Skip Navigation
  • Text Size: A A A
  • Print
  • Email
  • Facebook
  • Tweet
  • Share
  • Print
  • Email
  • Facebook
  • Tweet
  • Share

HHS IRM Policy for Active Directory

January 8, 2001


Table of Contents

  1. 1. Purpose
  2. 2. Background
  3. 3. Scope
  4. 4. Policy
  5. 5. Roles and Responsibilities
  6. 6. Applicable Laws/Guidance
  7. 7. Information and Assistance
  8. 8. Effective Date/Implementation
  9. 9. Approved
  10. 10. Glossary


1. Purpose

This circular establishes the policies and responsibilities for the installation and coordination of Active Directory throughout the Department of Health and Human Services (HHS).

2. Background

Windows 2000 networking is being installed in large parts of HHS operations as a replacement for a variety of other networking products. As this occurs the opportunity exists to dramatically facilitate communications across OPDIVs, to reduce the expenses of duplicate support activities, and to increase productivity by sharing intellectual resources. A common "forest" of Windows 2000 "domains," (i.e. sharing a single Active Directory) will accomplish this effort while also facilitating the independence, security, and operational integrity of each OPDIV. It will also increase efficiency in the management of the enterprise architecture while improving compliance with the Clinger-Cohen act of 1996.

3. Scope

This policy applies to all Departmental (Operating Division and Staff Division) system development, maintenance efforts, and infrastructure computing resources at all levels of sensitivity, whether owned and operated by HHS, or operated on behalf of HHS.

4. Policy

HHS networks using Windows 2000 shall coordinate their installation and maintenance activities with the HHS CIO such that all networked Windows 2000 computers are members of one HHS "forest." This will be accomplished through migrating from multiple "forests" to the single HHS "forest" where multiple "forests" currently exist. Where no current Windows 2000 "forest" currently exists, a single HHS "forest" shall be established. Every effort shall be made to populate an existing HHS "forest" before establishing a new "forest." Permission to establish any "forest" (except for a test "forest") must be obtained from the DASIRM prior to establishing the "forest." (See Definitions.) OPDIVs are responsible for constructing and maintaining their own domains as they see appropriate.

The Active Directory shall be constructed by an HHS Enterprise Network Team (HHSENT) led by the DASIRM and consisting of representatives from all OPDIVs with planned Windows 2000 implementations. Once the schema is agreed to it shall be modified only by agreement of the HHSENT, who will function as the Change Control Board.

Security and independence of the domains is recognized to be critical to the success of the HHS Network. It is expected that some domains will lock out all administrative access (i.e., the ability of someone outside the domain to make security changes.) As such the Enterprise Administrators group will be limited to a small number of people in the HHSENT as designated by the HHS Deputy CIO and OPDIV CIO’s. Furthermore, the ability to log into the accounts that can take over control of a domain shall be limited. [This could be accomplished by splitting the passwords to the accounts so that no one member of the team can act unilaterally, (i.e., a password will have several parts with no one person knowing the others)].

5.1 The HHS Deputy Assistant Secretary for Information Resources Management(DASIRM)

  1. The HHS Deputy Assistant Secretary for Information Resources Management (DASIRM) shall designate personnel on his/her staff to work on the HHSENT, shall assure that the team meets in a regular and effective manner to accomplish the information processing needs of the Department, shall authorize Enterprise Administrators in conjunction with OPDIV CIO’s. The DASIRM shall lead the HHSENT.

5.2 THE OPDIV CIOS, and OPDIV/StaffDiv Program/Project Managers

The OPDIV CIOs shall be responsible for:

  • providing senior technical staff and resources for participation in the HHSENT;
  • assuring that Windows 2000 plans and implementations are designed to participate in the HHS forest;
  • providing physical and software security for Active Directory servers; and
  • coordinating directory enabled applications with the HHSENT.

6. Applicable Laws/Guidance

The following public laws and Federal regulations are applicable to this policy circular:

  • Computer Security Act of 1987 (P.L. 100-235);
  • Clinger-Cohen Act of 1996;
  • Office of Management and Budget (OMB) Circular No. A-130, Management of Federal Resources, Appendix III, Security of Federal Automated Information Resources;
  • Presidential Decision Directive 63 (PDD-63), Critical Infrastructure Protection, May 22, 1998; and
  • HHS Automated Information Systems Security Program Handbook, May 1994

7. Information and Assistance

Direct questions, comments, suggestions or requests for further information to the Deputy Assistant Secretary for Information Resources Management, (202) 690-6162.

8. Effective Date

The effective date of this policy is the date the policy is approved.

9. Approved

___________/s/________________ __01/08/01____

John J. Callahan
Assistant Secretary for Management and Budget

10. Glossary

Active Directory - A structure supported by Windows® 2000 that lets any object on a network be tracked and located. Active Directory is the directory service used in Windows 2000 Server and provides the foundation for Windows 2000 distributed networks.

Domains - A single security boundary of one or more computers that form a computer network. Active Directory is made up of one or more domains. On a standalone workstation, the domain is the computer itself. A domain can span more than one physical location. Every domain has its own security policies and security relationships with other domains. When multiple domains are connected by trust relationships and share a common schema, configuration, and global catalog, they constitute a domain tree. Multiple domain trees can be connected together to create a forest.

Forest - A group of one or more trees that trust each other. All trees in a forest share a common schema, configuration, and global catalog. When a forest contains multiple trees, the trees do not form a contiguous namespace. All trees in a given forest trust each other through transitive bidirectional trust relationships. Unlike a tree, a forest does not need a distinct name. A forest exists as a set of cross-referenced objects and trust relationships known to the member trees. Trees in a forest form a hierarchy for the purposes of trust.

Trees - A set of Windows domains connected together through transitive, bidirectional trust, sharing a common schema, configuration, and global catalog.

Schema - The definition of an entire database; the universe of objects that can be stored in the directory is defined in the schema. For each object class, the schema defines what attributes an instance of the class must have, what additional attributes it may have, and what object class can be a parent of the current object base.