Office of the Chief Information Officer

United States Department of Agriculture

Enterprise Services

Service Description

Enterprise Services is a collection of services that offer the customer wide-reaching IT solutions with robust capability at attractive costs. Messaging, Active Directory, and Enterprise Virtual Private Network management are all part of the service.

Enterprise Messaging System Cloud Services (EMSCS)

EMSCS is an information technology communication service used by all USDA organizations. EMSCS is managed by OCIO and the service is provided by Microsoft Corporation.

  • Outlook/Exchange: Standard email and calendar support provides 50 GB of storage per end user mailbox. Attachments up to 50 MB in size are supported. Also provided are the Skype/Lync client for instant messaging and presence, archiving, spam and virus filtering, the USDA Global Address List, distribution lists, resource accounts, and test accounts (test accounts may not be logged into or they will then incur charges). Outlook Web access is available on internal USDA networks. Quantities are determined by reporting from Active Directory. Exchange Online Archiving (EOA) is available to all users, and ProofPoint is available in read-only mode for email after USDA’s move to the Government Community Cloud. ProofPoint can be accessed from the ProofPoint Access Link to retrieve all sent and received messages that may have been deleted and/or lost from that user’s mailbox only since the user was migrated to EMSCS. All users who participate in EMS-CS are automatically granted access to EOA and Proofpoint. EOA is available from within your Outlook folder list. When a user account is deleted from Active Directory, all email sent or received by the user remains in EOA and Proofpoint. USDA management has not set a maximum period of time for the retention of e-mail in the USDA Archive. The retention time may change in the future. CTS will continue to support EMS eRecovery efforts from EOA and ProofPoint, or on legacy data for the SCA.
    • Skype for Business: Skype for Business provides web and video conferencing with up to 250 end users. Skype for Business is available for use by USDA and additional licenses can be procured through the USDA volume licensing agreement.
    • SharePoint Service: Cloud-based SharePoint services are designed for internal USDA end users and have a 7 GB per user storage limit. Included are:
    • Service Desk Support: USDA provides a Tier 2 service desk with 24x7 availability. In the event that the Tier-2 service desk is unable to resolve the customer reported problem, Microsoft provides a Tier-3 Service Desk with 24x7 availability. Both service desks provide assistance for all of the above listed services.
    • Tier 3 help is provided to the first-time cloud customer to enroll in and use SharePoint. CTS provides triage and an escalation point between the customer and the Microsoft EMS-CS support service. Migration service provided by CTS is purchased separately via Collaboration SharePoint Support Services.
      • Initial Assessment - CTS provides a professional service that includes the gathering of requirements and providing information about available features/functions from different SharePoint environments. CTS will then meet with the customers to review the findings and recommend the best collaboration option to meet business needs.
      • The service includes helping the first time cloud customers to start the on-boarding process. This includes verification of connectivity, such as sync connection, network DNS, routing, AD authentication, and the creation of initial customer site collection. Existing customers also can request additional site collections and more.
      • Customer service includes describing the services and features that are included with SharePoint Online dedicated plans. This also includes the plan for customers that require an International Traffic in Arms Regulations (ITAR-support) operational environment. Service is not intended to help support upgrade decisions for current SharePoint 2013 dedicated or ITAR-support customers. For additional Office 365 SharePoint service information and what features pertain to USDA in the tables, view the SharePoint Online Standalone (Plan 2D) column and the SharePoint Online dedicated ITAR-support column, within the following guide:
    • SharePoint Legacy Dedicated Services Document
    • Information Discovery and Litigation Support (IDLS): OCIO will support IDLS and other types of official requests for electronically stored information within EMS-CS such as searches or preservation. OGC will determine USDA EMS-CS data retention requirements. Fulfillment of IDLS requests may require additional customer fees. IDLS support activities are only for electronically stored information. Customer organizations are responsible for any maintenance associated with their legacy data. Customer organizations are responsible for making IDLS requests through OCIO eComply and are ultimately responsible for such activities.

Enterprise Office 365

The O365 E3 license currently provides the Department with Exchange Online Archiving, Data Loss Prevention, and O365 ProPlus (Office apps) for desktop, mobile and home use. Customers will be migrated to the O365 G3 license throughout the fiscal year and will retain all functionality currently available with the E3 license shown below.

  • Exchange Online Archiving (EOA)
    • EOA is an online archival tool that allows users a way to store and retrieve old and/or deleted email.
    • The inbox of the Online Archive mailbox will automatically capture and store all email from the main user mailbox that is older than 2 years. This includes mail that has been moved to personal folders created by the user.
    • All email is retained for eDiscovery/Legal hold capabilities.
    • Each user is provided a 100GB archive. At this time, there is not an option to increase this quota within our E3 license with Microsoft.
    • Quick Tip location: ProofPoint Quick tip Exchange
  • Data Loss Prevention (DLP)
    • Office 365 (O365) Data Loss Prevention services (DLP) is the protection of sensitive information throughout the Department through deep content analysis. DLP covers two types of data in transit across the USDA O365 email system (Exchange).
    • Personally Identifiable Information (PII)
      • PII data (e.g. social security numbers, employer identity numbers, taxpayer identity numbers, and credit card numbers) utilize templates contained in the DLP product’s default configuration.
    • Intellectual Property (IP)
      • For IP data, data owners must define the information that they determine to be sensitive, such as CUI (Controlled Unclassified Information) or FOUO (For Official Use Only) classifications.
  • O365 ProPlus (OPP)
    • Listing of applications available through OPP is located here: OPP Applications Listing. USDA should review the column heading Office 365 ProPlus (not the E3 column). Examples of applications included in OPP include Word, Excel, and Access.
    • Licensing will be available to those users in the Enterprise Active Directory (EAD) and will include 1 (one) license each for mobile, tablet and desktop.
    • Home use will be limited to LincPass authentication only. Users will need a PIV card reader for home use.
    • Single sign-on will be available to support users who are temporarily without a LincPass.

Enterprise Active Directory (EAD)

EAD is a consolidated directory service built on Microsoft’s Active Directory Services and Lightweight Directory Access Protocol database technologies. It is a reference system with attribute information about end user accounts and networked devices, and it also provides policy enforcement for securing and managing client and server systems across the enterprise. The service will eventually be used by all USDA organizations and is managed by OCIO. The core administration and support are provided by CTS, and several optional services are available. Optional image management services are available to deploy workstations with customized software installations above the standard core applications common to all agencies, saving many person-hours of effort through automation. Also available are professional services to support agencies in completing the tasks necessary for migration into the EAD and to perform the actual migration, including contract support for the Enterprise Messaging System – Cloud Services (Office 365) integration that must be accomplished after migration to the EAD.

  • Active Directory Infrastructure: The server infrastructure needed to support the Enterprise Active Directory.
  • Authentication Services: Kerberos V5 authentication services for Windows and domain joined Macintosh, Linux, and Unix computers.
  • System Updates and Patches: Maintenance of current system updates and patches to ensure the environment remains current and secure.
  • System Redundancy: Multiple domain controllers will exist throughout the domain providing active redundancy throughout the enterprise.
  • System Backup/Restore: Routine backup of AD configurations and data to ensure timely restore in the event of a critical system failure.
  • Internal Public Key Infrastructure (PKI) Services: EAD provides machine, Encrypting File System (EFS), SSL and code signing certificates.
  • Other Infrastructure Services: BitLocker administration and monitoring supports disk encryption for computers, rights management for securing Office documents and communications, Microsoft Key Management services for enterprise licensed products, and Live Meeting Portal services.
  • Tier-3 Support: Tier-3 support is provided by the EAD staff under this agreement to agency IT staff.
  • Identity and Credential Access Management services include: A core connection to Enterprise Entitlements Management Service (EEMS) is provided to allow automated provisioning and de-provisioning.
  • Standardized Platform: The EAD provides a standardized platform for delivery of enterprise services such as cloud computing. This will significantly reduce the effort and cost of implementing future enterprise services.
  • US Government Configuration Baseline (USGCB): All USGCB settings come from the group policies that get applied to the computer after the computer has been joined to the Enterprise Active Directory (EAD) and placed in the appropriate Organizational Unit (OU). USGCB settings are not applied as part of the image management services.

Enterprise Virtual Private Network (eVPN)

The eVPN service provides a secure telecommunication connection back to the USDA network for remote users from the internet. The ‘virtual network’ established for end user workstations via this service is commonly used by teleworkers. This system provides USDA users improved endpoint security through the use of machine health checks to validate government furnished equipment as well as up-to-date anti-virus and machine patch levels. The system also provides for two-factor authentication using USDA PIV (LincPass). The solution supports standard Windows machines as well as Apple Mac platforms.

  • The Enterprise Virtual Private Network (EVPN) provides a secure connection for users to access their agency and individual resources remotely. Through validation of the user and device, the EVPN system protects the integrity of the USDA network. This solution validates users through two layers of authentication: user credentials through agency systems and the USDA-issued LincPass certificate. This centralized remote access VPN solution is for all USDA agencies and is identified as the Enterprise Remote Access Control & Network Admission Control (AC/NAC) solution. This system significantly improves endpoint security through the use of machine health checks and incorporates the two-factor authentication for all remote access clients accessing the USDA network. The new Enterprise Active Directory (EAD) structure provides the backend technology for the two-factor authentication.
    • Secure eVirtual Private Network (VPN) support with full network access.
    • Enterprise VPN solution and two-factor authentication.

Enterprise Video Teleconferencing

CTS provides a fully managed VTC service that is: affordable, interoperable with existing customer-owned endpoints (multi-vendor, multi-device), easy-to-use, scalable (multi-party), and secure.

Enterprise VTC provides back office infrastructure that allows for visual and audio communication between compatible customer-owned devices. Tier-1 (help desk call center) and Tier-2 (on-site or subject expert support) are typically provided by the customer (for some full service customers, CTS also provides Tier-1 and Tier-2 services as described separately in this catalog). Enterprise VTC service provides Tier-3 support for server infrastructure, network troubleshooting*, and performance analysis of related compatible hardware or peripheral devices. The service includes interaction with vendor resources as needed (* an upgrade of bandwidth may be required based on network analysis).

Enterprise VTC can be combined with UC-Voice to create a complete Unified Communications solution, see Unified Communications as a Service for complete details.

Enterprise VTC service includes:

  • Tier-3 Support for server infrastructure, network troubleshooting*, and performance analysis of related compatible hardware or peripheral devices. The service includes interaction with vendor resources as needed (* an upgrade of bandwidth may be required based on network analysis).
  • Fully-managed centralized hardware and software infrastructure.
  • Tier-3 support for technical connectivity issues.
  • Centralized scheduling of video calls upon request.

The cost for service is based on number of customer endpoint devices integrated into the solution.

Customer responsibilities include:

  • Fully operable and compatible VTC endpoints
  • Adequate network bandwidth
  • Tier-1 and Tier-2 support as necessary

Customers are responsible for the purchase of additional network bandwidth where needed (a data circuit is often needed), and responsible for endpoint acquisition and maintenance.

Enterprise Mobility Management

The CTS Enterprise Mobility Management Solution provides centralized service management for mobile devices including smartphones and tablets. The mobility infrastructure provides the customer with a single console view to provision and manage government issued and/or BYOD devices securely. CTS provides components to create a total mobility portfolio of services supporting the customer.

  • Mobile Device Manager (MDM): Centralized device management of mobile devices including enforcement of defined security policy requirements, over the air administration, logging and tracking, and inventory management.
  • Mobile Application Management (MAM): Custom Internal Apps Store to host both in-house and commercially developed applications (iOS, Android and Windows mobile applications); offering of a mobile application certification lifecycle to test, scan, and deploy mobile applications securely onto the custom apps store. Policies provide the ability to control who can view/download the published mobile applications.
  • Secure Container: Management of a secure container on each device to provide security and control of government information. This feature ensures that all USDA data is secured within encrypted boundaries and synchronized with USDA servers. Data resides within the secure container and can be removed remotely in the event of a lost, stolen or compromised device. This includes an Office Productivity Suite (compatible with Microsoft® Word/Excel/PowerPoint and Adobe PDF files); a SharePoint-compatible application (drop-box style solution); internal home or shared drives mapping to mobile devices; and a web browser for internet/intranet browsing.

CTS Enterprise Mobility Management is offered as an infrastructure providing flexible mobility features allowing agency IT staff to manage and secure smartphones/tablet devices through a single management console. The following summarizes the component services included as part of the offering to the agencies:

  • Secure Management Console (SMC) – This allows the customer to view/manage agency specific devices including provisioning, enrolling, and troubleshooting.
  • Agency-Controller Policy Enforcement and Feature Controls – This allows each agency to manage their own specific mobile policy or features without impacting other agencies in the environment.
  • Tier-3 Support/Escalation/Communication – The customer can access the Access Mobility Support site for FAQ/Support documentation; Tier-3 escalation for any infrastructure or device requests; and incident management for outages and maintenance notifications.
  • User Support (Self Service Portal) – The service includes a self-service portal allowing end user access to common requests such as password reset and device basic information to help reduce support calls.
  • Device Support – The mobility solution covers a wide range of devices with the following minimum device software version requirements:
    • iOS: Phones and Tablets (version 8.0 and above)
    • Android: Phones and Tablets (version 4.4 and above)
    • Windows 8.1: Phones (no support for version 8.x tablets)
    • Windows 10: Phones and Tablets

To ensure the customer selects the best option to meet the mobility needs of the agency, CTS is prepared to work with each customer to solidify requirements, provide recommendations, and plan for an implementation that best meets the customer's needs. This will allow the most cost-effective and efficient service provisioning for each customer as part of an overall mobile services package.

Enterprise Image Management

Management and deployment of the operating system and customizable task sequences for application deployment and configuration of the latest Microsoft® Windows client and server operating systems. This service is built on the System Center Configuration Manager (SCCM) services provided with Enterprise Active Directory and results in a fully patched and configured USDA standard image delivered for each new or replacement Windows system in participating USDA agencies. Utilizing the USDA Enterprise Active Directory (EAD), CTS Image Management Service follows the industry best practice model for deploying a thin image, adding just the required drivers and applications, and managing security and user settings through enforceable group policies.

Computer models are supported as they are added to the USDA BPA. In addition, for those agencies that purchase Image Management Services as described below, there is an option to add up to four different non-BPA system model images per fiscal year if 25 or more of that system model is purchased. Support for reimaging older models of computers is removed when fewer than 50 models of a computer are in production across the USDA enterprise or when they are older than 3 years. This support model ensures driver maintenance is efficient and reduces the network, storage and delivery requirements to support standard imaging across the USDA. The list of supported models is published at: Computer Model Support List

The following summarizes the component services included as part of the Image Management offering to the agencies:

Imaging Management:

  • Management and deployment of OS deployment task sequences for the latest Microsoft Windows client and server operating systems to deliver a standard image to customer systems.
  • Integration and management of the “thin” (base) image for the latest Microsoft Windows client and server operating systems, to include patching to the latest quarter’s updates. Base configuration design matched to USDA Hardware Blanket Purchase Agreement (BPA) systems.

Imaging Management with Application Management:

  • Management and deployment of OS deployment task sequences for the latest Microsoft Windows client and server operating systems to deliver a standard image to customer systems.
  • Integration and management of the “thin” (base) image for the latest Microsoft Windows client and server operating systems, to include patching to the latest quarter’s updates. Base configuration design matched to USDA Hardware Blanket Purchase Agreement (BPA) systems.
  • Integration and management of “Base” or “Above Base” applications specific to the image. Customers are responsible for rigorous testing and certification, such as would be done in a certification lab environment.

How We Charge

Enterprise Services Measurement Description

Product/Service Offering Unit of Measure Description
Enterprise Messaging System – Cloud Services EMS/CS Measured by the number of billable mailboxes unless the agency has an approved waiver for exclusion from the enterprise product/service offering.
Enterprise Office 365 Measured by the number of billable mailboxes unless the agency has an approved waiver for exclusion from the enterprise product/service offering.
Enterprise Active Directory Measured by the number of billable mailboxes unless the agency has an approved waiver for exclusion from the enterprise product/service offering.
Enterprise Virtual Private Network Measured by the number of billable mailboxes unless the agency has an approved waiver for exclusion from the enterprise product/service offering.
Enterprise Video Teleconferencing Endpoints Measured by the number of endpoint devices integrated into the solution.
Enterprise Mobility Management Measured by the number of devices enrolled.
Enterprise Image Management Measured by the number of deployed workstations compiled from Remedy.

Enterprise Mobility Management: CTS charges mobility through a unit cost per-device. The following are the different pricing models allowing each customer to select the most appropriate solution for their agency.

Option 1 – Mobile Device Management only

Option 2 – (Total Solution) Mobile Device Management + Office container + Mobile Application Management

Option 3 – Mobile Device Management + Mobile Application Management

Option 4 – Secure Container only

Add-ins (must be purchased with at least one of the options listed above)

  • iOS and Android Touchdown (email software)
  • Wrappers (allowing wrapping of individual mobile application securely)

The cost for Enterprise Video Teleconferencing service is based on number of customer endpoint devices integrated into the solution.
Customer responsibilities include:

  • Fully operable and compatible VTC endpoints
  • Adequate network bandwidth
  • Tier-1 and Tier-2 support as necessary

Customers are responsible for the purchase of additional network bandwidth where needed (a data circuit is often needed), and endpoint acquisition and maintenance.

Service Level Metrics

Enterprise Messaging System - Cloud Services (EMS-CS) Performance Measures

| Performance | Performance Measure | Performance Targets |
| --- | --- | --- |
| Exchange (Cloud) | Percentage of hours of email infrastructure server service. Sun-Sat, 0000-2359 | 99.9% |
| Live Meeting Availability (Cloud) | Percentage of hours of Live Meeting infrastructure server service. Sun-Sat, 0000-2359 | 99.9% |
| Skype/Lync Availability (Cloud) | Percentage of hours of Skype/Lync infrastructure server service. Sun-Sat, 0000-2359 | 99.9% |
| SharePoint Availability (Cloud) | Percentage of hours of SharePoint infrastructure server service. Sun-Sat, 0000-2359 | 99.9% |

Measurement Tool - Microsoft Reporting

Enterprise Office 365 Performance Measures

| Performance | Performance Measure | Performance Targets |
| --- | --- | --- |
| Office 365 Availability | | 99.9% |

Measurement Tool - Microsoft Reporting

Enterprise Active Directory (EAD) Performance Measures

| Performance | Performance Measure | Performance Targets |
| --- | --- | --- |
| Enterprise Active Directory Service Availability | Sun-Sat, 0000-2359 | 99.9% |

Measurement Tool - System Center Operation Manager (SCOM)

Enterprise Virtual Private Network (eVPN) Performance Measures

Performance Performance Measure Performance Targets
Enterprise VPN Availability (does not include scheduled maintenance windows) 99.99%

Measurement Tool - System Center Operation Manager

Enterprise Video Teleconferencing Performance Measures

| Performance | Performance Measure | Performance Targets |
| --- | --- | --- |
| EVTC System Monitoring | 24 x 7 | 99.9% |
| EVTC Tier-3 Support Request – Critical | Normal business hours – Immediate to less than one (1) hour; Non-business hours – Immediate to less than four (4) hours | 99.9% |
| EVTC Tier-3 Support Request – High/Service Degraded | Normal business hours – Immediate to less than two (2) hours; Non-business hours – Immediate to less than six (6) hours | 99.9% |
| EVTC Tier-3 Support Request – Medium | One business day | 99.9% |
| EVTC Tier-3 Support Request – Low | Two business days | 99.9% |

Measurement Tool - Telepresence Manager

*For EVTC, CTS reserves the option to schedule routine infrastructure maintenance activities on Sundays between 1800 and 2400 hours Central Time.

NOTE: CTS utilizes the USDA Universal Telecommunication Network (UTN) for Wide Area Network services. The UTN is contractually guaranteed to be 99.9% available but has historically delivered 99.997% availability.

Enterprise Mobility Management Performance Measures

Performance Performance Measure Performance Targets
Mobility Infrastructure Availability 99%

Measurement Tool - MDM (units retrieved using MobileIron)

Enterprise Image Performance Measures

| Performance | Performance Measure | Performance Targets |
| --- | --- | --- |
| Image Management Availability | SCCM OSD System Availability (not including maintenance windows) | 99% |

Measurement Tool - Remedy

Cost Saving Tips

  • Utilization of EAD services saves costs and human resources for the deployment, management, monitoring, upgrade, and replacement of hardware and for managing common directory and infrastructure services.
  • Use of Live Communication Service can reduce the need for travel expenditures.
  • Use resource accounts and shared account features of Enterprise Messaging System – Cloud Services to enable better office collaboration and coordination.
  • Consistent message retention and discovery is provided at the department level.
  • Personal archives can help keep mailbox sizes low.
  • Enterprise Messaging System – Cloud Services has improved document storage and greater security.
  • Use Fax2Mail with Enterprise Messaging System – Cloud Services to reduce the cost of maintaining stand-alone fax hardware and telecommunication lines.
  • Utilize USDA BPAs for workstation and server hardware and software. Reduce deployment labor costs, reduce duplication of effort and allow support staff to focus on supporting end users.
  • EAD Imaging Management Services:
    • Cost savings result from not developing and maintaining a custom image for deployment to agency Windows systems.
    • Security is enhanced by deploying fully patched operating systems with the current approved applications and versions.
    • The deployed image is built on the USDA standard so consistent group policies can be utilized across the enterprise.
    • The System Center Client is deployed with the image so new or replacement systems report in and are fully manageable through System Center Configuration Manager.