Federal Enterprise Architecture
Harvey Newstrom was hired by SAIC to develop an agency architecture following FEA standards for the National Archives and Records Administration (NARA). The architecture had to comply with both classified and unclassified requirements as well as individual requirements for every agency and type of data records archived by NARA. SAIC later won contracts to implement similar agency architectures for US Forest Service and then other agencies.
- He authored the first federal security architecture that combined INFOSEC, TCSEC, DCID, ISO, and NIST criteria into a single unified security framework to protect both classified and unclassified data.
- His security architecture was cited by OMB auditors as “the best” of any agency.
- His work was requisitioned by Dr. Ron Ross for inclusion into
NIST SP 800-53,
NIST SP 800-53A, and
NIST SP 800-53B
standards to protect all unclassified federal data.
- These standards were later approved by the Joint Task Force to protect all DoD, Intelligence Community, and National Security classified data as well.
- These standards are now required for civilian cloud services, telecommunications, and critical infrastructure.
Each federal architecture implementation was tailored for each agency’s unique needs. However, they all complied with Federal Enterprise Architecture standards and NIST requirements, producing a similar hierarchical structure including the following volumes.
View
Agency Security Architecture
· Cybersecurity Overview
· Cybersecurity Risk Analysis
· Cybersecurity Domain Model
· Cybersecurity Policies
· Cybersecurity Requirements
· Cybersecurity Mechanisms
· Cybersecurity Specifications
· Cybersecurity Engineering
· Cybersecurity Operations
· Cybersecurity Methodologies
· Cybersecurity Processes
· Cybersecurity Procedures
FEA Reference Models
· Performance Ref. Model
· Business Ref. Model
· Data Ref. Model
· App/Component Ref. Model
· Infrastructure Ref. Model
· Security Ref. Model
Risk Management Framework
· Prepare
· Categorize
· Select
· Implement
· Assess
· Authorize
· Monitor
Cybersecurity Framework
· Identify: Asset Management
· Identify: Business Environment
· Identify: Governance
· Identify: Risk Assessment
· Identify: Risk Management
· Identify: Supply Chain Risk
Management
· Protect: Identity Management,
Authentication, Access Control
· Protect: Awareness and Training
· Protect: Data Security
· Protect: Information Protection
Processes and Procedures
· Protect: Maintenance
· Protect: Protective Technology
· Detect: Anomalies and Events
· Detect: Continuous Monitoring
· Detect: Processes
· Response: Planning
· Response: Communications
· Response: Analysis
· Response: Mitigation
· Response: Improvements
· Recover: Planning
· Recover: Improvements
· Recover: Communications
Cybersecurity Controls
· Access Control
· Audit and Accountability
· Awareness and Training
· Configuration Management
· Contingency Planning
· Identification and
Authentication
· Incident Response
· Individual Participation
· Maintenance
· Media Protection
· Personnel Security
· Privacy Authorization
· Physical/Environmental
Protection
· Planning
· Program Management
· Risk Assessment
· Assessment, Authorization,
Monitoring
· System/Communications
Protection
· System/Information Integrity
· System/Services Acquisition
· (policies for each above)
· (procedures for each above)