Homeland Security tackles enterprise architecture

The U.S. Department of Homeland Security (DHS) plans to complete an initial inventory of its entire IT infrastructure by June — a critical step toward the ultimate creation of a nationwide architecture for homeland security, said Steve Cooper, the department’s chief information officer.

The new department has already identified more than 2,500 “mission-critical applications or automated solution sets” and more than 50,000 “items” that make up its IT infrastructure, said Cooper, speaking yesterday at the Secure E-Business Executive Summit in Arlington, Va. However, the process of taking an initial inventory is only 40 percent to 50 percent complete, he said.

The DHS includes 22 formerly independent federal agencies, and the Office of Management and Budget began working on the Federal Enterprise Architecture Framework in February 2002. The goal is to leverage IT to simplify processes and unify work across agencies and throughout federal business processes.

The challenge for homeland security, however, is to devise an architecture that is secure and aids rapid information-sharing and collaboration at all levels of government and the private sector.

“The national enterprise architecture is not just federal,” said Cooper. “We’ve reached out to state and local environments, and we are reaching out [to the private sector]. But we haven’t figured out the optimal way to reach out to the private sector.”

The department has started an aggressive outreach effort that’s being led by a series of independent task forces hoping to identify business processes common to the department’s five directorates. Meanwhile, two separate task forces have been studying infrastructure and application security. And a third task force is studying security from a physical and business-process standpoint, he said.

The challenge of creating a robust enterprise architecture that is both open and secure has been one of the key topics during the many town hall meetings held during the past year by the President’s Critical Infrastructure Protection Board. The two goals “seem to be in conflict with each other, but I would submit that they are not,” said Howard Schmidt, chairman-elect of the board.

“We have to rethink the way we [create architectures],” said Schmidt. “We used to look at what we can do with it, as opposed to what [an adversary] can do against it.” In addition, he said, the introduction of new technologies is forcing officials to “redefine what it means to have a secure architecture.

“Now, the end point, the handheld, the wireless phone are part of your architecture,” said Schmidt. “And that architecture and the thought process has to change. When we start adopting IPV6 [Internet Protocol Version 6], and everything is connected and everything has an IP address, that’s going to be a different architecture.”

“We’ll never get away from needing multiple layers of defense,” said Dan Mehan, CIO at the Federal Aviation Administration. The FAA has taken a first step toward making security a core component of its enterprise architecture by integrating its information systems security with the overall National Airspace System (NAS) architecture, said Mehan.

“We’re now looking at the administrative and mission-support areas and harmonizing those,” said Mehan. The FAA has discovered, somewhat to its surprise, that by putting its IS security architecture on top of the NAS architecture — and integrating the two — it added constraints on the IS security architecture that would not have been there if the IS security architecture had been developed separately.

“We’re using the enterprise architecture work we’re doing now to step back a little bit and see if perhaps we constrained the information systems security architecture inadvertently,” he said.

Van Hitch, CIO at the U.S. Department of Justice, questioned the appropriateness of “lumping” all business processes under one enterprise architecture umbrella. “What we’re really dealing with is a whole classified element of critical infrastructure that has one set of risks” and various other open and public processes, he said.

For now, however, the challenge for the DHS is to set up something that can help officials make critical decisions at a time of war, said Cooper. As a result, people should be prepared for the architecture to change over time.

“At the same time that we have true operational capability that we have to sustain, we have to make sure that it works right now,” he said. “We’re fighting a war in Iraq and a war on terrorism, and there are absolutely real things that we have to do right now that we honestly don’t have the luxury of fully architecting before we put solutions in place. We fully recognize that some of that will have to be reshaped or replaced somewhat down the road. We accept that.”

Cooper warned that the department wouldn’t get it perfect the first time. “There’s a huge difference between perfection and good enough,” he said. “We have to be good enough to make decisions and move forward.”