New profile adds security to the enterprise mix

[Photo caption] The CIO Council is developing a 10-step process to help agencies implement the profile, EPA's Kim Nelson says. (Photo: Henrik G. de Gyor)

The Office of Management and Budget is instructing agencies to make a direct connection between the lines of business in the Federal Enterprise Architecture and security and privacy.

The security and privacy profile released this month extends across all five FEA reference models.

That means agencies now have a common starting point to discuss how to make sure security and privacy issues fit across lines of business and throughout a system's life-cycle, said Karen Evans, OMB administrator for e-government and IT.

But she cautioned: 'This is not meant to say how to set security and privacy settings. This is not the silver bullet to answer what security is needed.'

The guide, however, establishes a process to help agencies balance the need for information sharing with security and privacy policies, the document noted.

OMB has been working on this profile for almost a year and, at one time, considered developing a separate FEA layer for security and privacy. OMB had also hoped to have released the Data Reference Model by now; it is the final model to join the Business, Technical, Service Component and Performance reference models. Originally set for a July release, it is now more than a month overdue.

Kim Nelson, CIO of the Environmental Protection Agency and co-chairwoman of the CIO Council's Architecture and Infrastructure Committee, said agencies previously looked at security and privacy 'in relation to a specific IT system.'

'Now the conversation has moved from a technical discussion of specific controls to one which supports the business owner in identifying and implementing levels of protection necessary to mitigate or manage threats, risks, exposures and vulnerabilities related to the lines of business and business process,' she said.

But Alan Paller, director of research for the SANS Institute of Bethesda, Md., said the profile needs to do more.

'I'm still waiting to see the connection between security architecture and more secure systems,' he said. 'It will take some extraordinary expertise on the part of agencies to translate this profile into actionable information.'

Evans said the profile may never include such a level of detail because that is the purpose of the Federal Information Security Management Act guidance.

The CIO Council has started to plan the second version of the profile. OMB is accepting comments on the profile for inclusion in the second phase.

The next-generation profile will improve integration between the FEA and the National Institute of Standards and Technology's security guidelines, Nelson said. It will also include detailed implementation scenarios for agencies to use as references.

Nelson said the CIO Council is developing a 10-step process to help agencies implement the profile. The council will issue a draft version this fall.

'It builds on processes in place to the extent possible, incorporating federal security practices from NIST,' she said.

Evans and Nelson said the profile will help agencies in four ways:
  • To identify security and privacy needs and link them to the guidance from NIST

  • To translate procedural security and privacy requirements into technical controls

  • To promote early identification of security and privacy concerns

  • To identify possible risk exposures, types of controls needed to manage or mitigate risk and potential costs for the controls.

'The profile really gives agencies the ability to talk about security and privacy within a common framework,' Evans said.
