FEA security layer due this summer

The Office of Management and Budget by the end of the summer will release a security layer for the Federal Enterprise Architecture.

Environmental Protection Agency CIO Kim Nelson, the co-chairwoman of the CIO Council’s Architecture and Infrastructure Committee, told lawmakers yesterday that committee members are reviewing CIO comments on the plan and will release it soon to be used by agencies.

“This will provide the opportunity for agencies to start thinking about security and privacy on Day One [of an IT project] versus thinking about it once you are into the later design phases,” Nelson said during a hearing on the progress of the FEA held by the House Government Reform Subcommittee on Technology, Information Policy, Intergovernmental Relations and the Census.

OMB decided to make security a layer that cuts across all the FEA reference models, instead of separate reference model, because of its importance to every aspect of the IT planning, design and implementation processes, said Karen Evans, OMB administrator for e-government and IT.

“There was a lot of discussion going forward and as vice chairwoman of the CIO Council when these efforts were going on, we specifically asked OMB not to have a specific security reference model because we didn’t want to have security segregated from all the models,” Evans said. “We wanted to ensure that cybersecurity and overall risk is looked at as each investment goes forward and how you manage your program overall. We had concern in the council that if we had a separate model that we may start down the path again of separating it without always thinking about it as we go forward.”

Randolph Hite, the General Accounting Office’s director of IT architecture and systems, said the CIO Council should look at the lessons learned from the IRS’ experience of extracting security as a separate view into the architecture.

“Security cannot be something that is done after the fact and laid on top,” Hite said. “It is something that is done in concert with the lines of business, the technical and data elements of the architecture.”

Rep. Adam Putnam (R-Fla.), chairman of the subcommittee, also pressed witnesses including Transportation Department CIO Dan Matthews about the progress of agency enterprise architectures, after GAO reported agencies spent almost $600 million on developing their modernization blueprints.

“With the vast majority of government agencies’ EA maturity assessed at the Stage 1 level, we still have a long way to go before we fully realize the benefits of effective EA management,” Putnam said. “You can say the trend is not hot. That is the overarching lesson here.”

Evans said OMB is using GAO’s assessment as well as their own assessment methodology to evaluate agency progress.

Matthews told Putnam that while the assessments measure whether certain criteria are met, the better measurement is how many of those criteria are met year-to-year.

And Nelson added many agencies, such as EPA, have met many of the criteria in stages 4 and 5, but are rated in Stage 1 because they did not complete one task to move out of the initial stage.

“We never had a formal written policy before and now we will when EPA Administrator [Mike] Leavitt signs it in the next few weeks,” Nelson said. “A lot of agencies have similar issues where they were doing certain EA processes, but never a formal written policy so GAO rated them in a lower stage.”

About the Author

Connect with the GCN staff on Twitter @GCNtech.


  • Defense
    Soldiers from the Old Guard test the second iteration of the Integrated Visual Augmentation System (IVAS) capability set during an exercise at Fort Belvoir, VA in Fall 2019. Photo by Courtney Bacon

    IVAS and the future of defense acquisition

    The Army’s Integrated Visual Augmentation System has been in the works for years, but the potentially multibillion deal could mark a paradigm shift in how the Defense Department buys and leverages technology.

  • Cybersecurity
    Deputy Secretary of Homeland Security Alejandro Mayorkas  (U.S. Coast Guard photo by Petty Officer 3rd Class Lora Ratliff)

    Mayorkas announces cyber 'sprints' on ransomware, ICS, workforce

    The Homeland Security secretary announced a series of focused efforts to address issues around ransomware, critical infrastructure and the agency's workforce that will all be launched in the coming weeks.

Stay Connected