Unraveling the B2B Process

LTC Linda Guthrie, Laboratory Manager, WAMC; LTC/Ms Robin Wein, B2B Project Manager, WAMC; Mr Jeff Shockley, Roche Diagnostics

Post on 31-Dec-2015

Page 1: Unraveling the B2B Process

Unraveling the B2B Process

LTC Linda Guthrie, Laboratory Manager, WAMC
LTC/Ms Robin Wein, B2B Project Manager, WAMC
Mr Jeff Shockley, Roche Diagnostics

Page 2: Unraveling the B2B Process

OBJECTIVES

• Understand the key functional benefits and impact to laboratory operations that the laboratory will realize with a networked laboratory vendor
• Deliver an instructive presentation on the B2B and CON certification that WAMC pursued and achieved with Roche Diagnostics as their laboratory partner
• Provide recommendations on developing a B2B and achieving network certification

Page 3: Unraveling the B2B Process

ABSTRACT

Since the events of 9/11, the computer security requirements for DOD facilities have intensified and have had an impact on laboratories and their networked instrumentation/devices. The Business to Business Gateway is how laboratories obtain remote connectivity with commercial vendors. TIMPO, DISA, the MTF, and the vendor all play a role, but well-planned coordination is essential in streamlining this process.

Page 4: Unraveling the B2B Process

MHS B2B Gateway

• The MHS Business to Business (B2B) Gateway provides MHS commercial partners secure access to DoD locations for non-web based traffic. It provides an assured computing path for the enterprise.
• The B2B Gateway was initially set up to support the Managed Care Support Contractors (MCSC) and is now available for use by designated providers and commercial partners connecting to the services.
  ◦ Currently 40+ commercial partners connect to several DoD locations, including DMDC, DFAS, and the MTFs, via the B2B Gateway.
  ◦ Over 3000 users and numerous system connections provide eligibility verification and claims for Active Duty, dependents, and retirees and remote maintenance for various healthcare programs and systems.

Page 5: Unraveling the B2B Process

Key Stakeholders

• TMA Falls Church
  ◦ Joint Medical Information Systems Program Office (JMIS)
    - Defense Health Information Management System
    - Defense Health Services Systems (DHSS)
    - Tri-Service Infrastructure Management Program Office (TIMPO)
  ◦ Information Assurance (IA) Program Office
• Military Medical Departments/MTF
• Defense Information System Agency (DISA)
• Commercial Partners – i.e. Roche, MAS

Page 6: Unraveling the B2B Process

Government Sponsors

• Be knowledgeable on the B2B process
• Do not initiate a B2B without having a contract with the vendor
  ◦ Vendor evaluation – always verify the claims that a vendor states they have or can do.
    - More often than not, vendor sales personnel do not understand the B2B process and “think” that someone in their company has a DIACAP or a CON or a B2B initiated.
    - This claim usually cannot be substantiated
  ◦ Verify with TIMPO if the vendor is on their VPN Connectivity list or if an initial B2B has been initiated or established.

Page 7: Unraveling the B2B Process

Promises, Promises, Promises

• Our company can remotely take control of your instrument in the laboratory to perform:
  ◦ Troubleshooting
  ◦ Potentially make repairs
  ◦ Calibrations
  ◦ Diagnostic procedures
  ◦ Fix corrupt files
  ◦ Monitor QC and Calibration

Page 8: Unraveling the B2B Process

Vendor Promises

• Without an established B2B these promised functions cannot take place in a DOD Lab!
• The laboratory may be able to place equipment in the department, but the network connectivity is not possible until many lengthy requirements are met
  ◦ Certificate of Net Worthiness (CON); or
  ◦ DIACAP
  ◦ Vendor background checks; IA Training
  ◦ Diagrams
  ◦ VPN device
  ◦ Completed, tested, and approved B2B

Page 9: Unraveling the B2B Process

Roles and Responsibilities: Commercial Business Partner

• Provide network information
• Procure and install B2B Gateway compatible VPN/encryption device
• Procure Tier I or Tier II Internet Service Provider for connectivity
• Provide qualified on-site touch labor technical support
  ◦ Help resolve telecommunications and support routine maintenance activities
• Obtain DOD Information Assurance Certification and Accreditation Process (DIACAP) accreditation, or CON, as required

http://www.tricare.osd.mil/tmis_new/IA.htm#ditscap

Page 10: Unraveling the B2B Process

Roles and Responsibilities: Commercial Business Partners

• Complete Data Use Agreement, if required
• Ensure personnel have appropriate security qualifications
• Ensure personnel complete annual Information Assurance Training
• Report all problems to the MHS Help Desk
• Provide 24 X 7 on call technical points of contact
  ◦ Assist in problem resolution
• Provide configuration management of B2B Gateway Questionnaire/VPN Implementation Plan

Page 11: Unraveling the B2B Process

Roles and Responsibilities: DoD Locations

• Provide Ports, Protocol, and Services information necessary to support the B2B Gateway connection
• Submit change request to local Change Control Board
• Configure the local area network to support the B2B Gateway connection
• Ensure that the appropriate technical support personnel are available to participate in end-to-end connectivity test
• Ensure that the appropriate technical support personnel are available to participate in Problem Management

Page 12: Unraveling the B2B Process

Many moving pieces in B2B Gateway

DD 2875

Background check –ADP Level 2

Certificate of Net worthiness - CON

Contract number

Statement of Work (SOW)

DIACAP

Management Configuration Board

Front End Connectivity Testing

End to End testing

TIMPO

DISA

B2B Kick-off Meeting

As-Is Diagram

Last Mile Diagram

Government Sponsor

IP Addresses

Firewalls

SAIC IA annual Training

Go/No-Go conference call

SF 85P

VPN Device

Page 13: Unraveling the B2B Process

B2B Requirements - overview

Page 14: Unraveling the B2B Process

B2B Gateway Overview

• Provides authorized MHS Business Partners secure access to DoD Network
  ◦ Connects MHS information systems on Defense Information System Network (DISN) infrastructure and MHS Business Partners on commercial infrastructure in support of DoD healthcare mission
  ◦ Complies with DISN policy
  ◦ Provides support for non-Web based applications
  ◦ Supports secure e-commerce for client/server and system-to-system interfaces
• Enterprise solution
  ◦ Not intended to provide a Secure Remote Access solution for individuals

Page 15: Unraveling the B2B Process

B2B Gateway Management

Diagram labels: TIMPO VPN Team; .Mil Location; MHS Business Partner; DISA Montgomery/DISA Columbus

Procurement of VPN and Internet Service Provider. Manages their LAN

Manages VPNs at MHS Business Partner location, DISA DECC Montgomery and Columbus

Manages MHS VPN domain. VPNs between DISA Columbus and the .Mil location

Manages their LAN

Page 16: Unraveling the B2B Process

B2B Gateway Functions

• Provide an assured computing path for the enterprise

• Meet authentication, integrity, and confidentiality requirements for DoD healthcare environment

• Provide high availability and redundancy with duplicate components and diverse sites

• Share components and circuits with Web DMZ

• Support documented requirements for MHS Business Partner connections and services

Page 17: Unraveling the B2B Process

B2B Gateway Security Features

• Controlled access to the NIPRNet
• Encryption
  ◦ Triple Data Encryption Standard (3DES) Internet Protocol Security (IPSec) VPN
  ◦ Contractor site to gateway
  ◦ Gateway to DoD destination
• Traffic/transaction inspection
• Address translation simplifies DoD traffic filtering
• User authentication to the Gateway
  ◦ Individual user ID and password
• Audit capability

Page 18: Unraveling the B2B Process

B2B Gateway – Initial Steps

• Government Sponsor
  ◦ KNOW YOUR VENDOR!
  ◦ Expectations up front
    - Commitment and drive to complete the B2B process
    - Purchase of VPN device
    - Time to coordinate with Hospital Project Manager
    - Ability to provide confidential proprietary information
    - May take 6 months to one year
• Contract must be established first
  ◦ Include IT Security requirements in Statement of Work (SOW)

Page 19: Unraveling the B2B Process

Connectivity SOW

III. SOW for IT Connectivity Solution:
A. Telecommunication:
1. All contractor systems that will communicate with DoD systems will interconnect through the established MHS B2B gateway. For all Web applications, contractors will connect to a DISA-established Web DMZ.
2. In accordance with contract requirements, MCS contractors will connect to the B2B gateway via a contractor procured Internet Service Provider (ISP) connection. Contractors will assume all responsibility for establishing and maintaining their connectivity to the B2B gateway. This will include acquiring and maintaining the circuit to the B2B gateway and acquiring a Virtual Private Network (VPN) device compatible with the MHS VPN device.
3. Contractors will comply with DoD guidance regarding allowable ports, protocols and risk mitigation strategies.
4. All cost for VPN hardware and software will be incurred by the contractor.

Page 20: Unraveling the B2B Process

B2B Gateway – Initial Steps

• B2B kick-off meeting conference call
  ◦ TIMPO – Christopher McDonald
  ◦ MTF – lab, IT, SAIC
  ◦ Vendor awarded contract
• Provide current B2B blank document (v6) to vendor prior to conference call
• TIMPO will answer any questions from the group and steer all in the right direction

Page 21: Unraveling the B2B Process

TIMPO Point of Contact

Christopher McDonald
KSJ & Associates, Contractor
Program Management Support
Tri-Service Infrastructure Management Program Office (TIMPO)
5205 Leesburg Pike, Suite 1301
Falls Church, VA 22041
703-399-2276 Fax: x2260

Page 22: Unraveling the B2B Process

B2B Gateway Coordinating/WAMC

• Initial Vendor requirements
  ◦ Certificate of Networthiness (CON)
    - Submitted to WAMC Project manager
    - Submitted to WAMC Management Configuration Board for local approval
  ◦ Initiate Background checks (2 months+)
    - Establish POC in Security Office
    - Vendor employees work directly with Security Office
    - Complete DD85P
    - Once WAMC Security officer is satisfied with 85P completion, finger prints, etc, it is submitted to OPM

Page 23: Unraveling the B2B Process

B2B Gateway Coordinating - WAMC

• DD Form 2875 – SAAR
  ◦ System Authorization Access Request
  ◦ Vendor employee completes after 85P submitted to Security Office
  ◦ Information Assurance Training must be completed (annually thereafter)
    - Ft Gordon website
    - Certificate of Training submitted
  ◦ Government sponsor and Project manager provide justification and approval signatures

Page 24: Unraveling the B2B Process

B2B Gateway Coordinating - WAMC

• DD Form 2875 – SAAR
  ◦ Submitted to Security officer for review and signature
  ◦ Delivered to local IASO for review, signature, and filing

Page 25: Unraveling the B2B Process

B2B Gateway Coordinating

• Vendor IT staff completes B2B
  ◦ Some items of the CON may be duplicated in the B2B document
  ◦ System performance requirements
  ◦ VPN Implementation form
  ◦ Connectivity requirements sheet (App E)
  ◦ “As Is” Diagram
  ◦ Last Mile Diagram
• VPN device procured

Page 26: Unraveling the B2B Process

B2B Gateway Coordinating

• Vendor submits completed B2B document to WAMC Project manager
  ◦ Reviewed to ensure all areas are filled in (i.e. no major blank areas)
  ◦ Project manager works on B2B
    - POC information
    - Local IP addresses from IMD engineer
    - Project dates for testing
    - Submit to TIMPO – Chris McDonald – for initial approval

Page 27: Unraveling the B2B Process

B2B Gateway Coordinating

• WAMC Project manager attends local CMB to attain local IMD approvals
  ◦ Provides overview for the IMD group
  ◦ Answers IMD questions pertaining to the B2B
  ◦ IP addresses provided following this approval process

Page 28: Unraveling the B2B Process

B2B Gateway Coordinating

• Go-No-Go Conference with TIMPO
  ◦ Vendor, MTF, TIMPO, DISA
  ◦ Purpose is to verify that all configuration changes needed to support successful connectivity test are complete
  ◦ Final approval from DISA/TIMPO provided
  ◦ Front end and End to End (E2E) testing dates projected

Page 29: Unraveling the B2B Process

B2B Gateway Coordinating

• Vendor mails VPN device to DISA Montgomery
  ◦ Device is configured by DISA engineers
  ◦ Device returned to Vendor for VPN to be racked and stacked.
  ◦ Front end testing can now take place between DISA and the vendor
  ◦ E2E testing usually follows two days later and this testing brings the MTF/destination site into the testing

Page 30: Unraveling the B2B Process

B2B Gateway Coordinating

• Vendor may have to have service engineers on site to assist with the testing
• Once testing is complete, vendor equipment may be brought on line with full connectivity and networked capabilities

Page 31: Unraveling the B2B Process

B2B – Adding another DOD site

• Appendix E
  ◦ IP addresses changed to the new site
  ◦ The .mil POC information updated
  ◦ Government sponsor name updated
• RALS/MAS B2B established in April 09
  ◦ Sites added:
    - Camp Lejeune
    - William Beaumont AMC
    - NH Guam

Page 32: Unraveling the B2B Process

B2B Gateway Implementation
A Vendor’s Perspective

Jeff Shockley – March 22, 2010

Page 33: Unraveling the B2B Process

B2B Gateway Implementation
High-Level Components of the Project

• Contract Modification
• Networthiness / DIACAP Documentation
• Background Checks
• B2B Gateway Documentation
• B2B Gateway Connectivity / End-to-End Testing

Page 34: Unraveling the B2B Process

B2B Gateway Implementation
Resource Requirements

• Strong Gov’t Sponsor Commitment
• Strong Vendor Commitment
• Project Management
• Application Engineers
• Network Administration
• Security Management
• Legal
• Human Resources
• Instrumentation SMEs
• Call Center / Service

Page 35: Unraveling the B2B Process

B2B Gateway Implementation
Contract Modification

• Fairly Straightforward
• Contractor responsible for their VPN Hardware
• Background Checks for all accessing systems

Page 36: Unraveling the B2B Process

B2B Gateway Implementation
Networthiness / DIACAP

• Sub-requirement for B2B Gateway
• Requirement may be different per site or branch
• CON vs DIACAP
• Preliminary Security Scans
• Proposed Mitigations
• SME Analysis (ports, protocols, restrictions)

Page 37: Unraveling the B2B Process

B2B Gateway Implementation
Background Checks

• Phased / Batch Approach
• Consent Release Form (opt-in)
• US Citizens vs. non-US Citizens
• Hands-on / Hands-off Balance
• Expense Reimbursement
• Annual Security Awareness Training

Page 38: Unraveling the B2B Process

B2B Gateway Implementation
B2B Gateway Documentation

• Huge Amount of Information Overlap with CON / DIACAP
• Network Infrastructure Understanding
  ◦ network boundaries
  ◦ firewalls
• Ports and IP Address Restrictions
• As-Is Diagram
• Timing / Schedule Expectations

Page 39: Unraveling the B2B Process

B2B Gateway Implementation
Going Forward – Setting the Foundation

• Contract modification (each site)
• CON / DIACAP (each site)
• B2B Gateway Documentation (modification)
• Background Checks (no changes)

Page 40: Unraveling the B2B Process

Thank you for your attention.

Roche Diagnostics Ltd.
6343 Rotkreuz
Switzerland

COBAS and LIFE NEEDS ANSWERS are trademarks of Roche

This presentation is our intellectual property. Without our written consent, it shall neither be copied in any manner, nor used for manufacturing, nor communicated to third parties.