Unraveling the B2B Process

LTC Linda Guthrie, Laboratory Manager, WAMC
LTC/Ms Robin Wein, B2B Project Manager, WAMC
Mr Jeff Shockley, Roche Diagnostics
OBJECTIVES
• Understand the key functional benefits and impact to laboratory operations that the laboratory will realize with a networked laboratory vendor
• Deliver an instructive presentation on the B2B and CON certification that WAMC pursued and achieved with Roche Diagnostics as their laboratory partner
• Provide recommendations on developing a B2B and achieving network certification

ABSTRACT

Since the events of 9/11, the computer security requirements for DOD facilities have intensified, and this has had an impact on laboratories and their networked instrumentation and devices. The Business to Business Gateway is how laboratories obtain remote connectivity with commercial vendors. TIMPO, DISA, the MTF, and the vendor all play a role, but well-planned coordination is essential to streamlining this process.
MHS B2B Gateway
• The MHS Business to Business (B2B) Gateway provides MHS commercial partners secure access to DoD locations for non-web based traffic. It provides an assured computing path for the enterprise.
• The B2B Gateway was initially set up to support the Managed Care Support Contractors (MCSC) and is now available for use by designated providers and commercial partners connecting to the services.
◦ Currently 40+ commercial partners connect to several DoD locations, including DMDC, DFAS, and the MTFs, via the B2B Gateway.
◦ Over 3000 users and numerous system connections provide eligibility verification and claims for Active Duty, dependents, and retirees and remote maintenance for various healthcare programs and systems.
Key Stakeholders

• TMA Falls Church
◦ Joint Medical Information Systems Program Office (JMIS)
- Defense Health Information Management System
- Defense Health Services Systems (DHSS)
- Tri-Service Infrastructure Management Program Office (TIMPO)
◦ Information Assurance (IA) Program Office
• Military Medical Departments/MTF
• Defense Information System Agency (DISA)
• Commercial Partners, e.g. Roche, MAS
• Government Sponsors


• Be knowledgeable on the B2B process
• Do not initiate a B2B without having a contract with the vendor
◦ Vendor evaluation: always verify the claims that a vendor states they have or can do.
- More often than not, vendor sales personnel do not understand the B2B process and “think” that someone in their company has a DIACAP or a CON or a B2B initiated.
- This claim usually cannot be substantiated.
◦ Verify with TIMPO if the vendor is on their VPN Connectivity list or if an initial B2B has been initiated or established.
Promises, Promises, Promises

• Our company can remotely take control of your instrument in the laboratory to perform:
◦ Troubleshooting
◦ Potentially make repairs
◦ Calibrations
◦ Diagnostic procedures
◦ Fix corrupt files
◦ Monitor QC and Calibration
Vendor Promises

• Without an established B2B these promised functions cannot take place in a DOD Lab!
• The laboratory may be able to place equipment in the department, but the network connectivity is not possible until many lengthy requirements are met:
◦ Certificate of Net Worthiness (CON); or
◦ DIACAP
◦ Vendor background checks; IA Training
◦ Diagrams
◦ VPN device
◦ Completed, tested, and approved B2B
Roles and Responsibilities
Commercial Business Partner

• Provide network information
• Procure and install B2B Gateway compatible VPN/encryption device
• Procure Tier I or Tier II Internet Service Provider for connectivity
• Provide qualified on-site touch labor technical support
◦ Help resolve telecommunications and support routine maintenance activities
• Obtain DOD Information Assurance Certification and Accreditation Process (DIACAP) accreditation, or CON, as required
◦ http://www.tricare.osd.mil/tmis_new/IA.htm#ditscap
Roles and Responsibilities
Commercial Business Partners
• Complete Data Use Agreement, if required
• Ensure personnel have appropriate security qualifications
◦ Ensure personnel complete annual Information Assurance Training
• Report all problems to the MHS Help Desk
• Provide 24 x 7 on-call technical points of contact
◦ Assist in problem resolution
• Provide configuration management of B2B Gateway Questionnaire/VPN Implementation Plan
Roles and Responsibilities
DoD Locations

• Provide Ports, Protocol, and Services information necessary to support the B2B Gateway connection
• Submit change request to local Change Control Board
• Configure the local area network to support the B2B Gateway connection
• Ensure that the appropriate technical support personnel are available to participate in end-to-end connectivity test
• Ensure that the appropriate technical support personnel are available to participate in Problem Management
Many moving pieces in B2B Gateway
(Slide figure: a cloud of the pieces involved.) VPN device; TIMPO; Government Sponsor; Certificate of Net worthiness (CON); Go/No-Go conference call; DD 2875; Statement of Work (SOW); As-Is diagram; firewalls; SAIC; background check (ADP Level 2); DISA; DIACAP; contract number; front end connectivity testing; IA annual training; Management Configuration Board; Last Mile diagram; IP addresses; B2B kick-off meeting; end-to-end testing; SF 85P.
B2B Requirements overview
• Well-written Contract SOW
• Vendor Personnel Security
• IT Diagrams
• CON/DIACAP
• IP Addresses; VPN device
• Approved B2B document
• DISA and TIMPO
B2B Gateway Overview

• Provides authorized MHS Business Partners secure access to DoD Network
◦ Connects MHS information systems on Defense Information System Network (DISN) infrastructure and MHS Business Partners on commercial infrastructure in support of DoD healthcare mission
◦ Complies with DISN policy
◦ Provides support for non-Web based applications
◦ Supports secure e-commerce for client/server and system-to-system interfaces
• Enterprise solution
◦ Not intended to provide a Secure Remote Access solution for individuals
B2B Gateway Management
• MHS Business Partner: procurement of VPN and Internet Service Provider; manages their LAN
• DISA Montgomery/TIMPO VPN Team: manages VPNs at MHS Business Partner location, DISA DECC Montgomery and Columbus
• DISA Columbus: manages MHS VPN domain; VPNs between DISA Columbus and the .Mil location
• .Mil Location: manages their LAN
(slide footer: 4/7/2015, v 1.0)
B2B Gateway Functions
• Provide an assured computing path for the enterprise
• Meet authentication, integrity, and confidentiality requirements for DoD healthcare environment
• Provide high availability and redundancy with duplicate components and diverse sites
• Share components and circuits with Web DMZ
• Support documented requirements for MHS Business Partner connections and services
B2B Gateway Security Features
• Controlled access to the NIPRNet
• Encryption
◦ Triple Data Encryption Standard (3DES) Internet Protocol Security (IPSec) VPN
◦ Contractor site to gateway
◦ Gateway to DoD destination
• Traffic/transaction inspection
• Address translation simplifies DoD traffic filtering
• User authentication to the Gateway
◦ Individual user ID and password
• Audit capability
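The address-translation and audit bullets above are easier to see in miniature. The following Python model is an added illustration written for this transcript, not MHS, DISA or Roche code: the three partner sites (TEST-NET addresses), the gateway pool 192.0.2.0/29 and the two MTF services are all constructed assumptions. It shows that once the gateway rewrites every enrolled partner into one address pool and logs each translation, the .mil-side firewall needs one rule per exposed service instead of one per partner per service, and that an unenrolled source never reaches that firewall at all.

```python
"""Toy model of a translating gateway in front of a .mil firewall.

Constructed for illustration only; not MHS/DISA/Roche code. All addresses,
pool sizes and services below are hypothetical.
"""
import ipaddress
from dataclasses import dataclass, field

# Constructed sample data: partner tunnel endpoints in RFC 5737 TEST-NET ranges.
PARTNER_SITES = {
    "partner-a": "198.51.100.10",
    "partner-b": "203.0.113.25",
    "partner-c": "198.51.100.77",
}
# Constructed services the MTF exposes to partners: (destination host, TCP port).
MTF_SERVICES = [("10.10.1.5", 443), ("10.10.1.9", 22)]
# Constructed gateway pool (RFC 5737 documentation range).
GATEWAY_POOL = ipaddress.ip_network("192.0.2.0/29")


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int


@dataclass
class Gateway:
    """Models the gateway hop: a source is accepted only if it is an enrolled
    tunnel endpoint, its address is rewritten into the gateway pool, and every
    decision is appended to an audit log."""
    enrolled: dict                                  # partner name -> endpoint address
    pool: ipaddress.IPv4Network = GATEWAY_POOL
    nat: dict = field(default_factory=dict)         # endpoint address -> pool address
    audit: list = field(default_factory=list)

    def __post_init__(self):
        # One pool address per enrolled partner, assigned in partner-name order.
        hosts = list(self.pool.hosts())
        if len(self.enrolled) > len(hosts):
            raise ValueError("pool too small for enrolled partners")
        for (_, addr), pool_addr in zip(sorted(self.enrolled.items()), hosts):
            self.nat[addr] = str(pool_addr)

    def translate(self, flow: Flow):
        """Return the translated flow, or None if the source is not enrolled."""
        if flow.src not in self.nat:
            self.audit.append(("reject", flow.src, flow.dst, flow.dport))
            return None
        out = Flow(self.nat[flow.src], flow.dst, flow.dport)
        self.audit.append(("translate", flow.src, out.src, flow.dst, flow.dport))
        return out


def rules_without_nat(partner_addrs, services):
    """Allow rules the .mil firewall would need if partners arrived untranslated:
    one (source /32, destination, port) rule per partner per service."""
    return {(ipaddress.ip_network(f"{a}/32"), d, p)
            for a in partner_addrs for d, p in services}


def rules_with_nat(pool, services):
    """Allow rules behind a translating gateway: one rule per service, keyed on
    the gateway pool, however many partners enroll."""
    return {(pool, d, p) for d, p in services}


def firewall_allows(flow: Flow, rules) -> bool:
    src = ipaddress.ip_address(flow.src)
    return any(src in net and flow.dst == d and flow.dport == p
               for net, d, p in rules)


def demo():
    gw = Gateway(enrolled=PARTNER_SITES)
    dod_rules = rules_with_nat(gw.pool, MTF_SERVICES)
    results = {}
    # Enrolled partner, exposed service: translated, then allowed at the .mil edge.
    f1 = gw.translate(Flow("198.51.100.10", "10.10.1.5", 443))
    results["enrolled_allowed"] = f1 is not None and firewall_allows(f1, dod_rules)
    # Enrolled partner, service not offered: translated but blocked by the .mil rules.
    f2 = gw.translate(Flow("203.0.113.25", "10.10.1.5", 3389))
    results["enrolled_wrong_port"] = f2 is not None and firewall_allows(f2, dod_rules)
    # Unknown source: rejected at the gateway, never reaches the .mil firewall.
    results["unenrolled"] = gw.translate(Flow("203.0.113.99", "10.10.1.5", 443)) is None
    results["rules_without_nat"] = len(rules_without_nat(PARTNER_SITES.values(), MTF_SERVICES))
    results["rules_with_nat"] = len(dod_rules)
    results["audit_entries"] = len(gw.audit)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running the block prints the results dictionary: six rules without translation against two with it, and three audit entries for three decisions. One caveat a current deployment would apply to the encryption bullet: the deck names 3DES for the IPsec tunnels, and NIST SP 800-131A has since disallowed 3DES for encryption after 2023, so the tunnels would now be built on AES.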
B2B Gateway – Initial Steps

• Government Sponsor
◦ KNOW YOUR VENDOR!
◦ Expectations up front
- Commitment and drive to complete the B2B process
- Purchase of VPN device
- Time to coordinate with Hospital Project Manager
- Ability to provide confidential proprietary information
- May take 6 months to one year
• Contract must be established first
◦ Include IT Security requirements in Statement of Work (SOW)
Connectivity SOW
III. SOW for IT Connectivity Solution:
A. Telecommunication:
1. All contractor systems that will communicate with DoD systems will interconnect through the established MHS B2B gateway. For all Web applications, contractors will connect to a DISA-established Web DMZ.
2. In accordance with contract requirements, MCS contractors will connect to the B2B gateway via a contractor-procured Internet Service Provider (ISP) connection. Contractors will assume all responsibility for establishing and maintaining their connectivity to the B2B gateway. This will include acquiring and maintaining the circuit to the B2B gateway and acquiring a Virtual Private Network (VPN) device compatible with the MHS VPN device.
3. Contractors will comply with DoD guidance regarding allowable ports, protocols and risk mitigation strategies.
4. All costs for VPN hardware and software will be incurred by the contractor.
B2B Gateway – Initial Steps

• B2B kick-off meeting conference call
◦ TIMPO – Christopher McDonald
◦ MTF – lab, IT, SAIC
◦ Vendor awarded contract
• Provide current B2B blank document (v6) to vendor prior to conference call
◦ TIMPO will answer any questions from the group and steer all in the right direction

TIMPO Point of Contact
Christopher McDonald
KSJ & Associates, Contractor
Program Management Support
Tri-Service Infrastructure Management Program Office (TIMPO)
5205 Leesburg Pike, Suite 1301
Falls Church, VA 22041
703-399-2276 Fax: x2260
[email protected]
B2B Gateway Coordinating/WAMC

• Initial Vendor requirements
◦ Certificate of Networthiness (CON)
- Submitted to WAMC Project manager
- Submitted to WAMC Management Configuration Board for local approval
◦ Initiate Background checks (2 months+)
- Establish POC in Security Office
- Vendor employees work directly with Security Office
- Complete DD85P
- Once WAMC Security officer is satisfied with 85P completion, fingerprints, etc., it is submitted to OPM
B2B Gateway Coordinating - WAMC

• DD Form 2875 – SAAR
◦ System Authorization Access Request
◦ Vendor employee completes after 85P submitted to Security Office
◦ Information Assurance Training must be completed (annually thereafter)
- Ft Gordon website
- Certificate of Training submitted
◦ Government sponsor and Project manager provide justification and approval signatures
B2B Gateway Coordinating - WAMC

• DD Form 2875 – SAAR
◦ Submitted to Security officer for review and signature
◦ Delivered to local IASO for review, signature, and filing
B2B Gateway Coordinating

• Vendor IT staff completes B2B
◦ Some items of the CON may be duplicated in the B2B document
◦ System performance requirements
◦ VPN Implementation form
◦ Connectivity requirements sheet (App E)
◦ “As Is” Diagram
◦ Last Mile Diagram
• VPN device procured
B2B Gateway Coordinating

• Vendor submits completed B2B document to WAMC Project manager
◦ Reviewed to ensure all areas are filled in (i.e. no major blank areas)
◦ Project manager works on B2B
- POC information
- Local IP addresses from IMD engineer
- Project dates for testing
- Submit to TIMPO – Chris McDonald – for initial approval
B2B Gateway Coordinating

• WAMC Project manager attends local CMB to attain local IMD approvals
◦ Provides overview for the IMD group
◦ Answers IMD questions pertaining to the B2B
◦ IP addresses provided following this approval process
B2B Gateway Coordinating

• Go/No-Go Conference with TIMPO
◦ Vendor, MTF, TIMPO, DISA
◦ Purpose is to verify that all configuration changes needed to support successful connectivity test are complete
◦ Final approval from DISA/TIMPO provided
◦ Front end and End to End (E2E) testing dates projected
B2B Gateway Coordinating

• Vendor mails VPN device to DISA Montgomery
◦ Device is configured by DISA engineers
◦ Device returned to Vendor for VPN to be racked and stacked.
◦ Front end testing can now take place between DISA and the vendor
◦ E2E testing usually follows two days later and this testing brings the MTF/destination site into the testing
B2B Gateway Coordinating
• Vendor may have to have service engineers on site to assist with the testing
• Once testing is complete, vendor equipment may be brought online with full connectivity and networked capabilities

B2B – Adding another DOD site

• Appendix E
◦ IP addresses changed to the new site
◦ The .mil POC information updated
◦ Government sponsor name updated
• RALS/MAS B2B established in April 09
◦ Sites added:
- Camp Lejeune
- William Beaumont AMC
- NH Guam
Jeff Shockley – March 22, 2010
B2B Gateway Implementation
A Vendor’s Perspective
B2B Gateway Implementation
High-Level Components of the Project
• Contract Modification
• Networthiness / DIACAP Documentation
• Background Checks
• B2B Gateway Documentation
• B2B Gateway Connectivity / End-to-End Testing
B2B Gateway Implementation
Resource Requirements
• Strong Gov’t Sponsor
Commitment
• Strong Vendor
Commitment
• Project Management
• Application Engineers
• Network Administration
• Security Management
• Legal
• Human Resources
• Instrumentation SMEs
• Call Center / Service
B2B Gateway Implementation
Contract Modification
• Fairly Straightforward
• Contractor responsible for their VPN Hardware
• Background Checks for all accessing systems
B2B Gateway Implementation
Networthiness / DIACAP
• Sub-requirement for B2B Gateway
• Requirement may be different per site or branch
• CON vs DIACAP
• Preliminary Security Scans
• Proposed Mitigations
• SME Analysis (ports, protocols, restrictions)
B2B Gateway Implementation
Background Checks
• Phased / Batch Approach
• Consent Release Form (opt-in)
• US Citizens vs. non-US Citizens
• Hands-on / Hands-off Balance
• Expense Reimbursement
• Annual Security Awareness Training
B2B Gateway Implementation
B2B Gateway Documentation
• Huge Amount of Information Overlap with CON / DIACAP
• Network Infrastructure Understanding
◦ network boundaries
◦ firewalls
• Ports and IP Address Restrictions
• As-Is Diagram
• Timing / Schedule Expectations
B2B Gateway Implementation
Going Forward – Setting the Foundation
• Contract modification (each site)
• CON / DIACAP (each site)
• B2B Gateway Documentation (modification)
• Background Checks (no changes)
Thank you for your attention.
Roche Diagnostics Ltd.
6343 Rotkreuz
Switzerland
COBAS and LIFE NEEDS
ANSWERS are trademarks of
Roche
This presentation is our intellectual property. Without our written consent, it shall neither
be copied in any manner, nor used for manufacturing, nor communicated to third parties.