Unraveling the B2B Process
LTC Linda Guthrie, Laboratory Manager, WAMC
LTC/Ms Robin Wein, B2B Project Manager, WAMC
Mr Jeff Shockley, Roche Diagnostics
OBJECTIVES • Understand the key functional benefits and impact to laboratory operations that the laboratory will realize with a networked laboratory vendor • Deliver an instructive presentation on the B2B and CON certification that WAMC pursued and achieved with Roche Diagnostics as their laboratory partner • Provide recommendations on developing a B2B and achieving network certification
ABSTRACT • Since the events of 9/11, the computer security requirements for DOD facilities have intensified and have had an impact on laboratories and their networked instrumentation/devices. The Business to Business Gateway is how laboratories obtain remote connectivity with commercial vendors. TIMPO, DISA, the MTF, and the vendor all play a role, but well-planned coordination is essential in streamlining this process.
MHS B2B Gateway • The MHS Business to Business (B2B) Gateway provides MHS commercial partners secure access to DoD locations for non-web based traffic. It provides an assured computing path for the enterprise. • The B2B Gateway was initially set up to support the Managed Care Support Contractors (MCSC) and is now available for use by designated providers and commercial partners connecting to the services. • Currently 40+ commercial partners connect to several DoD locations, including DMDC, DFAS, and the MTFs, via the B2B Gateway. • Over 3000 users and numerous system connections provide eligibility verification and claims for Active Duty, dependents, and retirees and remote maintenance for various healthcare programs and systems.
Key Stakeholders • TMA Falls Church • Joint Medical Information Systems Program Office (JMIS) • Defense Health Information Management System • Defense Health Services Systems (DHSS) • Tri-Service Infrastructure Management Program Office (TIMPO) • Information Assurance (IA) Program Office • Military Medical Departments/MTF • Defense Information System Agency (DISA) • Commercial Partners – i.e. Roche, MAS
Government Sponsors • Be knowledgeable on the B2B process • Do not initiate a B2B without having a contract with the vendor • Vendor evaluation – always verify the claims that a vendor states they have or can do. • More often than not, vendor sales personnel do not understand the B2B process and “think” that someone in their company has a DIACAP or a CON or a B2B initiated. • This claim usually cannot be substantiated • Verify with TIMPO if the vendor is on their VPN Connectivity list or if an initial B2B has been initiated or established.
Promises, Promises, Promises • Our company can remotely take control of your instrument in the laboratory to perform: • Troubleshooting • Potentially make repairs • Calibrations • Diagnostic procedures • Fix corrupt files • Monitor QC and Calibration
Vendor Promises • Without an established B2B these promised functions cannot take place in a DOD Lab! • The laboratory may be able to place equipment in the department, but the network connectivity is not possible until many lengthy requirements are met • Certificate of Networthiness (CON); or • DIACAP • Vendor background checks; IA Training • Diagrams • VPN device • Completed, tested, and approved B2B
Roles and Responsibilities Commercial Business Partner • Provide network information • Procure and install B2B Gateway compatible VPN/encryption device • Procure Tier I or Tier II Internet Service Provider for connectivity • Provide qualified on-site touch labor technical support • Help resolve telecommunications and support routine maintenance activities • Obtain DOD Information Assurance Certification and Accreditation Process (DIACAP) accreditation, or CON, as required • http://www.tricare.osd.mil/tmis_new/IA.htm#ditscap
Roles and Responsibilities Commercial Business Partners • Complete Data Use Agreement, if required • Ensure personnel have appropriate security qualifications • Ensure personnel complete annual Information Assurance Training • Report all problems to the MHS Help Desk • Provide 24 X 7 on call technical points of contact • Assist in problem resolution • Provide configuration management of B2B Gateway Questionnaire/VPN Implementation Plan
Roles and Responsibilities DoD Locations • Provide Ports, Protocol, and Services information necessary to support the B2B Gateway connection • Submit change request to local Change Control Board • Configure the local area network to support the B2B Gateway connection • Ensure that the appropriate technical support personnel are available to participate in end-to-end connectivity test • Ensure that the appropriate technical support personnel are available to participate in Problem Management
Many moving pieces in B2B Gateway • Background check – ADP Level 2 • Management Configuration Board • VPN Device • DD 2875 • TIMPO • Statement of Work (SOW) • DISA • DIACAP • Government Sponsor • Contract number • B2B Kick-off Meeting • Certificate of Networthiness – CON • As-Is Diagram • Front End Connectivity Testing • Last Mile Diagram • End to End testing • Firewalls • Go/No-Go conference call • IP Addresses • IA annual Training • SF 85P • SAIC
B2B Gateway Overview • Provides authorized MHS Business Partners secure access to DoD Network • Connects MHS information systems on Defense Information System Network (DISN) infrastructure and MHS Business Partners on commercial infrastructure in support of DoD healthcare mission • Complies with DISN policy • Provides support for non-Web based applications • Supports secure e-commerce for client/server and system-to-system interfaces • Enterprise solution • Not intended to provide a Secure Remote Access solution for individuals
B2B Gateway Management (diagram) • Parties shown: DISA Montgomery / DISA Columbus, MHS Business Partner, TIMPO VPN Team, .Mil Location • Responsibilities shown: Manages VPNs at MHS Business Partner location, DISA DECC Montgomery and Columbus • Manages MHS VPN domain; VPNs between DISA Columbus and the .Mil location • Manages their LAN • Procurement of VPN and Internet Service Provider; manages their LAN
B2B Gateway Functions • Provide an assured computing path for the enterprise • Meet authentication, integrity, and confidentiality requirements for DoD healthcare environment • Provide high availability and redundancy with duplicate components and diverse sites • Share components and circuits with Web DMZ • Support documented requirements for MHS Business Partner connections and services
B2B Gateway Security Features • Controlled access to the NIPRNet • Encryption • Triple Data Encryption Standard (3DES) Internet Protocol Security (IPSec) VPN • Contractor site to gateway • Gateway to DoD destination • Traffic/transaction inspection • Address translation simplifies DoD traffic filtering • User authentication to the Gateway • Individual user ID and password • Audit capability
B2B Gateway – Initial Steps • Government Sponsor • KNOW YOUR VENDOR! • Expectations up front • Commitment and drive to complete the B2B process • Purchase of VPN device • Time to coordinate with Hospital Project Manager • Ability to provide confidential proprietary information • May take 6 months to one year • Contract must be established first • Include IT Security requirements in Statement of Work (SOW)
Connectivity SOW • III. SOW for IT Connectivity Solution: A. Telecommunication: 1. All contractor systems that will communicate with DoD systems will interconnect through the established MHS B2B gateway. For all Web applications, contractors will connect to a DISA-established Web DMZ. 2. In accordance with contract requirements, MCS contractors will connect to the B2B gateway via a contractor procured Internet Service Provider (ISP) connection. Contractors will assume all responsibility for establishing and maintaining their connectivity to the B2B gateway. This will include acquiring and maintaining the circuit to the B2B gateway and acquiring a Virtual Private Network (VPN) device compatible with the MHS VPN device. 3. Contractors will comply with DoD guidance regarding allowable ports, protocols and risk mitigation strategies. 4. All cost for VPN hardware and software will be incurred by the contractor.
B2B Gateway – Initial Steps • B2B kick-off meeting conference call • TIMPO – Christopher McDonald • MTF –lab, IT, SAIC • Vendor awarded contract • Provide current B2B blank document (v6) to vendor prior to conference call • TIMPO will answer any questions from the group and steer all in the right direction
TIMPO Point of Contact • Christopher McDonald, KSJ & Associates, Contractor, Program Management Support, Tri-Service Infrastructure Management Program Office (TIMPO), 5205 Leesburg Pike, Suite 1301, Falls Church, VA 22041, 703-399-2276, Fax: x2260 • Christopher.McDonald.ctr@tma.osd.mil
B2B Gateway Coordinating/WAMC • Initial Vendor requirements • Certificate of Networthiness (CON) • Submitted to WAMC Project manager • Submitted to WAMC Management Configuration Board for local approval • Initiate Background checks (2 months+) • Establish POC in Security Office • Vendor employees work directly with Security Office • Complete DD85P • Once WAMC Security officer is satisfied with 85P completion, fingerprints, etc., it is submitted to OPM
B2B Gateway Coordinating -WAMC • DD Form 2875 – SAAR • System Authorization Access Request • Vendor employee completes after 85P submitted to Security Office • Information Assurance Training must be completed (annually thereafter) • Ft Gordon website • Certificate of Training submitted • Government sponsor and Project manager provide justification and approval signatures
B2B Gateway Coordinating -WAMC • DD Form 2875 – SAAR • Submitted to Security officer for review and signature • Delivered to local IASO for review, signature, and filing
B2B Gateway Coordinating • Vendor IT staff completes B2B • Some items of the CON may be duplicated in the B2B document • System performance requirements • VPN Implementation form • Connectivity requirements sheet (App E) • “As Is” Diagram • Last Mile Diagram • VPN device procured
B2B Gateway Coordinating • Vendor submits completed B2B document to WAMC Project manager • Reviewed to ensure all areas are filled in (i.e. no major blank areas) • Project manager works on B2B • POC information • Local IP addresses from IMD engineer • Project dates for testing • Submit to TIMPO – Chris McDonald – for initial approval
B2B Gateway Coordinating • WAMC Project manager attends local CMB to attain local IMD approvals • Provides overview for the IMD group • Answers IMD questions pertaining to the B2B • IP addresses provided following this approval process
B2B Gateway Coordinating • Go-No-Go Conference with TIMPO • Vendor, MTF, TIMPO, DISA • Purpose is to verify that all configuration changes needed to support successful connectivity test are complete • Final approval from DISA/TIMPO provided • Front end and End to End (E2E) testing dates projected
B2B Gateway Coordinating • Vendor mails VPN device to DISA Montgomery • Device is configured by DISA engineers • Device returned to Vendor for VPN to be racked and stacked. • Front end testing can now take place between DISA and the vendor • E2E testing usually follows two days later and this testing brings the MTF/destination site into the testing
B2B Gateway Coordinating • Vendor may have to have service engineers on site to assist with the testing • Once testing is complete, vendor equipment may be brought on line with full connectivity and networked capabilities
B2B – Adding another DOD site • Appendix E • IP addresses changed to the new site • The .mil POC information updated • Government sponsor name updated • RALS/MAS B2B established in April 09 • Sites added: • Camp Lejeune • William Beaumont AMC • NH Guam
Jeff Shockley – March 22, 2010 • B2B Gateway Implementation: A Vendor’s Perspective
B2B Gateway Implementation: High-Level Components of the Project • Contract Modification • Networthiness / DIACAP Documentation • Background Checks • B2B Gateway Documentation • B2B Gateway Connectivity / End-to-End Testing
B2B Gateway Implementation: Resource Requirements • Strong Gov’t Sponsor Commitment • Strong Vendor Commitment • Project Management • Application Engineers • Network Administration • Security Management • Legal • Human Resources • Instrumentation SMEs • Call Center / Service
B2B Gateway Implementation: Contract Modification • Fairly Straightforward • Contractor responsible for their VPN Hardware • Background Checks for all accessing systems
B2B Gateway Implementation: Networthiness / DIACAP • Sub-requirement for B2B Gateway • Requirement may be different per site or branch • CON vs DIACAP • Preliminary Security Scans • Proposed Mitigations • SME Analysis (ports, protocols, restrictions)
B2B Gateway Implementation: Background Checks • Phased / Batch Approach • Consent Release Form (opt-in) • US Citizens vs. non-US Citizens • Hands-on / Hands-off Balance • Expense Reimbursement • Annual Security Awareness Training
B2B Gateway Implementation: B2B Gateway Documentation • Huge Amount of Information Overlap with CON / DIACAP • Network Infrastructure Understanding • network boundaries • firewalls • Ports and IP Address Restrictions • As-Is Diagram • Timing / Schedule Expectations
B2B Gateway Implementation: Going Forward – Setting the Foundation • Contract modification (each site) • CON / DIACAP (each site) • B2B Gateway Documentation (modification) • Background Checks (no changes)
Thank you for your attention. • Roche Diagnostics Ltd., 6343 Rotkreuz, Switzerland • COBAS and LIFE NEEDS ANSWERS are trademarks of Roche. • This presentation is our intellectual property. Without our written consent, it shall neither be copied in any manner, nor used for manufacturing, nor communicated to third parties.