HHS IRM Policy for Directory Services Using LDAP
January 8, 2001
HHS-IRM-2000-0012
Table of Contents
- 1. Purpose
- 2. Background
- 3. Scope
- 4. Policy
  - 4.1 HHS End-User Interface
  - 4.2 HHS Enterprise Directory Architecture
- 5. Roles and Responsibilities
  - 5.1 The HHS Chief Information Officer (CIO)
  - 5.2 The Deputy Assistant Secretary for Information Resources Management
  - 5.3 The OPDIV CIOs and OPDIV/StaffDiv Program/Project Managers
  - 5.4 The Enterprise Directory Manager
  - 5.5 The OPDIV Directory Manager
- 6. Applicable Laws/Guidance
- 7. Information and Assistance
- 8. Effective Date
- 9. Approved
- Glossary
1. Purpose
This circular establishes the policies and responsibilities for the implementation
and use of the Enterprise Directory Service, which will use the Lightweight
Directory Access Protocol (LDAP), by the Department of Health and Human
Services (HHS) and its agencies.
2. Background
The American public relies on the U.S. Department of Health and Human Services
(HHS) to administer a broad range of approximately 300 Federal program activities.
Together with its many service partners, HHS delivers $238 billion of health
care services annually to 62 million people through its Medicare, Medicaid
and Indian Health Service programs. HHS also plays a vital role in ensuring
the safety, efficacy and appropriate use of health care products; controlling
disease and promoting health; advancing biomedical research; and assisting
the poor. HHS' service partners include States, universities, contractors
and not-for-profit organizations. Together these activities are vital to
the health and well-being of the American public, especially the elderly,
children and the poor. Taking account of private and public spending, the
health sector constitutes a significant segment of the overall U.S. economy,
and it looks to HHS to lead the future direction of these vital health activities.
Presidential Decision Directive 63 (PDD 63), "Critical Infrastructure
Protection," requires each Federal agency to develop a vulnerability plan,
implement an infrastructure protection framework, monitor the enterprise
infrastructure for vulnerabilities, and respond to threats as appropriate.
To improve its compliance with these Federal requirements, HHS will implement
an Enterprise Directory Service. The centralized HHS enterprise directory
will be used to manage the access rights of its internal personnel, business
partners and customers.
A directory server provides electronic access to information. The content
of a directory varies, but it is explicitly defined by the directory's purpose.
Information about people, organizations, services and network hardware are
a few examples of the data a directory service can provide.
Electronic mail benefits from a global electronic "White Pages" because
it lets network users retrieve address information in an intuitive way.
Manually searching for names and addresses, electronic addresses in particular,
can take a great deal of time. A "White Pages" directory service lets network
users retrieve addresses in a user-friendly way, using known attributes such
as common name, surname and organization to support searches at various
levels of precision.
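The following Python program is an added worked example and is not part of this circular or of any HHS system. It shows how a White Pages client would express the lookups just described (by common name, surname and organization) as an LDAP search filter, with the user-typed values encoded per RFC 2254, the LDAPv3 filter syntax within the RFC 2251 through 2256 range cited in section 6, and it evaluates the resulting filters against a few constructed sample entries. The attribute names cn, sn, o and mail are the standard LDAP attributes; the DNs, the sample people and the hostile input are constructed for the example.

```python
"""White Pages lookups as LDAP search filters, with RFC 2254 escaping.

Added example, not code from the HHS circular. A small in-memory filter
evaluator stands in for the directory server so the example runs offline.
"""
import re

# Constructed sample entries; not real HHS directory data.
SAMPLE_ENTRIES = [
    {"dn": "cn=Jane Doe,ou=People,o=CDC,dc=hhs,dc=gov",
     "cn": "Jane Doe", "sn": "Doe", "o": "CDC", "mail": "jane.doe@example.gov"},
    {"dn": "cn=John Doe,ou=People,o=FDA,dc=hhs,dc=gov",
     "cn": "John Doe", "sn": "Doe", "o": "FDA", "mail": "john.doe@example.gov"},
    {"dn": "cn=Ann Lee,ou=People,o=CDC,dc=hhs,dc=gov",
     "cn": "Ann Lee", "sn": "Lee", "o": "CDC", "mail": "ann.lee@example.gov"},
]


def escape_filter_value(value):
    """Encode a user-supplied assertion value per RFC 2254 section 4:
    the metacharacters * ( ) \\ and NUL become \\xx hex escapes."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\x00" else ch
                   for ch in value)


def white_pages_filter(common_name=None, surname=None, organization=None):
    """AND together whichever of cn, sn and o the user filled in (exact match)."""
    terms = ["(%s=%s)" % (attr, escape_filter_value(value))
             for attr, value in (("cn", common_name), ("sn", surname),
                                 ("o", organization)) if value]
    if not terms:
        raise ValueError("at least one search key is required")
    return terms[0] if len(terms) == 1 else "(&" + "".join(terms) + ")"


def naive_filter(surname, organization):
    """The unsafe way (raw interpolation), kept only to show the difference."""
    return "(&(sn=%s)(o=%s))" % (surname, organization)


def _parse(s, i):
    """Recursive-descent parse of one parenthesised filter item at s[i]."""
    if i + 1 >= len(s) or s[i] != "(":
        raise ValueError("expected '(' at offset %d" % i)
    i += 1
    if s[i] in "&|":
        op, children, i = s[i], [], i + 1
        while i < len(s) and s[i] == "(":
            node, i = _parse(s, i)
            children.append(node)
        if i >= len(s) or s[i] != ")":
            raise ValueError("unterminated '%s' filter" % op)
        return (op, children), i + 1
    if s[i] == "!":
        node, i = _parse(s, i + 1)
        if i >= len(s) or s[i] != ")":
            raise ValueError("unterminated '!' filter")
        return ("!", [node]), i + 1
    eq = s.index("=", i)
    # A ')' inside a value is always escaped as \29, so the first raw ')'
    # genuinely closes this item; that is what the escaping buys us.
    close = s.index(")", eq)
    return ("=", s[i:eq], s[eq + 1:close]), close + 1


def _unescape(piece):
    return re.sub(r"\\([0-9a-fA-F]{2})",
                  lambda m: chr(int(m.group(1), 16)), piece)


def _value_matches(pattern, actual):
    # A raw '*' is a wildcard; an escaped \2a is a literal asterisk.
    pieces = [re.escape(_unescape(p)) for p in pattern.split("*")]
    return re.fullmatch(".*".join(pieces), actual,
                        re.IGNORECASE | re.DOTALL) is not None


def _eval(node, entry):
    kind = node[0]
    if kind == "&":
        return all(_eval(c, entry) for c in node[1])
    if kind == "|":
        return any(_eval(c, entry) for c in node[1])
    if kind == "!":
        return not _eval(node[1][0], entry)
    actual = entry.get(node[1].strip().lower())
    return actual is not None and _value_matches(node[2], actual)


def search(entries, filter_str):
    """Return the DNs of the entries matching an RFC 2254 filter string."""
    node, end = _parse(filter_str, 0)
    if end != len(filter_str):
        raise ValueError("trailing data after filter")
    return [e["dn"] for e in entries if _eval(node, e)]


if __name__ == "__main__":
    hostile = "*)(mail=*"  # constructed hostile surname input
    for f in (naive_filter(hostile, "CDC"),
              white_pages_filter(surname=hostile, organization="CDC"),
              white_pages_filter(surname="doe", organization="CDC")):
        print(f, "->", search(SAMPLE_ENTRIES, f))
```

The value of the escaping shows in the three searches at the end: the raw-interpolation builder lets a surname of "*)(mail=*" rewrite the filter into "(&(sn=*)(mail=*)(o=CDC))" and enumerate every CDC entry that has a mail address, while the escaped builder searches for that string literally and returns nothing. A real client would hand the filter string to an LDAP library (for example the search call of the RFC 1823 API listed in section 6); the evaluator here only replaces the server so the example runs offline.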
The Enterprise Directory is a global service composed of independently
operated, distributed Directory System Agents (DSAs) that provide information
in the form of a "White Pages" telephone directory. An Enterprise Directory
service provides a common access point for this distributed information,
and is generally configured to make the information sought easy and intuitive
to reach.
The Enterprise Directory Model is a distributed collection of independent
systems that cooperate to present one logical database of information and
so provide a global directory service. Directory information about a particular
organization is maintained locally, in structured form, in that organization's
DSA. One organization may hold information about other organizations, and
an organization may operate independently of the global model as a stand-alone
system. DSAs that operate within the global model can exchange information
with other DSAs by means of a common protocol.
The Lightweight Directory Access Protocol (LDAP) is the common protocol used
for client-to-server communication with a directory. LDAP defines a standard
method for searching, reading and updating the information held in a directory.
3. Scope
This policy applies to all Departmental (Operating Division and Staff Division)
directory implementations, whether owned and operated by HHS or operated
on behalf of HHS.
4. Policy
4.1 HHS End-User Interface
4.1.1 The HHS user interface shall
use Lightweight Directory Access Protocol (LDAP) for accessing on-line Directory
Services.
4.1.2 LDAP shall be used as the primary standard for client-to-server
communication.
4.2 HHS Enterprise Directory Architecture
4.2.1 The HHS Enterprise Directory
architecture shall be that of a single logical Departmental Directory all
emanating from the root domain.
4.2.2 By implementing an LDAP-enabled
Directory, OPDIV Directory Managers shall be able to control what is shared
and viewable across the global directory.
4.2.3 The security and independence of
the OPDIV domains are recognized to be critical to the success of the HHS
Enterprise Directory. Each OPDIV's Directory Manager shall have the ability
to update its own branch or portion of the global directory. OPDIVs shall
possess read-only rights to information not under their sole ownership.
Changes to an OPDIV's information residing in the global directory shall be
made only with the prior approval of the OPDIV to which the information belongs.
The Enterprise Directory Manager shall have the responsibility to make updates
to the directory following the OPDIV's approval.
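The following Python program is an added worked example, not code from this circular or from HHS. It models policy 4.2.3 as an authorization check that a directory server or a provisioning front end could apply: an OPDIV Directory Manager may write only within its own branch of the single logical directory and may read everything else; the Enterprise Directory Manager may write to an OPDIV's branch only against that OPDIV's recorded approval; anything else is denied. The root dc=hhs,dc=gov, the OPDIV branch DNs, the actor records and the approvals are constructed placeholders, and the check assumes case-insensitive, single-valued RDNs.

```python
"""Branch-scoped write authorization for one logical directory tree.

Added example, not code from the HHS circular. Models policy 4.2.3 with
constructed DNs; least privilege by default: anything not listed is denied.
"""

# Constructed branch layout: one root, one subtree per OPDIV.
ROOT = "dc=hhs,dc=gov"
OPDIV_BRANCHES = {
    "CDC": "ou=CDC," + ROOT,
    "FDA": "ou=FDA," + ROOT,
}


def split_dn(dn):
    """Split a DN into RDN strings, honouring RFC 2253 backslash escapes.

    A comma written as "\\," belongs to the value and is not a separator, so
    dn.split(",") or dn.endswith(branch) would misplace such an entry.
    """
    rdns, cur, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            cur.append(dn[i:i + 2])  # keep the escape pair verbatim
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    rdns.append("".join(cur))
    return rdns


def normalize_dn(dn):
    """Canonical RDN list: trimmed, attribute type and value lower-cased.

    Assumes case-insensitive matching rules (true for cn, ou, o, dc) and
    single-valued RDNs; hex escapes are compared verbatim, not decoded.
    """
    out = []
    for rdn in split_dn(dn):
        if "=" not in rdn:
            raise ValueError("malformed RDN: %r" % rdn)
        attr, value = rdn.split("=", 1)
        out.append(attr.strip().lower() + "=" + value.strip().lower())
    return out


def is_within(dn, branch):
    """True if dn is the branch entry itself or lies anywhere beneath it."""
    d, b = normalize_dn(dn), normalize_dn(branch)
    return len(d) >= len(b) and d[-len(b):] == b


def owning_opdiv(dn):
    """Name of the OPDIV whose branch contains dn, or None."""
    for name, branch in OPDIV_BRANCHES.items():
        if is_within(dn, branch):
            return name
    return None


def authorize(actor, op, target_dn, approvals=()):
    """Decide (allowed, reason) for a read or write against target_dn.

    actor is {"role": "opdiv", "opdiv": "CDC"} or {"role": "enterprise"};
    approvals is a collection of (opdiv, dn) pairs recorded when that OPDIV
    approved a change to its own information (constructed representation).
    """
    if op == "read":
        return True, "directory information is readable across the Department"
    if op != "write":
        return False, "unknown operation"
    owner = owning_opdiv(target_dn)
    if actor["role"] == "opdiv":
        if owner == actor["opdiv"]:
            return True, "write inside own OPDIV branch"
        return False, "read-only outside own branch"
    if actor["role"] == "enterprise":
        if owner is None:
            # The circular assigns no owner to entries outside OPDIV
            # branches, so this example denies them by default.
            return False, "entry is not in any OPDIV branch"
        target = normalize_dn(target_dn)
        for opdiv, approved_dn in approvals:
            if opdiv == owner and normalize_dn(approved_dn) == target:
                return True, "owning OPDIV approved this change"
        return False, "no approval from owning OPDIV %s" % owner
    return False, "unknown role"


if __name__ == "__main__":
    cdc, edm = {"role": "opdiv", "opdiv": "CDC"}, {"role": "enterprise"}
    jane = "cn=Jane Doe,ou=People,ou=CDC,dc=hhs,dc=gov"
    john = "cn=John Doe,ou=People,ou=FDA,dc=hhs,dc=gov"
    print(authorize(cdc, "write", jane))
    print(authorize(cdc, "write", john))
    print(authorize(edm, "write", john, approvals=[("FDA", john)]))
    # Escaped comma: this entry sits directly under the root, not in CDC.
    print(authorize(cdc, "write", "cn=x\\,ou=CDC,dc=hhs,dc=gov"))
```

The comparison is made on parsed RDNs rather than on the DN string because an escaped comma (RFC 2253 "\,") is part of a value, not a separator: the last call in the program is an entry that sits directly under the root, yet its string ends with ",ou=CDC,dc=hhs,dc=gov", so a naive suffix check would let the CDC manager write outside its branch. On a directory server this rule is normally expressed in the server's own access-control language as one subtree rule per OPDIV branch, granting write to that OPDIV's managers and read to other authenticated users.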
5. Roles and Responsibilities
5.1 The HHS Chief Information Officer (CIO)
The CIO is responsible for providing advice and assistance to the Secretary
and other senior management personnel, to ensure that information technology
is acquired and information resources are managed for the agency in a manner
that implements the policies and procedures of the HHS Enterprise Directory.
The CIO is responsible for approving any Directory implementation by HHS
OPDIVs.
5.2 The Deputy Assistant Secretary for Information
Resources Management
The Deputy Assistant Secretary for Information Resources Management (DASIRM)
shall assure that the HHS Enterprise Directory effectively supports mission
requirements, meets strict performance criteria, and conforms to the HHS
hierarchical directory architecture.
The DASIRM is responsible for defining, implementing and managing HHS directory
policy decisions. The DASIRM is also responsible for certification and accreditation
of the global directory implementation and has responsibility for the oversight
of all directory operations. The DASIRM will provide lead support in the
development and implementation of the HHS Enterprise Directory. The DASIRM
is responsible for the appointment of the Enterprise Directory Manager.
The DASIRM is also responsible for assuring that proper and reliable operations
of the Enterprise Directory are maintained, and for seeing that proper LDAP
policies and directives are in place.
5.3 The OPDIV CIOs and OPDIV/StaffDiv Program/Project
Managers
The OPDIV CIOs shall be responsible for assuring that directory implementation
is performed in accordance with the policy of the DASIRM. The OPDIV CIOs
provide planning guidance to, and oversight of the directory infrastructure,
and direct the activity of the OPDIV’s Directory Manager.
The OPDIV CIOs have overall responsibility for assuring that proper and
reliable operations of the OPDIV Directories are maintained, and for seeing
that the policies and directives of the DASIRM are carried out. They are
responsible for establishing and approving detailed operating procedures.
Responsibilities of the OPDIV CIOs include oversight of:
- Developing, maintaining the currency of, and publishing the Directory Policy
- Establishing and monitoring security procedures
- Directory operations
- Identifying and investigating areas for directory improvement
- All technical, hardware and software aspects of the directory
5.4 The Enterprise Directory Manager
The Enterprise Directory Manager operates the HHS Enterprise Directory on
a day-to-day basis and assures that it is functioning properly, that all
procedures and safeguards are being followed, and that any operational
errors, anomalies and breaches of policy and procedure are addressed promptly
and properly. The Enterprise Directory Manager institutes and consistently
follows operational procedures that promote reliability and trust.
The Enterprise Directory Manager is responsible for developing and maintaining
plans, policies and procedures pertaining to operation of the Directory
and the overall operation of the Enterprise Directory Network.
5.5 The OPDIV Directory Manager
In accordance with direction from the Enterprise Directory Manager, the
OPDIV Directory Manager operates the OPDIV directory on a day-to-day basis and
assures that it is functioning properly, that all procedures and safeguards
are being followed, and that any operational errors, anomalies and breaches
of policy and procedure are addressed promptly and properly. The OPDIV Directory
Manager institutes and consistently follows operational procedures that
promote reliability and trust.
The OPDIV Directory Manager is responsible for developing and maintaining
plans, policies and procedures pertaining to operation of the directory
and the overall operation of the Enterprise Directory Network.
The OPDIV Directory Manager shall work in coordination with the Enterprise
Directory Manager.
6. Applicable Laws/Guidance
The following guidance documents are applicable:
- Open Systems Interconnection (OSI) Reference Model – ISO 7498
- Lightweight Directory Access Protocol (LDAP) – RFC 1777
- LDAP v2 – RFC 1778, 1779, 1959 and 1960
- LDAP v3 – RFC 2251 through 2256
- The LDAP Application Program Interface – RFC 1823
- Clinger-Cohen Act of 1996
- The Government Paperwork Elimination Act (GPEA) – October 8, 1998
- Presidential Decision Directive 63 (PDD 63) – "Critical Infrastructure
Protection"
7. Information and Assistance
Direct questions, comments, suggestions or requests for further information
to the Deputy Assistant Secretary for Information Resources Management,
(202) 690-6162.
8. Effective Date
This policy is effective on the date it is approved.
9. Approved
_____/s/____________________________ _01/08/01__
John J. Callahan DATE
Assistant Secretary for Management and Budget
Glossary
LDAP - Lightweight Directory Access Protocol (LDAP) is a common
protocol used for client-to-server communication. LDAP defines a standard
method for accessing and updating information in a directory.