HRPAY 19-13, Secure File Transfer Protocol (SFTP) Process

Published: December 11, 2019
Effective: Pay Period 20, 2019

Summary

In accordance with the Secure File Transfer Protocol (SFTP) requirements mandated by the United States Department of Agriculture (USDA), all file transmissions currently conducted via File Transfer Protocol (FTP), and any new file transmissions, must utilize the SFTP method.

Agencies and the National Finance Center (NFC) will continue to establish a project team, considering roles, responsibilities, and skill sets required. Agencies will identify Points of Contact (POCs) and vendor/contract support and communicate the roles and responsibilities to their project team.

Agencies must submit their SFTP requirements to NFC via Form AD-3003, Software Change Request (SCR). In addition, Form AD-3113, Secure File Transfer Protocol (SFTP) File Transmission Request, must be completed to provide all file-related information. The NFC-assigned project number must be included in all subsequent correspondence related to the project. Once NFC receives forms from the Agency, NFC will schedule a meeting to review the request with the Agency technical team. If an outside contractor or servicing Agency manages the actual FTP process, they must participate as well.

Implementation

For each project, the process below will be followed from initiation through implementation.

To Establish Project Team:

Each project team should include the POCs listed below.

• Agency Network POC. The Agency Network POC will work with NFC network personnel to:
  • Determine whether your server supports SFTP.
  • Determine whether your server has Pretty Good Privacy (PGP) key capability.
  • Configure servers.
  • Set up firewall rules.
  • Establish connections between the NFC server and the Agency server.
  • Exchange IP addresses.
  • Test network traffic between end points.
  • Provide server file names.

• Agency Security POC. The Agency Security POC will work with NFC security personnel to:
  • Download recommended free security software.
  • Exchange PGP keys with NFC.

• Agency Testing POC. The Agency Testing POC will work with NFC network and development personnel to:
  • Troubleshoot and test connectivity.
  • Troubleshoot and test file data.

• Agency Interconnection Security Agreement (ISA) POC. The ISA POC will work with NFC ISA personnel to:
  • Review the existing ISA to identify changes needed to network architecture or establish a new ISA, if none exists.

    Note: If connectivity to the vendor is required, the ISA must be completed by the vendor.

After the project teams have been established, they will follow the process below.

To Establish Project:

1. Agency submits the completed Form AD-3003 and Form AD-3113 to NFC.GESDREQUEST@usda.gov.
2. NFC requirements analyst contacts Agency within 15 days to acknowledge receipt of the request.
3. NFC requirements branch prepares a Functional Requirements Document (FRD) due date based on project complexity and/or Agency priority (e.g., 30 days for a small project, 60 days for a medium project, and 90-120 days for a large project).
4. NFC requirements branch requests an Interim Interagency Agreement (IIA) to fund requirements, if applicable.

   Note: No IIA is needed unless files are being added; file formats are being modified to add, modify, or delete data elements; or files are being deleted.

5. NFC Project Control Office (PCO) sends the IIA to Agency, if applicable.
6. Agency returns the signed IIA, if applicable, within 14 days.

To Define Requirements:

1. NFC requirements analyst conducts meetings with the project team to further define and clarify requirements.
2. NFC requirements analyst completes the FRD and submits to Agency.
3. Agency returns the signed FRD within 14 days.
4. Agency reviews, updates, and returns the ISA to NFC.

   Note: No updates to the ISA are required unless more than 3 years have passed since it was last updated, or the project requires changes in network architecture (e.g., IP Address).

5. NFC prepares cost estimate, if applicable.
6. NFC submits the final Interagency Agreement (IA) package, including the signed FRD and cost estimate, to the Agency, if applicable.
7. Agency returns the signed IA package within 14 days, if applicable.

To Implement Changes:

1. NFC builds workflow process, account profile, firewall rules, PGP encryption keys, and establishes server connectivity.
2. Agency or vendor loads PGP encryption keys, modifies firewall rules, and establishes server connectivity.
3. NFC and Agency or vendor test server connectivity.
4. NFC development staff writes code to create requested data file changes.
5. NFC schedules project for implementation.
6. NFC migrates software code.
7. NFC closes project 2 weeks after successful implementation.

Resources

For more information, refer to the Secure File Transfer Process (SFTP) Process information on NFC's Web site.

Inquiries

For questions about NFC processing, authorized Servicing Personnel Office representatives should contact the NFC Contact Center at 1-855-NFC-4GOV (1-855-632-4468) or via the customer service portal.