FEA security layer due this summer

The Office of Management and Budget by the end of the summer will release a security layer for the Federal Enterprise Architecture.Environmental Protection Agency CIO Kim Nelson, the co-chairwoman of the CIO Council’s Architecture and Infrastructure Committee, told lawmakers yesterday that committee members are reviewing CIO comments on the plan and will release it soon to be used by agencies.“This will provide the opportunity for agencies to start thinking about security and privacy on Day One [of an IT project] versus thinking about it once you are into the later design phases,” Nelson said during a hearing on the progress of the FEA held by the House Government Reform Subcommittee on Technology, Information Policy, Intergovernmental Relations and the Census.OMB decided to make security a layer that cuts across all the FEA reference models, instead of separate reference model, because of its importance to every aspect of the IT planning, design and implementation processes, said Karen Evans, OMB administrator for e-government and IT.“There was a lot of discussion going forward and as vice chairwoman of the CIO Council when these efforts were going on, we specifically asked OMB not to have a specific security reference model because we didn’t want to have security segregated from all the models,” Evans said. “We wanted to ensure that cybersecurity and overall risk is looked at as each investment goes forward and how you manage your program overall. We had concern in the council that if we had a separate model that we may start down the path again of separating it without always thinking about it as we go forward.”Randolph Hite, the General Accounting Office’s director of IT architecture and systems, said the CIO Council should look at the lessons learned from the IRS’ experience of extracting security as a separate view into the architecture.“Security cannot be something that is done after the fact and laid on top,” Hite said. “It is something that is done in concert with the lines of business, the technical and data elements of the architecture.”Rep. Adam Putnam (R-Fla.), chairman of the subcommittee, also pressed witnesses including Transportation Department CIO Dan Matthews about the progress of agency enterprise architectures, after GAO reported agencies spent almost $600 million on developing their modernization blueprints.“With the vast majority of government agencies’ EA maturity assessed at the Stage 1 level, we still have a long way to go before we fully realize the benefits of effective EA management,” Putnam said. “You can say the trend is not hot. That is the overarching lesson here.”Evans said OMB is using GAO’s assessment as well as their own assessment methodology to evaluate agency progress.Matthews told Putnam that while the assessments measure whether certain criteria are met, the better measurement is how many of those criteria are met year-to-year.And Nelson added many agencies, such as EPA, have met many of the criteria in stages 4 and 5, but are rated in Stage 1 because they did not complete one task to move out of the initial stage.“We never had a formal written policy before and now we will when EPA Administrator [Mike] Leavitt signs it in the next few weeks,” Nelson said. “A lot of agencies have similar issues where they were doing certain EA processes, but never a formal written policy so GAO rated them in a lower stage.”