FEA security, privacy profile issued

The Office of Management and Budget today gave agencies a how-to guide to make sure security and privacy are incorporated across all lines of business.

The administration released the Federal Enterprise Architecture Security and Privacy Profile as 'guidance on designing and deploying measures that ensure the protection of information resources.'

The guide provides a process that will help agencies balance the need for information sharing with the application of security and privacy policies, OMB said in the document.

OMB has been working on this profile for almost a year and, at one time, considered developing a separate FEA layer for security and privacy. OMB also had hoped to release the Data Reference Model (the final one) in July, but it is now more than a month late.

Agencies can apply the security profile to each line of business and each of the five layers of the FEA: the business, service component, performance, technical and data reference models. The profile will help agencies:

  • Identify security and privacy needs and link them to the guidance from the National Institute of Standards and Technology

  • Translate procedural security and privacy requirements found at the business level into the technical controls necessary at the systems level

  • Promote early identification of security and privacy issues

  • Disclose possible risk exposure, types of controls needed to manage or mitigate the risk and potential costs for the controls.

The profile outlines a set of questions for agencies to answer for each reference model to determine the security and privacy needs of the line of business.

The resulting answers, the guidance said, should be 'reviewed, validated, and in many cases, measured using performance metrics' by the participating agencies in that line of business.

Agencies then should use NIST guidances FIPS 199 and SP 800-53 to determine system security categorization and conduct an alternative analysis.

'This analysis will enable [the agencies] to define the final set of security controls that might be needed by the business processes and supporting systems,' the guidance said.

OMB is accepting comments on the profile, which will be included in phase 2 of the document. Phase 2 will include a better integration between the FEA and NIST and detailed implementation scenarios for agencies to use as a reference.
