Attachment #5

National Computer Center

Operations Plan FY2010 - FY2012	

Empowering environmental awareness and protection
through innovative, world-class IT solutions

OFFICE OF ENVIRONMENTAL INFORMATION

October 2009


Table of Contents

Executive Summary

1	Introduction
1.1	Purpose
1.2	Drivers for Change
1.3	The NCC Services Delivery Framework

2	Target State
2.1	Improved Customer Services
2.2	Streamlined Service Delivery Processes
2.3	Reengineered Infrastructure Operations
2.4	Enhanced Service Tracking

3	Transition Plan

List of Appendices

Appendix A: NCC Hosting Framework
Appendix B: Managed Development Services
Appendix C: Security
Appendix D: Failover and Disaster Recovery
Appendix E: Communications
Appendix F: Internal NCC Operations Transition Timeline Detail FY2010-FY2011
Appendix G: Acronyms

List of Figures

Figure 1-1: NCC Services Delivery Framework
Figure 3-1: NCC Operations Planning Timeline FY 2010-2012—Customer Services
Figure 3-2: NCC Operations Planning Timeline FY 2010-2012—Internal Infrastructure and Process Changes
Figure A-1: NCC Hosting Framework
Figure C-1: Conceptual Architecture of the Proposed NCC Virtual Environment

List of Tables

Table 1-1: The NCC SWOT Analysis
Table F-1: NCC Operations Transition Timeline Detail FY2010-FY2011

Executive Summary

The U.S. Environmental Protection Agency's (EPA) Office of Environmental Information (OEI) is
leveraging technology to ensure the availability of environmental information for collaboration and
informed decision-making. Due to significant advances in collaboration technologies, EPA is poised to
provide unparalleled access to and analysis of environmental data from an array of sources to enhance
public empowerment. Key factors for managing emerging information technologies (IT) are agility, the
ability to quickly deliver technologies, and security, the ability to protect the integrity of data.

The EPA's Office of Technology Operations and Planning's (OTOP) National Computer Center (NCC)
developed the National Computer Center Operational Plan FY2010 - 2012 to address the changing IT
landscape and the use of IT to advance collaboration and access to environmental information. The Plan
aligns the NCC's solutions and services to meet customer needs efficiently and effectively, facilitating the
use of IT to advance EPA's mission.

The Plan provides for adjustments to the NCC's operations that will yield several benefits:

¦	Position the NCC to become a more agile, efficient and cost-competitive organization.

¦	Streamline the NCC's business processes to ensure transparency to customers and employees.

¦	Position the NCC to serve as a technology leader within the Agency and the federal sector.

¦	Improve communications and build on relationships with customers to better support the
Agency's mission.

¦	Implement energy efficient, green IT practices to demonstrate comprehensive cost savings.

The Plan is aligned to four objectives, which are outlined below.

Improved Customer Services: Reengineer and improve existing customer services to meet customer
needs.

¦	Provide a range of Hosting Services that utilize virtual technology solutions to provide customers
with cost-effective options that meet their application hosting needs.

¦	Evaluate competitive hosting services offered by external providers and broker partnerships
where they are deemed to be the most effective solution.

¦	Offer Managed Development Services that provide customers with an application development
environment and support the development and testing of specialized and emerging technologies.

¦	Continue to provide a wide range of consulting and technical support services.

Streamlined Service Delivery Process: Simplify, streamline and integrate the NCC's service delivery
processes.

¦	Reengineer the NCC's service delivery process to provide customers with improved and
expanded self-service options, transparent service delivery monitoring and timely service
delivery.

¦	Develop a self-service ordering tool to allow customers to request services efficiently.

Reengineered Infrastructure Operations: Reengineer the NCC's infrastructure to leverage
virtualization technologies that enable faster and more flexible delivery of the NCC's services.

¦	Implement virtual server environments to enable more efficient use of the server infrastructure,
allow faster server deployment, and offer an agile hosting service at a competitive cost.

¦	Use a tiered storage model to keep pace with growing demands for storage while lowering costs.

¦	Continue to support and implement green IT initiatives and obtain ENERGY STAR data center
certification.

¦	Standardize the wide area network (WAN) environment and its associated processes, procedures
and practices to ensure EPA customers receive consistent network performance.

¦	Implement automated tools to monitor performance and improve processes for capacity planning.

¦	Deliver a more mature security architecture that creates zones based on data sensitivity, system
and application functionality, and acceptability of risk as determined by the data or application
owners.

¦	Provide a comprehensive set of virtual services to support and deliver continuity of operations
(COOP), disaster recovery (DR) and failover services to the Agency more cost effectively.

Enhanced Service Tracking: Implement service delivery tracking and performance dashboards that
enable customer visibility and transparency into the NCC service objectives and delivery practices.

¦	Provide customers with a service request tracking dashboard with information on service level
objectives, metrics and transparency into the service delivery process.

¦	Provide customers with real-time monitoring of application performance.

This Plan will be implemented over the next three years by the NCC's dedicated and technically-proficient
employees and contractors who are motivated to realize the objectives of this Plan and the
success of the organization's efforts to support EPA's mission. The NCC will ensure that the objectives
described in this Plan are incorporated into recently awarded and upcoming contract bids. The ability to
introduce the Plan's requirements in a competitive arena will give the NCC the opportunity to obtain
diverse technical and operational solutions at a competitive price. This Plan will position the NCC and its
employees as the technology provider of choice and as a leader in providing agile and cost-competitive
services for EPA Programs and other federal agencies.

1 Introduction

1.1	Purpose

The U.S. Environmental Protection Agency's (EPA's) National Computer Center (NCC) provides large-scale
computing services for EPA offices nationwide. The NCC enables environmental progress through
partnerships with its customers and an understanding of their information technology (IT) needs to
support the achievement of their goals and the mission of the Agency.

In May 2009, the NCC formed a team of internal managers and senior experts to align the NCC's
technology, processes and service offerings with the changing landscape of IT and service delivery. The
National Computer Center Operations Plan FY2010 - 2012 documents the NCC team's vision for
reengineering the NCC products, services and solutions to meet its customers' emerging development,
hosting and data integrity needs.

The objective of the Plan is to align the NCC's solutions and services with its customer needs to ensure its
solutions and services efficiently and effectively enable and facilitate EPA programs' use of IT to
advance EPA's mission. This objective closely aligns with the Office of Environmental Information's
(OEI) FY 2009 National Program Manager Priorities, Goal #3: Maintain an agile and secure
infrastructure.

The NCC Plan provides for adjustments to the NCC's operations that will yield several benefits:

¦	Position the NCC to become a more agile, efficient and cost-competitive organization.

¦	Streamline the NCC's business processes to ensure transparency to customers and employees.

¦	Position the NCC to serve as a technology leader within the Agency and the federal sector.

¦	Improve communications and build on relationships with customers to better support the
Agency's mission.

¦	Implement energy efficient, green IT practices to demonstrate comprehensive cost savings
through their implementation.

1.2	Drivers for Change

The Plan outlines a three-year initiative to enhance, evolve and align the NCC's technology, processes
and service offerings with commercial, federal and EPA initiatives. The following provides an
explanation of these internal and external initiatives as drivers for change.

¦	The Administration's focus on data transparency and citizen access to data has brought a new
vision for the expansion of data sharing across government agencies. Many federal initiatives are
underway to meet this challenge.

¦	The widespread and accelerated use of Web 2.0 technologies has enabled the empowerment of
interested communities to affect change. The uses of mobile computing and the integration of
mobile devices are also advancing rapidly.

¦	Virtualization technology has enabled organizations to employ low-cost hardware to deliver
significantly more computing power and improve the agility and speed of delivering hosting
services to customers.

¦	Cloud computing, an emerging technology, will deliver large amounts of computing power and
storage to customers virtually at a more cost-effective price by leveraging virtualization
technologies and Web 2.0 tools.

¦	EPA's Computer Room Server and Storage Management (CRSSM) Initiative's architecture will
provide for an internal "cloud" IT infrastructure that can be leveraged to support other critical
Agency needs such as continuity of operations (COOP), disaster recovery (DR) and failover via a
virtual data center. The CRSSM Initiative is a multi-year project to migrate EPA's CRSSM
services for email to four data centers across EPA including EPA Headquarters (Potomac Yard
Building), Region 5 (Chicago), Region 8 (Denver) and the NCC (Research Triangle Park, NC).

¦	Executive Order: Federal Leadership in Environmental, Energy, and Economic Performance
requires the implementation of best management practices for energy-efficient management of
servers and federal data centers.

1.2.1 Strengths, Weaknesses, Opportunities and Threats

The NCC conducted a strengths, weaknesses, opportunities and threats (SWOT) analysis to highlight
internal and external drivers for change. Table 1-1 provides an overview of the key areas identified in the
analysis. With this Plan, the NCC will leverage its strengths and opportunities to address and mitigate the
identified threats and weaknesses.

Table 1-1: The NCC SWOT Analysis

Strengths

•	Good customer relationships

•	Positive track record of service delivery

•	Strong IT expertise across staff and management

•	The NCC staff work effectively in teams

•	Services delivered meet customer timetables

•	Pricing worksheet and eBusiness process work well for customers

•	Initiatives are underway to improve communications

•	Strong support for Agency's scientific computing requirements

Weaknesses

•	Complex and confusing services are difficult for customers to understand

•	Processes can be daunting to customers

•	Operational structure lacks clarity to NCC customers

•	Core NCC operations are understaffed to support priority projects

•	Some hosting services are not priced competitively

Opportunities

•	Improved agility through virtualization

•	Improved efficiency through green IT

•	Improved service delivery through Information Technology Solutions (ITS)-EPA II contract and
Wide Area Network (WAN) 2010 implementation

•	Increased collaboration with Regions and Programs

•	Package services into solutions

•	Provide leadership in utility computing

Threats

•	Losing institutional knowledge due to retirement

•	Unknown security implications in external hosting

•	Low-cost commercial hosting providers

•	Unknown scope, integration and impact of federal cloud services

•	Possible mandates for agencies to aggregate applications and data to the "Federal Cloud"

1.3 The NCC Services Delivery Framework

Figure 1-1 provides a structured view of the target state for the NCC services as proposed in this Plan.
Following the figure are descriptions of key areas depicted in the framework.

Figure 1-1: NCC Services Delivery Framework

[Figure: NCC Services Delivery Framework. Panels: Customer Services (Hosting Services; Managed
Development Services; Consulting & Technical Support Services); Service Delivery Processes; Internal
Infrastructure Operations (Hosting Platform; Storage; Facilities; Network (WAN Connectivity);
Performance Monitoring & Capacity Planning); Service Tracking (Trend Analysis; Incident Tracking);
Security.]

1.3.1 Customer Services

Three key NCC customer services are addressed in this Plan—Hosting Services, Managed Development
Services and Consulting and Technical Support Services.

Hosting Services: The NCC Hosting Services provide managed infrastructure, supporting business
processes and expertise to test, deploy, host and maintain applications supporting EPA programs.
Planned improvements will allow the NCC Hosting Services to provide more agile and flexible
solutions, reduced deployment timelines and improved cost-efficiency. Section 2.1.1: Hosting
Services provides a more detailed description of this service.

Managed Development Services: The NCC Managed Development Services are new services that
enable systems development in an environment that mirrors the NCC's production hosting
environments. The NCC Managed Development Services provide a managed server environment for
evaluating emerging technologies or non-standard technologies. The objective of these services is to
provide a cost-effective alternative to program investment in contract-specific servers and software
licenses, and to streamline application transition from development to production. Section 2.1.2:
Managed Development Services provides a more detailed description of this service.

Consulting and Technical Support Services: The NCC's Consulting and Technical Support
Services provide technical expertise supporting IT project management; application development;
application hosting; network design and configuration; IT security evaluation; design and operations;
and scientific computing. Section 2.1.3: Consulting and Technical Support Services provides a more
detailed description of this service.

1.3.2	Service Delivery Processes

Service delivery processes provide the mechanism by which customers request the NCC's services. In the
target state, the NCC will provide a more customer-friendly, transparent and streamlined service delivery
model. Section 2.2: Streamlined Service Delivery Processes describes the target state of the NCC's
service delivery processes.

1.3.3	The NCC Infrastructure Operations

The NCC Infrastructure Operations provides for the ongoing operations and maintenance of the technical
infrastructure supporting NCC Customer Services:

¦	Hosting infrastructure.

¦	Storage infrastructure.

¦	Network operations.

¦	Data center facilities.

¦	Performance and capacity management.

¦	Information security management.

These services are necessary to support the customer-facing services but are not seen by customers.
Section 2.3: Reengineered Infrastructure Operations highlights the target state for infrastructure
operations.

1.3.4	The NCC Service Tracking

The NCC Service Tracking provides for customer visibility into the NCC service delivery as well as the
performance and availability of the technical infrastructure. In the target state, customers will have online
access to information regarding the progress and status of their services. Section 2.4: Enhanced Service
Tracking highlights the target state for service tracking.

2 Target State

The following sections provide an overview of the target state of each of the components depicted in
Figure 1-1: NCC Services Delivery Framework. The sections are organized by the NCC's objectives:

¦	Improved Customer Services: Reengineer and improve existing customer services to align with
customer needs.

¦	Streamlined Service Delivery Process: Simplify, streamline and integrate the NCC's service
delivery processes.

¦	Reengineered Infrastructure Operations: Reengineer NCC infrastructure to leverage
virtualization technologies that enable faster and more flexible delivery of the NCC Customer
Services.

¦	Enhanced Service Tracking: Implement service delivery tracking and performance dashboards
that enable customer visibility and transparency into the NCC service objectives and delivery
practices.

By meeting the objectives listed above and described in the following sections, the NCC will achieve its
goal of providing competitively priced solutions and services that are

¦	Aligned with customer needs for technology and service.

¦	Agile and flexible, accommodating rapidly evolving technologies.

¦	Easily understood, requested, tracked and monitored by customers.

2.1 Improved Customer Services

The following sections provide a description of three of the NCC's customer services in the target state—
Hosting Services, Managed Development Services and Consulting and Technical Support Services.

2.1.1 Hosting Services

The NCC currently offers three hosting services: Shared Application Hosting, Dedicated Server Hosting
and High Performance Computer Hosting. The current hosting services are perceived by many to be too
costly when compared to commercial services. In the target state, the NCC Hosting Services will provide
the application platforms, processing, server and storage management capacity to test, deploy and
maintain applications supporting EPA Programs. Four main components of the hosting service will be
provided:

¦	Basic Hosting Service.

¦	Advanced Hosting Service.

¦	Comprehensive Hosting Service.

¦	High Performance Computing (HPC) Hosting Service.

Basic Hosting, Advanced Hosting and Comprehensive Hosting services are targeted to information
systems supporting EPA Programs. The key factors that differentiate these services are the levels of
software license and specialized labor included in the service. Each hosting service option will include
different levels of support with associated costs, allowing customers to decide which hosting service best
meets their needs and available budget. By providing different service options, the NCC will be more cost
competitive with external hosting solution providers while allowing customers to determine the hosting
service that best meets their needs.

Hosting Services

Features                                  Current State   Target State
Managed Application Platforms             ✓               ✓
Dedicated Server Platforms                ✓               ✓
Tiered Hosting Offerings                  -               ✓
Virtual Server Platforms                  -               ✓
Application Platform Support Options      -               ✓
Brokered External Services                -               ✓

The High Performance Computing (HPC) Hosting Service is targeted to support scientific modeling and
visualization applications.

The NCC will evaluate competitive services offered by external providers and may broker partnerships
where they are deemed to be the most effective solution. The NCC will provision and maintain the
operating infrastructure for these services using a variety of methods:

¦	Government or contractor owned infrastructure operated and maintained in the NCC.

¦	Government or contractor owned infrastructure operated and maintained in the contractor's data
center.

¦	Commercial hosting services.

¦	Federal cloud services.

Appendix A: NCC Hosting Framework provides more detail about the current and target states of the
NCC's Hosting Services.

2.1.2	Managed Development Services

The NCC currently offers a limited application
development service. In the target state, the
NCC will offer Managed Development
Services that provide a hosting environment for
the development of applications and support for
the development and testing of specialized and
emerging technologies. This service will
provide:

¦	The NCC managed development servers for Agency-approved standard technologies (e.g.,
ColdFusion, Oracle Application Server, Oracle Database, and Domino).

¦	The NCC managed virtual desktops for application development for a select suite of development
products.

The NCC will provide sufficient administrative privileges to customers, as approved, to allow them to
develop and test their applications in the NCC's environment. The NCC will provide customers access to
its development environments through multiple mechanisms provided by Agency-approved remote access
solutions. All development servers and desktops will meet Agency standard configuration requirements
and the standards will be managed by the NCC.

Appendix B: Managed Development Services contains more detail about the current and target states of
the Managed Development Service.

Managed Development Services

Features                                  Current State   Target State
Application Development Support           ✓               ✓
Application Development Environment       -               ✓
Environment for Emerging Technologies     -               ✓

2.1.3	Consulting and Technical Support Services

Consulting and Technical Support Services

Features                                      Current State   Target State
IT Project Management                         ✓               ✓
Business Application Support                  ✓               ✓
Scientific Computing                          ✓               ✓
Geographic Information Systems Consulting     ✓               ✓
Tiered Hosting Technical Support              -               ✓

The NCC currently provides a broad range of technical consulting and operations services to support and
facilitate customers' use of the NCC solutions and services. In the target state, the NCC will continue to
provide a wide range of consulting and technical support services:

¦	IT Project Management.

¦	Business Application Support.

	-	Application Development.

	-	Web Site Management.

	-	Application Security Assessment.

	-	Application Platform Administration.

	-	Application Performance Assessment.

	-	Business Intelligence and Analytics Consulting.

	-	Tiered Hosting Technical Support.

¦	Scientific Computing.

	-	High Performance Computer Operations.

	-	Environmental Modeling and Visualization.

¦	Geographic Information Systems Consulting.

These services will be aligned closely with the NCC's improved customer services, streamlined service
delivery processes and service tracking. The NCC will clearly document the level of technical support
included in service baselines so that customers have a clear understanding of the circumstances that
require technical support services and their associated fees. In addition, technical consulting skills will be
aligned with the reengineered infrastructure.

2.2 Streamlined Service Delivery Processes

Currently, the NCC's customers request services via multiple mechanisms, and the customers'
requirements are often defined through numerous communications between the NCC staff and the
customer. In the future, the NCC's service delivery processes will be reengineered, integrated and tracked
in a comprehensive manner to provide customers with improved and expanded self-service options and
transparent service monitoring and delivery. The result will be more timely service delivery and lower
costs.

The new service delivery model will streamline the application deployment, firewall rules and
telecommunications service requests, and provide a consistent, clear ordering process for technical
consulting. The two key areas of change include:

¦	Technical Services - An integrated and streamlined approach to ordering and delivering Hosting
and Managed Development Services, processing firewall rule requests and implementing
telecommunications service requests.

¦	Technical Consulting - Provide a clear, consistent and automated approach to ordering and
delivering technical consulting services.

Service Delivery Processes

Features                                                          Current State   Target State
Performance metrics and service level objectives                  -               ✓
Self-service ordering process                                     -               ✓
Clear documentation of customer requirements                      ✓               ✓
Component-based costing information (e.g., a la carte ordering)   -               ✓

By simplifying and streamlining the business and service delivery processes, the NCC will provide its
services to the customer in an integrated and consistent manner. Several improvements will be
implemented:

¦	Provide customers with an easy-to-use, one-stop, self-service option for requesting and tracking
service delivery.

¦	Be responsive to customers' needs with clear performance metrics and service level objectives.

¦	Support multiple hosting options through the application deployment process.

¦	Establish and communicate the documentation requirements of the application deployment
process.

¦	Establish and communicate clear documentation requirements for firewall rule requests.

¦	Establish clear documentation requirements for telecommunications service requests.

¦	Collapse redundant technical consulting services where appropriate.

¦	Provide a consistent, documented approach to the delivery of technical consulting services.

A key component to improved technical service delivery is drafting clear processes and associated
documentation for service delivery. The customer will know upfront the service requirements and
materials the NCC will need to process their service request. This structured process will result in the
customer's clear understanding of the requirements and a consistent approach to ordering and delivering
services.

2.3 Reengineered Infrastructure Operations

The following sections describe the target state for the NCC's infrastructure operations, including the
hosting platform, storage, facilities, network, performance monitoring and capacity management, security,
and DR and failover.

2.3.1 Hosting Platform

Hosting platforms provide the server context for hosted applications. While the NCC's current hosting
platforms leverage extensive virtualization for databases, the majority of the NCC's servers are
traditional physical servers. Traditional physical server environments are more costly and less flexible
than virtual server environments, which allow many logical servers to share a single physical server.
Virtual server environments enable more efficient use of server infrastructure, allow faster server
deployment, and simplify options for fault tolerance and disaster recovery. These features are critical to
the NCC's goal of providing an agile hosting service and faster service delivery at competitive costs.

In the target state, the NCC will extend virtualization beyond the database platforms so that virtual servers
are used whenever practical. To achieve the target state the NCC must

¦	Establish a virtual server infrastructure.

¦	Reengineer server operations and resource accounting processes.

¦	Migrate over 200 physical servers to the virtual infrastructure.

¦	Align the NCC hosting and development service delivery to leverage the virtual infrastructure.

Hosting Platform

Features                                              Current State   Target State
Mainframe                                             ✓               (phased out by 2012)
Virtualized server environment                        -               ✓
Automatic scaling and deployment of virtual servers   -               ✓

2.3.2	Storage

Storage and backup management are integral components of the NCC infrastructure services and include
the design, provisioning, installation, operation and maintenance of storage systems to support hosted
servers and applications. The NCC currently leverages storage virtualization to simplify storage
management and maximize efficient use of the infrastructure.

In the target state, the NCC will implement tiered storage to improve cost efficiency and expand the
implementation features that support improved services for data security, backup, DR and COOP. Tiered
storage will be delivered in two tiers:

¦	Tier 1 - High to moderate performance primarily for high transaction volume.

¦	Tier 2 - Moderate to low performance primarily for read access for files.

In addition, the NCC will offer new or expanded features:

¦	Full encryption to provide additional security for stored data.

¦	Data de-duplication to reduce system and file backup and recovery times.

¦	Long distance data replication to support failover and DR pairing with other EPA data centers.

Storage

Features                                          Current State   Target State
Storage Area Network (SAN) storage architecture   ✓               ✓
Storage virtualization                            ✓               ✓
Scalable tiered storage environment               -               ✓
Data de-duplication                               -               ✓
Storage encryption                                -               ✓

2.3.3	Facilities

The NCC data center facilities are currently housed in a Leadership in Energy and Environmental Design
(LEED) Silver certified facility commissioned in 2001. The NCC power and cooling infrastructure was
engineered to support mainframe, scientific computing and high-end mid-range servers of that period.
Since that time, the platform mix has changed substantially, which has resulted in significant
reductions in power and cooling demand. The NCC benefits from both surplus power and cooling
capacity. While this is an advantage for growth potential, some reconfiguration and tuning is necessary to
optimize power, cooling and infrastructure provisioning.

The NCC has collaborated with the Department of Energy and EPA's ENERGY STAR program since
2008, as they develop requirements for ENERGY STAR data center certification. Once the requirements
are finalized, the NCC will begin implementing improvements to receive the certification.

Facilities

Features                             Current State   Target State
LEED certified                       ✓               ✓
ENERGY STAR certified                -               ✓
Automated power management           -               ✓
Pre-action fire suppression system   -               ✓

The NCC target state for facilities is a data center configuration that maximizes power and cooling
efficiency and improves hosting agility by minimizing the time and effort required to bring new servers
and storage online. The following key issues will be addressed in the future.

Environmental Controls

¦	Reengineer the physical layout of the data center to optimize use of power, cooling and network
infrastructure.

¦	Standardize server racks to improve airflow and cooling efficiency.

¦	Enable automatic light dimming in unused areas.

Power Infrastructure

¦	Reconfigure power distribution layout to reduce single points of failure and simplify provisioning
of new servers and storage.

¦	Implement automated power management for servers and storage systems.

¦	Analyze generator options and consider moving from diesel to natural gas.

Data Center Network

¦	Evaluate, procure and implement next generation data center communications network.

¦	Evaluate, procure and implement next generation data center storage network.

Facility Upgrades

¦	Replace wet-pipe fire-suppression system with a pre-action system.

¦	Add smoke detectors/sensors on the data center floor.

Off-Site Backup Facility

¦	Evaluate alternatives for leased off-site backup facility.

2.3.4	Network

EPA's WAN connects approximately 110 EPA
offices to each other and to the NCC, and
provides enterprise computing services and access
to the Internet. Today, EPA's network design
does not provide the performance and scalability
required to meet the growing demands of EPA's
business. Through the EPA's WAN 2010
Initiative, the NCC will standardize the WAN environment and its associated processes, procedures and
practices to ensure EPA's customers receive consistent network performance. The NCC will implement
the WAN 2010 Initiative with several objectives:

¦	Availability: A solution that minimizes outages, as much as possible.

¦	Scalability and Adaptability: A network that can readily adapt to changing requirements.

¦	Security: A network managed and operated in compliance with federal security standards.

¦	Transparent Performance Metrics: Agency network managers will have access to tools that
will give visibility into network performance data.

¦	Affordability: A network that continually meets EPA's objectives and represents the best value.

The NCC expects to complete the transition to WAN 2010 in spring 2010.

2.3.5	Performance Monitoring and Capacity Planning


Network

Features                                          Current State   Target State
Readily available network performance data                        ✓
Secure, reliable network                          ✓               ✓
A scalable and adaptable network                                  ✓

The NCC's current performance monitoring and capacity planning capabilities rely on labor-intensive,
platform-specific tools that are limited in their ability to provide a comprehensive view of
infrastructure capacity utilization and application or platform performance.

The target state of the NCC performance monitoring and capacity planning provides several tools:

¦	Automated tools for monitoring performance and capacity consumption.

¦	Integrated, internal dashboards for detailed infrastructure monitoring and operational awareness.

¦	Integrated customer dashboards to provide customer visibility into application performance and
service availability (refer to Section 2.4: Enhanced Service Tracking for more information).

¦	Improved processes for issue escalation and capacity planning.

2.3.6 Security

The NCC effectively delivers IT security to
mitigate risks and ensure compliance with
applicable federal guidance and regulations.

This function is currently performed at the
system level and, as a result, is not optimized
for cost or service delivery efficiencies.

The target state of IT security focuses on
delivering a more mature security architecture that creates zones based on data sensitivity, system and
application functionality, and acceptability of risk as determined by the data owners. Each of these
defined zones will have authorized ports, protocols and services that are considered normal and necessary
for standard communications within and outside the zone.

The NCC will apply security controls (i.e., protection, monitoring and oversight) to each zone that are
commensurate with the accepted level of risk. Customer requests for exceptions within a zone will be
formally documented, reviewed and applied at the system level once approved. The NCC will reduce time
for system deployment by managing at the zone level rather than managing individual systems. This
approach will increase the NCC's capability for quickly accommodating customer needs without
sacrificing EPA's current security posture.

The NCC's redesigned IT security architecture will utilize the benefits of virtualization technology.
Appendix C: Security provides more information about the target state for security and a depiction of the
architectural framework necessary for delivering the NCC's enhanced security services (see Figure C-1:
Conceptual Architecture of the Proposed NCC Virtual Environment).

Performance Monitoring and Capacity Planning

Features                                                      Current State   Target State
Active capacity and performance monitoring and analysis                       ✓
Dashboards for detailed infrastructure monitoring                             ✓
Proactive capacity planning to anticipate and address
growth trends                                                                 ✓

Security

Features                                                      Current State   Target State
A secure data center environment                              ✓               ✓
Security zoning                                                               ✓
Security architecture based on data sensitivity                               ✓

2.3.7 Continuity of Operations, Disaster Recovery and Failover

The NCC will provide a comprehensive set of virtual services to more cost effectively support and
deliver COOP, DR and failover services to the Agency. Although each of these services has a specific set
of requirements, together they are part of a continuum of critical services that provide for the operational
and data integrity of core assets under adverse circumstances and conditions.

2.3.7.1	Continuity of Operations

IT support requirements for COOP include telecommunication, email, geographic information system
(GIS) and access to other critical data services required to sustain business operations in the event of a
disaster or pandemic event. The NCC will provide the necessary data telecommunications access needs
including alternate routes and technologies, should the normal circuits become impaired. Email and
BlackBerry services will be continuously available through EPA's internal (CRSSM) "cloud"
infrastructure. GIS and other critical data services will be securely hosted at the NCC and will be
provided virtually from users' desktops.

2.3.7.2	Disaster Recovery

Should the NCC experience a systematic building failure or a catastrophic application outage in
which hosting and data services at the NCC are lost, subscribers to the NCC's DR service will
have fully restored application functionality and data availability within a 24-48 hour window.

Over the next two years, the NCC will offer
improved DR performance at a lower cost by
moving from an outsourced service to an internal, virtualized DR model. The NCC will leverage the
CRSSM internal "cloud" infrastructure to support virtual instances of applications that require DR
service. This is a fundamental shift in DR in which the application can be dynamically re-provisioned
across the WAN to another functional site, thus making it easier and more cost effective to deliver DR
services.

2.3.7.3	Failover

For applications that require 24x7 uptime, the NCC will support a failover service by leveraging the
virtualized infrastructure and load balancing features to provide continuous service. This service will be
priced at a premium because of the redundant infrastructure and administration necessary to assure
uninterrupted application availability.

2.4 Enhanced Service Tracking

Service tracking is the NCC's solution to
provide customers with insight into various
aspects of internal operational and service
delivery processes. The NCC currently
performs application performance tracking on
an ad hoc basis to satisfy specific customer
requirements. Service tracking will be included
as a basic, self-service option allowing the
NCC customers to check on the status of their requests for service or to monitor application performance
for hosted systems. The NCC will provide a dashboard tool for this service and provide two basic
services:

Disaster Recovery and Failover

Features                                                      Current State   Target State
A full-scale DR service for customers                         ✓               ✓
Virtualized DR model                                                          ✓
Flexible DR and failover options for customers                                ✓

Service Tracking

Features                                                      Current State   Target State
Application performance tracking                              ✓               ✓
Customer dashboard to track application performance                           ✓
Ability for customers to track order status and progress                      ✓

¦	Service Request Tracking.

¦	Application Performance Tracking.

The NCC will offer an optional, more in-depth service tracking service under the Consulting and
Technical Support Service for an additional fee.

2.4.1	Service Request Tracking

The NCC will implement service request tracking to enable the NCC customers to verify the status of
their specific service request. The benefits of service request tracking are twofold:

1.	Customers requesting services from the NCC will be able to verify the status of their request
easily.

2.	The processes for service fulfillment will be documented with the criteria for moving from one
phase of the process to another.

The service request tracking dashboard will provide service level objectives, metrics and transparency
into the service delivery process. The enhanced service delivery processes and the dashboard will ensure
that the NCC management is able to readily identify and resolve workflow issues.

2.4.2	Application Performance Tracking

The NCC will procure and implement an application performance tracking tool that will provide real-time
monitoring of an application's performance. The tool will analyze network traffic, pinpoint application
bottlenecks and graphically display the information. The NCC and customers will be able to use the tool
to optimize applications.

3 Transition Plan

The NCC must implement a number of activities and tasks to ensure its goals of improving customer
services, streamlining service delivery processes, reengineering infrastructure operations, and enhancing
service tracking are realized. Figures 3-1 and 3-2 outline the key activities the NCC will implement for
the external customer services and internal NCC infrastructure areas to ensure the target state is realized.
In addition to the tasks laid out below, a number of other related pieces of work (e.g., contracting, budget
formulation, Working Capital Fund (WCF) business processes) will be aligned to the timelines to ensure
the successful completion of the activities.

Figure 3-1 depicts the activities the NCC will undertake to implement the customer-facing services.

Figure 3-1: NCC Operations Planning Timeline FY 2010-2012—Customer Services

[Figure: timeline spanning FY10 through FY13 with tracks for Hosting Services, Managed Development
Services, Consulting & Technical Support Services, and Service Tracking.]

Figure 3-2 depicts the activities the NCC will undertake to implement the internal infrastructure and
process changes.

Figure 3-2: NCC Operations Planning Timeline FY 2010-2012—Internal Infrastructure and Process Changes

[Figure: timeline spanning FY10 through FY13 with tracks for hosting infrastructure, Storage, Facilities,
Network, Performance Monitoring & Capacity Planning, Security, and Disaster Recovery & Failover.]

Appendix A: NCC Hosting Framework

Figure A-1 depicts the future NCC Hosting Services within a uniform service delivery and technology
standards framework with clear service standard responsibilities delineated between the service provider
and customers. The Information Technology Infrastructure Library (ITIL) functions shown on the left
side of the diagram follow a set of industry best-practice processes that will be an important guide for
delivering these services.

Figure A-1: NCC Hosting Framework

[Figure: diagram mapping the ITIL Service Operations functions (Business Process, Application, Server,
Storage, Network and Facilities Management) to the layers of the Hosting Service, together with the
Utility Compute Infrastructure, the Disaster Recovery and Fail-over Infrastructure, and Security.]

The following is a description of the current and target state of the NCC's Hosting Services.

Hosting Services Current State

The NCC currently offers three hosting services: Shared Application Hosting, Dedicated Server Hosting
and High Performance Computer Hosting.

The NCC Shared Application Hosting offers a variety of managed application platforms into which
customer applications are installed and operated. Hosting capacity, operating system administration and
application platform administration are included in fixed price service offerings specific to each
application platform. Included in the fixed price are staging or pre-production environments for
application validation and production environments. Storage is offered under a separate service at a fixed
price per gigabyte-month. Currently supported shared application platforms include:

¦	Lotus Domino.

¦	Adobe Cold Fusion.

¦	Apache Tomcat.

¦	Oracle Enterprise Application Server.

¦	Oracle Portal.

¦	ESRI ArcIMS GIS Application Servers.

¦	Oracle Enterprise Edition Database.

Shared application platforms provide managed server and application platforms that allow customers to
leverage shared hosting capacity, license and platform maintenance costs.

Dedicated server hosting offers a dedicated hosting environment with managed operating systems and
application platforms. Customers are required to use the NCC administrative resources for both operating
system and application platform management.

Dedicated server platforms offer customers a hosting alternative to accommodate application platforms
not provided as shared platforms and dedicated application platforms for large and/or complex
applications.

Many application customers blend shared and dedicated hosting to meet their application needs. The most
common configurations pair dedicated application servers with shared platform databases.

The NCC application deployment and technical consulting services provide for the installation,
configuration and operation of customer applications within the shared and dedicated hosting platforms.
These services are paired with each of the offered hosting platforms. Deployment services are offered at
fixed prices that include initial configuration of the hosting environments and 20 hours of ad hoc
deployment coordination. Deployment activities beyond 20 hours per platform are provided as ad hoc
technical consulting services billed by the hour.

Application hosting and deployment services are delivered through the Application Deployment Checklist
(ADC) process. The checklist itself is designed to ensure each application can be hosted in the target
environments, that sufficient capacity and required configurations are in place, and that Agency required
procedures and documentation are in place. The existing ADC process relies heavily on verbal and email
communications between application developers and the hosting teams.

The current hosting services are perceived by many to be too costly when compared to commercial
services and the ADC process is perceived as too cumbersome. The target state must address these issues
by

¦	Aligning the hosting services with comparable commercial service offerings.

¦	Aligning hosting prices with comparable commercial service offerings.

¦	Optimizing the NCC business processes to enable rapid service delivery and deployment.

Hosting Services Target State

The NCC target state hosting services will provide the application platforms, processing, server and
storage management capacity to test, deploy and maintain applications supporting EPA Programs. There
are four main components of the hosting service that will be provided:

¦	Basic Hosting Service.

¦	Advanced Hosting Service.

¦	Comprehensive Hosting Service.

¦	HPC Hosting Service.

Basic Hosting, Advanced Hosting and Comprehensive Hosting services are targeted to information
systems supporting EPA Programs. The key factors that differentiate these services are the levels of
software license and specialized labor included in the service.

The HPC Hosting service is targeted to support scientific modeling and visualization applications.

The NCC will provision and maintain the operating infrastructure for these services using a variety of
methods:

¦	Government or contractor owned infrastructure operated and maintained in the NCC.

¦	Government or contractor owned infrastructure operated and maintained in the contractor's data
center.

¦	Commercial hosting services.

¦	Federal cloud services.

NCC Basic Hosting Service

The Basic Hosting Service offers customers a managed server platform with greater control over and
responsibility for application platform configuration and operation. This service offers several key
advantages:

¦	Customers may leverage existing application expertise within their development contracts to
manage production application platforms hosted at NCC.

¦	Customers have greater freedom over the features and configuration of application platforms.

¦	Customers can host emerging or specialized application platforms that are not supported in the
shared platforms offered under the NCC Comprehensive Hosting Service.

Basic hosting is best suited to customers with applications and access to technical expertise with
established procedures for implementing NIST 800-53 compliant controls for application platform
management. Customers without an established NIST 800-53 compliance framework should consider the
NCC Advanced or Comprehensive Hosting Services, which provide for custom application platform
configuration within the NCC's NIST 800-53 control framework.

Basic Hosting Service Description

The NCC's Basic Hosting Service will provide a dedicated server instance with managed operating
system. Customers will have sufficient administrative privilege to install and manage application
platforms and custom applications, but access to operating system configuration and control will be
restricted and require the NCC provided administration.

Basic hosting customers will have the ability to install, configure, monitor and operate application
platforms on the server. These services can be provided through customer contractors or
customer-designated staff. Administrative access to servers must be through EPA-approved methods
(currently AAA service with two-factor authentication). Individuals with privileged administrative access
must meet EPA requirements for security clearance and are subject to EPA security policies, procedures
and rules of behavior.

NCC Basic Hosting will provide:

¦	A virtual or physical server platform sized to the customer's requirements, billed at a uniform
monthly rate and managed to defined service levels for availability, performance and recovery.

¦	A licensed operating system managed in compliance with EPA configuration standards and
including technical labor for installation, configuration, maintenance and patching.

¦	Server deployment and operations coordination services billed at a uniform monthly rate to
support initial application deployment and change management coordination.

¦	Access to utility storage services billed at a uniform monthly rate based on requested storage
quantity and storage features (performance tier, backup type, replication, encryption).

¦	Access to optional technical consulting services for project management, coordination,
application security evaluation and integration support.

¦	Access to optional services for off-site recovery or failover.

¦	Access to a service delivery and performance management dashboard providing visibility into
service request status and server performance.

¦	24x7 response to infrastructure or operating systems failures.

¦	Inclusion of the server in an NCC General Support System managed with NIST 800-53 compliant
controls appropriate to the customer's sensitivity classification of the application supported by the
server (low, medium, high). Controls are limited to those associated with the facility, network and
operating systems. Application platform controls are not included.

¦	Documentation describing the NIST 800-53 controls implemented for the general support system
and proof that the controls have been independently audited.

NCC Advanced Hosting Service

The NCC Advanced Hosting Services add NCC technical consulting services for configuring and
managing customer application platforms on servers operated under the Basic Hosting Service.

The Advanced Hosting Service offers customers a managed server platform and greater control over
application platform configuration without the burden and complexity of providing 7x24 operations
support or a NIST 800-53 compliant security control framework for the application platform. The key
advantages of this service are

¦	Customers have greater freedom over the features and configuration of application platforms than
available in the shared platforms offered under the Comprehensive Hosting Service.

¦	Customers can host emerging or specialized application platforms that are not supported in the
shared platforms offered under the Comprehensive Hosting Service.

¦	Customers leverage a comprehensive NIST 800-53 compliant security control framework with
supporting documentation.

The Advanced Hosting Service is best suited to customers who need a customized application context
without assuming the burden, responsibility and risk of managing 7x24 operations and security
compliance.

Advanced Hosting Service Description

Advanced Hosting includes all Basic Hosting Service features with application platform management
services provided through NCC's Technical Consulting Services. Customers will have the freedom to
define custom configuration requirements that will be implemented and maintained by NCC provided
services. Access to operating system and application platform configuration will be restricted to
authorized NCC systems administrators.

Application platform license and maintenance costs are not included in the service. The NCC acquisition
services are optionally available to acquire necessary license and maintenance services or customers can
provide proof of licenses purchased through other methods.

The NCC Advanced Hosting Service will provide:

¦	All the features of Basic Hosting.

¦	Custom application platforms managed in compliance with EPA configuration standards
including installation, configuration, maintenance and patching.

¦	Application platform deployment and operations coordination services billed at a uniform
monthly rate to support initial application deployment and change management coordination.

¦	7x24 response to application platform issues.

¦	When provided for NCC standard hosting platforms, inclusion of the application platform in an
NCC General Support System managed with NIST 800-53 compliant controls appropriate to the
customer's sensitivity classification of the application (low, medium, high). Controls are limited
to those associated with the Application Platform.

¦	Documentation describing the NIST 800-53 controls implemented for the general support system
and proof that the controls have been independently audited.

Comprehensive Hosting Service

The NCC Comprehensive Hosting Service provides for managed application platforms in a shared
operating environment. The following application platforms are supported under the Comprehensive
Hosting Service:

¦	Lotus Domino.

¦	Adobe Cold Fusion.

¦	Apache Tomcat.

¦	Oracle Enterprise Application Server.

¦	Oracle Portal.

¦	ESRI ArcIMS GIS Application Servers.

¦	Oracle Enterprise Edition Database.

The Comprehensive Hosting Service offers customers managed application platforms that include hosting
capacity, software license, 7x24 operations support and a NIST 800-53 compliant security control
framework for all aspects of hosting for the application platform. The key advantages of this service are:

¦	Reduced capacity and license costs compared to dedicated options.

¦	Reduced operations burden, cost and complexity because all aspects of capacity management,
application platform management, security management, release management and patching are
provided as part of the managed application platform.

¦	Reduced application certification and accreditation costs because Comprehensive Hosting
customers leverage a NIST 800-53 compliant security control framework for all aspects of their
production application beyond controls within the application development context.

The Comprehensive Hosting Service is best suited for customers who have applications developed for
EPA standard platforms. Comprehensive Hosting provides customers with the most cost-effective and
least complex option for application hosting.

Comprehensive Hosting Service Description

¦	A shared application hosting environment providing all software license and capacity necessary
to meet defined service levels for platform availability, performance and recovery.

¦	A standardized application platform managed in compliance with EPA configuration standards
and including technical labor for installation, configuration, maintenance and patching.

¦	A uniform monthly service rate for hosting services.

¦	Customer application deployment and operations coordination services billed at a uniform
monthly rate to support initial application deployment and change management coordination.

¦	Access to utility storage services billed at a uniform monthly rate based on requested storage
quantity and storage features (performance tier, backup type, replication, encryption).

¦	Access to optional technical consulting services for project management, coordination,
application security evaluation and integration support.

¦	Access to optional services for off-site recovery or failover.

¦	Access to a service delivery and performance management dashboard providing visibility into
service request status, platform and application performance.

¦	7x24 response to infrastructure, platform or application failures.

¦	Inclusion of the server in an NCC General Support System managed with NIST 800-53 compliant
controls appropriate to the customer's sensitivity classification of the application supported by the
server (low, medium, high). Controls are provided for all aspects of production application
controls beyond controls specific to the application development context.

¦	Documentation describing the NIST 800-53 controls implemented for applicable general support
systems and proof that the controls have been independently audited.

Comprehensive Hosting Service customers will be responsible for developing and supporting custom
content or applications delivered by this hosting service as well as application-specific user
administration.

Customer application code must be reviewed for compatibility with shared platform coding standards and
certified to be free of vulnerabilities using EPA approved tools before placement in the shared
environments.

High Performance Computing Hosting

In addition to the three hosting environments described above, the NCC provides a specialized HPC
environment to support scientists and researchers who require this highly specialized compute and storage
environment to meet their research goals. As part of the future direction of the NCC, external services
will be evaluated and where cost beneficial to the Agency will be integrated into the current environment
supported by the Scientific Computing Service.

Appendix B: Managed Development Services

The following sections provide a description of the current and target state of NCC's Managed
Development Services.

Current State of Managed Development Services

The NCC currently offers only preproduction staging environments within the NCC hosted services
context. These staging environments are limited in capacity and are designed to support application code
review and preproduction configuration only. The following issues result from this lack of the NCC
hosted development environments:

¦	Initial deployments of new applications often require significant re-work because of variations
between the contractor-hosted development environments and the NCC production environments.

¦	The NCC's current staging environments cannot duplicate the communications restrictions placed
on production applications resulting in required and/or unauthorized communications being
discovered only after deployment to production.

¦	EPA's total cost of ownership for application development platforms is higher because many
isolated development environments are provisioned at government expense within development
contractor facilities.

Target State of Managed Development Services

In the target state, the NCC will offer Managed Development Services supporting application
development that

¦	Are flexible and agile enough to accommodate the rapid pace of configuration change required
for efficient software development.

¦	Mirror the target platform configuration including server, application platform, network zoning
and firewalled communications.

¦	Support development and testing of specialized and emerging technologies.

¦	Provide sufficient access for developers to easily test applications and for application owners to
review applications in development.

¦	Deliver these services at a cost that is significantly lower than platform provisioning under the
development contract.

Some of the technologies that will be employed to develop this service are

¦	NCC managed development server for Agency-approved standard technologies (e.g., ColdFusion,
Oracle Application Server, Oracle Database, Domino).

¦	NCC managed virtual desktops for application development for a select suite of development
products.

Appendix C: Security

Current State of Security

The NCC's current network security model focuses on the quantification and mitigation of risks
associated with a specific system or application and any potential harm it may bring to the WAN or
Local Area Network (LAN). The evaluation of risks and corresponding mitigation strategy is developed
for each system on a case-by-case basis. The security infrastructure affords general purpose protection
and more refined security protection as required by the system. This is achieved via host or application
controls, processes and system/application management functions. This methodology has been effective
in maintaining the NCC's desired security posture and adhering to federal regulations. However, it
continues to hamper the NCC's ability to deploy applications in an efficient manner.

Target State of Security

The target state of security focuses on delivering an IT security architecture framework that is capable of
quickly accommodating customer needs, while maintaining EPA's current security posture. This is
accomplished through the creation and management of zones. Each zone will employ the required
security controls to provision acceptable risk for systems within the zone. Communications via standard
and normal ports, protocols and services that are required for system functionality will be applied to all
systems within the zone. Any additional communication requirements will be documented and authorized
on an exception basis and, if approved, applied to that specific system. The primary areas of focus for this
architecture are discussed below.

Figure C-1 depicts the virtual infrastructure security architecture necessary to deliver the NCC's Hosting
Services. In the target state, the NCC's hosting environment will utilize virtual technologies to the
maximum extent possible. Physical and dedicated systems will be reserved for organizations with strong
justifications.

Figure C-1: Conceptual Architecture of the Proposed NCC Virtual Environment

[Figure C-1 callouts: Virtual environments are configured for a specific risk profile. Virtual systems
(VLANs) automatically inherit all controls associated with their respective environment. Additional
access is provided for a specific system if needed. Justification is required for direct access to a
Higher Sensitivity Environment. A Higher Sensitivity Environment may access lower environments (if
allowed by Egress Access Rules). Other labeled components: Hypervisor, Management and Security
Policies and Procedures, Firewall Ruleset, Storage Area Network (SAN).]

Virtual Environments

Under the new architecture, three virtual environments will be characterized by the sensitivity of the
hosted data - Virtual Environment 1 (Low Sensitivity), Virtual Environment 2 (Moderate Sensitivity),
and Virtual Environment 3 (High Sensitivity). Applications will be required to be hosted in the virtual
environment that has the level of sensitivity needed for the data hosted. A Test Virtual Environment will
also be used, which is described in more detail below.

The target architecture will contain four Virtual Local Area Networks (VLANs) within each Virtual
Environment—Web, DMZ, Application and Database. The VLANs will automatically inherit all security
controls and firewall access rules associated with their respective environments. Additional access will be
provided for each specific system as needed, pending justification.

Under this model, predefined security plans and common configurations will be defined for each virtual
environment. Any application utilizing the standard configuration being deployed to a virtual
environment will automatically inherit the base security plan and configuration for that environment,
including firewall rules and access. Any modification to the firewall rules for a standard configuration
will require a Firewall Rule Request (FRR) addendum, assuming the configuration is standard and uses
standard ports. Custom configurations may require a full system plan and FRR.

[Figure C-1 labels: Antivirus | Log Management | IPS | Vulnerability Management | Compliance
Monitoring/Patching | Firewall | ACL. Test Virtual Environment (Sandbox | Low | Moderate | High), each
with Web, DMZ, Application and Database. Virtual Environment 1 (Low Sensitivity), Virtual Environment 2
(Moderate Sensitivity) and Virtual Environment 3 (High Sensitivity)*, containing VLAN1, VLAN2 and VLAN3
respectively, each with Web, DMZ, Application and Database. Increased security controls, auditing and
oversight | less allowable risk. Tiered Storage.]

Test Virtual Environment

The Test Virtual Environment will contain a staging environment for each production environment (Web,
DMZ, Application and Database), allowing for deployment testing that mimics the production virtual
environment in which the application will be hosted once it is deployed. Any changes to the application or
firewall access rules will be made in the testing environment before it is deployed to the production
environment.

The Test Virtual Environment also contains a "sandbox" area that can be used as a test and development
environment for specialized and emerging technologies and for applications that are being migrated from
an external environment to the NCC environment or applications that need to be tested before the security
rules are put in place in the other test environments. The "sandbox" environment will allow developers to
test applications in an environment that is less restricted internally. These applications will not be allowed
to access environments outside of the "sandbox," and outside applications will not be allowed to access
applications within the "sandbox." The applications within the "sandbox" will be able to communicate
with other applications within the "sandbox" test environments. After testing of an application within the
"sandbox," the application can be moved to the low, moderate or high test virtual environment that
corresponds with the production virtual environment in which it will be hosted after deployment.

Data Sensitivity

The NCC will obtain the level of data sensitivity during the ordering process to align the hosting solution
with the appropriate firewall zone. High data sensitivity applications will be flagged for a follow-up call
to verify the data's level of sensitivity within the system. Additionally, security and vulnerability testing
commensurate with the sensitivity level of the data will be established and performed regularly.

Communication within Environments

Figure C-1 also depicts the reduced communication access from the lower sensitivity environments to the
higher sensitivity environments. Increased sensitivity results in reduced communications and access from
lower sensitivity applications. By default, a higher sensitivity environment will have access to a lower
sensitivity environment, but a lower sensitivity environment must have firewall rules and justification in
place to communicate with a higher sensitivity environment.
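
The default-direction rule above, together with the sandbox isolation and per-system exceptions described earlier in this appendix, can be written as a small policy check. This is an added example, not NCC code: the baseline and egress port sets, the system names and the exception record shape are assumptions constructed for illustration, and it models environments only, not the individual VLANs.

```python
from dataclasses import dataclass

RANK = {"low": 1, "moderate": 2, "high": 3}  # production environments by data sensitivity
SANDBOX = "sandbox"                           # isolated area of the Test Virtual Environment
# Assumed baseline: ports every system inherits from its environment (constructed values).
BASELINE_PORTS = {"low": {80, 443}, "moderate": {443}, "high": {443}}
# Assumed egress rules: ports a higher environment may use toward lower ones (constructed).
EGRESS_PORTS = {"moderate": {443}, "high": {443}}

@dataclass(frozen=True)
class System:
    name: str
    env: str  # "low", "moderate", "high" or "sandbox"

@dataclass(frozen=True)
class RuleException:
    """Per-system exception standing in for an approved FRR (hypothetical record shape)."""
    src: str
    dst: str
    port: int
    justification: str

def decide(src, dst, port, exceptions=()):
    """Return (allowed, reason) for a flow from src to dst on one port."""
    # Sandbox isolation is absolute: no exception can cross the boundary.
    if (src.env == SANDBOX) != (dst.env == SANDBOX):
        return False, "sandbox boundary"
    if src.env == SANDBOX:
        return True, "inside sandbox"
    approved = any(e.src == src.name and e.dst == dst.name and e.port == port
                   and bool(e.justification.strip()) for e in exceptions)
    if src.env == dst.env:
        if port in BASELINE_PORTS[src.env]:
            return True, "inherited baseline"
        return (True, "per-system exception") if approved else (False, "non-standard port")
    if RANK[src.env] > RANK[dst.env]:
        if port in EGRESS_PORTS[src.env]:
            return True, "higher to lower, egress rule"
        return (True, "per-system exception") if approved else (False, "no egress rule")
    # Lower to higher is never implicit: it needs a justified rule for this system pair.
    return (True, "justified exception") if approved else (False, "no justified rule")

def audit(flows, exceptions=()):
    """Return every denied flow as (src, dst, port, reason)."""
    denied = []
    for src, dst, port in flows:
        allowed, reason = decide(src, dst, port, exceptions)
        if not allowed:
            denied.append((src.name, dst.name, port, reason))
    return denied

# Constructed sample systems, exceptions and flows.
WEB_LOW, APP_MOD = System("web-low", "low"), System("app-mod", "moderate")
DB_HIGH, PROTO = System("db-high", "high"), System("proto", SANDBOX)
FRRS = (RuleException("web-low", "db-high", 1521, "reporting query, owner approved"),
        RuleException("app-mod", "db-high", 1521, ""))  # no justification recorded
FLOWS = [(DB_HIGH, WEB_LOW, 443), (WEB_LOW, DB_HIGH, 1521), (APP_MOD, DB_HIGH, 1521),
         (PROTO, WEB_LOW, 443), (PROTO, PROTO, 8080), (WEB_LOW, WEB_LOW, 22)]

if __name__ == "__main__":
    for row in audit(FLOWS, FRRS):
        print(row)
```

Running the audit over the sample flows lists the three denied cases: an exception with no recorded justification, a flow crossing the sandbox boundary, and a non-standard port inside one environment.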

Firewall

The NCC will redesign the firewall topology to utilize the strengths of virtualization technology and will
adopt a data-centric methodology for firewall rules and access. Zones will be aligned to correlate with the
data sensitivity of applications housed at the NCC and VLANs will be incorporated within the zones to
implement additional security measures.

Firewall Rule Request

The NCC will define industry standard ports and protocols to ensure supported application technologies
operate effectively. The NCC will maintain up-to-date, allowable ports and standard configurations by
proactively researching emerging application technologies.

Use of the FRR Lite process will be expanded to minimize the amount of information needed to open
communications for a supported application technology (e.g., source and destination IP addresses). The
NCC will also streamline the current FRR Addendum process to allow quick and efficient handling of
minor changes for standard applications.

Value-Added Security Services

The NCC will provide value-added security services as part of hosting services:

¦ Antivirus: Software to prevent, detect and remove malware including computer viruses, worms
and trojans. Such programs may also prevent and remove adware, spyware and other forms of
malware.

¦	Log Management: The management and analysis of computer-generated log messages to ensure
security of operations and compliance with Agency standards.

¦	Intrusion Prevention System (IPS): A network security device that monitors network and/or
system activities for malicious or unwanted behavior and can react in real time to block or
prevent those activities.

¦	Vulnerability Management: The structured approach to maintaining an appropriate security
state for the hosting environment, including determining the Agency's overall risk to both internal
and external attacks and identifying exposures and risks associated with any of the organization's
network attached resources such as servers, routers, switches and specialized network support
devices. Vulnerability management will also be done for the application prior to deployment or
after any major change.

¦	Compliance Monitoring/Patching: The system will be routinely scanned to verify compliance
with applicable standard configuration documentation and that the system has the minimum
required patches based on the operating system and version.

Appendix D: Failover and Disaster Recovery

The NCC's target hosting environment will consist of virtual servers with a standard configuration. As
the CRSSM Initiative is implemented, three additional EPA computer centers will host similarly
configured virtual servers. These computer centers will also have SAN storage compatible with the NCC.
Failover and DR will be available using remote EPA computer centers as recovery sites. By backing up
application servers and application data to the remote computer centers, restoring them to operation at the
remote site will be a straightforward task. The NCC will

¦	Deliver DR/failover solutions through the CRSSM internal "cloud."

¦	Have a defined set of requirements for DR solutions to ensure EPA's information assets are
adequately protected and managed.

¦	Establish memoranda of understanding (MOU) to ensure clear communications with customers to
understand each party's responsibilities and the solutions to be delivered in the event of a disaster.

To offer DR services, the NCC will

¦	Develop the hosting and storage standards, policies and procedures described in this Plan.

¦	Develop a MOU that outlines the roles and responsibilities agreements with each EPA remote
computer center and each DR customer.

¦	Develop a DR procedure for establishing, monitoring and managing DR implementations. In
addition, develop criteria for declaring and recovering from a disaster, including periodically
testing the recovery process.

¦	Analyze the WAN impact of DR backup and determine the resources necessary to minimize
WAN traffic.

¦	Develop DR service cost model.

Appendix E: Communications

During the implementation of the NCC's Operations Plan, the NCC will develop a communication plan
that addresses the communication needs of the NCC's internal and external audiences in the first quarter
of FY2010. The plan will address both transition communications and regular communications after the
full implementation of the Plan. In FY10, the NCC will hold a series of video conferences as one
mechanism to communicate with Program Offices and Regions to inform them about the NCC Operations
Plan and how it will benefit them.

The following sections articulate the goals and information needs for communications to internal and
external audiences.

Internal Communications with Staff and Managers

The NCC will ensure a disciplined and consistent approach to internal operational communications that
will enable its staff and management to execute the steps and activities necessary to deliver and manage
services contained in the service enhancement plan. The communications plan will address the following
goals and internal information needs.

Internal Communication Goals

The following are the internal communication goals of the NCC:

¦	Effective internal staff and management communication.

¦	Transparency into business processes.

¦	Continuity, knowledge transfer and retention among the staff and management.

¦	Ability of staff to communicate consistently and accurately with their customers.

Internal Information Needs

The following are the information needs that will be addressed in the internal communication approaches
for the NCC:

¦	Goals, objectives and future direction of the NCC.

¦	Transition timeline.

¦	Process changes.

¦	Program performance.

¦	Customer and stakeholder expectations of and satisfaction with NCC services.

¦	Scheduled activity, maintenance, changes or initiatives that may affect the normal operation of
the services.

¦	Outstanding problems or incidents and the actions taken to address them.

The communication approaches will be implemented on three levels:

¦	The program level, which addresses strategic objectives of the NCC.

¦	The service level, which addresses the communications needs of each service and cross-
functional areas.

¦	The operations and maintenance level, which covers standard operating procedures.

External Communications with Customers and Stakeholders

Communication with customers and stakeholders is important to ensure customer satisfaction. The focus
of the communication with customers and stakeholders will highlight the NCC's actions in meeting the
external business requirements and goals.

External Communication Goals

The following are the external communication goals of the NCC:

¦	Educate key audiences about the EPA's NCC.

¦	Educate customers about the NCC's services.

¦	Set up and maintain two-way communication mechanisms to understand the NCC service needs of
customers.

External Information Needs

The following are the information needs that will be addressed in the external communication approaches
for the NCC:

¦	Goals, objectives and future direction of the NCC.

¦	Program performance.

¦	Service and ordering process changes.

¦	Incidents and their status.

¦	Scheduled activities and maintenance and how they will affect customers.

¦	Customer satisfaction and how concerns will be addressed.

External Communication Methods

The following communication methods will be used to communicate with customers and stakeholders:

¦	Briefings.

¦	Memoranda.

¦	Web conferences.

¦	Participation in customer forums (e.g., conferences, trade shows, meetings).

Appendix F: Internal NCC Operations Transition Timeline Detail
FY2010-FY2011

The table below highlights supplemental steps and activities to support the high-level activities listed in
the transition timeline included in Section 3: Transition Plan.

Table F-1 NCC Operations Transition Timeline Detail FY2010 - FY2011

Number	Activity	Start Date	End Date

SERVICE DELIVERY PROCESSES
1.0	Streamline ADC process	October 2009	June 2010
1.1	Identify the goals of a streamlined ADC process (metrics)
1.2	Define the current NCC/customer deployment transition points
1.3	Outline and design a revised ADC process
1.4	Implement
1.5	Measure
2.0	Offer Web-based ordering	October 2010	January 2011
2.1	Define the requirements (Relationship with eBusiness)
2.2	Design
2.3	Customer focus groups/feedback/testing
2.4	Revise the process
2.5	Test
2.6	Implement
2.7	Feedback

HOSTING PLATFORM
3.0	Offer Dedicated Hosting on X86 Virtual Infrastructure	October 2009	March 2010
3.1	Establish VM infrastructure
3.2	Develop standards for VM sizing and resource allocation
3.3	Develop methods for VM resource accounting and billing
3.4	Analyze costs and develop pricing
3.5	Offer virtualized server service (under UH)
3.6	Offer three hosting service options
4.0	Migrate shared hosting platforms to virtual infrastructure	April 2010	September 2010
4.1	Identify which shared platforms are appropriate for VM Hosting
4.2	Test platforms in the VM context
4.3	Identify VM capacity for individual platforms
4.4	Develop configuration standard for platforms on VM

4.5	Develop a plan for migration (with customer communication and buy off)
4.6	Implement/migrate platforms
5.0	Offer Specialized HPC Hosting	October 2010	February 2011
5.1	Develop plan with goals, requirements, and options
5.2	Management approval to proceed
5.3	Presentation to WCF Board & Board approval to proceed
5.4	Implement contracts or MOUs to support services, perform outreach to potential customers, and prepare service for FY11 implementation
6.0	Offer Application Development Environments	October 2010	November 2011
6.1	Define the requirements for application development (e.g., security, change management, interoperability with staging and production)
6.2	Design
6.3	Implement

STORAGE
7.0	Refresh NCC Midrange Storage Infrastructure	January 2010	May 2011
7.1	Identify NCC tiers and required volumes (e.g., tiered storage performance requirements)
7.2	Design storage tiering method
7.3	Plan acquisition strategy
7.4	Implement tiered storage platforms

FACILITIES
8.0	NCC Facility Modernization	April 2010	September 2011
8.1	Implement Green IT in NCC
8.1.1	Agree on the goal of Green IT for NCC
8.1.2	Document measures to date
8.1.3	Identify path forward
8.2	Re-architect NCC power, cooling and server placement

NETWORK
9.0	Refresh NCC Network Infrastructure	April 2010	September 2010
9.1	Describe current infrastructure
9.2	Identify refresh requirements
9.3	Establish WCF funding to support refresh
9.4	Design and implement the refresh

PERFORMANCE MONITORING AND CAPACITY PLANNING
10.0	Establish operational awareness infrastructure	October 2009	April 2010


10.1	Define the goals
10.2	Define the requirements
10.3	Evaluate options
10.4	Design
10.5	Implement
10.6	Test
10.7	Deploy
11.0	Establish infrastructure capacity planning	June 2010	November 2010
11.1	Define the goals
11.2	Define the requirements
11.3	Evaluate options
11.4	Design
11.5	Implement
11.6	Test
11.7	Deploy

SECURITY
12.0	NCC security zone re-design	October 2009	June 2010
12.1	Define NCC security zone re-design goals (e.g., streamline firewall rule documentation and implementation process)
12.2	Analyze firewall rules
12.3	Document requirements for varying levels of protection (zone architecture)
12.4	Design rules to accommodate communication within the zones
12.5	Qualify the technology and the process to test/verify that zones are operating as designed
12.6	Establish processes for modifying/implementing rules
12.7	Obtain prerequisite approval (TISS)

DISASTER RECOVERY AND FAILOVER
13.0	Offer low-cost streamlined DR service	June 2010	August 2011
13.1	Requirements
13.2	Evaluate options
13.3	Design solutions
13.4	Implement
13.5	Measure

SERVICE TRACKING
14.0	Offer Customer Application Dashboard (performance monitoring and tracking)	November 2009	March 2011


14.1	Define the goals
14.2	Define the requirements
14.3	Evaluate options
14.4	Design
14.5	Implement
14.6	Test
14.7	Deploy

Appendix G: Acronyms
