4 months) to allow adequate time for integration of tasks into the daily business work, user task training, troubleshooting etc.
(8) Training for end-users, helpdesk and support technicians and administrators shall be provided.
(9) The solution shall be capable of exporting data into a recognized open data format upon termination of service. The solution shall allow for the testing of this feature for a limited percentage of accounts on a periodic basis. The solution shall also provide assurance of permanent deletion of all the data after migration.
(10) [Draft note] Migration from archives, not just Exchange, needs to be included. E.g. FDA uses EMC SourceOne; data in EMC SourceOne needs to be migrated as well, not just what is in-mailbox.
(11) PSTs shall be supported or migrated.

10) Cloud Operations and Maintenance
i) What controls are in place for administrative access, both internal to your company and for administrative access from government clients? Please include discussion of administrator controls over provisioning.
ii) Provide a list of all third party service providers, their roles and responsibilities, and their interfaces to your organization's cloud service offering.
iii) Does your organization offer Virtual Operating Environments?
iv) Describe how you manage remote administration for provisioning and Virtual Machine (VM) access.
v) Does your organization offer Physical Operating Environments?
vi) What types and combinations of CPU processors, virtualization formats, and operating systems are supported by your service?
vii) Does your organization provide assistance with capacity planning and forecasting/trending for growth?
viii) Does your organization offer/perform configuration and management of customized servers, storage, security and networking devices with PaaS and SaaS?
ix) How often does your organization perform technology refresh?
x) Does your organization perform hardware lifecycle management?
xi) Does your organization perform end-of-life planning for hardware and software to mitigate obsolete software versions, support and hardware technology?
xii) Does your organization provide assistance with Disaster Recovery and Business Continuity planning and execution services?
xiii) Does your organization perform or provide assistance with application analysis in the PaaS and SaaS environment?
xiv) Does your organization provide assistance with security design and configuration services?
xv) Can your organization demonstrate the ability of PaaS and SaaS environments to be interoperable with HHS identification, authentication, and authorization mechanisms?
xvi) Does your organization support the Security Assertion Markup Language (SAML)?
xvii) What other certifications and compliance standards do you support, have third party certification for, or comply with, such as HIPAA, PCI, and SAS 70?
xviii) Does your organization provide or support DNSSEC?
xix) Can your organization demonstrate the ability to perform vulnerability and incident management?
xx) Can your organization demonstrate the ability to perform system administration and monitoring services, including the provision of appropriate access to technical security controls and associated logs by HHS Information Security staff?
xxi) What does your organization consider to be critical success factors and key performance indicators, and how do you measure them relative to IT Service Management (Service Support and Service Delivery)?
xxii) Does your organization provide to the subscriber data center and application availability management, performance, and utilization reports? (Daily, Weekly, Monthly, Annually, RT, Custom)
xxiii) Does your organization provide to the system owner maintenance of network uptime and a network availability guarantee per Mission Assurance Category (MAC) level?
xxiv) Does your organization provide to the end user network application performance and utilization reporting? (Daily, Weekly, Monthly, Annually, RT, Custom)
xxv) Does your organization provide assistance with administration, management, and troubleshooting of systems and infrastructure in the IaaS and PaaS environment?
xxvi) Does your organization provide real-time notification of exception reporting from IaaS, PaaS, and SaaS operating environments?
xxvii) Are technology refresh, upgrade and patching in the service provider software and infrastructure transparent to the stack layers above, end users and system owners?
11) Service Support
i) Does your organization maintain any industry certification standards such as ITIL, ISO 20000, and/or CMMI?
ii) Does your organization implement processes to maintain effective levels of patch management on the Operating Systems, VMs and/or hypervisors in an open virtualization environment?
iii) Describe your handling of potential availability issues such as significant cloud computing outage, high network load or insufficient bandwidth access. What is your


mitigation strategy in case of potential network outages, bandwidth shortages, or spikes in service demand?
iv) Does your organization operate a trouble ticketing system, and does the subscriber have access to the system? If so, at what level?
v) What level of automatic alerting can you provide to our support staff in the event of failure, degraded service, or exceeded planned utilization?
vi) Does your organization perform formal and recognized Service Desk / Service Request Management practices?
vii) Does your organization implement formal and recognized Incident Management practices?
viii) Does your organization perform formal and recognized Problem Management practices?
ix) Does your organization perform formal and recognized Change Management practices?
x) Does your organization perform formal and recognized Release Management practices?
xi) Does your organization perform formal and recognized Configuration Management practices?
xii) Describe how you will meet the following Constraints/Requirements:
(1) Monitoring and reporting must integrate and up-link with the Manager of Managers so that system status is updated on dashboards used by the IT and Agency leadership.
(2) Specific Tier 1 and Tier 2 helpdesk/support personnel shall be delegated rights to perform operations such as mail account password resets, limited and short-duration quota increases, remote handheld password reset, remote lock, remote wipe, and establishing enterprise activation passwords. (An example of where and how these types of functions and access have been achieved in the current system is via the BlackBerry/RIM administration delegation groups: rim_db_admin_jr_helpdesk and rim_db_admin_sr_helpdesk.)
(3) BlackBerries are used extensively for remote access to email. HHS requires 2 of its staff from each OpDiv (12 people) to be added to the allowed caller list for RIM T-Support in addition to any needed by the Contractor. This is required so that the Support and Engineering teams may access and leverage RIM Support such as downloads, knowledge base and telephone access to RIM technical experts without having to acquire a separate support agreement.
(4) Continue to provide detailed mailbox billing reports, including optional features such as BlackBerry support, on a per-Area basis.
(5) The solution shall have a Federal Information Processing Standard (FIPS) 140-2 compliant synchronization interface to the HHS BlackBerry Enterprise Server (BES) to support the synchronization of emails, calendars, contacts, journals, folders, memos, etc.
(6) The solution shall provide the ability for authorized administrators to add, delete, disable or modify BlackBerry accounts on demand.
(7) The solution shall provide some administrative functions via a Web Interface. These include provisioning/de-provisioning of users, account creation, alias and

mailing list creation/management, mailbox and email size constraints, and end-user feature management.
(8) The solution shall provide the ability for HHS technical staff to automate common tasks. It will also provide an interface to allow for bulk changes to objects including Contacts, Mailboxes, etc. (i.e. a scripting interface).
12) Service Delivery
i) Does your organization perform formal and recognized Service Level Management and Reporting practices?
ii) Does your organization perform formal and recognized Capacity Management practices?
iii) Does your organization perform formal and recognized Service Continuity Management practices?
iv) Does your organization perform formal and recognized Availability Management practices?
v) Does your organization perform formal and recognized Security Management practices?
vi) Does your organization perform formal and recognized Infrastructure Management practices?
13) Provision of Fixed Datacenters
i) Does your organization provide, maintain, operate, and support fixed datacenters, supplying virtualized resource capacity?
ii) Does your organization perform fixed data center management tasks that may include datacenter maintenance, power, HVAC, and/or any aspects of physical plant necessary for operation of a fixed data center? Sub-contracted/Partnership?
iii) Do the fixed data center facilities have appropriate physical and environmental security measures to ensure compliance with OMB, FISMA, NIST, and FedRAMP mandates and requirements?
iv) Does your organization provide resources in commercial Tier 1, 2, 3, and/or 4 datacenters as defined by the Uptime Institute? (http://www.uptimeinstitute.org)
14) Provision of Mobile Datacenters
i) Does your organization provide, maintain, operate, and support mobile datacenters, supplying virtualized resource capacity?
ii) Does your organization or sub-contractor/partner possess transportation and logistics expertise related to the transport of containerized datacenters, including mechanical engineers?
iii) Does your organization provide a solution capable of addressing handling challenges such as shock and vibration during transport, non-operating temperatures during transport, extreme temperatures, and unpressurized aircraft cargo holds?
iv) Does your organization provide transportation and setup of the containerized data center including all logistics such as transport and customs?
v) Does your organization perform container modification for harsh operating environments (temperature extremes and other environmental conditions); and


vi) Does your organization provide on-site or escalated/priority remote support for the containerized infrastructure?
vii) Does your organization perform containerized data center management tasks that may include maintenance of the container, power, HVAC, and/or any aspects of physical plant necessary for operation of a containerized data center?

15) Computing Characteristics of Supported Environments
i) Does your organization provide services encompassing the following computing characteristics:
(1) Sensitivity categorization: (a) Classified (b) Sensitive (c) Public
(2) Network connectivity to: (a) Internet2
(3) Geographic support in: (a) CONUS (b) CONUS austere environments (e.g., national or regional emergency situation) (c) OCONUS (d) OCONUS austere environments (e.g., Africa, Central/South America, Southeast Asia)
(4) Operating Systems including but not limited to: (a) Windows (b) Linux (c) Unix (d) Solaris
(5) Databases including but not limited to: (a) Oracle (b) All flavors of SQL Server (c) DB2 (d) Sybase
(6) Application Tier including but not limited to: (a) WebSphere (b) WebLogic (c) BizTalk (d) Oracle/Sun Java GlassFish (e) Geronimo (f) JBoss (g) Tomcat
(7) Virtual infrastructure: (a) Storage (b) Computing capacity (c) Bandwidth (d) Systems Administration to support a specific system
(8) Software Applications (a) Name:

(b) Software Vendor: (c) Description:
ii) Describe how you will meet the following Constraints/Requirements:
(1) Available APIs: The system shall support email and PIM functions such as, but not limited to, calendaring, tasks, notes, journaling, and contacts.
(2) The system shall support access via MAPI, IMAP, POP3 and SMTP.
(3) The system shall support unified messaging.
(4) The system shall support fax integration.
(5) TLS on the POP3 connections is not possible in all cases, so the system shall support encrypted connections between server and clients independent of the POP3 protocol/connection.
(6) Access via IMAP shall require the client to use SSL.
(7) The system shall support the use of LDAP for GAL lookups.
(8) The system shall support the use of iCal.
(9) The system shall support the use of vCard.
(10) The system shall support Microsoft Outlook, Entourage, Mac Mail, Thunderbird, and other clients as required.
(11) The system shall support the use of Outlook calendaring and Free/Busy information sharing.
(12) System shall support calendar sharing with external users.
(13) By default Outlook clients shall publish 12 months of free/busy data.
(14) Message delivery size limits shall be at least 100 MB. Messages larger than 100 MB are rejected and returned to the sender. (OPDIVs can choose to configure smaller delivery size limits.)
(15) The solution shall allow users to create Out of Office notifications/replies. In addition, the solution shall allow users to schedule Out of Office notifications to start and end, and provide a mechanism to customize the notification body. It will also provide the ability to send different Out of Office notification messages based on the sender (i.e. a sender that is external to the organization will get one notification; a sender within the organization receives a different notification).
(16) The solution shall provide the capability for individual users of the email solution to set up rules for filtering (blocking), forwarding, or diverting email traffic into managed objects/folders.
(17) The solution shall provide a capability for users to schedule resources (such as conference rooms, phone and web conference slots, communications equipment, etc.). The resources will respond with accept/decline information and update as the meeting request updates. The responses shall be customizable, and there will be granular control delegated to resource owners.
(18) The service shall provide a mechanism that allows for secure large file transfers. This mechanism should be secure pull technology, where users are able to access a secure web server, upload large datasets, and fill out an e-mail form that sends a secure link to the intended recipients of the data set. The recipients can use the link and retrieve the data. The data is purged from the system automatically after 90 days. The data at rest should be encrypted and accessible ONLY by the intended recipients.

(19) Outlook security settings that enforce client configurations shall be enforced by implementing administrative settings via a public folder.
(20) Exchange forms shall be supported or migrated.
(21) All client functions shall be available off-line, allowing the customer to work offline. That is, customers that are working disconnected from any network or internet connectivity shall have access to cached copies of their email, calendar, PIM etc. so that they may continue to work. The cached copy shall synchronize with the mailbox when the client connects.
(22) The system shall support connection to multiple mailboxes simultaneously by the same user using the same desktop, e.g. a user will need to connect to their primary mailbox and may also need to connect to one or more mailboxes that are used for specific purposes (e.g. Help Desk inbox, Drug Application inbox, send-only mailbox, etc.).
(23) The system shall support the ability to access other users' mailboxes when approved by security, e.g. user John may be granted permissions to access user Jane's mailbox so that John can review and respond to Jane's email.
(24) The system shall support the ability to access another mailbox as impersonate and send mail "send as" the other mailbox. There shall not be an indication that the message was not sent by the owner (i.e. the message shall not indicate "sent on behalf of" or similar).
(25) The system shall support the ability to access another mailbox and send mail on behalf of another user (i.e. the message shall indicate that the message was sent by someone other than the owner, e.g. "From Steve on behalf of Phil").
(26) The system shall support mailboxes with wireless connectivity. Wireless technologies include but are not limited to: BlackBerry / BlackBerry Enterprise Server (BES), Microsoft ActiveSync, and Good for Enterprise.
(27) The BES shall support Enterprise Instant Messaging via Microsoft Office Communications Server and the Enterprise IM client loaded on BlackBerry handhelds.
(28) The BES shall support Mobile Data Services.
(29) The BES shall use policies to enforce handheld security and configurations identified by HHS. OPDIVs can add their custom requirements after the HHS baseline is implemented.
(30) The system shall support access by internal and remote users through a web interface.
(31) Support the use of Outlook Anywhere (RPC over HTTPS).
(32) The web interface shall have an inactivity timeout maximum of 2 hours for internal users (OPDIVs may configure more stringent settings).
(33) The web interface shall have an inactivity timeout maximum of 20 minutes for external (non-VPN) users connecting via the internet (OPDIVs may configure more stringent settings).
(34) The solution shall provide Web Conferencing capabilities.
(35) The web interface shall present a government warning and policy screen before allowing connection.
(36) The system shall allow non-delivery notifications to the internet.


(37) The system shall not allow delivery or read receipts to the internet except for domains defined by HHS.
(38) By default the system shall not allow forwarding or auto-replies to the internet; the system shall allow these only with security and operations manager approval. This is configurable by OPDIV.
(39) Design shall provide Instant Messaging with presence. Microsoft Office Communications Server (OCS) is currently used and must be migrated if a different solution is chosen.
(40) The solution shall provide the ability for users to add/delete/update Contact records and personal contact information contained within those records. This capability shall synchronize with mobile devices.
(41) The solution shall support the ability to permanently remove an email or document from all internal accounts and from the service provider's systems.
(42) The solution shall provide integrated calendar functionality such as appointment and meeting scheduling, updating, meeting notification, and sharing calendars. This capability shall synchronize with mobile devices.
(43) The solution shall allow users to find other HHS accounts, contact information, and shared mailing lists within the enterprise. The solution shall also allow for custom contacts to be created for individuals external to HHS. It will also synchronize and display entries from all OPDIVs within the Department of Health and Human Services.
(44) The solution shall provide users with the capability to communicate securely over instant messaging to internal and external users, provide an online-presence indicator and/or a status message capability, and provide audio chats, video chats, and persistent chat rooms. This capability shall be available from PCs, BlackBerry, and other mobile devices and must be configurable by OPDIVs.
(45) IM shall support 108,000 concurrent users.
(46) The solution shall provide the ability to establish and maintain mailing lists/distribution lists (including nested mailing lists) of internal and external email addresses.
(47) Telephony integration and group collaboration features are not needed at this time. These features may be explored for use at later dates as a separate project.
(48) Support or provide a suitable substitute for the HHS Public Folder Infrastructure.
(49) Integrate with a new secure email and large file transfer mechanism. The solution must:
a. Integrate with the IHS AD for internal user authentication.
b. Provide outside users a way to create and authenticate with stand-alone accounts.
c. Use FIPS 140-2 data transfer and storage mechanisms.
d. Not be overly complex to users.
e. Not interfere with normal mail flow.
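The secure pull mechanism described in item (18) above and the stand-alone-account integration in item (49) can be sketched as a small service. The following is added example code written for this page, not the RFI's or any vendor's implementation. It shows how an upload produces one unguessable link per intended recipient, how each link is bound to that recipient with a keyed MAC so a forwarded link cannot be redeemed by anyone else, how links stop working and the data is purged after the 90-day retention period, and how the server checks the recipient's authenticated identity (from the IHS AD or a stand-alone account, per (49) a and b) before releasing the data. The names, server key, clock and sample dataset are constructed; the `blob` field holds the stored bytes as-is, and encryption at rest with a FIPS 140-2 validated module, which (18) and (49)c require, is left to the storage layer rather than re-implemented here.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, FrozenSet, Iterable, Optional

RETENTION = timedelta(days=90)  # item (18): data is purged after 90 days


@dataclass
class Deposit:
    uploader: str
    recipients: FrozenSet[str]
    created: datetime
    blob: bytes  # stored bytes; at-rest encryption belongs to the storage layer (see lead-in)


class StepClock:
    """Adjustable clock (constructed for the demo and tests) to simulate elapsed time."""

    def __init__(self, start: Optional[datetime] = None):
        self.now = start or datetime.now(timezone.utc)

    def advance(self, days: int) -> None:
        self.now += timedelta(days=days)

    def __call__(self) -> datetime:
        return self.now


class SecureTransferService:
    """Token issuance and access checks for a secure-pull large file transfer service."""

    def __init__(self, server_key: bytes, clock: Optional[Callable[[], datetime]] = None):
        self._key = server_key                 # server-side MAC key; never leaves the server
        self._deposits: Dict[str, Deposit] = {}
        self._clock = clock or (lambda: datetime.now(timezone.utc))

    def upload(self, uploader: str, data: bytes, recipients: Iterable[str]) -> Dict[str, str]:
        """Store a dataset; return {recipient: link token} for the e-mail form to send out."""
        rcpts = frozenset(r.lower() for r in recipients)
        if not rcpts:
            raise ValueError("at least one intended recipient is required")
        deposit_id = secrets.token_urlsafe(16)  # 128 random bits: not guessable or enumerable
        self._deposits[deposit_id] = Deposit(uploader.lower(), rcpts, self._clock(), data)
        return {r: self._token(deposit_id, r) for r in rcpts}

    def _token(self, deposit_id: str, recipient: str) -> str:
        """Link token = deposit id + HMAC binding that id to exactly one recipient."""
        msg = f"{deposit_id}\x00{recipient.lower()}".encode()
        mac = hmac.new(self._key, msg, hashlib.sha256).hexdigest()
        return f"{deposit_id}.{mac}"

    def purge_expired(self) -> int:
        """Delete deposits older than RETENTION; return how many were removed."""
        now = self._clock()
        expired = [d for d, dep in self._deposits.items() if now - dep.created > RETENTION]
        for d in expired:
            del self._deposits[d]
        return len(expired)

    def fetch(self, token: str, authenticated_recipient: str) -> bytes:
        """Release data only to an authenticated intended recipient presenting a valid, unexpired link."""
        deposit_id, _, _ = token.partition(".")
        dep = self._deposits.get(deposit_id)
        if dep is None:
            raise PermissionError("unknown link or data already purged")
        if self._clock() - dep.created > RETENTION:
            self.purge_expired()
            raise PermissionError("link expired; data purged")
        who = authenticated_recipient.lower()
        if who not in dep.recipients:
            raise PermissionError("authenticated user is not an intended recipient")
        # Constant-time comparison against the token this recipient was actually issued.
        if not hmac.compare_digest(self._token(deposit_id, who), token):
            raise PermissionError("link was not issued to this recipient")
        return dep.blob

    def deposit_count(self) -> int:
        return len(self._deposits)


if __name__ == "__main__":
    clock = StepClock()
    svc = SecureTransferService(b"constructed-server-key", clock=clock)
    links = svc.upload("alice@example.hhs.gov", b"constructed dataset", ["bob@partner.org"])
    print("issued link for bob:", links["bob@partner.org"][:12] + "...")
    print("bob fetches:", svc.fetch(links["bob@partner.org"], "bob@partner.org"))
    clock.advance(91)
    print("deposits purged after 91 days:", svc.purge_expired())
```

Two details carry the security argument: the link alone is not sufficient (the server still requires an authenticated identity that appears in the recipient list, so a link leaked from a mailbox is useless to a third party), and the recipient identity is mixed into the MAC, so two recipients of the same dataset hold different tokens and the audit trail can attribute each download.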


16) Operating Environment General Specifications
Note: Service Providers should assume that the difference in Operating Environments represents bursting levels for each resource. For example, the small environment starts at 1 CPU but can burst as high as 3 CPUs. Similarly, the small environment starts with 1 GB of memory and can burst as high as 3.999 GB of memory. Finally, the disk storage starts at 250 GB and can burst to 499 GB. If an environment needs to exceed the large specification, it will be addressed per task order.
i. OPERATING ENVIRONMENT: The HHS IaaS/PaaS operating environment (OE) is a server configuration that consists of physical and virtual CPU(s), physical and virtual memory and disk storage space. Applications can require one or more OEs to perform their functions properly. Operating Environment sizing is defined in three categories: small, medium and large. Each one of these levels represents a certain amount of key computer resources assigned to the OE.
ITEM 2: CPU COUNT - Identify the current base and step levels in your organization's cloud offering portfolio. OEs and their performance are considered the virtual equivalent of the following:
ITEM 3: CPU PERFORMANCE % - What is your organization's CPU performance overhead % threshold? This is the percentage overhead caused by virtualization, thus decreasing the relative performance of the CPU.
ITEM 4: MEMORY - What is the base memory installed? This is the virtualized RAM available for this environment.
ITEM 5: MEMORY PERFORMANCE % - What is your organization's memory utilization threshold? This is the percentage overhead caused by virtualization, thus decreasing the relative performance of the RAM.
ITEM 6: DISK CAPACITY - What is the base disk capacity? This is the amount of virtual disk storage available to the environment for application usage and does not include space for any data center or vendor overhead.
ITEM 7: DISK PERFORMANCE OVERHEAD % - What is the threshold for disk capacity overhead? This is the percentage of overhead caused by virtualization, thus decreasing the relative performance of the disk.
ITEM 8: RECOVERY TIME OBJECTIVE - Measured in hours, what Recovery Time Objective are you capable of meeting in your standard service offerings? Describes the duration of time within which a business process must be restored after a disaster (or disruption) in order to avoid unacceptable consequences associated with a break in business continuity. Includes (1) the time attempting to correct the problem without a recovery, (2) the recovery itself, (3) testing the recovery and (4) communication to the users regarding the recovery.
ITEM 9: RECOVERY POINT OBJECTIVE - Measured in hours, what Recovery Point Objective are you capable of meeting in your standard service offerings? Describes the maximum amount of data an IT-based business process may lose before causing detrimental harm to the organization.
ITEM 10: AVAILABILITY (A0) - Stated as a %, what level of availability can you provide in your standard service offerings? Defined as service availability of application

ii.

iii.

iv. v.

vi.

vii.

viii.

ix.

x.

22 0089

RFI #OS64495 or business process and excludes Government-approved downtime. (http://www.uptimeinstitute.org) ITEM 11: OPEN API, OPEN IAAS SUPPORT AND MGMT, TOOLS - Does your organization provide Open API, Open IaaS Support and Mgmt, Tools? This provides the ability for applications to be moved from the vendors environment to another environment with no proprietary dependencies imposed by the vendors environment. This also includes the included availability of complete Application Programming Interfaces (APIs) for any application that operates in the vendors environment. Finally, it includes access to operating environment performance and tuning tools and reports. ITEM 12: SUPPORT FOR INDUSTRY STANDARD PROTOCOLS, FRAMEWORKS, STANDARDS - Does your organization support standard industry protocols, frameworks, standards? This represents the ability to support popular and industry standard layers, frameworks and development environments within the virtual operating environment. Examples of this are J2EE, .NET, SOAP, XML, PhP. Directory Integration i. Describe how you will meet the following Constraints/Requirements: (a) The system shall use the multiple Active Directory domains or the agency PIV-Card (HSPD-12) infrastructure to facilitate authentication to mailboxes; separate/external logon credentials are not acceptable. (b) The system shall import the directory data from HHS so that an HHS-wide Global Address List (GAL) is available and maintained. (c) The system shall segment the directory data so that other HHS Systems and OpDivs will access a pertinent subset of the information from the Global Address List (GAL). The system shall have the ability to filter out specified accounts so that they are NOT included in the export or the full HHS-wide GAL view or be available outside of an authorized list of users (examples, accounts of criminal investigators, specific non-people/system accounts). 
(d) Specific Active Directory attributes (for example: title, address, phone number, Department, Center, Office etc.) shall be synchronized with the identity management system (e) Directory synchronization shall be performed at least once every 12 hours. (f) Support a segregated tiered administration model where sub-groups of admins are granted specific rights (g) The system shall support the ability to distinguish government and non government users in accord with the HHS standards. (h) The system shall provide and use the same namespace for internal and external email addresses and web-access to email access (i) A standardized domain portion of the @<opdiv>.hhs.gov address shall be used. e.g. @fda.hhs.gov, @cdc.hhs.gov, @nih.hhs.gov, etc. (j) Legacy and alternate email addresses shall be supported (e.g. but not limited to @fda.gov, @cdc.gov, @nih.gov) (k) Maintain established DHHS directory standards in the HHSMail system (documented in a separate document called HHSMail Global Address List (GAL) OPDIV Design Results). (l) The solution shall support authenticated access to shared mailboxes. 23 0090

xi.

xii.

17.

RFI #OS64495 18. Disaster Recovery (DR) i) Describe how you will meet the following Constraints/Requirements: (a) Provide DR functionality so that the complete loss of one data center will not disrupt access to the messaging system. Also address the following FEMA Continuity of Operations (COOP) requirements: (b) Be capable of implementation anytime, with and without warning (c) Provide full operational capability for essential functions not later than 12 hours after activation (d) Be capable of sustaining operations for up to 30 days (e) DR location should be at least 300 miles away from primary location


Operating Environment General Specifications Worksheet

Columns: Operating Environment = Small / Medium / Large / Other. Complete each row below for every column.

CPU Count: <x>
CPU Performance: <x%>
Memory: <xGb>
Memory Performance %: <x%>
Disk Capacity:
Disk Performance %: <x%>
Recovery Time Objective: Maximum RTO <x hrs>
Recovery Point Objective: Maximum RPO <x hrs>
Availability %: <x%>
Open API Support and Mgmt, Tools: <Yes/No>
Support for industry standards, protocols, and frameworks: <Yes/No>
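A checker for one completed column of the worksheet against the RFI's stated burst envelope and the FEMA COOP constraints of the Disaster Recovery section, added here as an example and not part of the RFI. Only the Small envelope is quantified in the RFI note, so it is the only tier on file; the sample response is constructed.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Burst envelope per Operating Environment size as (base, burst ceiling).
# Only the Small environment is quantified in the RFI note; Medium and Large
# are for the evaluator to add from the task order, so they are absent here.
ENVELOPE = {
    "Small": {"CPU Count": (1, 3), "Memory": (1.0, 3.999), "Disk Capacity": (250, 499)},
}

# FEMA COOP constraints quoted in the Disaster Recovery section.
COOP_MAX_RTO_HOURS = 12        # full operational capability not later than 12 hours
COOP_MIN_DR_DISTANCE_MI = 300  # DR location at least 300 miles from the primary site

_NUM = re.compile(r"[0-9]+(?:\.[0-9]+)?")


def parse_quantity(cell: str) -> float:
    """Extract the number from cells such as '3.999 GB', '499GB', '8 hrs' or
    '99.9%'. An unfilled placeholder like '<x%>' has no digits and is rejected."""
    m = _NUM.search(cell)
    if m is None:
        raise ValueError(f"worksheet cell not filled in: {cell!r}")
    return float(m.group(0))


def _value(cells: Dict[str, str], row: str) -> Optional[float]:
    try:
        return parse_quantity(cells[row])
    except (KeyError, ValueError):
        return None


@dataclass
class Finding:
    item: str
    ok: bool
    detail: str


def check_environment(size: str, cells: Dict[str, str]) -> List[Finding]:
    """Compare one worksheet column (row label -> cell text) with the burst
    envelope for that environment size."""
    env = ENVELOPE.get(size)
    if env is None:
        return [Finding(size, False, "no envelope on file; address per task order")]
    out = []
    for row, (base, ceiling) in env.items():
        offered = _value(cells, row)
        if offered is None:
            out.append(Finding(f"{size}/{row}", False, "cell missing or not numeric"))
            continue
        out.append(Finding(f"{size}/{row}", base <= offered <= ceiling,
                           f"offered {offered:g}, envelope {base:g} to {ceiling:g}"))
    return out


def check_recovery(cells: Dict[str, str], dr_distance_miles: float) -> List[Finding]:
    """Items 8 to 12 of the worksheet against the COOP constraints. RPO and
    availability have no RFI threshold, so they are recorded, not judged."""
    out = []
    rto = _value(cells, "Recovery Time Objective")
    out.append(Finding("RTO", rto is not None and rto <= COOP_MAX_RTO_HOURS,
                       f"{rto} h against the COOP limit of {COOP_MAX_RTO_HOURS} h"))
    rpo = _value(cells, "Recovery Point Objective")
    out.append(Finding("RPO", rpo is not None, f"{rpo} h of data loss tolerated"))
    avail = _value(cells, "Availability %")
    if avail is None or not 0 < avail <= 100:
        out.append(Finding("Availability", False, "not stated as a valid percentage"))
    else:
        downtime = (100 - avail) / 100 * 365 * 24  # hours per year beyond approved downtime
        out.append(Finding("Availability", True,
                           f"{avail:g}% is about {downtime:.1f} h/yr of unplanned outage"))
    out.append(Finding("DR distance", dr_distance_miles >= COOP_MIN_DR_DISTANCE_MI,
                       f"{dr_distance_miles:g} mi against the minimum of {COOP_MIN_DR_DISTANCE_MI} mi"))
    for row in ("Open API Support and Mgmt, Tools", "Support for industry standards"):
        out.append(Finding(row, cells.get(row, "").strip().lower() == "yes",
                           f"answered {cells.get(row, '<blank>')!r}"))
    return out


def evaluate(size: str, cells: Dict[str, str], dr_distance_miles: float) -> List[Finding]:
    return check_environment(size, cells) + check_recovery(cells, dr_distance_miles)


# Constructed sample response for the Small column; not a real provider's data.
SAMPLE_SMALL = {
    "CPU Count": "2",
    "Memory": "3.999 GB",
    "Disk Capacity": "512 GB",  # deliberately above the 499 GB burst ceiling
    "Recovery Time Objective": "8 hrs",
    "Recovery Point Objective": "4 hrs",
    "Availability %": "99.9%",
    "Open API Support and Mgmt, Tools": "Yes",
    "Support for industry standards": "No",
}

if __name__ == "__main__":
    for f in evaluate("Small", SAMPLE_SMALL, 350):
        print("PASS" if f.ok else "FAIL", f.item, "-", f.detail)
```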


HHS Cloud Computing Implementation and Governance Alternative Analysis and Supporting Processes Version 1.0 08 March, 2011


Contents
Executive Summary .... 4
Overview and Background .... 5
    Definitions .... 6
        The NIST Definition of Cloud Computing (NIST, 2011) .... 6
        Cloud-First Alternative Analysis .... 8
            The OMB Cloud First Strategy .... 9
        Service Provider .... 9
Cloud Computing and HHS .... 9
    Cloud Computing Governance .... 9
    HHS Cloud Computing Reference Architecture .... 10
    Integration of Cloud Computing at HHS Roles and Responsibilities .... 11
        HHS Cloud Computing Governance Council .... 11
        HHS Enterprise Architecture PMO / CPIC .... 11
        HHS PGO .... 11
        HHS OCISO .... 12
        OpDiv IT Governance .... 12
        OpDiv Enterprise Architecture PMO / CPIC .... 12
        OpDiv IT Service Office / EPLC IT Infrastructure Critical Partner .... 12
    Integration of Cloud Computing at HHS Processes and Functions .... 14
        HHS Enterprise Performance Life Cycle (EPLC) .... 15
        Governance .... 15
        Procurement .... 15
        Security .... 16
Implementation of Cloud Computing at HHS Processes and Workflows .... 17
    Cloud Computing Governance Processes .... 18
        Identifying and vetting External Service Providers .... 19
        Analyzing and vetting Internal Service Providers .... 20
        Acceptable-Use Matrix Example and Template .... 21
    Security .... 22
        FedRAMP .... 22
        C&A .... 22
    Cloud Computing Alternative Analysis .... 23
        System Characterization .... 23
        Alternative Analysis .... 24
        Procurement .... 26
List of Attachments .... 27
Works Cited .... 27


Executive Summary
The performance of the Cloud Computing Alternative Analysis is a critical component in the deployment of Cloud Computing Systems, Services and Applications within and across all HHS OpDivs and StaffDivs. This document defines, for each stakeholder entity in this process, the roles, functions and processes for which they are responsible in the performance of this analysis.


Overview and Background


The Characteristics, Service Models and Deployment Models of Cloud Computing are an evolutionary step in providing Information Technology (IT) Services, enabling organizations in both the public and private sectors to make the best possible use of limited human and financial resources to meet the demands of their respective Missions. The Federal CIO Council identified Cloud Computing as a Federal IT Priority and formed the Cloud Computing Executive Steering Committee (CCESC) in March of 2009. The Vision Statement for Cloud Computing calls for the FCCI to:
Establish secure, easy to use, rapidly provisioned IT services for the Federal Government, including:
- Agile and simple acquisition and certification processes
- Elastic, usage-based delivery of pooled computing resources
- Portable, reusable and interoperable business-driven solutions
- Browser-based ubiquitous internet access to services; and
- Always on and available, utility-like solutions.

(GSA, 2010)

To meet the President's strategy to achieve efficient and effective Information Technology:
Federal agencies are to deploy cloud computing solutions to improve the delivery of IT services, where the cloud computing solution has demonstrable benefits versus the status quo. OMB, as part of the FY 2011 Budget Process, requested all agencies to evaluate cloud computing alternatives as part of their budget submissions for all major IT investments, where relevant. (Kundra, 2010)

Late in 2010, the HHS CIO Council approved the HHS Reference Architecture for Cloud Computing (HHS, 2010). The Reference Architecture provides a high-level strategy and roadmap for the deployment of Cloud-related services within HHS. A key provision of the HHS Reference Architecture is the implementation of the OMB Cloud Computing Alternative Analysis, with associated support processes and services. This document establishes stakeholder responsibilities and guidance for implementing these processes as an integrated component of the overall HHS Cloud Computing deployment strategy. Specific items addressed by this document include:
- Stakeholder Roles and Responsibilities in support of the Alternative Analysis
- Cloud Computing Alternative Analysis
- Integration of the Alternative Analysis with the HHS EPLC process
- Governance processes in support of the Alternative Analysis
- Procurement processes in support of the Alternative Analysis
- Information Security risk management in support of the Alternative Analysis

This document is tactical in nature, in that it defines specific workflows and processes used to analyze and support the deployment of Cloud-hosted applications and services. This document explicitly does not address Department or Agency strategies for the use of Cloud-Computing in support of HHS Mission Objectives.


Definitions

To ensure consistency across all documents and processes under the HHS Cloud Computing umbrella, it is essential that all stakeholders use standard language and definitions when describing Cloud-Computing-related services, processes and activities. To facilitate this, standard definitions for Cloud Computing-related terms will be used across all documents pertaining to the HHS Cloud Computing initiative. NIST Special Publication 800-145 provides the core definition of cloud characteristics, service models and deployment models. Each of these, both individually and in combination, is included within the scope of this document. OMB, through existing pass-back language (Kundra, 2010), the Federal Cloud Computing Initiative (GSA, 2010), the 25 Point Implementation Plan to Reform Federal Information Technology Management (OMB, 2010) and the Draft Federal Cloud Computing Strategy (OMB, 2011), provides both the definition of and guidance for the Cloud Computing Alternative Analysis process described in this document.

The NIST Definition of Cloud Computing (NIST, 2011)

Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model promotes availability and is composed of five essential characteristics, three service models, and four deployment models.

Essential Characteristics:

On-demand self-service. A consumer can unilaterally provision computing capabilities, such as server time and network storage, as needed automatically without requiring human interaction with each service's provider.

Broad network access. Capabilities are available over the network and accessed through standard mechanisms that promote use by heterogeneous thin or thick client platforms (e.g., mobile phones, laptops, and PDAs).

Resource pooling. The provider's computing resources are pooled to serve multiple consumers using a multi-tenant model, with different physical and virtual resources dynamically assigned and reassigned according to consumer demand. There is a sense of location independence in that the customer generally has no control or knowledge over the exact location of the provided resources but may be able to specify location at a higher level of abstraction (e.g., country, state, or datacenter). Examples of resources include storage, processing, memory, network bandwidth, and virtual machines.

Rapid elasticity. Capabilities can be rapidly and elastically provisioned, in some cases automatically, to quickly scale out, and rapidly released to quickly scale in. To the consumer, the capabilities available for provisioning often appear to be unlimited and can be purchased in any quantity at any time.

Measured Service. Cloud systems automatically control and optimize resource use by leveraging a metering capability (typically through a pay-per-use business model) at some level of abstraction appropriate to the type of service (e.g., storage, processing, bandwidth, and active user accounts). Resource usage can be monitored, controlled, and reported, providing transparency for both the provider and consumer of the utilized service.

Service Models:

Cloud Software as a Service (SaaS). The capability provided to the consumer is to use the provider's applications running on a cloud infrastructure. The applications are accessible from various client devices through a thin client interface such as a web browser (e.g., web-based email). The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, storage, or even individual application capabilities, with the possible exception of limited user-specific application configuration settings.

Cloud Platform as a Service (PaaS). The capability provided to the consumer is to deploy onto the cloud infrastructure consumer-created or acquired applications created using programming languages and tools supported by the provider. The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, or storage, but has control over the deployed applications and possibly application hosting environment configurations.

Cloud Infrastructure as a Service (IaaS). The capability provided to the consumer is to provision processing, storage, networks, and other fundamental computing resources where the consumer is able to deploy and run arbitrary software, which can include operating systems and applications. The consumer does not manage or control the underlying cloud infrastructure but has control over operating systems, storage, deployed applications, and possibly limited control of select networking components (e.g., host firewalls).

Deployment Models:

Private cloud. The cloud infrastructure is operated solely for an organization. It may be managed by the organization or a third party and may exist on premise or off premise.

Community cloud. The cloud infrastructure is shared by several organizations and supports a specific community that has shared concerns (e.g., mission, security requirements, policy, and compliance considerations). It may be managed by the organizations or a third party and may exist on premise or off premise.

Public cloud. The cloud infrastructure is made available to the general public or a large industry group and is owned by an organization selling cloud services.

Hybrid cloud. The cloud infrastructure is a composition of two or more clouds (private, community, or public) that remain unique entities but are bound together by standardized or proprietary technology that enables data and application portability (e.g., cloud bursting for load balancing between clouds).

Cloud-First Alternative Analysis

OMB requires that the Cloud-First Alternative Analysis be performed for each IT Investment or Initiative to determine whether it can or should be provided as a Cloud-Hosted service. This analysis is triggered automatically as part of the EPLC process. If not done during EPLC, it must occur as part of the OMB Exhibit 300 process for all current and future investments. The following guidance is excerpted from the report State of Public Sector Cloud Computing, May 20, 2010, by Vivek Kundra, the Federal CIO:

Federal agencies are to deploy cloud computing solutions to improve the delivery of IT services, where the cloud computing solution has demonstrable benefits versus the status quo.

Demonstrable benefits, in this context, are measured against the following standards:

Economical. Cloud computing is a pay-as-you-go approach to IT, in which a low initial investment is required to get going. Additional investment is incurred as system use increases and costs can decrease if usage decreases. In this way, cash flows better match total system cost.

Flexible. IT departments that anticipate fluctuations in user load do not have to scramble to secure additional hardware and software. With cloud computing, they can add and subtract capacity as its network load dictates, and pay only for what they use.

Rapid Implementation. Without the need to go through the procurement and certification processes, and with a near-limitless selection of services, tools, and features, cloud computing helps projects get off the ground in record time.

Consistent Service. Network outages can send an IT department scrambling for answers. Cloud computing can offer a higher level of service and reliability, and an immediate response to emergency situations.

Increased Effectiveness. Cloud computing frees the user from the finer details of IT system configuration and maintenance, enabling them to spend more time on mission-critical tasks and less time on IT operations and maintenance.

Energy Efficient. Because resources are pooled, each user community does not need to have its own dedicated IT infrastructure. Several groups can share computing resources, leading to higher utilization rates, fewer servers, and less energy consumption.


The OMB Cloud First Strategy

In December of 2010, Vivek Kundra, the Federal Chief Information Officer, directed all Federal Government Departments and Agencies to adopt a Cloud First policy (OMB, 2010):

When evaluating options for new IT deployments, OMB will require that agencies default to cloud-based solutions whenever a secure, reliable, cost-effective cloud option exists.

The net effect of this policy is that, when evaluating service providers for IT Service initiatives, Cloud-hosted alternatives must be considered first, and the IT Service must utilize the Cloud-hosted approach unless there are compelling reasons not to do so.

Service Provider

Throughout this document, the term Service Provider applies equally to the following types of entity:
1. All internal HHS and OpDiv IT Service organizations
2. Any private or commercial entity (including both non-profit and for-profit organizations) providing or hosting Cloud Computing services or applications
3. Any US Government entity providing or hosting Cloud Computing services or applications on behalf of other US Government Agencies or Departments
4. Academic or Research institutions who provide or host Cloud Computing services or applications
5. State or Local Government entities providing or hosting Cloud Computing services or applications

To ensure that internal HHS and OpDiv IT Service Organizations compete on an apples-to-apples basis with other Service Providers, this document treats them equally in all respects, specifically including the provision and maintenance of standard service and rate information for use in the Cloud Computing Alternative Analysis described above.

Cloud Computing and HHS


The implementation of Cloud Computing services at HHS requires the close coordination of activities across multiple organizations at multiple levels. IT Governance, Security, Procurement, IT Services, Enterprise Architecture, Capital Planning, EPLC Critical Partners and Program-level Project Teams each have roles to play. This document defines the roles, responsibilities, processes and interactions within and between each of those groups. Given the Federated nature of IT Operations and associated support services within HHS, a one-size-fits-all approach is both impractical and counter-productive. Instead, this document defines what activities must be accomplished within broad categories (Governance, Security, etc.) and leaves each organization to determine, based on their existing structure and policies, the specific relationships and interactions required to perform those activities.

Cloud Computing Governance

To implement, manage and support the overall Cloud Computing Strategy HHS-wide, a single body consisting of representatives from the HHS CIO and CTO Councils, along with representatives from each HHS OpDiv, should be established. This body would then be responsible for coordinating Cloud Computing activities within and between all stakeholder organizations, maintaining and publishing all Cloud Computing-related documentation and associated metadata and ensuring that HHS Cloud Computing Initiatives support both the overall mission of HHS and HHS OpDivs and the requirements established by OMB and other regulatory bodies.


HHS Cloud Computing Reference Architecture

The HHS Cloud Computing Reference Architecture (HHS, 2010) is a model for implementing and managing an effective and comprehensive approach to Cloud Computing across HHS and all HHS Operating Divisions. Specific topics include design approaches, stakeholder guidance, governance, security, business value, limitations and next steps.

Figure 1 - Cloud Computing Reference Architecture

There are three layers to the Reference Architecture:
- Governance and Policy (Executive guidance, HHS Policies, OMB Guidance)
- Back-Office/Supporting Services and Standards (IAM, Implementation Guidance, Standards, SOA, Data Architecture and related services)
- Applications and Application Services (Applications, catalogs, portals)

The Reference Architecture established the requirements, broad guidelines and structures for the implementation and integration of Cloud Computing within HHS; the implementation of those guidelines was beyond the scope of the Architecture document.


This document bridges the three layers of the Reference Architecture, applying specific guidance and back-office processes to the selection and implementation of Cloud-Hosted Services and Applications. Related areas such as Service-Oriented Architecture (SOA), Data Architecture, Identity and Access Management (IAM) will be addressed separately.

Integration of Cloud Computing at HHS Roles and Responsibilities

HHS Cloud Computing Governance Council

Cloud computing at HHS will utilize the existing HHS governance structure, with the addition of a proposed HHS Cloud Computing Governance Council (CCGC) responsible for coordinating Cloud Computing Initiatives HHS-wide. The HHS CCGC reports to the HHS CIO Council. The HHS representative on the Federal CCAC will also be a member of the HHS CCGC. The HHS CCGC functions as the HHS POC for input and guidance from the FCCAC, applying that input to HHS and developing HHS-specific Cloud Computing guidance, recommendations and policies for use by HHS and HHS OpDivs. The HHS CCGC will also review and reach consensus on input from the HHS CIO and CTO Councils and HHS EA. The CCGC disseminates this information and artifacts as guidance and/or policy, following the established HHS governance process for approval. Individual HHS OpDivs have the option to establish an internal Cloud Computing Governance Council (CCGC) or to work through their existing governance structures. In either instance, the OpDiv governing bodies will be represented on the HHS CCGC. The CCGC shall maintain and update the HHS list of approved cloud providers and their respective rates for standard service offerings. Additionally, the CCGC shall develop standard RFI templates to be used by the HHS CCGC and the OpDiv CCGCs to solicit standard and custom cloud service rates for the HHS approved cloud provider list and OpDiv contract vehicles.

HHS Enterprise Architecture PMO / CPIC

All HHS Staff Offices and OPDIVs shall conform to the HHS Cloud Computing Reference Architecture. The HHS EA shall be responsible for implementing and updating the HHS Cloud Computing Reference Architecture and for tracking milestones in the Cloud Computing Transition Plan, ensuring adoption and compliance with the plan. The HHS Enterprise Architecture Office shall maintain and update the HHS Cloud Computing Architecture in accordance with guidance from the HHS CCGC. The HHS EA will coordinate with the OpDiv EA offices, acting as a two-way conduit for information and updates pertaining to the HHS Cloud Computing Reference Architecture. HHS EA and CPIC Offices, via the HHS Enterprise Performance Life Cycle (EPLC) process, will ensure compliance with the OMB pass-back language included as part of the Federal Cloud First Computing Initiative. The EPLC process will be used to ensure that HHS and OpDiv Cloud initiatives meet the OMB Cloud First policy when reviewing their respective IT investments.

HHS PGO

The Procurement and Grants (PGO) office working in conjunction with the HHS CCGC shall develop, maintain and update standard cloud computing contract language for insertion into all IT contracts and services.


HHS OCISO

The HHS CISO, working in collaboration with the OpDiv CISO community, the HHS EA / CPIC Offices and the HHS CCGC, shall ensure that all cloud initiatives and investments adhere to OMB, NIST and departmental policies/standards necessary for complying with FISMA and privacy requirements.

OpDiv IT Governance

Cloud computing at each OpDiv will utilize the existing OpDiv governance structure, with the addition of a proposed Cloud Computing Governance Council (CCGC) responsible for coordinating Cloud Computing Initiatives within the OpDiv. The CCGC reports to the OpDiv IT Governance Council. A representative of the OpDiv CCGC will also be a member of the HHS CCGC.

OpDiv Enterprise Architecture PMO / CPIC

The OpDiv Enterprise Architecture Office shall maintain and update the OpDiv Cloud Computing Architecture in accordance with guidance from the HHS CCGC. EA / CPIC Office, working with the HHS CCGC, shall maintain and document the OpDiv Cloud Computing Architecture. The EA will coordinate with the IT Service Organization, acting as a two-way conduit for information and updates pertaining to the HHS Cloud Computing Reference Architecture. OpDiv EA and CPIC Offices, via the HHS Enterprise Performance Life Cycle (EPLC) process, will ensure compliance with the OMB Cloud First pass-back language. The EPLC process will be used to ensure that OpDiv Cloud initiatives meet the OMB Cloud First policy when reviewing their respective IT investments.

OpDiv IT Service Office / EPLC IT Infrastructure Critical Partner

Requisitions & Inter Agency Agreements

OpDiv IT Service Office(s) will review all Purchase Requests and Inter-Agency Agreements that reference or contain hosted IT Services, in order to analyze and develop/recommend solutions in accordance with the HHS Cloud Computing Architecture. All Purchase Requests and Inter-Agency Agreements referencing hosted IT services will be reviewed by the respective OpDiv IT Service Organization (ITSO) and IT Infrastructure Critical Partner regardless of whether Cloud Computing is explicitly mentioned. The IT Service Office and IT Infrastructure Critical Partner will coordinate the analysis and provide an approved solution for the hosted cloud service(s).

Cloud Computing Alternative Analysis


Business Owners or Project Managers shall ensure that Cloud Computing is considered and documented as a potential solution in the early phases of system development, with assistance from the OpDiv IT Service Office. As projects move through the EPLC Stage-Gate review process, Business/System Owners, Enterprise Architecture Critical Partners and OpDiv IT Service Office staff will assist in reviewing the analysis of cloud computing as an alternate solution and make recommendations based on that analysis.


OpDiv IT Service Office and IT Infrastructure Critical Partner Guidance


Approved Vendors

IT Service Organizations shall use the HHS list of approved vendors for the cloud computing alternate analysis. HHS CCGC maintains and provides the list of approved Cloud Computing hosting services, with coordination with the HHS CISO for Security and C&A purposes. No hosted IT service will use a vendor or provider that is not on this list. Security and Privacy Guidance

IT Service Offices and the IT Infrastructure Critical Partner shall take into account system and data categorization when conducting the alternative analysis. No High data or system shall be recommended for placement into any hosted off-premise cloud service, and Moderate data or systems shall only be recommended for placement on Private Cloud systems where the host infrastructure and the data/system have a FedRAMP A&A at the Moderate level, a Moderate C&A and joint approval from the governing CISO.

Use of Approved Cloud Service and Deployment Models

IT Service Offices and the IT Infrastructure Critical Partner shall only recommend solutions approved for the specific combination of Service Model, Deployment Model and NIST Security Categorization applicable to the solution and included in the Acceptable-Use Matrix maintained by the HHS Cloud Computing Governance Council.

Adherence to Established Information Security Risk Management Processes

IT Service Offices and the IT Infrastructure Critical Partner shall ensure that all systems destined for cloud services have completed the Security Authorization (formerly C&A) process and have an Authorization To Operate (ATO) including those hosted off-premise.

All systems utilizing cloud services must also provide for continuous monitoring as required by the NIST Risk Management Framework. Cloud Computing and offsite hosting cannot be used to evade established security guidance, processes and/or controls. No Cloud-hosted service or applications will be approved until and unless it meets all applicable security and privacy requirements.

OpDiv PGO
The OpDiv Procurement and Grants (PGO) office working in conjunction with the OpDiv CCGC shall maintain and update standard cloud computing contract language for insertion into all IT contracts and services.

OpDiv OCISO
The OpDiv CISO, working in collaboration with the OpDiv ISSO community, OpDiv EA / CPIC Offices, OpDiv CCGC and the OpDiv IT Service Organization, shall ensure that all cloud initiatives and investments adhere to OMB, NIST and departmental policies/standards necessary for complying with FISMA and privacy requirements.

System/Initiative Sponsor and Project Team


Business Owners or Project Managers shall ensure that Cloud Computing is considered and documented as a potential solution in the early phases of system development, with assistance from the OpDiv IT Service Office.

As projects move through the EPLC Stage-Gate review process, Business/System Owners, Enterprise Architecture Critical Partners and OpDiv IT Service Office staff will assist in reviewing the analysis of cloud computing as an alternative solution and make recommendations based on that analysis.

As noted above, implementing a Cloud Computing service or application requires that a number of entities work closely together with standardized processes and workflows. Many of those processes and workflows already exist (EPLC, C&A, Procurement, EA, Governance and others); this document defines only those processes and workflows that are specific to Cloud Computing and the Alternative Analysis process.
Figure 2 - Cloud Computing Role and Process Roadmap
[Figure: roadmap of top-level processes; labels in the image: EPLC Initiation / Concept / Planning, ITI CP, Alt. Analysis, Every Initiative, Periodic Updates, CCAC, Governance, FedRAMP A&A / Sec C&A, PGO, RFI]

Integration of Cloud Computing at HHS: Processes and Functions

HHS Enterprise Performance Life Cycle (EPLC)

The HHS EPLC process (HHS EA, 2010) is the core to which all other Cloud Computing activities connect. This is a well-mapped and well-understood suite of processes used across all HHS OpDivs. Existing EPLC Critical Partners address Project Planning, Security, Enterprise Architecture and Procurement activities. In order to address the specific requirements of Cloud Computing initiatives and to ensure that all IT initiatives work within a consistent IT Infrastructure model, an EPLC Critical Partner Role for IT Infrastructure was proposed in January of 2011 (ITI CP Role, 2011). The proposed IT Infrastructure Critical Partner is responsible for two primary functions:
1. Ensuring that IT Infrastructure-related initiatives (including both Cloud and internally-hosted services) integrate with existing IT Infrastructure systems and services through all phases of the EPLC process.
2. Performing or coordinating the performance of the Cloud Computing Alternative Analysis, which is now a component of the EPLC Project Selection Review and the EPLC Concept Phase.

Governance

HHS and OpDiv IT Governance entities take on additional responsibilities with the integration of Cloud Computing services and applications into the HHS environment. Those responsibilities can be wrapped into existing entities, or new entities could be stood up with Cloud Computing-related activities as their primary charter. The processes and workflows described in this document apply transparently to either approach. IT Governance entities are responsible for the following functions:
1. Maintaining and updating a collection of Cloud Computing policies and mandates originating outside of HHS (NIST and OMB in particular) and providing relevant guidance to all other stakeholders.
2. Maintaining and updating a collection of HHS and OpDiv Cloud Computing policies and guidance and providing relevant guidance to all other stakeholders.
3. Establishing, publishing and maintaining an authoritative list of vetted and approved Solution Providers (specifically including OpDiv IT Service Organizations and third-party entities, both commercial and governmental) and their Service-Specific Rate Cards.
4. Maintaining Service Provider service and rate cards via periodic Requests for Information (RFI) through existing HHS and/or OpDiv procurement channels.
5. Coordinating and integrating the approval of Cloud-hosted services through the FedRAMP and/or Certification and Accreditation (C&A) process.
6. Populating and maintaining an acceptable-use matrix of vetted service providers and their standard service rates, mapped against Cloud service types and NIST security levels (Low/Moderate/High).
7. Providing the acceptable-use matrix to the IT Infrastructure Critical Partner for use in the Cloud Computing Alternative Analysis process.

Procurement

Existing procurement processes and contract vehicles remain unchanged with the addition of Cloud Computing services to the HHS portfolio. One new task, coordinated by IT Governance entities as described above, is the periodic update of commercial Service Provider service and rate information, specifically:
1. Ensure that consistent service and price information is available to key stakeholders (enabling a true apples-to-apples comparison between products) through the use of standard RFI language for the periodic updates described above.

Security

Security takes on added importance when external service providers integrate with or connect to internal HHS IT Services and assets. Ensuring that risks to HHS Information Systems are identified, documented and mitigated, and that residual risk is accepted by the appropriate authority, is the responsibility of IT Security staff and processes at all levels. IT Security entities are responsible for the following functions:
1. Ensuring that systems and applications hosted by external Service Providers meet security authorization requirements appropriate to the security categorization (Low, Moderate, High) of the information or system(s) to which they connect.
2. Coordinating with IT Governance entities to perform FedRAMP and/or C&A certifications of services provided by external entities as described above.
3. Ensuring that services and applications hosted by external Service Providers fully integrate with existing security-related systems and services, specifically including Continuous Monitoring, Incident Response, Identity and Access Management (IAM), User and System account management and System/Service Authorization services.

Implementation of Cloud Computing at HHS: Processes and Workflows

The implementation of a Cloud-hosted service or application depends on all of the components, roles and responsibilities described above to work together in a consistent fashion across all HHS OpDivs and StaffDivs. Briefly, the steps are as follows:
1. Establish specific Strategic and Tactical Goals (out of scope for this document).
2. Establish responsibilities and assign roles for Cloud Computing Governance:
   a. Document and publish applicable policies and processes.
   b. Identify potential Cloud Service Providers.
   c. Coordinate with Procurement staff and IT Service Offices to gather and maintain Service Provider standard service and cost data (Rate Sheets).
   d. Coordinate with Security staff to maintain a current record of Service Providers' security certifications (FedRAMP and/or C&A, as appropriate).
   e. Establish, maintain and publish an acceptable-use matrix that maps Service Provider offerings against service and deployment models, security requirements, SLA requirements and related information.
   f. Provide all of this information as input to the Alternative Analysis process.
   g. Track and report on the status of new and existing initiatives as required by HHS and OMB guidance.
   h. Maintain and publish service and application catalogs, including data required by the HHS EA Repository (HEAR) and HHS SOA (to be developed).
3. Establish and integrate the IT Infrastructure Critical Partner Role (defined elsewhere):
   a. Identify and train ITI Critical Partners.
   b. Integrate the ITI Critical Partner with existing IT initiatives.
   c. Position the ITI Critical Partner to work with Project Teams on new IT initiatives as they arise.
   d. Coordinate the Cloud Computing Alternative Analysis described below; provide results and recommendations to both the Project Team and Cloud Computing Governance entities.
4. Initiate Cloud Computing Alternative Analyses for IT initiatives in accordance with OMB and HHS guidance:
   a. Review deliverables from the EPLC Initiation and Concept Phases to ensure that sufficient information exists to perform the analysis.
   b. Determine if the Goals, Scope and Scale of the initiative can be met by External Service Provider offerings (Cloud First strategy) available at the appropriate security level, as determined by the sensitivity of the service and/or application (based on information contained within the Business Needs Statement, Business Case, PIA and other supporting documents).
   c. Where an existing solution from one or more approved/vetted External Service Provider(s) meets the business need, provide a Service Provider recommendation to the Project Team, based on existing Service Provider price/performance information.
   d. Where an existing solution from a Service Provider requires customization, work with the Project Team, Security Steward, EA and Procurement staff to recommend a custom design.
   e. Where security requirements or lack of available external solutions preclude the selection of an External Service Provider, recommend development of the service or application as an internally-hosted system.
   f. In all cases, work with IT Service Organizations to ensure that the service or application will function within the existing IT Infrastructure.
5. Track and report information as required.

These processes and associated workflows are described in the following pages.

Cloud Computing Governance Processes

These processes support Service Provider identification and selection, management of service and rate data and the development and maintenance of acceptable-use criteria.

Figure 3 - Governance Processes


Acceptable-Use Matrix Example and Template


Figure 4 - Risk to Model Guidance Matrix

The Cloud Computing Service and Deployment Models vary in their ability to securely support sensitive information, services and/or applications. The following table reflects current guidance based on the intersection of NIST Risk Category (High, Moderate or Low, as applied to System Confidentiality, Integrity and/or Availability) with Cloud Service and Deployment Models.

Approved and vetted Service Provider offerings will be mapped using this template as a guideline. This information is then provided as input to the Cloud Computing Alternative Analysis.


Security

HHS and OpDiv processes for the evaluation, certification and accreditation (C&A) of internal systems are well-established. Consistent and standardized processes for evaluating systems and/or services used across multiple Agencies and Departments are less mature, leading to duplication of effort, increased costs and inconsistent results. To address this, the Federal CIO initiated the FedRAMP process, described below. This process will be used to evaluate the services and applications provided by all External Service Providers to any HHS OpDiv or StaffDiv.

FedRAMP

The Federal Risk & Authorization Management Program (FedRAMP) is part of an evolutionary journey of the A&A and Continuous Monitoring Process of Cloud Computing within the Infrastructure Information Assurance Lifecycle (Bhagowalia, 2010). FedRAMP is a standardized set of processes and criteria for security Assessment and Authorization (A&A) for Cloud-hosted, outsourced and/or multi-agency systems and services.

The Federal Risk and Authorization Management Program or FedRAMP has been established to provide a standard approach to Assessing and Authorizing (A&A) cloud computing services and products. FedRAMP allows joint authorizations and continuous security monitoring services for Government and Commercial cloud computing systems intended for multi-agency use. Joint authorization of cloud providers results in a common security risk model that can be leveraged across the Federal Government. The use of this common security risk model provides a consistent baseline for Cloud based technologies. This common baseline ensures that the benefits of cloud-based technologies are effectively integrated across the various cloud computing solutions currently proposed within the government. The risk model will also enable the government to "approve once, and use often" by ensuring multiple agencies gain the benefit and insight of the FedRAMP's Authorization and access to service providers authorization packages. (CIO.Gov, 2011)

C&A

The FedRAMP Assessment Procedures for a given Service Provider offering can be initiated by OCISO staff at any Department or Agency. If a Service Provider possesses a current FedRAMP A&A for a given offering, there is no requirement to repeat the process. In this case, the existing A&A can be used as input for the internal C&A process, subject to any additional HHS and/or OpDiv requirements. If the Service Provider does not yet possess a FedRAMP A&A for a given offering, the Assessment Process defined in FedRAMP_Assessment_Procedures.pdf (attached) will be initiated by the vendor and be vetted through the responsible OCISO.

The existence of a FedRAMP A&A does not replace the existing HHS C&A process; rather, it provides a set of inputs to allow for standardized and consistent evaluation of Service Provider offerings. This simplifies the C&A process for external offerings and shortens the timeframe for granting an Authority to Operate (ATO) for those offerings.

Cloud Computing Alternative Analysis System Characterization


The Information System Business Case and Requirement Definitions are the foundation for project success and proper deployment of services to the cloud. Defining information system needs, purpose, and functional, non-functional and technical requirements is an established process within the EPLC. To avoid replication of effort and improve consistency, cloud computing requirements gathering for the alternative analysis will reuse deliverables from the EPLC.
Figure 5 - System Characterization Processes
[Figure: "Characterize System" process diagram; labels in the image: EPLC Concept Stage, EPLC Business Needs Statement, Business Owner and Project Team, Cloud Computing Information System Questionnaire, EPLC Concept Stage Gate, EPLC Business Case, IT Infrastructure Critical Partner, HHS Policy / Cloud Computing Governance / OMB Governance, System Characterization, Input to Alternative Analysis]

Alternative Analysis

The analysis of deployment alternatives depends on inputs from the IT customer's requirements, Cloud Computing governance, security requirements and available contract services. Additionally, significant consideration must be given to the capabilities and requirements of Support Services such as HHS SOA and the authentication and authorization mechanisms utilized within the department, as well as IT Service Implementation Processes that are unique to the OpDiv. Gathering specific information related to the Alternative Analysis is the responsibility of the IT Infrastructure Critical Partner, and includes answers to the following questions (extracted from the IT Infrastructure Critical Partner manual):
1. What is the rough scope and scale of the proposed information system or service?
   a. What is the purpose of the system and how will it be used?
   b. What is the approximate number of end-users, and where are they located (internal, external, both, general public)?
   c. How often will it be used, by type of end-user?
2. Are there any regulatory or compliance issues associated with the system or service, including those associated with sensitive data and/or international use or access?
3. Are the intended recipients of the service internal, external, or both?
4. Does this initiative potentially depend on an IT Service or Infrastructure Component that is not currently available in the existing IT Service Portfolio?
5. How will the system or service be accessed? Internet, Intranet, both?
6. Have the critical technology elements (authentication and authorization, data/service dependencies, SLA, etc.) been identified?
7. Is this a new system, or a modification/migration of an existing system?
8. Alternative Analysis: is this initiative a potential candidate for deployment as a Cloud-hosted service?
9. Has funding been considered for the duration of the system or service lifecycle (including out-year O&M and potential telecommunication costs)?
10. What are the boundaries for the proposed information system (what is explicitly included and/or excluded)?

In addition to the information collected above, the IT Infrastructure Critical Partner or their designee will use the information collected in HHS Cloud Computing Information System Questionnaire.docx (attached) and the Service Provider Acceptable-Use Matrix created as part of the Cloud Computing Governance Processes described above as a basis for identifying and recommending potential solutions.

Figure 6 - Alternative Analysis Roles and Processes
[Figure: "Alternative Analysis" process diagram; labels in the image: Cloud Computing Governance Council; FedRAMP, HHS Policy, Cloud Computing Governance, OMB Governance; Service Provider Offerings & Specs; IT Infrastructure Critical Partner; System Characterization; EPLC Concept Stage Gate; EPLC Requirements Analysis Stage; EPLC Design Stage; Refresh Alternative Analysis Recommendations if Necessary; Time, Security, Resource Constraints; Service Provider Alternative Analysis; Preliminary Recommendation for Solution Target Deployment; Final Recommendation for Solution Target Deployment; Business Owner and Project Team; Recommended Service Offering; Detailed System Requirement and Design Analysis; System Requirements Analysis Results]

The following principles form the basis of the alternative analysis:
Security: Cloud Computing and offsite hosting cannot be used to evade established security guidance, processes and/or controls.
Cost/Efficiency: Agencies should consider potential improvements (utilization rates, per-user costs, O&M costs) that could result from deploying to the cloud.
Agility: Agencies should consider potential agility improvements (upgraded or enhanced capacity, or lead time for new or existing systems) for IT services within their portfolio.
Innovation: Agencies should consider any innovation needs or signals (customer satisfaction, overall usage trends and functionality) to improve IT services within their portfolio.

The IT Infrastructure Critical Partner performing the analysis should also consider performance (e.g., bandwidth, availability, and reliability), scalability, vendor reliability, and architectural compatibility. Likewise, the ITI Partner should avoid the risk of service provider lock-in to encourage portability and competition among providers (service portability). Finally, the entity performing the analysis should consider the readiness of the business unit to migrate their service to the cloud. Management and organization practices, related technical experience and supportive change management cultures should all be considered as part of the Alternative Analysis.

Procurement

The use of standard Request for Information (RFI) language during the vendor identification process is essential to ensure that accurate and consistent information is available for use in the Cloud Computing Alternative Analysis. Sample RFI language is included as an attachment to this document. It should be used as a template for all Cloud-Computing related requests to vendors on any contract vehicle used by HHS OpDivs or StaffDivs.


List of Attachments
1. 25-Point-Implementation-Plan-to-Reform-Federal IT.pdf
2. Federal Cloud Computing Strategy.pdf
3. HHS EPLC Critical Partner Role for IT Infrastructure v0 9 2.docx
4. Bhagowalia FedRAMP Presentation.pdf
5. FedRAMP_Assessment_Procedures.pdf
6. HHS Cloud Computing RFI Draft v0.1.2.docx
7. HHS Cloud Computing Information System Questionnaire.docx

Works Cited
Bhagowalia, S. (2010). Presentation: Federal Risk & Authorization Management Program (FedRAMP). Washington, DC: GSA.
CIO.Gov. (2011, January). Federal Risk and Authorization Management Program (FedRAMP). Retrieved January 2011, from http://www.cio.gov/pages-nonnews.cfm/page/Federal-Risk-and-Authorization-ManagementProgram-FedRAMP
GSA. (2010). About the Federal Cloud Computing Initiative. Retrieved August 2010, from info.apps.gov: http://info.apps.gov/node/2
HHS EA. (2010). Enterprise Performance Life Cycle. Retrieved 2010, from HHS.gov: http://www.hhs.gov/ocio/eplc/index.html
HHS. (2010). HHS Reference Architecture for Cloud Computing, September 2010. Washington, DC: HHS.
ITI CP Role. (2011). HHS EPLC Framework, Role of Critical Partners, IT Infrastructure - Draft, January 2011. Atlanta: CDC CTO/IA.
Kundra, V. (2010). State of Public Sector Cloud Computing. Washington, DC: Federal CIO Council.
NIST. (2010). NIST SP 800-37 Revision 1, Guide for Applying the Risk Management Framework to Federal Information Systems, February 2010. Washington, DC: NIST.
NIST. (2010). NIST SP 800-39, Managing Information Security Risk, March 2010. Washington, DC: NIST.
NIST. (2011). NIST SP 800-145 (Draft), The NIST Definition of Cloud Computing, January 2011. Washington, DC: NIST.
OMB. (2010). 25 Point Implementation Plan to Reform Federal Information Technology Management. Washington, DC: OMB.
OMB. (2011). Draft Federal Cloud Computing Strategy. Washington, DC: OMB.
OMB. (2010). OMB Circular A-11, Part 7, Planning, Budgeting, Acquisition and Management of Capital Assets, July 2010. Washington, DC: OMB.


HHS Cloud Computing Information System Questionnaire Version 1.0

04/18/11

HHS Cloud Computing Information System Questionnaire


The information collected in this document is used to support both the Cloud-First Alternative Analysis and the Security Accreditation and Authorization (A&A) processes. The information in each section builds on that entered in earlier phases. Maintenance of the information in this document is the responsibility of the IT Initiative Business Steward and Project Team.


Concept and Initiation Phase Information


Document Last Updated:
Document Updated by:
EPLC Stage:
What is the deployment deadline?

System Ownership
System Name and Acronym:
C/I/O Responsible:
C/I/O ISSO:

Table 1. System Stewards
Steward           | Name | Title | Address | Phone | E-mail
Business Steward  |      |       |         |       |
Technical Steward |      |       |         |       |
Security Steward  |      |       |         |       |

Functional Description
Briefly describe the system's function here. Attach system concept of operations, vision statements, and/or project justification documents if available. Describe the function or purpose of the application/system and the information processed. Describe the processing flow of the application from system input to system output. List user organizations (internal/external) and the type of data processing provided.


Requirements Phase Information

Data Description / System Information Types & System Security Categorization
Table 2. System Information Types & Impact Levels
Information Type | NIST SP 800-60 Reference | Confidentiality | Integrity    | Availability | Justification for Enhanced Control
                 |                          | (choose one)    | (choose one) | (choose one) |
                 |                          | (choose one)    | (choose one) | (choose one) |
                 |                          | (choose one)    | (choose one) | (choose one) |
OVERALL RATINGS  |                          | (choose one)    | (choose one) | (choose one) |

NOTE: If any impact level is high, the system will require special management attention due to the potential risk and magnitude of harm resulting from the loss, misuse, or unauthorized access to (or modification of) the information in the application (See Question 1.d) and is therefore considered a general support system or major application (see Question 6) and MUST go through the full system authorization process. NOTE: If C/I/A ratings differ from NIST SP 800-60 Rev 1, provide justification and obtain approval from OCISO.

Protection Requirement Findings


Provide a statement of the estimated risk and magnitude of harm resulting from the loss, misuse, or unauthorized access to or modification of the system or the information in the system.
Confidentiality:
Integrity:
Availability:

Detailed System Information and Technical Description


1. Briefly describe the system platform and technology characteristics (OS, COTS, Custom Development, .NET, Java, etc.) here. Attach current system / network diagrams. Complete the separate Host Characterization/Firewall Worksheet(s) to capture system-level specifics. Describe the technical environment and primary computing platform(s) used, including a description of the principal system components: hardware, operating systems, software applications and communications resources.

Include any security software protecting the system and information.

2. Provide information on the operating system currently used (e.g., type and version numbers).

Authentication and Authorization
a. Do any users authenticate remotely? (Y/N)
b. If yes, what mechanisms are used for remote electronic authentication?
c. How do end-users register and prove their identity?
d. How quickly can user access be revoked?
e. What system data or application is available to remotely authenticated users or administrators?

User Description
3. List the system user categories and privileges here.
User Category (CDC, HHS, Gov, Partner, Public) | Access Level (Read/Write/Full) | Number of Users (Estimated) | Organization | Geographic Location

System Interconnections/Dependencies
4. List all systems, data feeds, etc. that this system depends upon. List the organization responsible for this dependency, if the dependency is critical (can this system function if the dependency fails), and indicate if a formal agreement (SLA, SIA, MOU, etc.) is in place between this system and the dependency.
System Dependency | Owner | Critical | SIA/SLA
                  |       | Y/N      | Y/N
                  |       | Y/N      | Y/N
                  |       | Y/N      | Y/N
Comments:

5. List all systems supported by this system. List the organization responsible for the supported system, if this system is a critical dependency of the supported system (can the supported system function if this system fails), the maximum allowable downtime for this system as required by the supported system before agency missions are seriously impacted, and indicate if a formal agreement (SLA, SIA, MOU, etc.) is in place between this system and the supported system.
Supported System | Owner | Maximum Downtime | Critical | SIA/SLA
                 |       |                  | Y/N      | Y/N
                 |       |                  | Y/N      | Y/N
                 |       |                  | Y/N      | Y/N
Comments:

System-Specific Laws or Regulations


6. List any laws, authorities, policies (CDC, DHHS), or regulations that establish specific requirements for confidentiality, integrity, or availability affecting the data or system. Do not include broad information system or security requirements that affect all agency systems, such as FISMA or the Clinger-Cohen Act. Do include system-specific requirements such as the Privacy Act, HIPAA, or the Bio-Terrorism Preparedness Act. If there are no system-specific requirements, please indicate none.

Preliminary High-Level Requirement Traceability

Functionality: Functionality requirements identify aspects of the desired final product such as what the system should do and how the system should do it, as it relates to the user's interaction with the system.

Performance: Performance requirements identify aspects of the desired final product such as:
- Response time for a transaction (minimum, average, maximum)
- Throughput (e.g., transactions per second)
- Resource utilization: memory, disk, communications, etc.

Regulatory/Legal: Regulatory/Legal requirements identify aspects of the desired final product such as:
- Compliance-related requirements such as CPIC, C&A, etc.
- Federal, state, and local laws

Reliability: Reliability requirements identify aspects of the desired final product such as:
- Availability: specify % of time available, hours of use, maintenance access, degraded mode operations, etc.
- Accuracy: specify the precision (resolution) and accuracy (by some known standard) required in the system's output.

Availability: Availability requirements identify aspects of the desired final product such as:
- Availability: specify % of time available, hours of use, maintenance access, degraded mode operations, etc.

Supportability: Supportability requirements identify aspects of the desired final product's requirements that enhance the supportability or maintainability of the system being built, including:
- Coding standards
- Naming conventions
- Maintenance access

Requirements Phase
Requirements Analysis
Functional

Non-Functional

Transition

Stakeholder                              | Alternate Roles
Business Analyst                         | Business Systems Analyst, Systems Analyst, Process Analyst, Consultant, Product Owner, etc.
Customer                                 | Segmented by use case, geography, etc.
System SME                               | Broken out by organizational unit, job role, etc.
Infrastructure SME; Operational Support  | Change Management SME, Configuration Manager, Network SME, Developer, DBA, Information Architect, Usability Analyst, Trainer, Technical, Release Manager
Project Manager                          | Scrum Master, Team Leader
Supplier                                 | Providers, Consultants, etc.
Tester                                   | Quality Assurance Analyst
Regulator                                | Government, Regulatory Bodies, Auditors
Sponsor                                  | Managers, Executives, Product Managers, Process Owners

TRM Mapped Requirements

HHS Cloud Computing Services and Hosting RFI Version 1.0 18 April, 2011


Table of Contents
Table of Revisions ... 1
Background ... 2
Definitions ... 3
How to Respond ... 5
REQUEST FOR INFORMATION (RFI) ... 5
Service Overview ... 7

00128

Table of Revisions

Revision Date | Version # | Author/Editor | Reason for Revision
02/18/2011 | Draft v0.1.1 | Charles Martin and Earl Baum, CDC | Revision of original GSA Cloud Computing RFI template language to reflect HHS requirements
02/22/2011 | Draft v0.1.2 | Earl Baum, CDC | Updated draft to reflect comments from Contract/Acquisition Support Staff (replaced Contract with Inquiry on p 3 and expanded vendor response limit from 10 to 50 pages on p 4)
03/14/2011 | Draft v0.1.3 | Earl Baum, CDC | Incorporating comments from IHS and CMS
04/18/2011 | Final Version 1.0 | Earl Baum, CDC | Convert from draft to final

1 00129

Background
The Department of Health and Human Services (HHS) is required to perform an alternative analysis for each IT Investment or Initiative to determine whether it can or should be provided as a Cloud-Hosted service. The following guidance is excerpted from the report State of Public Sector Cloud Computing, May 20, 2010, by Vivek Kundra, the Federal CIO:

Federal agencies are to deploy cloud computing solutions to improve the delivery of IT services, where the cloud computing solution has demonstrable benefits versus the status quo. Demonstrable benefits, in this context, are measured against the following standards:

Economical. Cloud computing is a pay-as-you-go approach to IT, in which a low initial investment is required to get going. Additional investment is incurred as system use increases and costs can decrease if usage decreases. In this way, cash flows better match total system cost.

Flexible. IT departments that anticipate fluctuations in user load do not have to scramble to secure additional hardware and software. With cloud computing, they can add and subtract capacity as its network load dictates, and pay only for what they use.

Rapid Implementation. Without the need to go through the procurement and certification processes, and with a near-limitless selection of services, tools, and features, cloud computing helps projects get off the ground in record time.

Consistent Service. Network outages can send an IT department scrambling for answers. Cloud computing can offer a higher level of service and reliability, and an immediate response to emergency situations.

Increased Effectiveness. Cloud computing frees the user from the finer details of IT system configuration and maintenance, enabling them to spend more time on mission-critical tasks and less time on IT operations and maintenance.

Energy Efficient. Because resources are pooled, each user community does not need to have its own dedicated IT infrastructure. Several groups can share computing resources, leading to higher utilization rates, fewer servers, and less energy consumption.

OMB Circular A-11 (OMB, 2010) defines Alternative Analysis as: An analysis of alternative approaches to addressing the performance objectives of an investment, performed prior to the initial decision to make an investment, and updated periodically as appropriate to capture changes in the context for an investment decision.

2 00130

NOTE: This RFI is issued for data gathering and planning purposes only, DOES NOT constitute a solicitation, and is not to be construed as a commitment by the Government to issue a solicitation or award a contract. The Government will not reimburse any respondent for any cost associated with information submitted in response to this RFI. Any exchanges of information shall be consistent with procurement integrity requirements (see FAR 3.104). Responses to these notices are not offers and cannot be accepted by the Government to form a binding contract. The responses from this RFI may be used to assist the Government in developing evaluation criteria for a future procurement.

Definitions:
a) Essential Characteristics

i) On-demand self-service. A consumer can unilaterally provision computing capabilities, such as server time and network storage, as needed automatically without requiring human interaction with each service's provider.

ii) Broad network access. Capabilities are available over the network and accessed through standard mechanisms that promote use by heterogeneous thin or thick client platforms (e.g., mobile phones, laptops, and PDAs).

iii) Resource pooling. The provider's computing resources are pooled to serve multiple consumers using a multi-tenant model, with different physical and virtual resources dynamically assigned and reassigned according to consumer demand. There is a sense of location independence in that the customer generally has no control or knowledge over the exact location of the provided resources but may be able to specify location at a higher level of abstraction (e.g., country, state, or datacenter). Examples of resources include storage, processing, memory, network bandwidth, and virtual machines.

iv) Rapid elasticity. Capabilities can be rapidly and elastically provisioned, in some cases automatically, to quickly scale out and rapidly released to quickly scale in. To the consumer, the capabilities available for provisioning often appear to be unlimited and can be purchased in any quantity at any time.

v) Measured Service. Cloud systems automatically control and optimize resource use by leveraging a metering capability at some level of abstraction appropriate to the type of service (e.g., storage, processing, bandwidth, and active user accounts). Resource usage can be monitored, controlled, and reported, providing transparency for both the provider and consumer of the utilized service.

b) Service Models:

i) Cloud Software as a Service (SaaS). The capability provided to the consumer is to use the provider's applications running on a cloud infrastructure. The applications are accessible from various client devices through a thin client interface such as a web browser (e.g., web-based email). The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, storage, or even individual application capabilities, with the possible exception of limited user-specific application configuration settings.

3 00131

ii) Cloud Platform as a Service (PaaS). The capability provided to the consumer is to deploy onto the cloud infrastructure consumer-created or acquired applications created using programming languages and tools supported by the provider. The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, or storage, but has control over the deployed applications and possibly application hosting environment configurations.

iii) Cloud Infrastructure as a Service (IaaS). The capability provided to the consumer is to provision processing, storage, networks, and other fundamental computing resources where the consumer is able to deploy and run arbitrary software, which can include operating systems and applications. The consumer does not manage or control the underlying cloud infrastructure but has control over operating systems, storage, deployed applications, and possibly limited control of select networking components (e.g., host firewalls).

c) Deployment Models: (all deployment models are in scope for this inquiry)

i) Private cloud. The cloud infrastructure is operated solely for an organization. It may be managed by the organization or a third party and may exist on premise or off premise.

ii) Community cloud. The cloud infrastructure is shared by several organizations and supports a specific community that has shared concerns (e.g., mission, security requirements, policy, and compliance considerations). It may be managed by the organizations or a third party and may exist on premise or off premise.

iii) Public cloud. The cloud infrastructure is made available to the general public or a large industry group and is owned by an organization selling cloud services.

iv) Hybrid cloud. The cloud infrastructure is a composition of two or more clouds (private, community, or public) that remain unique entities but are bound together by standardized or proprietary technology that enables data and application portability (e.g., cloud bursting for load-balancing between clouds).

4 00132

How to Respond
Responses to this RFI shall not exceed Fifty (50) pages (including cover letter), using a 12-point fixed-pitch font such as Courier, and shall be received via email to ______________ not later than 11:59 PM EDT, XXXX XX, 20XX.

In outlining your company's response, please provide a cover letter, which includes the following:
1. Primary Point of Contact
2. Address
3. Telephone Number
4. Fax Number
5. E-mail address for POC
6. Number of years of corporate experience
7. Business Size
8. Primary type of service(s) provided

Service providers responding to this RFI should include current offering(s) for each Service and Deployment Model (as described above) available for consideration.
a) Business Model, Pricing Model, and Service Levels
b) Data Management
c) Information Security
d) Interoperability and Portability
e) Cloud Computing Services for IaaS, PaaS, and SaaS
f) Network Connectivity
g) Information Assurance Support
h) Certification and Accreditation Support
i) Application Migration
j) Cloud Operations and Maintenance
k) Service Support
l) Service Delivery
m) Provision of Fixed Datacenters
n) Provision of Mobile Datacenters

REQUEST FOR INFORMATION (RFI):


The US Department of Health and Human Services (HHS) requests responses from IT hosting service providers to the Cloud Computing questions below.

5 00133

Table 1 - Questions related to Cloud Computing Characteristics

1. On-demand self-service
Definition: A consumer can unilaterally provision computing capabilities, such as server time and network storage, as needed automatically without requiring human interaction with each service's provider.
General Question: Does your organization provide the capability for the ordering activity to unilaterally (i.e. without vendor review or approval) provision services once the initial order has been submitted?

2. Ubiquitous network access
Definition: Capabilities are available over the network and accessed through standard mechanisms that promote use by heterogeneous thin or thick client platforms (e.g., mobile phones, laptops, and PDAs).
General Question: Does your organization support Internet access to the Infrastructure, Operating System, Application Server (middleware), and Software depending on service model?

3. Location independent resource pooling
Definition: Capabilities can be rapidly and elastically provisioned, in some cases automatically, to quickly scale out and rapidly released to quickly scale in. To the consumer, the capabilities available for provisioning often appear to be unlimited and can be purchased in any quantity at any time.
General Question: Does your organization support provisioning of resources needed to deliver the PaaS and SaaS independently from the physical location of the facilities?

4. Rapid elasticity
Definition: Capabilities can be rapidly and elastically provisioned to quickly scale up and rapidly released to quickly scale down. To the consumer, the capabilities available for provisioning often appear to be infinite and can be purchased in any quantity at any time.
General Question: Does your organization support service provisioning and de-provisioning (scale up/down) in near real-time?

5. Measured Service
Definition: Cloud systems automatically control and optimize resource use by leveraging a metering capability at some level of abstraction appropriate to the type of service (e.g., storage, processing, bandwidth, and active user accounts). Resource usage can be monitored, controlled, and reported, providing transparency for both the provider and consumer of the utilized service.
General Question: Does your organization provide visibility into service usage via dashboard or similar electronic means?

6 00134

Service Overview
1) Please address the following Business Model, Pricing Model and Service Level Agreement (SLA) questions:
i) What is the scope and nature of your IaaS, PaaS, and SaaS offerings, including computing as-a-service, file storage as-a-service, and associated administration capabilities for the production environment? Please identify and explain. Platform-as-a-service or application sandboxing for development and test purposes may be submitted as an appendix to the response.
ii) Describe in general terms your IaaS, PaaS, and SaaS pricing model as it relates to CPU, memory, storage, bandwidth, data transfer capacity, and other relevant pricing.
iii) Describe your capability to offer hosting services, including any capabilities for server provisioning, preconfigured system images and application stacks, management, operating system patching, security software, and other managed services.
iv) Describe the standard SLAs, if any, that are included in your cloud computing service offerings. Please detail SLAs on the overall service as well as SLAs for the specific customer instances in use, such as a given virtual server, storage volume, or other service unit.
v) Do you offer the flexibility of negotiated customer-specific SLAs or only fixed offerings?
vi) Please provide past performance information, to include recent and relevant contracts for the same or similar items and other references (including contract numbers, points of contact with telephone numbers and other relevant information).

2) Data Management:
i) Who owns the Intellectual Property for artifacts developed in or hosted in your cloud?
ii) Can you guarantee that, when required by the specific application, data will remain within the continental United States, both in transit and at rest? If so, how?
iii) Describe your roles and responsibilities regarding data ownership, e.g. logging data.
iv) Describe your method for getting the customer's data back in-house either on demand or in case of contract termination for any reason.
v) Describe your handling of data isolation, data recovery and handling/security of data at rest and in transit.
vi) How would you handle data remnants throughout their service lifecycle?

7 00135

3) Information Security:
i) Describe your security architecture around the cloud services that you provide, including Open Systems Interconnection (OSI) layers 1-4. Please provide an overview of your methods to limit data dispersal to unauthorized entities. Please explain how you provide both physical and logical security in a shared tenant environment.
ii) Describe your approach to addressing IT security challenges in cloud computing, in particular dealing with hacker attacks, the potential for unauthorized access, and inappropriate use of proprietary data and IT applications. What are your processes and solutions for preventing these challenges from occurring?
iii) Describe the cloud computing authentication models that you think would be most effective for Government administrative use.
iv) Describe how your service offering could enable eDiscovery, forensic analysis, auditability, and other similar governance requirements.
v) What approaches for encryption key management do you support? Describe how you manage them.
vi) What specific expertise does your organization possess with regard to Information, System, Data and Physical Security incident response?

4) Interoperability and Portability:
i) Does your cloud infrastructure support both cloud-to-cloud and Cloud-to-Subscriber communication and ensure interoperability of cloud solutions?
ii) Describe capability and interoperability to mix multiple cloud computing service models offered by your organization, if any, or by other service providers.
iii) Describe the tools supported by your organization for integrating with other service providers and the subscriber's internal infrastructure in terms of interfacing, monitoring and managing multiple cloud computing services.
iv) Do your PaaS and SaaS cloud computing services support portability, i.e. an exit strategy for applications running in your cloud, should it be necessary to vacate?
v) Do your organization's business, implementation and operation models and practices include safeguards to prevent service provider lock-in?

5) Cloud Computing Services for IaaS, PaaS, and SaaS
i) Does your organization offer professional consulting services to assist with planning and migration of existing applications from their current on-premise hosting environments to a cloud computing environment?
ii) Does your organization adhere to current NIST, FISMA, and FedRAMP Security Compliance mandates and policy?
iii) Does your organization offer expertise in Computer Security Incident Response?
iv) Does your organization have an established methodology and associated procedures for coordinating provider and subscriber Computer Security Incident Response teams?

8 00136

6) Network Connectivity
i) Describe the core components of ensuring availability from your perspective (e.g. # of locations, # of locations at Internet Exchange Points (IXP)).
ii) Is your organization's data center Border Gateway Protocol (BGP) peered?
iii) Is your organization's data center network dual homed? If so, with whom?
iv) Are your network configurations able to prioritize customer traffic?
v) Please describe your system for IPv6 address assignment and persistence in a virtual environment.
vi) How do the IETF and IANA expected allocation, use, and routing of IPv6 addresses complement or conflict with your approach for IPv6 address management?
vii) What is your level of support for full IPv6 capabilities, especially in the network, in Domain Name System (DNS), storage, and any operating systems that you provide? Please detail any capabilities that are not fully IPv6 compliant.
viii) Please identify which ports are allowed or accessible through your infrastructure (i.e. 25, 80, 139, and 443) and which we might assume would be blocked. Are there any unique ports or API calls required?
ix) Describe your IP Management in a virtual environment. Can you provide renewal capabilities, including level of support for static IP addressing?
x) Describe how your organization manages domain controllers in a Demilitarized Zone (DMZ).
xi) Can your organization demonstrate the capability to enable TIC inspection, and intrusion prevention, of data between government and non-government co-tenant entities? This includes both external network connections and internal cloud communications with non-government entities.
xii) Do your organization's IaaS service offerings include Top Level Data Network Architecture (TDNLA) routing, switching devices, and IDS/IPS or alternative connectivity allowing use of an existing TLA stack which will be operated by the Government?
xiii) Describe how penetration testing and source code analysis are performed in a cloud environment.

7) Information Assurance Support
i) Does your organization provide Information Assurance assistance to help customers secure their applications through application of current OMB and FISMA Information Assurance mandates and NIST recommendations?
ii) Does your organization and service offering currently comply with all operational and Information Assurance guidance published by the Federal Risk and Authorization Management Program (FedRAMP)?

9 00137

8) Certification and Accreditation Support:
i) What is the level of FedRAMP certification for your offering?
ii) Does your offering include the ability to add or modify existing security controls when needed to meet HHS-specific security requirements?

9) Application Migration
i) Does your organization provide assistance in planning, scheduling, coordination and implementation/migration of applications to the IaaS, PaaS, and SaaS cloud computing environment?

10) Cloud Operations and Maintenance
i) What controls are in place for administrative access, both internal to your company and for administrative access from government clients? Please include discussion of administrator controls over provisioning.
ii) Provide a list of all third party service providers, their roles and responsibilities, and their interfaces to your organization's cloud service offering.
iii) Does your organization offer Virtual Operating Environments?
iv) Describe how you manage remote administration for provisioning and Virtual Machine (VM) access.
v) Does your organization offer Physical Operating Environments?
vi) What types and combinations of CPU processors, virtualization formats, and operating systems are supported by your service?
vii) Does your organization provide assistance with capacity planning and forecasting/trending for growth?
viii) Does your organization offer/perform configuration and management of customized servers, storage, security and networking devices with PaaS and SaaS?
ix) How often does your organization offer/perform technology refresh?
x) Does your organization perform hardware lifecycle management?
xi) Does your organization perform end-of-life planning for hardware and software to mitigate obsolete software versioning, support and hardware technology?
xii) Does your organization provide assistance with Disaster Recovery and Business Continuity planning and execution services?
xiii) Does your organization perform or provide assistance with application analysis in the PaaS and SaaS environment?
xiv) Does your organization provide assistance with security design & configuration services?
xv) Can your organization demonstrate the ability of PaaS and SaaS environments to be interoperable with HHS identification, authentication, and authorization mechanisms?
xvi) Does your organization support the Security Assertion Markup Language (SAML)?
xvii) What other certifications and compliance standards do you support, have third party certification for, or comply with, such as HIPAA, PCI, and SAS 70?

10 00138

xviii) Does your organization provide or support DNSSEC?
xix) Can your organization demonstrate the ability to perform vulnerability and incident management?
xx) Can your organization demonstrate the ability to perform system administration and monitoring services, including the provision of appropriate access to technical security controls and associated logs by HHS Information Security staff?
xxi) What does your organization consider to be critical success factors and key performance indicators, and how does it measure them, relative to IT Service Management (Service Support and Service Delivery)?
xxii) Does your organization provide to the subscriber data center and application availability management, performance, and utilization reports? (Daily, Weekly, Monthly, Annually, RT, Custom)
xxiii) Does your organization provide to the system owner maintenance of network uptime and a network availability guarantee per Mission Assurance Category (MAC) level?
xxiv) Does your organization provide to the end user network application performance and utilization reporting? (Daily, Weekly, Monthly, Annually, RT, Custom)
xxv) Does your organization provide assistance with administration, management, and troubleshooting of systems and infrastructure in the IaaS and PaaS environment?
xxvi) Does your organization provide real-time notification of exception reporting from IaaS, PaaS, and SaaS operating environments?
xxvii) Are technology refresh, upgrade and patching in the service provider software and infrastructure transparent to the stack layers above, end users and system owners?

11) Service Support
i) Does your organization maintain any industry certification standards such as ITIL, ISO 20000, and/or CMMI?
ii) Does your organization implement processes to maintain effective levels of patch management on the Operating Systems, VMs and/or hypervisors in an open virtualization environment?
iii) Describe your handling of potential availability issues such as a significant cloud computing outage, high network load or insufficient bandwidth access. What is your mitigation strategy in case of potential network outages, bandwidth shortages, or spikes in service demand?
iv) Does your organization operate a trouble ticketing system, and does the subscriber have access to the system? If so, at what level?
v) What level of automatic alerting can you provide to our support staff in the event of failure, degraded service, or exceeded planned utilization?
vi) Does your organization perform formal and recognized Service Desk / Service Request Management practices?
vii) Does your organization implement formal and recognized Incident Management practices?

11 00139

viii) Does your organization perform formal and recognized Problem Management practices?
ix) Does your organization perform formal and recognized Change Management practices?
x) Does your organization perform formal and recognized Release Management practices?
xi) Does your organization perform formal and recognized Configuration Management practices?

12) Service Delivery
i) Does your organization perform formal and recognized Service Level Management and Reporting practices?
ii) Does your organization perform formal and recognized Capacity Management practices?
iii) Does your organization perform formal and recognized Service Continuity Management practices?
iv) Does your organization perform formal and recognized Availability Management practices?
v) Does your organization perform formal and recognized Security Management practices?
vi) Does your organization perform formal and recognized Infrastructure Management practices?

13) Provision of Fixed Datacenters
i) Does your organization provide, maintain, operate, and support fixed datacenters, supplying virtualized resource capacity?
ii) Does your organization perform fixed data center management tasks that may include datacenter maintenance, power, HVAC, and/or any aspects of physical plant necessary for operation of a fixed data center? Sub-contracted/Partnership?
iii) Do the fixed data center facilities have appropriate physical and environmental security measures to ensure compliance with OMB, FISMA, NIST, and FedRAMP mandates and requirements?
iv) Does your organization provide resources in commercial Tier 1, 2, 3, and/or 4 datacenters as defined by the Uptime Institute? (http://www.uptimeinstitute.org)

14) Provision of Mobile Datacenters
i) Does your organization provide, maintain, operate, and support mobile datacenters, supplying virtualized resource capacity?
ii) Does your organization or sub-contractor/partner possess transportation and logistics expertise related to the transport of containerized datacenters, including mechanical engineers?
iii) Does your organization provide a solution capable of addressing handling challenges such as shock and vibration during transport, non-operating temperatures during transport, extreme temperatures, and unpressurized aircraft cargo holds?

12 00140

iv) Does your organization provide transportation and setup of the containerized data center including all logistics such as transport and customs?
v) Does your organization perform container modification for harsh operating environments (temperature extremes and other environmental conditions)?
vi) Does your organization provide on-site or escalated/priority remote support for the containerized infrastructure?
vii) Does your organization provide/perform containerized data center management tasks that may include maintenance of the container, power, HVAC, and/or any aspects of physical plant necessary for operation of a containerized data center?

15) Computing Characteristics of Supported Environments. Does your organization provide services encompassing the following computing characteristics:
i. Sensitivity categorization: i) Classified ii) Sensitive iii) Public
ii. Network connectivity to: i) Internet2
iii. Geographic support in: i) CONUS ii) CONUS austere environments (e.g., national or regional emergency situation) iii) OCONUS iv) OCONUS austere environments (e.g., Africa, Central/South America, Southeast Asia)
iv. Operating Systems including but not limited to: i) Windows ii) Linux iii) Unix iv) Solaris
v. Databases including but not limited to: i) Oracle ii) All flavors of SQL Server iii) DB2 iv) Sybase
vi. Application Tier including but not limited to: i) WebSphere ii) WebLogic iii) Biztalk iv) Oracle/Sun Java Glassfish v) Geronimo vi) JBoss vii) Tomcat
vii. Virtual infrastructure: i) Storage ii) Computing capacity iii) Bandwidth iv) Systems Administration to support a specific system
viii. Software Applications: i) Name: ii) Software Vendor: iii) Description: iv) Available APIs:

13 00141

16) Operating Environment General Specifications
Note: Service Providers should assume that the difference in Operating Environments represents bursting levels for each resource. For example, the small environment starts at 1 CPU but can burst as high as 3 CPUs. Similarly, the small environment starts with 1 GB of memory and can burst as high as 3.999 GB of memory. Finally, the disk storage starts at 250 GB and can burst to 499 GB. If an environment needs to exceed the large specification, it will be addressed per task order.
i. OPERATING ENVIRONMENT - The HHS IaaS/PaaS operating environment (OE) is a server configuration that consists of physical and virtual CPU(s), physical and virtual memory and disk storage space. Applications can require one or more OEs to perform their functions properly. Operating Environment Sizing is defined in three categories: small, medium and large. Each one of these levels represents a certain amount of key computer resources assigned to the OE.
ii. ITEM 2: CPU COUNT - Identify the current base and Step Levels in your organization's cloud offering portfolio; OEs and their performance are considered the virtual equivalent of the following:
iii. ITEM 3: CPU PERFORMANCE % - What is your organization's CPU Performance Overhead % threshold? This is the percentage overhead caused by virtualization, thus decreasing the relative performance of the CPU.
iv. ITEM 4: MEMORY - What is the base memory installed? This is the virtualized RAM available for this environment.
v. ITEM 5: MEMORY PERFORMANCE % - What is your organization's memory utilization threshold? This is the percentage overhead caused by virtualization, thus decreasing the relative performance of the RAM.
vi. ITEM 6: DISK CAPACITY - What is the base disk capacity? This is the amount of virtual disk storage available to the environment for application usage and does not include space for any data center or vendor overhead.
vii. ITEM 7: DISK PERFORMANCE OVERHEAD % - What is the threshold for disk capacity overhead? This is the percentage of overhead caused by virtualization, thus decreasing the relative performance of the Disk.
viii. ITEM 8: RECOVERY TIME OBJECTIVE - Measured in hours, what Recovery Time Objective are you capable of meeting in your standard service offerings? Describes the duration of time within which a business process must be restored after a disaster (or disruption) in order to avoid unacceptable consequences associated with a break in business continuity. Includes (1) the time attempting to correct the problem without a recovery, (2) the recovery itself, (3) testing the recovery and (4) communication to the users regarding the recovery.

14 00142

ix. ITEM 9: RECOVERY POINT OBJECTIVE - Measured in hours, what Recovery Point Objective are you capable of meeting in your standard service offerings? Describes the maximum amount of data an IT-based business process may lose before causing detrimental harm to the organization.
x. ITEM 10: AVAILABILITY (A0) - Stated as a %, what level of availability can you provide in your standard service offerings? Defined as service availability of the application or business process, excluding Government-approved downtime. (http://www.uptimeinstitute.org)
xi. ITEM 11: OPEN API, OPEN IAAS SUPPORT AND MGMT, TOOLS - Does your organization provide Open API, Open IaaS Support and Mgmt, Tools? This provides the ability for applications to be moved from the vendor's environment to another environment with no proprietary dependencies imposed by the vendor's environment. This also includes the availability of complete Application Programming Interfaces (APIs) for any application that operates in the vendor's environment. Finally, it includes access to operating environment performance and tuning tools and reports.
xii. ITEM 12: SUPPORT FOR INDUSTRY STANDARD PROTOCOLS, FRAMEWORKS, STANDARDS - Does your organization support standard industry protocols, frameworks, standards? This represents the ability to support popular and industry standard layers, frameworks and development environments within the virtual operating environment. Examples of this are J2EE, .NET, SOAP, XML, PHP.
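To make the bursting rule in item 16 concrete, here is an added example (not part of the RFI or of any HHS tool) that models the three OE sizes with base and burst ceilings, picks the smallest size whose ceilings cover a requested workload, applies a vendor's stated virtualization overhead percentages (items 3, 5 and 7) to obtain effective capacity, and checks a vendor's worksheet figures for RTO, RPO and availability (items 8 to 10) against program targets. The small-tier figures are the ones the note states; the medium and large figures, the overhead percentages and the program targets are constructed placeholders.

```python
"""Operating Environment (OE) sizing helper for the RFI worksheet.

Added example; not the RFI's own material. Small-tier figures come from the
RFI note (1-3 CPUs, 1-3.999 GB memory, 250-499 GB disk). Medium and large
tier figures, overhead percentages and program targets are constructed
placeholders: vendors supply the real ones on the worksheet.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Resource:
    base: float   # allocation the OE starts with
    burst: float  # ceiling it may burst to before a larger OE is needed


@dataclass(frozen=True)
class OperatingEnvironment:
    name: str
    cpu: Resource
    memory_gb: Resource
    disk_gb: Resource

    def covers(self, cpu: float, memory_gb: float, disk_gb: float) -> bool:
        """True when every requested resource fits under this OE's burst ceiling."""
        return (cpu <= self.cpu.burst
                and memory_gb <= self.memory_gb.burst
                and disk_gb <= self.disk_gb.burst)


TIERS: List[OperatingEnvironment] = [
    OperatingEnvironment("small", Resource(1, 3), Resource(1, 3.999), Resource(250, 499)),
    # Constructed figures: the RFI leaves medium and large to the worksheet.
    OperatingEnvironment("medium", Resource(4, 7), Resource(4, 7.999), Resource(500, 999)),
    OperatingEnvironment("large", Resource(8, 15), Resource(8, 15.999), Resource(1000, 1999)),
]


def select_tier(cpu: float, memory_gb: float, disk_gb: float) -> Optional[str]:
    """Smallest OE size whose burst ceilings cover the request.

    None means the request exceeds the large specification, which the RFI
    says is addressed per task order rather than by a standard OE.
    """
    for tier in TIERS:
        if tier.covers(cpu, memory_gb, disk_gb):
            return tier.name
    return None


def effective_capacity(nominal: float, overhead_pct: float) -> float:
    """Capacity left after the vendor's virtualization overhead % (items 3, 5, 7)."""
    if not 0 <= overhead_pct < 100:
        raise ValueError("overhead percentage must be in [0, 100)")
    return nominal * (1 - overhead_pct / 100)


def effective_burst(tier_name: str, overhead_pct: Dict[str, float]) -> Dict[str, float]:
    """Burst ceilings of one OE size after overhead, keyed cpu/memory_gb/disk_gb."""
    tier = next(t for t in TIERS if t.name == tier_name)
    return {
        "cpu": effective_capacity(tier.cpu.burst, overhead_pct["cpu"]),
        "memory_gb": effective_capacity(tier.memory_gb.burst, overhead_pct["memory"]),
        "disk_gb": effective_capacity(tier.disk_gb.burst, overhead_pct["disk"]),
    }


def shortfalls(offer: Dict[str, float], target: Dict[str, float]) -> List[str]:
    """Worksheet items 8-10 checked against program targets.

    RTO and RPO are maximums (lower is better); availability is a minimum.
    Returns the names of the items the offer fails, empty when it passes.
    """
    failed = []
    if offer["rto_hrs"] > target["rto_hrs"]:
        failed.append("rto")
    if offer["rpo_hrs"] > target["rpo_hrs"]:
        failed.append("rpo")
    if offer["availability_pct"] < target["availability_pct"]:
        failed.append("availability")
    return failed


if __name__ == "__main__":
    # Constructed sample request and vendor figures.
    print(select_tier(cpu=2, memory_gb=3.5, disk_gb=300))    # small
    print(select_tier(cpu=3, memory_gb=4.0, disk_gb=300))    # medium: 4.0 GB exceeds 3.999
    print(select_tier(cpu=32, memory_gb=64, disk_gb=5000))   # None: handled per task order
    print(effective_burst("small", {"cpu": 10, "memory": 5, "disk": 8}))
    print(shortfalls({"rto_hrs": 8, "rpo_hrs": 4, "availability_pct": 99.5},
                     {"rto_hrs": 4, "rpo_hrs": 4, "availability_pct": 99.9}))  # ['rto', 'availability']
```

The tier walk stops at the first size whose burst ceilings cover all three resources at once, so a request that is small on CPU but needs 4.0 GB of memory lands in the medium tier, exactly as the note's 3.999 GB ceiling implies; anything beyond the large tier returns None so the caller can route it to a task order instead of silently oversubscribing an OE.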


Operating Environment General Specifications Worksheet

One row per operating environment size (Small, Medium, Large, Other). Columns, with the placeholder to be filled in for each row:

Operating Environment: Small / Medium / Large / Other
CPU Count: <x>
CPU Performance: <x%>
Memory: <xGb>
Memory Performance %: <x%>
Disk Capacity:
Disk Performance %: <x%>
Recovery Time Objective: Maximum RTO <x hrs>
Recovery Point Objective: Maximum RPO <x hrs>
Availability %: <x%>
Open API Support and Mgmt, Tools: <Yes/No>
Support for industry standards, protocols, and frameworks: <Yes/No>


ITI Critical Partner RACI Version 1.0 04/18/2011

Wednesday, July 20, 2011


RACI roles: Business Steward, Project Team, IT Operations, ITI Critical Partner

R - Responsible: This is the individual(s) who will actually complete the task. The individual(s) is responsible for action/implementation. Responsibility can be shared.

A - Accountable: The individual who is accountable is ultimately answerable for the activity or decision. Only one individual can be assigned to an action.

C - Consulted: The consult role is the individual(s) who is typically a subject matter expert to be consulted prior to a final decision or action. Input from the consult position is required.

I - Informed: This is the individual(s) who needs to be informed after an action has occurred. This individual(s) may need to take action as a result of the outcome.

Note: The entity to be held Accountable has not been designated; however, it is likely that the assignment will reside with the business organization. Probable candidates would be the Project Manager, Business Steward or Technical Steward.


Role of an IT Infrastructure Critical Partner in Initiation Phase

Lanes: Deliverables (Project Planning & Execution) [Lane 1]; Project Reviews [Lane 2]; Stage Gate Reviews [Lane 3]

Review the Business Needs Statement. Evaluate the core business needs against existing ITSO services. Participate in the IT Infrastructure Review to determine the service capabilities required to meet known Business Needs.

RACI (rows as extracted):
Business Steward: R A C I R
Project Team: A C I
ITI Critical Partner: R A C I
IT Operations: R A C I

Major Probing Questions for the IT Infrastructure Critical Partner

1. What is the rough scope and scale of the proposed information system or service?
   a. What is the purpose of the system and how will it be used?
   b. What is the approximate number of end-users, and where are they located: internal, external, both, general public?
   c. How often will it be used, by type of end-user?
2. Are there any regulatory or compliance issues associated with the system or service, including those associated with sensitive data and/or international use or access?
3. Are the intended recipients of the service internal, external, or both?

1. Does this initiative potentially depend on an IT Service or Infrastructure Component that is not currently available in the existing ITSO Service Portfolio?


Role of an IT Infrastructure Critical Partner in Concept Phase

Lanes: Deliverables (Project Planning & Execution) [Lane 1]; Project Reviews [Lane 2]; Stage Gate Reviews [Lane 3]

Conduct a review of the business case and information system concept. Determine if the business, intended outcomes, and objectives conceptually align with the agency IT Infrastructure. Consult with the project manager, stakeholders, and technical leads during the Alternative Analysis of IT Service offerings. Provide guidance in the assessment of the information system case and provide insight into the state of the IT infrastructure and the factors that may influence the information system architecture and development approach.

RACI (rows as extracted):
Business Steward: R A C I R
Project Team: A C I
ITI Critical Partner: R A C I
IT Operations: R A C I

Major Probing Questions for the IT Infrastructure Critical Partner

1. How will the system or service be accessed? Internet, Intranet, or both?
2. Have the critical technology elements (authentication and authorization, data/service dependencies, SLA, etc.) been identified?
3. Is this a new system, or a modification/migration of an existing system?

1. Alternative Analysis: is this initiative a potential candidate for deployment as a Cloud-hosted service?


Role of an IT Infrastructure Critical Partner in Planning Phase

Lanes: Deliverables (Project Planning & Execution) [Lane 1]; Project Reviews [Lane 2]; Stage Gate Reviews [Lane 3]

Assess the project scope and approach to develop the project implementation and resource plans. Assess the current and proposed technical environments. Review the overarching information system and management strategy that will support the program. Address the Program's current and future information technology needs. Provide IT Infrastructure strategies for specific information system capabilities. Create an IT infrastructure target to be met during the ensuing design phase to transition to the future state information system environment. Provide guidance and recommendations for the following line of questions:

RACI (rows as extracted):
Business Steward: R A C I R
Project Team: A C I
ITI Critical Partner: R A C I
IT Operations: R A C I

Major Probing Questions for the IT Infrastructure Critical Partner

Is the information system's scope well defined and unambiguous? Have IT infrastructure support organization considerations been reviewed?

1. Does the scope assessment include key processes, procedures, hardware, software, network, and/or support services?
2. Is there a need for additional IT processes, procedures, and/or standards? Are there potential conflicts?
3. Does the Scope statement include a high-level description of the major IT infrastructure requirements and/or capabilities? Have relationships with and dependencies on existing infrastructure services and shared resources been evaluated?

1. Has the scope of the initiative changed since initiation, and if so, has the scope statement been updated?
2. Have processes, procedures, and standards related to IT governance and IT infrastructure operations been considered?


Role of an IT Infrastructure Critical Partner in Requirements Analysis Phase

Lanes: Deliverables (Project Planning & Execution) [Lane 1]; Project Reviews [Lane 2]; Stage Gate Reviews [Lane 3]

Review project scope and provide guidance for IT Infrastructure implementation and resource planning. Provide insight into the current IT organizational and technical environments and establish compliance of the information system with IT Infrastructure standards. Provide assessments of existing IT Infrastructure technical environment(s) and security controls as well as IT Infrastructure organization and management. Participate in the requirements review by providing recommendations to the project technical lead in reference to IT Infrastructure, support organization, and security controls related directly to infrastructure services. Review and update the results of the Cloud Computing Alternative Analysis.

RACI (rows as extracted):
Business Steward: R A C I R
Project Team: A C I
ITI Critical Partner: R A C I
IT Operations: R A C I

Major Probing Questions for the IT Infrastructure Critical Partner

1. Provide guidance in identifying requirements for system application components including database, server and client services.
2. Provide assistance in identifying requirements for supporting the integration between legacy applications and the proposed system.
3. Provide guidance in identifying requirements for third-party tools required to support the application IT infrastructure.
4. Provide guidance in identifying configuration requirements for both third-party tools and primary software required to support the initiative.
5. Provide guidance in identifying requirements for network services, including LAN, WAN, WLAN, telecommunications, and/or mobile networking requirements.


Role of an IT Infrastructure Critical Partner in Design Phase

Lanes: Deliverables (Project Planning & Execution) [Lane 1]; Project Reviews [Lane 2]; Stage Gate Reviews [Lane 3]

Conduct a review of the proposed IT infrastructure related to the information system. Consult with developers to develop artifacts used to build and configure information systems and the supporting infrastructure. Participate in the Detailed Design review with the project manager and SMEs in reference to application technical specifications, change, and IT Infrastructure. Participate in the Design Stage Gate Review by ensuring that the following questions have been answered in sufficient detail to design the underlying IT Infrastructure supporting systems and services, and to award contracts to outside service providers where appropriate:

RACI (rows as extracted):
Business Steward: R A C I R
Project Team: A C I
ITI Critical Partner: R A C I
IT Operations: R A C I

Major Probing Questions for the IT Infrastructure Critical Partner

1. Has the logical design for the proposed system been fully developed?
2. Have the procedures for ongoing information system maintenance and updates been defined?

1. Have change control procedures related to configuration, patches, updates, fixes, and any other changes been approved by project management?
2. Have change control procedures related to configuration, patches, updates, fixes, and any other changes been communicated to IT infrastructure service providers?
3. Does the design document include backup and recovery plans/requirements?
4. Are all documented SLAs relevant to the business operation and information system, quantifiable, and measurable?


Role of an IT Infrastructure Critical Partner in Development Phase

Lanes: Deliverables (Project Planning & Execution) [Lane 1]; Project Reviews [Lane 2]; Stage Gate Reviews [Lane 3]

Provide guidance to the project manager and information system SMEs to develop and configure the IT infrastructure and to test the system's components and procedures to ensure compliance with both business requirements and agency technology standards. Participate in the review of the information system and IT infrastructure processes and procedures developed.

RACI (rows as extracted):
Business Steward: R A C I R
Project Team: A C I
ITI Critical Partner: R A C I
IT Operations: R A C I

Major Probing Questions for the IT Infrastructure Critical Partner

1. Has a test plan been developed for the dev/test environment?
2. Are the information system and performance requirements and capacity metrics up-to-date, relevant and accurate?
3. Does the current IT Infrastructure performance meet performance requirements and achieve desired system/service metrics?

1. Does the information system and IT infrastructure scale to meet projected requirements?


Role of an IT Infrastructure Critical Partner in Test Phase

Lanes: Deliverables (Project Planning & Execution) [Lane 1]; Project Reviews [Lane 2]; Stage Gate Reviews [Lane 3]

Review the results of system, integration, performance, operational, user-acceptance, and deployment tests described in the previous phases. Participate in the review of the information system and IT infrastructure components to ensure the system is ready for implementation.

RACI (rows as extracted):
Business Steward: R A C I R
Project Team: A C I
ITI Critical Partner: R A C I
IT Operations: R A C I

Major Probing Questions for the IT Infrastructure Critical Partner

1. Does the test environment accurately represent the demands of the projected production environment, including connectivity, security and access to dependent resources?
2. Have backup and recovery systems and procedures been tested, found to be ready for implementation, and documented?
3. Have required third-party tools been tested, found to be ready for implementation, and documented?
4. Have all system and infrastructure components been tested and do the results fall within design metrics?

1. Has the system technical steward tested all software-related components?
2. Has the system developer tested functionality and data elements?


Role of an IT Infrastructure Critical Partner in Implementation Phase

Lanes: Deliverables (Project Planning & Execution) [Lane 1]; Project Reviews [Lane 2]; Stage Gate Reviews [Lane 3]

Provide guidance to the project manager and technical lead to prepare for and execute the implementation of the new enterprise information system into the IT Infrastructure. Confirm the results of final user-acceptance testing, administrator and operator training, and establish ongoing operations. Participate in the Implementation Stage Gate Review of the process for management of configuration changes, environmental preparedness, system monitoring, and cutover execution.

RACI (rows as extracted):
Business Steward: R A C I R
Project Team: A C I
ITI Critical Partner: R A C I
IT Operations: R A C I

Major Probing Questions for the IT Infrastructure Critical Partner

1. Participate in the Operational Readiness Review.
2. Provide assistance in identifying performance bottlenecks within the IT infrastructure and offer recommendations to fine-tune the information system to improve performance.
3. Provide guidance for documenting procedures to monitor the information system, including application and performance monitoring for system accessibility, stability, and reliability.
4. Provide guidance for managing release control of the information system into the production IT infrastructure.

1. Are all individual system and infrastructure components installed, configured and ready for deployment?


Role of an IT Infrastructure Critical Partner in Operations & Maintenance Phase

Lanes: Deliverables (Project Planning & Execution) [Lane 1]; Project Reviews [Lane 2]; Stage Gate Reviews [Lane 3]

Provide guidance for the project manager and the system technical lead on the details pertaining to IT infrastructure during the Operations and Maintenance phase. Confirm that the IT infrastructure and support organization are capable of sustaining system availability. Participate in Operational Analysis and Service Level Reviews.

RACI (rows as extracted):
Business Steward: R A C I R
Project Team: A C I
ITI Critical Partner: R A C I
IT Operations: R A C I

Major Probing Questions for the IT Infrastructure Critical Partner

1. Participate in the Operations and Maintenance Stage Gate Review and provide guidance regarding operations of related IT Infrastructure.
2. Has responsibility and accountability been established to support operational management of the information system and IT Infrastructure environment?
3. Have change-control procedures been implemented as designed?
4. Are the responsible and accountable parties prepared to monitor and manage the information system and supporting services?

1. Is there a procedure in place to stay current with vendor patches and updates?


Role of an IT Infrastructure Critical Partner in Disposition Phase

Lanes: Deliverables (Project Planning & Execution) [Lane 1]; Project Reviews [Lane 2]; Stage Gate Reviews [Lane 3]

Handle transition reviews from the IT Infrastructure perspective. Ensure the support organization underpinning the information system marked for decommissioning is adequately informed and that the supporting infrastructure is appropriately managed during the process. Participate in the Disposition Review related to IT Infrastructure management of configuration changes and infrastructure monitoring for the recapture and inventory of IT capabilities and assets.

RACI (rows as extracted):
Business Steward: R A C I
Project Team: R A C I R
ITI Critical Partner: A C I
IT Operations: R A C I

Major Probing Questions for the IT Infrastructure Critical Partner

1. Participate in the Disposition Review to decommission legacy systems pertaining to the IT infrastructure for archival and handling of data, software, and facilities.

1. If the legacy system is being replaced, does the new system and IT infrastructure support all essential business or scientific functions?


HHS Enterprise Performance lifecycle (EPLC) Framework Role of Critical Partners IT Infrastructure Version 1.0 04/18/2011


This document contains the current draft set of questions for the ITI Critical Partner across all ten EPLC stage gates, along with supporting graphics that describe the process. The purpose behind these questions is to ensure that IT Operations staff get the information they need regarding any IT initiative early enough in the process to evaluate it against existing systems, standards and other dependencies. A secondary purpose is to ensure that IT Operations is engaged early in any new IT initiative, improving its ability to provide meaningful and valuable support to the impacted program mission and goals. The goal of the ITI partner is to ensure that IT projects align with current or planned IT infrastructure, services, facilities, and processes. The IT Infrastructure Critical Partners interact with the initiative's Project Manager (PM) and IT Operational Branches. The ITI Critical Partner acts as a point of contact or conduit between the Programs and IT Operations to ensure that infrastructure-dependent aspects of the project are taken into full consideration before moving through subsequent stage gates. The process begins with the PM passing project documents to the IT Infrastructure Critical Partner. The IT Infrastructure Critical Partner then provides copies to IT Operations team members to review and provide comment.


Table of Contents

Summary (page 4)
Role of a Critical Partner in a Project (page 5)
Role of an IT Infrastructure Critical Partner in Initiation Phase (page 13)
Role of an IT Infrastructure Critical Partner in Concept Phase (page 14)
Role of an IT Infrastructure Critical Partner in Planning Phase (page 15)
Role of an IT Infrastructure Critical Partner in Requirements Analysis Phase (page 17)
Role of an IT Infrastructure Critical Partner in Design Phase (page 18)
Role of an IT Infrastructure Critical Partner in Development Phase (page 19)
Role of an IT Infrastructure Critical Partner in Test Phase (page 20)
Role of an IT Infrastructure Critical Partner in Implementation Phase (page 21)
Role of an IT Infrastructure Critical Partner in Operations & Maintenance Phase (page 22)
Role of an IT Infrastructure Critical Partner in Disposition Phase (page 23)
Additional Questions (page 24)
Resources (page 27)


Summary

EPLC Background

In October 2008, HHS issued the HHS OCIO Policy for Information Technology (IT) Enterprise Performance Life Cycle (EPLC) along with the EPLC Framework. The EPLC framework consists of ten life cycle phases. Within each phase, activities, responsibilities, reviews, and deliverables are defined. Exit criteria are established for each phase, and Stage Gate reviews are conducted through the IT governance process to ensure that the project's management quality, soundness, and technical feasibility remain adequate and the project is ready to move forward to the next phase. The EPLC framework provides a guide to Project Managers, Business Owners, IT Governance Executives, other Stakeholders, and Critical Partners throughout the life of the project. The EPLC framework is designed to provide the flexibility needed to adequately manage risk while allowing for differences in project size, complexity, scope, duration, etc. Examples of flexibility include the ability (with IT governance approval) to tailor the framework where particular phases or deliverables may not apply, to aggregate phases and deliverables when appropriate, and to provide for conditional stage gate approvals that allow progress to a subsequent phase in a manner that identifies and controls for risk.

The EPLC is a framework for managing the life cycle of projects. It recognizes that there is an implied hierarchy of an IT portfolio made up of IT investments, which are made up of projects, which are made up of systems. When a project has only one system, or an investment has only one project, the distinction of exactly what is a project can become blurred. In HHS, investments are comprised of one or more projects and include those covered both by development/modernization/enhancement funding and by steady state funding for ongoing operations and maintenance. Each project within the investment is required to follow the EPLC. The annual Capital Planning & Investment Control (CPIC) process will address the investment as an entity and will ensure that each project within the investment has been compliant with the requirements.

Small Projects

Although a first glance at this manual will give the impression of too much overhead for small projects, Critical Partners are encouraged to work with the Project Managers and Business Owners to identify the amount of rigor required for success. Many of the project deliverables and reviews can be tailored (i.e., used, not used, or combined) to fit the needs of a small project using the standard EPLC Project Process Agreement template; however, for consistency, this manual is inclusive of all requirements without tailoring. HHS is currently working on defining a Project Process Agreement for small and fast-track projects which will provide more detailed guidance. It is expected that this document will be available in February 2010.


Purpose of this Manual

The purpose of this manual is to abstract out the relevant requirements for the IT Infrastructure Critical Partner within the EPLC and HHS's implementation of the requirements. This manual is intended to be used as a quick reference manual.

Role of a Critical Partner in a Project


Overview

The EPLC framework and associated best practices in IT project management combine to reduce risk within individual IT projects and across the HHS and CDC IT investment portfolio. Only sound, viable IT projects with reasonable baselines for funding should be included in the IT investment portfolio. EPLC requires that IT projects be managed and implemented in a structured manner, using sound project management practices, and involving business stakeholders and technical experts throughout the project's life cycle. Critical Partners are essential project stakeholders. EPLC defines Critical Partners as functional managers in ten areas: Enterprise Architecture (EA), Security, IT Infrastructure, Acquisition Management, Finance, Budget, Human Resources, Section 508, Capital Planning and Investment Control (CPIC), and Performance (the Business Owner). They participate in IT projects and governance decisions to confirm compliance with policies in their respective areas and to make timely tradeoff decisions where conflicts arise during the planning and execution of projects. Subordinate organizations may also define other Critical Partner roles such as Health Scientists, Statisticians, or Epidemiologists. In this document the term National Center encompasses all subordinate organizational entities including Offices and Institutes. Because organizational structures vary, the expertise for these Critical Partner roles may be fulfilled in various ways as defined by the National Centers; however, the general guidance of the roles as defined below should be considered in the National Center definitions.

Overall Responsibility for each Critical Partner

Enterprise Architecture: The EA Critical Partners are charged with ensuring that the Enterprise Architecture Program supports, augments, and reinforces the EPLC process to ensure achievement of the organizational mission, strategic and operational business needs. Their goal is to ensure that an IT project provides demonstrable alignment with architecture principles, business processes, and technical architecture.

IT Infrastructure: The IT Infrastructure Critical Partners are charged with ensuring that the IT Infrastructure Program supports, augments, and reinforces the EPLC process to ensure achievement of the organizational mission, strategic and operational business needs. Their goal is to ensure that an IT project provides demonstrable alignment with IT infrastructure, services, facilities, and processes.

Security: The Security Critical Partners are charged with ensuring that the Security Program supports, augments, and reinforces the EPLC process to ensure achievement of the organizational mission, strategic and operational business needs. They must ensure that all projects demonstrate that the appropriate planning and budgeting for the appropriate IT privacy and security controls are explicitly incorporated into the life cycle.

Acquisition Management: The Acquisition Management Critical Partners are charged with ensuring that the Procurement activity supports, augments, and reinforces the EPLC process to ensure achievement of the organizational mission, strategic and operational business needs. They are responsible for reviewing project business cases for conformance with the Federal Acquisition Regulation, HHS acquisition policies and procedures, and successful business practices.

Finance & Budget: The Budget/Finance Critical Partners are responsible for ensuring that the business case and the project's financial needs are adequately identified and planned, and that any of the project's financial management components interact with financial systems in such a way as to ensure compliance with financial and budget standards and regulations. During the life cycle of the project, the Budget/Finance Critical Partners provide guidance to project managers regarding financial management policies and issues.

Human Resources/Business Owner: The Human Resources Critical Partners are responsible for ensuring that the project has the skills and competencies necessary to accomplish the business objectives and that all human resource and union issues that may affect a project's progress are addressed in an appropriate manner. The Atlanta Human Resources Center (AHRC) handles HR issues for Civil Service personnel, while HR issues for Commissioned Corps personnel are handled by the Office of Workforce and Career Development (OWCD). All training is handled by OWCD. The Business Owner of a project is most often responsible for ensuring that the project has the skills and competencies required; therefore, a combination of individuals may need to fulfill this responsibility.


Section 508: The Section 508 Critical Partners are responsible for reviewing the IT business cases and project deliverables to ensure that the project design and any associated contracts contain all of the accessibility requirements and that those issues are identified and addressed prior to implementation.

CPIC: The CPIC Critical Partners are responsible for reviewing IT business cases and project deliverables to ensure compliance with CPIC policies and procedures and for providing guidance to IT project managers regarding the overall project management requirements of EPLC and CPIC. They are also responsible for the coordination of the other Critical Partners in the preparation and review during Stage Gates.

Performance/Business Owner: The Performance Critical Partners are the Business Owners who are responsible for ensuring that their projects achieve the organizational mission, strategic and operational business needs while meeting the business need as originally identified. Business Owners are responsible for identifying the business needs and the performance measures to be satisfied by their projects and have the overall financial and management responsibility.


EPLC Framework

The EPLC framework shown in Figure 1 consists of ten life-cycle phases and three major lanes of activities that are conducted during a phase. Critical Partners have responsibilities in all phases and lanes of activities. This manual provides specific information for the IT Infrastructure Critical Partner on all responsibilities.

Figure 1. EPLC Framework Showing Phases and Three Lanes of Activities

Lane 1: Deliverables (Project Planning & Execution)

The project manager is responsible and accountable to the Business Owner for meeting the business requirements of a project within the cost, schedule, and scope baselines. In order for a project manager to be successful, Critical Partners need to ensure that project requirements from their respective areas are planned for at the earliest possible point in the project. This requires that Critical Partners be actively engaged in the project from beginning to end. EPLC also considers Critical Partners to be members of the Integrated Project Team assisting project managers with the planning and execution of the project.


Lane 2: Project Reviews

There are 13 different project reviews that are required by the EPLC. These project reviews are conducted at specific points in the life cycle to confirm that events have occurred and decisions have been made before continuing with the project. Some of these reviews may be performed concurrently; e.g., the System Re-Certification and System Re-Accreditation Project Reviews in EPLC will be performed as a part of the CDC Certification & Accreditation process. The different project reviews are spelled out in the individual phases with an indication of the requirements for the Critical Partners. The EPLC requires Critical Partner participation in the IT Infrastructure Review [Initiation Phase] and Requirements Review [Requirements Analysis Phase]. National Centers may also require Critical Partner participation in some or all of the remaining project reviews as a method for Critical Partners to provide oversight, advice and counsel to the project manager on a regular basis.

Lane 3: Stage Gate Reviews

Stage Gate Reviews are conducted by IR Governance as defined in the IR Governance Stage Gate Review Plan. In this plan, IR Governance has defined a process for the IR Governance bodies to conduct the following four Stage Gates:

Project Selection Review [B]
Project Baseline Review [C]
Preliminary Design Review [E]
Operational Readiness Review [H]

For these four gates, each Critical Partner will be responsible for reviewing projects to ensure that the project meets the Critical Partners' respective requirements. Based on these reviews, Critical Partners must provide recommendations to the applicable IR Governance bodies on whether the project should proceed to the next phase [with or without condition] or whether the project should be discontinued. The CPIC Critical Partner is responsible for coordinating these Critical Partner reviews. The IR Governance Stage Gate Review Plan requires that projects with an annual budget of $1 million or greater be reviewed at the Enterprise level. For projects with an annual budget of less than $1 million, the National Center Governance body is responsible.


The National Center Governance body also has the responsibility for determining the most appropriate approach for conducting the following Stage Gate Reviews, irrespective of the projects annual budget: Initiation Phase End Stage Gate Review [A] Requirements Analysis Phase End Stage Gate Review[D] Development Phase End Stage Gate Review [F] Test Phase End Stage Gate Review [G] Operations & Maintenance Phase End Stage Gate Review [I] Disposition Phase End Stage Gate Review [J]

These gates may be delegated to individuals or organizations inside the Center or performed by the National Center Governance body. The role of Critical Partners in these reviews will vary based on the decisions of the National Center's governance body. This manual provides information and guidance to the IT Infrastructure Critical Partner for all ten Stage Gate Reviews in case they are called upon to provide a recommendation.


The following graphic in Figure 2 represents the high-level process that HHS has utilized in each Stage Gate Review process. Critical Partners, in conjunction with the Project Manager, Business Owner and IR Governance bodies, must remember that the degree of rigor applied to each Stage Gate Review needs to reflect a consideration of the size of the project, level of technical risk, complexity, and criticality to the mission. No project should proceed into the next phase without receiving a decision to proceed from the IR Governance Review body or delegated authority.

Figure 2. Stage Gate Review Process


Probing Questions
Probing Questions are provided to help Critical Partners know what to ask as a part of their responsibilities in all three lanes of project activities. These questions have been separated into Major Probing Questions and Additional Questions. The Major Probing Questions are those that have been identified as providing significant information for the phase activities. The Additional Questions should also be considered as appropriate for the size of the project, level of technical risk, complexity, and criticality to the mission. While the Major Probing Questions are included in the sections with responsibilities by phase, the Additional Questions are located in the Additional Questions section of this manual.

Summary
Critical Partners are key project stakeholders and must be involved in all phases and activities of a project, including the project planning and execution along with the appropriate reviews that occur throughout the life cycle. This manual serves as one available resource that may be helpful in accomplishing the required responsibilities of the IT Infrastructure Critical Partner. Other resources available to CDC Critical Partners are identified in the Resources section of this manual.


Role of an IT Infrastructure Critical Partner in Initiation Phase

Brief Description of Phase
The Initiation phase identifies the business need, Rough Order of Magnitude (ROM) cost and schedule, and basic business and technical risks. The outcome of the Initiation Phase is the decision to invest in a full business case analysis and preliminary project management plan.

Lane 1: Deliverables (Project Planning & Execution)
Review the Business Needs Statement. Evaluate the core business need against the IT Service Portfolio.

Lane 2: Project Reviews
Participate in the IT Infrastructure Review to determine the service capabilities required to meet known Business Needs.

Lane 3: Stage Gate Reviews
1. What is the rough scope and scale of the proposed information system or service?
a. What is the purpose of the system and how will it be used?
b. What is the approximate number of end-users, and where are they located (internal, external, both, general public)?
c. How often will it be used, by type of end-user?
2. Are there any regulatory or compliance issues associated with the system or service, including those associated with sensitive data and/or international use or access?
3. Are the intended recipients of the service internal, external, or both?

Major Probing Questions for the IT Infrastructure Critical Partner
1. Does this initiative potentially depend on an IT Service or IT Infrastructure Component that is not currently available in the existing IT Service Portfolio?


Role of an IT Infrastructure Critical Partner in Concept Phase

Brief Description of Phase
The Concept phase identifies the high-level business and functional requirements required to develop the full business case analysis and preliminary Project Management Plan for the proposed project. The outcomes of the Concept Phase are the initial Cloud Computing Alternative Analysis and resulting IT Service Provider recommendation; approval of initial project cost, schedule and performance baselines; and issuance of a Project Charter.

Lane 1: Deliverables (Project Planning & Execution)
Conduct a review of the business case and information system concept. Determine if the business, intended outcomes, and objectives conceptually align with the agency IT Infrastructure. Consult with the project manager, stakeholders, and technical leads during the Alternative Analysis of IT Service offerings.

Lane 2: Project Reviews
Provide guidance in the assessment of the information system case and provide insight into the state of the IT infrastructure and the factors that may influence the information system architecture and development approach.

Lane 3: Stage Gate Reviews
1. How will the system or service be accessed? Internet, Intranet, or both?
2. Have the critical technology elements (authentication and authorization, data/service dependencies, SLA, etc.) been identified?
3. Is this a new system, or a modification/migration of an existing system?

Major Probing Questions for the IT Infrastructure Critical Partner
1. Cloud-First Alternative Analysis: is this initiative a potential candidate for deployment as a Cloud-hosted service?


Role of an IT Infrastructure Critical Partner in Planning Phase

Brief Description of Phase
The Planning phase completes the development of the full Project Management Plan and refinement of project cost, schedule and performance baselines as necessary. The outcome of the Planning phase is complete and adequate project planning and sufficient requirements determination to validate the planning and project baselines.

Lane 1: Deliverables (Project Planning & Execution)
Assess the project scope and approach to develop the project implementation and resource plans. Assess the current and proposed technical environments. Review the overarching information system and management strategy that will support the program. Address the Program's current and future information technology needs. Provide IT Infrastructure strategies for specific information system capabilities. Create an IT infrastructure target to be met during the ensuing design phase to transition to the future-state information system environment.

Lane 2: Project Reviews
Provide guidance and recommendations for the following line of questions: Is the information system's scope well defined and unambiguous? Have IT infrastructure support organization considerations been reviewed? Have relationships with and dependencies on existing infrastructure services and shared resources been evaluated?

Lane 3: Stage Gate Reviews
1. Does the scope assessment include key processes, procedures, hardware, software, network, and/or support services?
2. Is there a need for additional processes, procedures, and/or standards? Are there potential conflicts?
3. Does the Scope statement include a high-level description of the major IT infrastructure requirements and/or capabilities?

Major Probing Questions for the IT Infrastructure Critical Partner
1. Has the scope of the initiative changed since initiation, and if so, has the scope statement been updated?
2. Have processes, procedures, and standards related to IT governance and IT infrastructure operations been considered?


Role of an IT Infrastructure Critical Partner in Requirements Analysis Phase

Brief Description of Phase
The Requirements Analysis phase develops detailed functional and non-functional requirements and the Requirements Traceability Matrix (RTM). The outcome of the Requirements Analysis Phase is an actionable list of requirements, with sufficient detail to develop the design of required IT Infrastructure supporting services and to begin the development of SLA and/or contract language with the selected IT Service Provider (whether internal or external).

Lane 1: Deliverables (Project Planning & Execution)
Review project scope and provide guidance for IT Infrastructure implementation and resource planning. Provide insight into the current IT organizational and technical environments and establish compliance of the information system with IT Infrastructure standards. Provide assessments of existing IT Infrastructure technical environment(s) and security controls as well as IT Infrastructure organization and management.

Lane 2: Project Reviews
Participate in the requirements review by providing recommendations to the project technical lead in reference to IT Infrastructure, support organization, and security controls related directly to infrastructure services. Review and update the results of the Cloud Computing Alternative Analysis.

Lane 3: Stage Gate Reviews
1. Provide guidance in identifying requirements for system application components including database, server and client services.
2. Provide assistance in identifying requirements for supporting the integration between legacy applications and the proposed system.
3. Provide guidance in identifying requirements for third-party tools required to support the application IT infrastructure.
4. Provide guidance in identifying configuration requirements for both third-party tools and primary software required to support the initiative.
5. Provide guidance in identifying requirements for network services, including LAN, WAN, WLAN, telecommunications, and/or mobile networking requirements.

Major Probing Questions for the IT Infrastructure Critical Partner


Role of an IT Infrastructure Critical Partner in Design Phase

Brief Description of Phase
The Design phase develops the Design Document. The outcome of the Design Phase is completion of the Business Product design and successful completion of the Preliminary and Detailed Design Reviews.

Lane 1: Deliverables (Project Planning & Execution)
Conduct a review of the proposed IT infrastructure related to the information system. Consult with developers to develop artifacts used to build and configure information systems and the supporting infrastructure.

Lane 2: Project Reviews
Participate in the Detailed Design Review with the project manager and SMEs in reference to application technical specifications, change, and IT Infrastructure.

Lane 3: Stage Gate Reviews
Participate in the Design Stage Gate Review by ensuring that the following questions have been answered in sufficient detail to design the underlying IT Infrastructure supporting systems and services, and to award contracts to outside service providers where appropriate:
1. Has the logical design for the proposed system been fully developed?
2. Have the procedures for ongoing information system maintenance and updates been defined?

Major Probing Questions for the IT Infrastructure Critical Partner
1. Have change control procedures related to configuration, patches, updates, fixes, and any other changes been approved by project management?
2. Have change control procedures related to configuration, patches, updates, fixes, and any other changes been communicated to IT infrastructure service providers?
3. Does the design document include backup and recovery plans/requirements?
4. Are all documented SLAs relevant to the business operation and information system, quantifiable, and measurable?


Role of an IT Infrastructure Critical Partner in Development Phase

Brief Description of Phase
The Development phase continues the design phase, with IT Support services implemented in a test environment with sufficient detail and depth to begin the evaluation of the performance of the Business Product and initiate an Independent Verification & Validation Assessment. The outcome of the Development Phase is validation of the system design; user, operator and maintenance documentation; and test planning.

Lane 1: Deliverables (Project Planning & Execution)
Provide guidance to the project manager and information system SMEs to develop and configure the IT infrastructure and to test the system's components and procedures to ensure compliance with both business requirements and agency technology standards.

Lane 2: Project Reviews
Participate in the review of the information systems and IT infrastructure process and procedures developed.

Lane 3: Stage Gate Reviews
1. Has a test plan been developed for the dev/test environment?
2. Are the information system and performance requirements and capacity metrics up-to-date, relevant and accurate?
3. Does the IT Infrastructure performance as designed meet configuration requirements and achieve desired system/service performance metrics?

Major Probing Questions for the IT Infrastructure Critical Partner
1. Does the information system and IT infrastructure scale to meet projected requirements?


Role of an IT Infrastructure Critical Partner in Test Phase

Brief Description of Phase
The Test phase conducts thorough testing and auditing of the Business Product's design, coding and documentation. The outcome of the Test Phase is completed acceptance testing and readiness for training and implementation.

Lane 1: Deliverables (Project Planning & Execution)
Review test procedures and outcomes in the areas affecting the IT Infrastructure. Review the results of the system, integration, performance, operational, user-acceptance, and deployment tests described in the previous phases.

Lane 2: Project Reviews
Participate in the review of the information systems and IT infrastructure component to ensure the system is ready for implementation.

Lane 3: Stage Gate Reviews
1. Does the test environment accurately represent the demands of the projected production environment, including connectivity, security and access to dependent resources?
2. Have backup and recovery systems and procedures been tested, found to be ready for implementation, and documented?
3. Have required third-party tools been tested, found to be ready for implementation, and documented?
4. Have all system and infrastructure components been tested, and do the results fall within design metrics?

Major Probing Questions for the IT Infrastructure Critical Partner
1. Has the system technical steward tested all software-related components?
2. Has the system developer tested functionality and data elements?


Role of an IT Infrastructure Critical Partner in Implementation Phase

Brief Description of Phase
The Implementation phase conducts user and operator training, determines readiness to implement, and executes the Implementation Plan, including any phased implementation. The outcome of the Implementation Phase is successful establishment of full production capability and completion of the Post-Implementation Review.

Lane 1: Deliverables (Project Planning & Execution)
Provide guidance for the project manager and technical lead to prepare for and execute the implementation of the new enterprise information system into the IT Infrastructure. Confirm the results of final user-acceptance testing and administrator and operator training, and establish ongoing operations.

Lane 2: Project Reviews
Participate in the Implementation Stage Gate Review of the process for management of configuration changes, environmental preparedness and system monitoring, and cutover execution.

Lane 3: Stage Gate Reviews
1. Participate in the Operational Readiness Review.
2. Provide assistance in identifying performance bottlenecks within the IT infrastructure and offer recommendations to fine-tune the information system to improve performance.
3. Provide guidance for documenting procedures to monitor the information system, including application and performance monitoring, for system accessibility, stability, and reliability.
4. Provide guidance for managing release control of the information system into the production IT infrastructure.

Major Probing Questions for the IT Infrastructure Critical Partner
1. Are all individual system and infrastructure components installed, configured and ready for deployment?


Role of an IT Infrastructure Critical Partner in Operations & Maintenance Phase

Brief Description of Phase
The Operations & Maintenance phase operates and maintains the production system and conducts annual operational analyses. The outcome of the Operations and Maintenance Phase is successful operation of the asset against current cost, schedule and performance benchmarks.

Lane 1: Deliverables (Project Planning & Execution)
Provide counsel to the project manager and the system technical lead on the details pertaining to IT infrastructure during the Operations and Maintenance phase. Confirm that the IT infrastructure and support organization are capable of sustaining system availability.

Lane 2: Project Reviews
Participate in Operational Analysis and Service Level Reviews.

Lane 3: Stage Gate Reviews
1. Participate in the Operations and Maintenance Stage Gate Review and provide guidance regarding operations of related IT Infrastructure.
2. Has responsibility and accountability been established to support operational management of the information system and IT Infrastructure environment?
3. Have change-control procedures been implemented as designed?
4. Are the responsible and accountable parties prepared to monitor and manage the information system and supporting services?

Major Probing Questions for the IT Infrastructure Critical Partner
1. Is there a procedure in place to stay current with vendor patches and updates?


Role of an IT Infrastructure Critical Partner in Disposition Phase

Brief Description of Phase
The Disposition phase retires the asset when operational analysis indicates that it is no longer cost-effective to operate the asset. The outcome of the Disposition Phase is the deliberate and systematic decommissioning of the Business Product with appropriate consideration of data archiving and security, migration of data or functionality to new assets, and incorporation of lessons learned over the project life cycle.

Lane 1: Deliverables (Project Planning & Execution)
Handle transition reviews from the IT Infrastructure perspective. Ensure the support organization underpinning the information system marked for decommissioning is adequately informed and that the supporting infrastructure is appropriately managed during the process.

Lane 2: Project Reviews
Participate in the Disposition Review related to IT Infrastructure management of configuration changes and infrastructure monitoring for the recapture and inventory of IT capabilities and assets.

Lane 3: Stage Gate Reviews
1. Participate in the Disposition Review to decommission legacy systems pertaining to the IT infrastructure for archival and handling of data, software, and facilities.

Major Probing Questions for the IT Infrastructure Critical Partner
1. If the legacy system is being replaced, does the new system and IT infrastructure support all essential business or scientific functions?


Additional Questions

Role of an IT Infrastructure Critical Partner in Initiation Phase
1. Has funding been considered for the duration of the system or service lifecycle (including out-year O&M and potential telecommunication costs)?
2. What are the boundaries for the proposed information system (what is explicitly included and/or excluded)?

Role of an IT Infrastructure Critical Partner in Concept Phase

Role of an IT Infrastructure Critical Partner in Planning Phase
3. Have database, application and system interactions been defined in sufficient detail to determine essential communication requirements between dependent systems?

Role of an IT Infrastructure Critical Partner in Requirements Analysis Phase
4. What are the requirements for network, hardware, database, and supporting software interoperability?
5. Does the initiative call for High Availability, Fault Tolerance, Continuous Availability or related capabilities?
6. What are the recovery and restoration requirements, based on business impact and risk?
7. Do IT Infrastructure requirements differ between Dev/Test and Production environments?
8. Have owners and subject matter experts for each information system component of the initiative been identified?
9. Have any required third-party/non-standard tools been identified?
10. If applicable, is required third-party software implementation included in this initiative or is it a separate effort?
11. Will the proposed information system require interoperability with legacy systems or infrastructure?
12. Do the system requirements provide sufficient detail to begin design of the information system?
13. Are there any automated processes that might negatively impact the performance of other information systems or underlying infrastructure in the environment?
14. What are the performance, security and activity reporting requirements associated with the system/service?
15. Do the standard reports provided by the service provider meet those requirements?
16. If not, what are the options and costs for developing custom reporting capabilities?
17. Have performance criteria for the network (network traffic rates/volume, network response and delay times, availability, reliability, etc.) been taken into consideration?
18. Does the service provider's backup and recovery capacity provide the required level of protection in the event of an outage?
19. Does the service provider allow the IT Customer to specify the recovery point and recovery time objectives (RPO/RTO) that are required?
20. System/Service Portability: does the service provider provide support for the migration of the system or service to a different provider if/when necessary?
21. How rapidly can the service provider offerings scale to accommodate an increase in system usage or scope?
22. Does the service provider provide quality assurance (QA), user-acceptance (UA), and/or security testing during the SDLC?

Role of an IT Infrastructure Critical Partner in Design Phase
23. Does the detailed design documentation describe the logical components needed to keep the information system and data available and accessible?
24. Does the design documentation describe required monitoring and reporting, tools, operations, and procedures?
25. Have the logical models for data communication-related components been finalized?
26. Have the logical data models of the proposed information system been finalized?
27. Have procedures for developing, testing, and deploying changes, patches, updates, and configuration changes been defined?
28. Has the process to migrate the information system through the Dev/Test, staging, and production environments been defined?
29. Has the process for testing and deploying patches and updates through the Dev/Test, staging, and production environments been defined?
30. Has the disaster recovery requirement been developed in sufficient detail to meet recovery time objective (RTO) and recovery point objective (RPO) requirements within limits set by the standards and policies of the owning organization?
31. Have the roles, skill sets, tools, and technologies required to support the information system been documented?
32. Does the design document include details for managing internal and external relationships and service and/or operational level agreements (SLAs/OLAs)?
33. Does the design document include a Service Level Agreement monitoring and reporting plan for the provider organization?
34. Does the IT infrastructure Request for Proposal (RFP) contain the appropriate detail to procure the production components to support the implementation?
35. What is the service provider strategy for integrating with external components (databases, authentication & authorization services, etc.)?
36. Do the service provider's IT infrastructure service level agreements (SLAs) align with the functional requirements?
37. Is there a mechanism to audit against the SLAs?
38. Does the SLA meet risk-tolerance requirements?

Role of an IT Infrastructure Critical Partner in Development Phase
39. Were system and IT infrastructure components designed to support both anticipated and unanticipated growth?
40. Was information system and IT infrastructure performance tuning conducted synchronously with interrelated/dependent systems and services?

Role of an IT Infrastructure Critical Partner in Test Phase
41. Was there any tuning of system or infrastructure configuration items based on test results? Was the system documentation updated?
42. Have all internal and external network connectivity and data feeds from other systems been tested?
43. Have all test results, issues, and changes to the technical environment been recorded?
44. Did the Disaster Recovery test cover the key threats to the system and infrastructure identified in the risk management analysis?
45. Was a full integration test completed to validate end-to-end connectivity of integrated systems to meet system requirements and metrics?
46. Was user-acceptance testing conducted in an environment that accurately reflects the production use of the system or service?

Role of an IT Infrastructure Critical Partner in Implementation Phase
47. Has the impact of changed or updated configuration items been assessed?
48. Has a final review been performed following any required system tuning?
49. Are performance monitoring tools used to collect data operating as designed?
50. Have the monitoring thresholds for the system and infrastructure been defined in alignment with established SLAs (Service Level Agreements)?
51. Have the Service Level Agreement (SLA), reporting, communication, and mitigation criteria been finalized to account for actual operating conditions?
52. Is all system and IT infrastructure documentation finalized?
53. Is the documentation maintained in accordance with established change-control procedures?

Role of an IT Infrastructure Critical Partner in Operations & Maintenance Phase
54. Is there a procedure in place to handle high priority/out-of-band patches?
55. Is each functional operation and support area ready to assume operational responsibility and accountability for the information system and supporting infrastructure?

Role of an IT Infrastructure Critical Partner in Disposition Phase
56. Have all decommissioning activities related to the IT infrastructure been communicated to appropriate stakeholders and users?
57. Are there any third-party system retirement instructions to be taken into account?


Resources
The following list is a composite of resources to assist in conducting Stage Gate Reviews:

- CDC Enterprise Critical Partners as of 12/1/09. The names of these individuals may change over time; therefore, it is recommended that you visit the CDC CPIC intranet site (http://intranet.cdc.gov/cpic/) for up-to-date individuals (coming soon).
  Enterprise Architecture: Mike Perry & John Fitzpatrick
  IT Infrastructure: Earl Baum
  Security: Joseph Domingue & Kerey Carter
  Acquisition Management: Terrance Perry & Gary Sentelle
  Finance/Budget: Daniel J Hardee
  Human Resources*: Angelia Jarrard & Debbie George
  Section 508: Mark Urban
  CPIC: Sandra McGill
  Performance: Steve Racine

  * The Atlanta Human Resources Center (AHRC) handles HR issues for Civil Service personnel; HR for Commissioned Corps personnel and Training for all personnel are handled by the Office of Workforce and Career Development (OWCD) or its successor organizations.

- CDC UP for definition and examples of documents and deliverables at all phases (http://www.cdc.gov/cdcup)
- CDC Information Technology Strategic Plan FY 2009-2013 for CDC IT goals; also includes appendices with
  o CDC Health Protection Goals
  o HHS Information Technology Strategic Plan Goals & Objectives 2006-2010
- CDC Enterprise Architecture web site for CDC EA guiding principles (http://intranet.cdc.gov/ncphi/ea/ea_document_library.html)
- CDC Enterprise Systems Catalog for inventory of existing CDC systems (http://esc.cdc.gov/)
- CDC Financial Management Office (FMO) for budget formulation and appropriations guidance, budget execution, payments and executions, accounting, financial management systems, regulations/policies/procedures, and FMO Service Desk (http://intra-apps.cdc.gov/fmo/)
- CDC HealthImpact.net for inventory of existing CDC projects (http://healthimpactnet.cdc.gov/)
- CDC policy and procedures related to Capital Planning and Investment Control (CPIC), including Earned Value Management (EVM) (http://intranet.cdc.gov/cpic/)
- CDC Office of Workforce and Career Development (OWCD) for training considerations (http://intranet.cdc.gov/owcd/)
- CDC Office of Commissioned Corps Personnel for HR considerations for USPHS officers (http://www.cdc.gov/od/occp/)
- CDC Procurement and Grants (PGO) web site for contracts information and guidance (http://pgo.cdc.gov/pgo/ViewCategory.do?AudienceID=2) and IT Program Management Office (ITPMO) (http://pgo.cdc.gov/pgo/ViewCategory.do?AudienceID=4)
- CDC Section 508 guidance for web (http://intranet.cdc.gov/cdcweb/usability/508/)
- CDC Security information from OCISO (http://intranet.cdc.gov/ociso/)
- HHS Atlanta Human Resources Center (AHRC) for Civil Service HR considerations (http://intranet.cdc.gov/hr/index.html)
- HHS Enterprise Architecture Principles (http://www.hhs.gov/ocio/ea/architecture/index.html)
- HHS Portfolio Management Tool (PMT), also known as ProSight, for descriptions of existing investments (https://pmt.hhs.gov/)
- HHS Enterprise Architecture Repository (HEAR), also known as Troux Architect, for the architectural artifacts for existing Major and Tactical investments (see the Enterprise EA Critical Partner for access information)
- Federal Acquisition Regulation (FAR) web site (http://www.arnet.gov/far/)
- Federal Enterprise Architecture web site for e-Government Initiatives and their architectures as described in the Federal Transition Framework (http://www.whitehouse.gov/omb/e-gov/fea/)
- Federal CIO Council: Architecture Principles for the U.S. Government (http://www.cio.gov/library/documents_details.cfm?id=Architecture%20Principles%20for%20The%20U.S.%20Government%20&structure=Enterprise%20Architecture&category=Enterprise%20Architecture)
- OMB Circular A-11 for description of the Exhibit 300 and Exhibit 53 (http://www.whitehouse.gov/omb/financial_offm_circulars/)

Pages 193 through 951 redacted for the following reasons: ---------------------------All pages withheld under exemptions (b)(3) and (b)(4) - vendors response to RFI