FEA security, privacy profile issued
- By Jason Miller
- Sep 03, 2004
The Office of Management and Budget today gave agencies a how-to guide to make sure security and privacy are incorporated across all lines of business.
The administration released the Federal Enterprise Architecture Security and Privacy Profile as 'guidance on designing and deploying measures that ensure the protection of information resources.'
The guide provides a process that will help agencies balance the need for information sharing with the application of security and privacy policies, OMB said in the document.
OMB has been working on this profile for almost a year and, at one time, considered developing a separate FEA layer for security and privacy. OMB also had hoped to release the Data Reference Model, the final one, in July, but it is now more than a month late.
Agencies can apply the security profile to each line of business and to each of the five layers of the FEA: the business, service component, performance, technical and data reference models. The profile will help agencies:
- Identify security and privacy needs and link them to the guidance from the National Institute of Standards and Technology
- Translate procedural security and privacy requirements found at the business level into the technical controls necessary at the systems level
- Promote early identification of security and privacy issues
- Disclose possible risk exposure, the types of controls needed to manage or mitigate the risk, and the potential costs of those controls.
The profile outlines a set of questions for agencies to answer for each reference model to determine the security and privacy needs of the line of business.
The resulting answers, the guidance said, should be 'reviewed, validated, and in many cases, measured using performance metrics' by the participating agencies in that line of business.
Agencies then should use NIST guidance, FIPS 199 and SP 800-53, to determine the system security categorization and conduct an alternatives analysis.
'This analysis will enable [the agencies] to define the final set of security controls that might be needed by the business processes and supporting systems,' the guidance said.
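The FIPS 199 step named above is mechanical enough to show in code. The following is an added illustration, not code from the OMB profile, the article or NIST: it applies the FIPS 199 high-water-mark rule (a system's impact level for each of confidentiality, integrity and availability is the highest level assigned to any information type it handles, and the overall level, which selects the SP 800-53 baseline, is the highest of the three). The information types and impact levels are constructed for a hypothetical grants-management system; the function and variable names are the author's own.

```python
from enum import IntEnum


class Impact(IntEnum):
    """FIPS 199 potential-impact values, ordered so max() yields the high-water mark."""
    NOT_APPLICABLE = 0   # permitted only for confidentiality, and only on an information type
    LOW = 1
    MODERATE = 2
    HIGH = 3


OBJECTIVES = ("confidentiality", "integrity", "availability")


def validate_category(name, category):
    """Reject malformed information-type categories before they reach the high-water mark."""
    missing = [obj for obj in OBJECTIVES if obj not in category]
    if missing:
        raise ValueError(f"{name}: missing objective(s) {missing}")
    for obj in OBJECTIVES:
        value = category[obj]
        if not isinstance(value, Impact):
            raise ValueError(f"{name}: {obj} must be an Impact, got {value!r}")
        if value is Impact.NOT_APPLICABLE and obj != "confidentiality":
            raise ValueError(f"{name}: N/A is only allowed for confidentiality")


def categorize_system(info_types):
    """FIPS 199 system categorization: per-objective high-water mark across every
    information type the system handles. The floor for a system is LOW on every
    objective, so a type marked N/A for confidentiality cannot pull the system below LOW."""
    if not info_types:
        raise ValueError("a system must carry at least one information type")
    system = {obj: Impact.LOW for obj in OBJECTIVES}
    for name, category in info_types.items():
        validate_category(name, category)
        for obj in OBJECTIVES:
            system[obj] = max(system[obj], category[obj])
    return system


def overall_impact(system_category):
    """Overall system impact level: the highest of the three objectives."""
    return max(system_category.values())


def baseline_name(system_category):
    """Name of the SP 800-53 baseline (LOW, MODERATE or HIGH) the overall level selects."""
    return overall_impact(system_category).name


def format_category(category):
    """Render a category in the SC = {(objective, impact), ...} notation FIPS 199 uses."""
    parts = ", ".join(f"({obj}, {category[obj].name})" for obj in OBJECTIVES)
    return "SC = {" + parts + "}"


# Constructed sample (hypothetical): three information types on one grants-management system.
SAMPLE_INFO_TYPES = {
    "public program descriptions": {
        "confidentiality": Impact.NOT_APPLICABLE,
        "integrity": Impact.LOW,
        "availability": Impact.LOW,
    },
    "applicant personal data": {
        "confidentiality": Impact.MODERATE,
        "integrity": Impact.MODERATE,
        "availability": Impact.LOW,
    },
    "award disbursement records": {
        "confidentiality": Impact.MODERATE,
        "integrity": Impact.HIGH,
        "availability": Impact.MODERATE,
    },
}

if __name__ == "__main__":
    system = categorize_system(SAMPLE_INFO_TYPES)
    for name, cat in SAMPLE_INFO_TYPES.items():
        print(f"{name}: {format_category(cat)}")
    print("system:", format_category(system))
    print("overall impact:", overall_impact(system).name,
          "-> SP 800-53", baseline_name(system), "baseline")
```

Run as a script, the sample resolves to SC = {(confidentiality, MODERATE), (integrity, HIGH), (availability, MODERATE)} and an overall HIGH level. The point a practitioner takes from it is that a single HIGH integrity rating on one record type lifts the baseline for the whole system; whether that type should stay on the same system, or be separated so the rest can run under a MODERATE baseline, is exactly the kind of trade-off the profile's alternatives analysis is meant to surface.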
OMB is accepting comments on the profile, which will be incorporated into phase 2 of the document. Phase 2 will include better integration between the FEA and NIST guidance and detailed implementation scenarios for agencies to use as a reference.