MITRE’s 1st Federal Enterprise Architecture (FEA) TEM
Federal Enterprise Architecture Security and Privacy Profile (FEA SPP)
Vijay Rachamadugu and David Snyder
September 7, 2006

Outline
- Program Background
- FEA SPP Challenges
- Overview of the FEA SPP
- FEA SPP Methodology
- Review of the validation effort
- Questions
FEA SPP Background
Federal CIO Council Architecture and Infrastructure Committee (AIC)
Early 2003, called for the development of an “Information Security Architecture”
OBJECTIVE:
- Overlay the existing reference models
- Provide managers and systems architects with guidelines regarding the design and deployment of appropriate measures to ensure protection of information and information resources.
- Develop an Information Security Architecture Profile that will become a part of the FEA.
APPROACH:
- Assemble a suitable set of architectural principles and guidelines
- Based on existing FEA reference models, legislation, government agencies, as well as private companies
- Quickly produce an initial version of an Information Security Architecture Profile that will be available for use by Federal agencies and used to guide future updates to the FEA reference models.
PARTICIPATION:
- Industry Advisory Council (IAC) Security Committee and industry organizations as appropriate
- Provide information security and privacy architecture experts to review, refine and expand the Phase I product.
RESOURCES:
- Sponsoring government and industry organizations will provide the necessary resources to complete this effort.
From Federal CIO Council Architecture and Infrastructure Committee Terms of Reference

Background
- John Gilligan, Former Air Force CIO, develops statement of need for security guidance in the FEA
- Phase 1: (August – September 2003) A small working group is formed to define the content of an FEA “Security Profile”. Output shared with the Industry Advisory Council and government for review and comment.
- Phase 2: (June – December 2004) FEA Security Profile under development based on the ideas and feedback from phase 1.
- Phase 3: (October 2005 – April 2006) FEA SPP Validation & Draft
FEA SPP Timeline
MITRE R&D Results: Roadmap of Information Security Across the Enterprise (RISE)
[Figure: RISE diagram. Recoverable labels: Mission; Business Strategy; Security Strategy; Security Implementation & Management; Business Drivers; Legislative; Governance / Standards; Personnel / Training; Operations / Processes; Environment / Infrastructure; Assess and/or Construct Enterprise Policies, Capabilities, Assets; Security Risks; Gap Analysis; Prioritization; Sequencing Plan; Target Architecture; Develop/Acquire; Test & Evaluate; Authorize & Deploy; Security Management.]

RISE Relationship to EA Components
[Figure: RISE mapped to EA components. Recoverable labels: Mission; Assess and/or Construct Enterprise Policies, Capabilities, Assets; Security Risks; Gap Analysis; Prioritization; Sequencing Plan; As-Is EA; Target EA; Security As Enablers; Target Goals and Requirements; Akin to FIPS 199; Data Arch; Business Arch; Infrastructure Arch; Trade-offs; “SLAs”; Information Security Control Selection; Executive Decisions; Release Planning; Develop/Acquire; Test & Evaluate; Authorize & Deploy.]
FEA SPP Challenges
FEA SPP Challenges
- Address security and privacy at the enterprise level
- Ensure that security and privacy are considered in the earliest stages of an initiative
- Support project planning
  - Costing
  - Exhibit 300 and 53 development
- Integrate security and privacy across the entire EA
- Address requirements of the FEA Reference Models
- Development of guidance relevant and applicable to agencies with widely varying levels of EA maturity
- Integrate planning across cultures and domains
  - EA folks
  - Financial folks
  - Business domain folks
  - Security folks
- Integrate best practices and avoid creating new work!
FEA SPP Overview
What is the FEA SPP
- A scalable and repeatable methodology for addressing information security and privacy from a business-centric enterprise perspective.
- Integrates the disparate perspectives of program, security, privacy, and capital planning into a coherent process, using an organization’s enterprise architecture efforts.
- Enterprise architecture provides a common language for discussing security and privacy in the context of agencies’ business and performance goals, enabling better coordination and integration of efforts and investments across organizational or business activity stovepipes.

What is the FEA SPP (cont’d)
- Evaluates enterprise-level security and privacy in the context of the Federal Enterprise Architecture (FEA)
- FEA focused on analyzing operations from common business, performance, services, technologies, and data views.
- EA enables enterprise change management by describing how an organization operates today, intends to operate in the future, and intends to invest in technology to transition to that future state.

Overview of the Relationship of the FEA SPP to NIST Guidance
… the FEA SPP methodology focuses on enterprise-level decisions at the front end of the development life cycle as a program is initiated, providing a bridge to NIST’s system development and risk mitigation guidance.

FEA SPP Value Proposition
- Promotes an understanding of an organization’s security and privacy requirements, its capability to meet those requirements, and the risks to its business associated with failures to meet requirements.
- Helps program executives select the best solutions for meeting requirements and improving current capabilities, leveraging standards and services that are common to the enterprise or the Federal government as appropriate.
- Improves agencies’ processes for incorporating privacy and security into major investments and selecting solutions most in keeping with enterprise needs.
FEA SPP Methodology
FEA SPP Methodology Overview
Consists of 3 stages
- Stage 1: Identification
- Stage 2: Analysis
- Stage 3: Selection
Each stage consists of a set of standard questions

FEA SPP Methodology Overview (cont’d)
Outcomes of Stage
Stage 1: Identification
- Fully identify program and enterprise-level security and privacy requirements, including previously unknown requirements.
- Fully identify program and enterprise-level security and privacy capabilities, including current and planned future requirements.
- Document requirements and capabilities in an agency’s enterprise architecture using a nomenclature that is common across the Federal government.
Stage 2: Analysis
- Identify gaps between requirements and current or planned capabilities.
- Identify opportunities to increase interoperability between or reduce costs of current or planned capabilities.
- Propose solutions to address gaps or improve capabilities based on an informed trade-off analysis of alternatives.
Stage 3: Selection
- Evaluation of individual proposals so that each fully reflects the outputs of Stages I and II.
- Selection of individual proposals that best support the business, security, and privacy needs of the organization.
- Documentation of the updated to-be architecture and sharing of reusable components.

Stage 1 - Identification
Outcomes of Stage
- Fully identify program and enterprise-level security and privacy requirements, including previously unknown requirements.
- Fully identify program and enterprise-level security and privacy capabilities, including current and planned future requirements.
- Document requirements and capabilities in an agency’s enterprise architecture using a nomenclature that is common across the Federal government.
Stage 1 – Identification Objectives
- Identify and understand security and privacy drivers, and ensure that they are documented in the agency EA. Drivers include:
  - Legal requirements
  - Business requirements
  - Organizational commitments
- Identify currently deployed security and privacy-supportive processes and technologies (components), and ensure that they are documented in the agency EA.
- Match drivers to components, and ensure that the connections are documented in the agency EA.
- Assess risks associated with unmatched drivers to determine which driver will require a component in the next zero to five years.

Stage 2 – Analysis Overview
Outcomes of Stage
- Identify gaps between requirements and current or planned capabilities.
- Identify opportunities to increase interoperability between or reduce costs of current or planned capabilities.
- Propose solutions to address gaps or improve capabilities based on an informed trade-off analysis of alternatives.
Stage 2 – Analysis Objectives
- Identify gaps between requirements and current or planned capabilities
- Identify opportunities to increase interoperability between or reduce costs of current or planned capabilities
- Propose solutions to address gaps or improve capabilities based on an informed trade-off analysis of alternatives

Stage 3 – Selection Overview
Outcomes of Stage
- Evaluation of individual proposals so that each fully reflects the outputs of Stages I and II.
- Selection of individual proposals that best support the business, security, and privacy needs of the organization.
- Documentation of the updated to-be architecture and sharing of reusable components.

Stage 3 – Selection Overview
…an enterprise evaluation of the solutions proposed in Stage II and the selection of major investments. In Stage III the FEA SPP implementation team works with the CFO and ITIRB to integrate outputs from previous stages into the agency-wide CPIC process.

Stage 3 – Selection Objectives
- Evaluation of individual proposals so that each fully reflects the outputs of Stages I and II.
- Selection of individual proposals that best support the business, security, and privacy needs of the organization.
- Documentation of the updated to-be architecture and sharing of reusable components.
FEA SPP Validation Effort
Review of the Validation Effort
- Validation exercises were conducted at the Department of Housing and Urban Development (HUD) (11/05), and the Department of Justice (DOJ) (1/06).
- The assumptions for each validation effort were:
  - An enterprise architecture compliant with or with mappings to the FEA.
  - A governance process that requires the use of the EA in the IT Investment Review process.
  - An existing security program that has responded to FISMA reporting requirements and a designated CISO (or equivalent).
  - An existing privacy program and a designated Chief Privacy Officer (or equivalent).
  - Willingness of the agency to share security and privacy policies, risk assessments, plans, controls, and budget information.
- Agencies gained increased awareness of their security and privacy risks and support infrastructure. This will support improved processes for managing security and privacy risks, and investment processes.
- Validation staff observed validation activities to gather frank and constructive feedback on the utility and adequacy of the FEA SPP methodology.
- June 2006, FEA Version 2.0 was approved by the CIO Council and released to the public.
FEA SPP Questions
FEA SPP Backup Slides
Steps Applied During Stage 1 – Identification
Steps Applied During Stage 2 – Analysis
Exhibit 300 Business Case Evaluation Criteria as Supported by the FEA SPP
Steps Applied During Stage 3 – Selection