FEA Security and Privacy Profile, Version 2.0
Start: 2006-06-01, Publication: 2012-08-24
The Federal Enterprise Architecture Security and Privacy Profile (FEA SPP) is a scalable and repeatable methodology for addressing
information security and privacy from a business-centric enterprise perspective. It integrates the disparate perspectives
of program, security, privacy, and capital planning into a coherent process, using an organization’s enterprise architecture
efforts. Enterprise architecture provides a common language for discussing security and privacy in the context of agencies’
business and performance goals, enabling better coordination and integration of efforts and investments across organizational
or business activity stovepipes.
To support that endeavor, the FEA SPP methodology:
- Promotes an understanding of an organization’s security and privacy requirements, its capability to meet those requirements, and the risks to its business associated with failures to meet requirements.
- Helps program executives select the best solutions for meeting requirements and improving current capabilities, leveraging standards and services that are common to the enterprise or the Federal government as appropriate.
- Improves agencies’ processes for incorporating privacy and security into major investments and selecting solutions most in keeping with enterprise needs.
Name: Federal Enterprise Architecture Program Management Office
Target Audience -- The FEA SPP is a cross-disciplinary methodology that requires support and participation of experts from
security, privacy, enterprise architecture, capital planning, and organizational business functions. It is written at a high
level to make it understandable to a wide audience. Success of the FEA SPP methodology hinges on understanding and sharing
insights across each domain. Agencies should document those insights in the enterprise architecture and use them to promote
the objectives of security and privacy across all enterprise activities and investments. The discussion in Chapter Two introduces
basic concepts to facilitate a common understanding of those functional domains.
- Security Experts
- Privacy Experts
- Enterprise Architecture Experts
- Capital Planning Experts
- Business Function Experts
- Chief Information Officer (CIO): The CIO is responsible for information resource management and will be a natural stakeholder for the FEA SPP methodology.
- Senior Agency Official for Security: The senior agency official for security has primary responsibility for security in the agency and should be familiar with
external and internal security requirements as well as the enterprise-level capabilities currently in place to satisfy those
requirements. The senior agency official for security also contributes knowledge of the organization’s current security posture.
More than one security official may be needed to support the FEA SPP methodology in agencies where security responsibilities
- Senior Agency Official for Privacy: The senior agency official for privacy has primary responsibility for privacy in the agency and should be familiar with external
and internal privacy requirements as well as the enterprise-level capabilities currently in place to satisfy these requirements.
The senior agency official for privacy also contributes knowledge of the organization’s current privacy posture. Privacy may
have several advocates within an agency.
- Chief Enterprise Architect: The Chief Enterprise Architect has primary responsibility for developing and promoting the operationalization of the enterprise
architecture of an organization. In light of those responsibilities, the Architect may be the best person to lead FEA SPP
activities and to capture outcomes.
- Chief Financial Officer (CFO): The CFO has responsibility for planning, proposing, and monitoring major agency investments. The CFO is also often the chair
of agencies’ information technology investment review boards (ITIRB). The FEA SPP’s goal of promoting better-informed and
more strategic investment decisions makes it important that the CFO participates in this process, especially with regard to
Stage III’s activities. By following the guidance in the FEA SPP, an organization is more likely to effectively address security
and privacy requirements in Exhibit 300 and Exhibit 53 submissions.
- Program Officials: Program officials are responsible for accomplishing the business of an agency. They drive decisions about investments and
are responsible for planning and budgeting for security and privacy. While security and privacy officials will be knowledgeable
about enterprise security and privacy requirements, program officials may have unique, programmatic requirements. Also, senior
agency officials’ decisions in the course of developing the FEA SPP will affect the program level, since program officials
will implement many of the security and privacy decisions. Including program officials in the FEA SPP activities will ensure
that the decisions made are practical and useful to everyone.