HHS IRM Policy for Directory Services Using LDAP
January 8, 2001
This circular establishes the policies and responsibilities for the Implementation and Usage of the Enterprise Directory Service [which will use the Lightweight Directory Access Protocol (LDAP)] by the Department of Health and Human Services (HHS) and its Agencies.
The American public relies on the U.S. Department of Health and Human Services (HHS) to administer a broad range of approximately 300 Federal program activities. Together with its many service partners, HHS delivers $238 billion of health care services annually to 62 million people through its Medicare, Medicaid and Indian Health Service Programs. HHS also plays a vital role in ensuring safety, efficacy, and appropriate use of health care products; controlling disease and promoting health; advancing biomedical research; and assisting the poor. HHS’ service partners include States, universities, contractors and not-for-profit organizations. Together these activities are vital to the health and well-being of the American public, especially the elderly, children, and the poor. Taking account of private and public spending, the health sector constitutes a significant segment of the overall U.S. economy and looks toward HHS to lead the future direction of these vital health activities.
Presidential Decision Directive 63 (PDD 63), "Critical Infrastructure Protection" requires each Federal Agency to develop a vulnerability plan, implement an infrastructure framework solution, monitor the enterprise infrastructure for vulnerabilities and respond to threats as appropriate.
In order to become more compliant with Federal regulations, the HHS will implement an Enterprise Directory Service. The HHS centralized enterprise directory will be used to manage access rights of its internal personnel, business partners and customers.
An electronic directory server provides access to information via electronic means. This information varies in content, but it is explicitly defined by the directory's purpose. Information about people, organizations, services and network hardware is just one example of the data content that a directory service can provide.
Electronic mail communication benefits from the existence of a global electronic "White Pages" because these "White Pages" allow network users to retrieve address information in an intuitive fashion. Manual searching for names and addresses, specifically electronic addresses, can take a great deal of time. A "White Pages" directory service permits network users to retrieve the addresses in a user friendly way, using known variables such as common name, surname, and organization to facilitate various levels of searches.
The Enterprise Directory is a global service composed of independently operated and distributed Directory Service Agents (DSAs) that provide information in the form of a "White Pages" Telephone Directory. An Enterprise Directory service provides a common access point for this distributed information, and is generally configured to make access to the information sought intuitive and easy.
The Enterprise Directory Model is a distributed collection of independent systems that cooperate to provide a logical database of information to provide a global Directory Service. Directory information about a particular organization is maintained locally in a DSA. This information is structured. It is possible for one organization to keep information about other organizations, and it is possible for an organization to operate independently from the global model as a stand-alone system. DSAs that operate within the global model have the ability to exchange information with other DSAs by means of a common protocol.
Lightweight Directory Access Protocol (LDAP) is a common protocol used for client-to-server communication. LDAP defines a standard method for accessing and updating information in a directory.
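The "White Pages" searches described above are expressed as LDAP search filters built from user-supplied values such as common name, surname and organization. The following added example, which is not part of the HHS policy, shows how a client should construct such a filter using the LDAPv3 filter string syntax of RFC 2254 (one of the RFC 2251 through 2256 series listed in the guidance section): every user-typed value is escaped before it is placed in the filter, so that characters with syntactic meaning are matched literally and cannot change which entries the search returns. The attribute names, function names and sample inputs are assumptions made for illustration.

```python
"""Building LDAP "White Pages" search filters safely.

Added example, not part of the HHS policy. It uses the LDAPv3 filter string
syntax of RFC 2254 (in the policy's guidance list, RFC 2251 through 2256):
values typed by a user are escaped before they are placed in a filter, so
that a value containing "*", "(" or ")" is matched literally instead of
altering which entries the search returns.
"""
from typing import Optional

# Characters with syntactic meaning inside a filter value (RFC 2254 section 4),
# each replaced by a backslash and the two hex digits of its byte value.
_ESCAPES = {
    "\\": "\\5c",
    "*": "\\2a",
    "(": "\\28",
    ")": "\\29",
    "\x00": "\\00",
}


def escape_filter_value(value: str) -> str:
    """Escape a user-supplied value so it is matched literally inside a filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def white_pages_filter(cn: Optional[str] = None, sn: Optional[str] = None,
                       o: Optional[str] = None, prefix: bool = False) -> str:
    """Build an AND filter over common name, surname and organization.

    Only attributes the user actually supplied are included. Prefix matching
    ("Sm" finds "Smith") is selected with the prefix flag, so the wildcard is
    appended by this code; a "*" typed by the user is escaped like any other
    character.
    """
    clauses = []
    for attr, value in (("cn", cn), ("sn", sn), ("o", o)):
        if value:
            escaped = escape_filter_value(value)
            clauses.append(f"({attr}={escaped}*)" if prefix else f"({attr}={escaped})")
    if not clauses:
        raise ValueError("at least one of cn, sn or o must be given")
    if len(clauses) == 1:
        return clauses[0]
    return "(&" + "".join(clauses) + ")"


if __name__ == "__main__":
    # Constructed inputs: an ordinary lookup, and a value that would alter the
    # search if it were not escaped.
    print(white_pages_filter(sn="Smith", o="HHS"))   # (&(sn=Smith)(o=HHS))
    print(white_pages_filter(sn="*)(uid=*"))         # (sn=\2a\29\28uid=\2a)
```

The design point is that the only place a wildcard can enter the filter is the `prefix` flag, which the code controls; anything the user types goes through `escape_filter_value` first. The same escaping applies to any attribute a White Pages front end lets users search on.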
This policy applies to all Departmental (Operating Division and Staff Division) Directory implementation whether owned and operated by HHS, or operated on behalf of HHS.
4.1 HHS End-User Interface
4.1.1 The HHS user interface shall use Lightweight Directory Access Protocol (LDAP) for accessing on-line Directory Services.
4.1.2 LDAP shall be used as a primary standard for client-to-server communication.
4.2 HHS Enterprise Directory Architecture
4.2.1 The HHS Enterprise Directory architecture shall be that of a single logical Departmental Directory all emanating from the root domain.
4.2.2 By implementing an LDAP-enabled Directory, the OPDIV Directory Managers shall be able to control what is shared and viewable across the global directory.
4.2.3 Security and independence of the OPDIV domains is recognized to be critical to the success of the HHS Enterprise Directory. Each OPDIV’s Directory Manager shall have the ability to update its branch or portion of the global directory. The OPDIVs shall possess read-only rights to information not under their sole-ownership. Changes to OPDIV’s information residing in the global directory shall be done only through prior approval by the OPDIV to which the information belongs. The Enterprise Directory Manager shall have the responsibility to make updates to the directory following the OPDIV’s approval.
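Section 4.2.3 describes a delegated access model: each OPDIV Directory Manager may update only its own branch of the single logical directory, while holding read-only rights to everything else. The following added example, which is not HHS code and not a configuration of any particular directory product, models that rule as an authorization check over distinguished names. DNs are compared component by component rather than with a plain string-suffix test, so that an entry under a similarly named sibling branch (for example `ou=NIH2,o=HHS` against the branch `ou=NIH,o=HHS`) is not mistaken for being inside the OPDIV's branch. The branch names, manager identities and the `o=HHS` root are constructed for illustration.

```python
"""Branch-scoped write authorization for a delegated directory.

Added example, not HHS code. It models the rule in section 4.2.3: an OPDIV
Directory Manager may modify entries under the OPDIV's own branch of the
single logical directory, everyone may read, and writes anywhere else are
refused. DN strings are parsed into components (RFC 2253 string form) and
compared component by component, so "ou=NIH2,o=HHS" is not treated as being
under "ou=NIH,o=HHS". All names below are constructed for illustration.
"""
from typing import Dict, List, Tuple

RDN = Tuple[str, str]


def parse_dn(dn: str) -> List[RDN]:
    """Split a DN into (attribute, value) pairs, leaf-most component first.

    Simplified RFC 2253 parser: it honours the backslash escape for a literal
    comma and lower-cases attribute types and values. Lower-casing values is
    correct for caseIgnore attributes such as o, ou and uid used here; it would
    not be appropriate for case-sensitive attribute types.
    """
    parts: List[str] = []
    current: List[str] = []
    i = 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            current.append(dn[i + 1])   # escaped character, taken literally
            i += 2
            continue
        if ch == ",":
            parts.append("".join(current))
            current = []
        else:
            current.append(ch)
        i += 1
    parts.append("".join(current))

    rdns: List[RDN] = []
    for part in parts:
        attr, _, value = part.partition("=")
        rdns.append((attr.strip().lower(), value.strip().lower()))
    return rdns


def is_under(entry_dn: str, branch_dn: str) -> bool:
    """True if entry_dn equals branch_dn or lies anywhere below it."""
    entry = parse_dn(entry_dn)
    branch = parse_dn(branch_dn)
    if len(entry) < len(branch):
        return False
    # Components are leaf-first, so the branch must equal the trailing components.
    return entry[len(entry) - len(branch):] == branch


# Constructed mapping: which branch each OPDIV Directory Manager may write.
BRANCH_OWNERS: Dict[str, str] = {
    "uid=cdc-dirmgr,ou=admins,o=HHS": "ou=CDC,o=HHS",
    "uid=nih-dirmgr,ou=admins,o=HHS": "ou=NIH,o=HHS",
}
_OWNERS = {tuple(parse_dn(k)): v for k, v in BRANCH_OWNERS.items()}


def authorize(bind_dn: str, operation: str, target_dn: str) -> bool:
    """Apply the section 4.2.3 rule to one request.

    Reads are permitted for everyone in the enterprise; writes only by the
    manager whose branch contains the target entry. Any other operation is
    refused rather than silently allowed.
    """
    if operation == "read":
        return True
    if operation != "write":
        return False
    branch = _OWNERS.get(tuple(parse_dn(bind_dn)))
    return branch is not None and is_under(target_dn, branch)


if __name__ == "__main__":
    mgr = "uid=cdc-dirmgr,ou=admins,o=HHS"
    print(authorize(mgr, "write", "cn=Jane Doe,ou=People,ou=CDC,o=HHS"))  # True
    print(authorize(mgr, "write", "cn=Bob Roe,ou=NIH,o=HHS"))             # False
    print(authorize(mgr, "read", "cn=Bob Roe,ou=NIH,o=HHS"))              # True
```

In a real deployment this rule would be expressed in the directory server's own access-control configuration rather than in client code; the example shows the check that configuration must implement, including the sibling-branch case that a naive suffix comparison gets wrong. The approval workflow for changes made by the Enterprise Directory Manager on an OPDIV's behalf is a procedural control and is not modelled here.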
The CIO is responsible for providing advice and assistance to the Secretary and other senior management personnel, to ensure that information technology is acquired and information resources are managed for the agency in a manner that implements the policies and procedures of the HHS Enterprise Directory.
The CIO is responsible for approving any Directory implementation by HHS OPDIVs.
5.2 The Deputy Assistant Secretary for Information Resource Management
The Deputy Assistant Secretary for Information Resources Management (DASIRM) shall assure that the HHS Enterprise Directory effectively supports mission requirements, meets strict performance criteria, and conforms to the HHS hierarchical directory architecture.
The DASIRM is responsible for defining, implementing and managing HHS directory policy decisions. The DASIRM is also responsible for certification and accreditation of the global directory implementation and has responsibility for the oversight of all directory operations. The DASIRM will provide lead support in the development and implementation of the HHS Enterprise Directory. The DASIRM is responsible for the appointment of the Enterprise Directory Manager. The DASIRM is also responsible for assuring that proper and reliable operations of the Enterprise Directory are maintained, and for seeing that proper LDAP policies and directives are in place.
5.3 The OPDIV CIOs, and OPDIV/StaffDiv Program/Project Managers
The OPDIV CIOs shall be responsible for assuring that directory implementation is performed in accordance with the policy of the DASIRM. The OPDIV CIOs provide planning guidance to, and oversight of the directory infrastructure, and direct the activity of the OPDIV’s Directory Manager.
The OPDIV CIOs have overall responsibility for assuring that proper and reliable operations of the OPDIV Directories are maintained, and for seeing that the policies and directives of the DASIRM are carried out. They are responsible for establishing and approving detailed operating procedures. Responsibilities of the OPDIV CIOs include oversight of:
5.4 The Enterprise Directory Manager
The Enterprise Directory Manager operates the HHS Enterprise Directory on a day-to-day basis and assures that it is functioning properly, that all procedures and safeguards are being followed, and that any operational errors, anomalies, and breaches of policy and procedure are addressed promptly and properly. The Enterprise Directory Manager institutes and consistently follows operational procedures that promote reliability and trust.
The Enterprise Directory Manager is responsible for developing and maintaining plans, policies and procedures pertaining to operation of the Directory and the overall operation of the Enterprise Directory Network.
5.5 The OPDIV Directory Manager
In accordance with direction from the Enterprise Directory Manager, the OPDIV Directory Manager operates the directory on a day-to-day basis and assures that it is functioning properly, that all procedures and safeguards are being followed, and that any operational errors, anomalies, and breaches of policy and procedure are addressed promptly and properly. The OPDIV Directory Manager institutes and consistently follows operational procedures that promote reliability and trust.
The OPDIV Directory Manager is responsible for developing and maintaining plans, policies and procedures pertaining to operation of the directory and the overall operation of the Enterprise Directory Network.
The OPDIV Directory Manager shall work in coordination with the Enterprise Directory Manager.
6. Applicable Laws/Guidance
The following guidance documents are applicable:
- Open Systems Interconnect (OSI) Reference Model - ISO 7498
- Lightweight Directory Access Protocol (LDAP) – RFC 1777
- LDAP v2 - RFC 1778, 1779, 1959, and 1960
- LDAP v3 – RFC 2251 through 2256
- The LDAP Application Program Interface – RFC 1823
- Clinger-Cohen Act of 1996
- The Government Paperwork Elimination Act (GPEA) – October 8, 1998
- The Presidential Decision Directive 63 (PDD 63) – "Critical Infrastructure Protection"
7. Information and Assistance
Direct questions, comments, suggestions or requests for further information to the Deputy Assistant Secretary for Information Resources Management, (202) 690-6162.
8. Effective Date
This policy is effective on the date it is approved.
John J. Callahan DATE
Assistant Secretary for Management and Budget
- LDAP - Lightweight Directory Access Protocol (LDAP) is a common protocol used for client-to-server communication. LDAP defines a standard method for accessing and updating information in a directory.