FEA Security and Privacy Profile, Version 2.0


Start: 2006-06-01, Publication: 2012-08-24


The Federal Enterprise Architecture Security and Privacy Profile (FEA SPP) is a scaleable and repeatable methodology for addressing information security and privacy from a business-centric enterprise perspective. It integrates the disparate perspectives of program, security, privacy, and capital planning into a coherent process, using an organization’s enterprise architecture efforts. Enterprise architecture provides a common language for discussing security and privacy in the context of agencies’ business and performance goals, enabling better coordination and integration of efforts and investments across organizational or business activity stovepipes.

To support that endeavor, the FEA SPP methodology: * Promotes an understanding of an organization’s security and privacy requirements, its capability to meet those requirements, and the risks to its business associated with failures to meet requirements. * Helps program executives select the best solutions for meeting requirements and improving current capabilities, leveraging standards and services that are common to the enterprise or the Federal government as appropriate. * Improves agencies’ processes for incorporating privacy and security into major investments and selecting solutions most in keeping with enterprise needs.


Name:Owen Ambur


Name:Federal Enterprise Architecture Program Management Office



  • Security ExpertsTarget Audience -- The FEA SPP is a cross-disciplinary methodology that requires support and participation of experts from security, privacy, enterprise architecture, capital planning, and organizational business functions. It is written at a high level to make it understandable to a wide audience. Success of the FEA SPP methodology hinges on understanding and sharing insights across each domain. Agencies should document those insights in the enterprise architecture and use them to promote the objectives of security and privacy across all enterprise activities and investments. The discussion in Chapter Two introduces basic concepts to facilitate a common understanding of those functional domains.

  • Privacy Experts

  • Enterprise Architecture Experts

  • Capital Planning Experts

  • Business Function Experts

  • Chief Information Officer (CIO)The CIO is responsible for information resource management and will be a natural stakeholder for the FEA SPP methodology.

  • Senior Agency Official for SecurityThe senior agency official for security has primary responsibility for security in the agency and should be familiar with external and internal security requirements as well as the enterprise-level capabilities currently in place to satisfy those requirements. The senior agency official for security also contributes knowledge of the organization’s current security posture. More than one security official may be needed to support the FEA SPP methodology in agencies where security responsibilities are decentralized.

  • Senior Agency Official for PrivacyThe senior agency official for privacy has primary responsibility for privacy in the agency and should be familiar with external and internal privacy requirements as well as the enterprise-level capabilities currently in place to satisfy these requirements. The senior agency official for privacy also contributes knowledge of the organization’s current privacy posture. Privacy may have several advocates within an agency.

  • Chief Enterprise ArchitectThe Chief Enterprise Architect has primary responsibility for developing and promoting the operationalization of the enterprise architecture of an organization. In light of those responsibilities, the Architect may be the best person to lead FEA SPP activities and to capture outcomes.

  • Chief Financial Officer (CFO)The CFO has responsibility for planning, proposing, and monitoring major agency investments. The CFO is also often the chair of agencies’ information technology investment review boards (ITIRB). The FEA SPP’s goal of promoting better-informed and more strategic investment decisions makes it important that the CFO participates in this process, especially with regard to Stage III’s activities. By following the guidance in the FEA SPP, an organization is more likely to effectively address security and privacy requirements in Exhibit 300 and Exhibit 53 submissions.

  • Program OfficialsProgram officials are responsible for accomplishing the business of an agency. They drive decisions about investments and are responsible for planning and budgeting for security and privacy. While security and privacy officials will be knowledgeable about enterprise security and privacy requirements, program officials may have unique, programmatic requirements. Also, senior agency officials’ decisions in the course of developing the FEA SPP will impact the program-level as the program officials will implement many of the security and privacy decisions. Including program officials in the FEA SPP activities will ensure that decisions made will be practical and useful to everyone.