CIO Council releases info-sharing guide

The guidelines are supposed to help federal decision-makers balance security and privacy against demands to carry out agency missions.

"Federal Enterprise Architecture Security and Privacy Profile"

Federal managers received new policy guidelines this week to help them minimize risks when sharing sensitive information online.

The guidelines, issued by the federal Chief Information Officers Council, are supposed to help federal decision-makers balance the often-conflicting demands to guarantee information security and privacy against demands to carry out their agencies' missions.

Members of the council developed the business-oriented guidelines with help from officials at the National Institute of Standards and Technology and the Office of Management and Budget, and from several industry groups. Information sharing among agencies increasingly puts government officials at risk of data security and privacy violations, according to the groups' security experts.

For federal managers who are developing new information systems, the guidelines urge thinking about data privacy and data security as early as possible and at the highest levels possible. In an era of extensive information sharing, "information assurance specialists by themselves can no longer be charged to protect enterprise resources," the guidelines state.

If agency managers follow the guidelines, they will find security and privacy controls affecting all aspects of information systems development and operations, including how they measure their systems' performance, engineer workflow, design directory information, achieve interoperability and exchange data.

"It's a good tool to help people think about security and privacy," said Venkatapathi Puvvada, chief technology officer at Unisys' Global Public Sector division and chairman of the Industry Advisory Council's Enterprise Architecture Shared Interest Group (SIG), which helped create the new guidelines.

Puvvada said the guidelines provide a business context for systems-level security standards that NIST officials have developed.

In graphic terms, the Federal Enterprise Architecture Security and Privacy Profile described in the guidelines is a layer that touches all five reference models in the Federal Enterprise Architecture, a document that federal officials throughout the government use to coordinate their information technology decisions and promote information sharing.

Among other things, the guidelines offer definitions of electronic privacy and other frequently misunderstood concepts.

Members of several organizations worked on the profile, among them officials from OMB, NIST, the consulting company Booz Allen Hamilton Inc., the Industry Advisory Council Security Committee and Mitre Corp., a nonprofit systems engineering research group.
