FEA security, privacy profile issued

The Office of Management and Budget today gave agencies a how-to guide to make sure security and privacy are incorporated across all lines of business.

The administration released the Federal Enterprise Architecture Security and Privacy Profile as 'guidance on designing and deploying measures that ensure the protection of information resources.'

The guide provides a process that will help agencies balance the need for information sharing with the application of security and privacy policies, OMB said in the document.

OMB has been working on this profile for almost a year and, at one time, considered developing a separate FEA layer for security and privacy. OMB also had hoped to release the Data Reference Model, the final one, in July, but it is now more than a month late.

Agencies can apply the security profile to each line of business and each of the five layers of the FEA: business, service component, performance, technical and data reference models. The profile will help agencies:

  • Identify security and privacy needs and link them to the guidance from the National Institute of Standards and Technology
  • Translate procedural security and privacy requirements found at the business level into the technical controls necessary at the systems level
  • Promote early identification of security and privacy issues
  • Disclose possible risk exposure, types of controls needed to manage or mitigate the risk and potential costs for the controls.

The profile outlines a set of questions for agencies to answer for each reference model to determine the security and privacy needs of the line of business.

The resulting answers, the guidance said, should be 'reviewed, validated, and in many cases, measured using performance metrics' by the participating agencies in that line of business.

Agencies then should use NIST guidance documents FIPS 199 and SP 800-53 to determine system security categorization and conduct an alternative analysis.

'This analysis will enable [the agencies] to define the final set of security controls that might be needed by the business processes and supporting systems,' the guidance said.

OMB is accepting comments on the profile, which will be included in phase 2 of the document. Phase 2 will include a better integration between the FEA and NIST and detailed implementation scenarios for agencies to use as a reference.
