enterprise architecture: an enabler of secure e-government

DJM-

Enterprise Architecture—Enterprise Architecture—an Enabler ofan Enabler of

Secure E-GovernmentSecure E-Government

SecurE-Biz SummitApril 1-2, 2003

Federal Aviation Administration

Dan Mehan, Ph.D. Assistant Administrator for

Information Services and Chief Information Officer

4/2/03 2DJM-

FAA’s Enterprise Architecture LiftoffFAA’s Enterprise Architecture Liftoff

Enterprise Architecture

Forces of Change

Multiple Layered Protection

Information Technology Landscape

4/2/03 3DJM-

President’s Management AgendaPresident’s Management Agenda

• 1st Priority: Make Government citizen-centered

• 5 Key Components:1. Strategic Management of

Human Capital

2. Improved Financial Performance

3. Expanded Competitive Sourcing

4. Electronic Government

5. Budget and Performance

Integration

4/2/03 4DJM-

E-Government DriversE-Government Drivers

Customer Demand TechnologicalAdvances

Cost and TimePressures

StatutoryMandates

Progress

4/2/03 5DJM-

E-Government Key ComponentsE-Government Key Components

IT Program Management

Capital Planning & Investment ControlCyber Security

Web Enablement


4/2/03 6DJM-

FAA’s JobFAA’s Job

• ~ 500 FAA Managed Air Traffic Control Towers

• ~ 180 Terminal Radar Control Centers

• 20 Enroute Centers

• ~ 60 Flight Service Stations

• ~ 40,000 Radars, NAVAIDs, Radios, etc.

Manage 35,000 commercial flights to move 2,000,000 passengers safely each daySupport more than 35,000 general aviation flights on a daily basisRegulate and certify the people and aircraft that use our airspace

4/2/03 7DJM-



Forces of Change



4/2/03 8DJM-

UbiquitousAvailability of Information

EconomicConstraints

Forces of ChangeForces of Change

Information AgeTechnologyCOTS/TCP-IP

Increased ActivityFrom Organized Groups And Nation States

4/2/03 9DJM-

Security and the Evolving ThreatsSecurity and the Evolving Threats

Sophistication of Hacker Tools

Sophistication of Hacker Tools

1990199019801980

Packet Forging/ Spoofing

Packet Forging/ Spoofing

Password GuessingPassword Guessing

Self Replicating CodeSelf Replicating Code

Password CrackingPassword Cracking

Exploiting Known Vulnerabilities

Exploiting Known Vulnerabilities

Disabling AuditsDisabling Audits

Back DoorsBack DoorsHijacking SessionsHijacking Sessions

SweepersSweepersSniffersSniffers

Stealth DiagnosticsStealth Diagnostics

Hacker Technical Knowledge Required

Hacker Technical Knowledge Required

HighHigh

LowLow20002000

Internet WormsInternet Worms

4/2/03 10DJM-

Incidents ReportedIncidents Reported

22000

1100

53000

2400

82000

4100

0

10000

20000

30000

40000

50000

60000

70000

80000

90000

2001 2002 2003

IncidentsVulnerabilities

Source: CERT/CC

4/2/03 11DJM-



Forces of Change



4/2/03 12DJM-

Protect the FAA’s information infrastructure and help the aviation industry reduce security risks through leadership in innovative information assurance initiatives

Respond Plan

Protect

CIO’s Cyber Security MissionCIO’s Cyber Security Mission

Detect

4/2/03 13DJM-

FAA’s 5 LayersFAA’s 5 Layers of System Protection of System Protection

AuthenticationAccess ControlConfidentiality

Integrity

Availability

Public Key InfrastructureBiometrics


Analytical Tool Sets

Encryption

Smart Cards

Architecture & EngineeringPersonnel

Security

Physical Security

Cyber Hardening of

System and Network

Elements

Compartmentalization

Redundancy

Certification & Authorization

Education

Incident Response Capability

Scanning for Compliance

Boundary Protection

Policy

Awareness & Execution

4/2/03 14DJM-

Securing Individual SystemsSecuring Individual SystemsNational Information AssuranceNational Information AssuranceCertification and AccreditationCertification and Accreditation

Program (NIACAP)Program (NIACAP)

NegotiationCertification ReqmtsReview

Phase 1

Mission Needs,Risks, Reqmts

Phase 2

Phase 3

Phase 4

Developer

Operator

Certifier

User Rep

Initial Certification Analysis

System Operation

Certify System &Develop Recommendation

Nationally Recognized Process

Security Requirements ReviewDuring Milestone Zero

Cradle to Grave Program

4/2/03 15DJM-

INT

ER

NE

T

FA

A In

tern

et

Ac

ces

s P

oin

ts (

8)

E-M

ail

Se

rver

sN

EX

GE

N (

12

)Agency Data Telecommunications Network

w/ IDS, Hardened RoutersFirewall &Antiviral

Firewall &Antiviral

RegionalOffice

RegionalOffice

Intrusion Detection SystemFirewall

Hardened RouterAntiviral

Access Control List AntiviralAccess Control List

Boundary ProtectionBoundary Protection

4/2/03 16DJM-

COMPUTER SECURITY INCIDENT RESPONSE CENTER (CSIRC)

Protect the information infrastructure

Detect anomalous traffic

Respond to any intrusion that threatens to impede operations

Recover and restore affected systems in a timely fashion

Detect

Protect

Recover

Respond

4/2/03 17DJM-

How to Invest Scarce ResourcesHow to Invest Scarce Resources

BoundaryProtection

Vulnerability Scanning

Insider/Outsider ThreatIntrusion Detection

SystemCertification

Transport/Application LayerVPNs

Firewalls

Anti-viral

4/2/03 18DJM-



Forces of Change



4/2/03 19DJM-

Enterprise Architecture FrameworkEnterprise Architecture Framework

BusinessArchitecture

ApplicationsArchitecture

TechnologyArchitecture

DataArchitectureN

AS

Ope

ratio

ns

Mis

sion

Sup

port

Adm

inis

trativ

eArchitectural

Segments

Standards

Transitional Processes

CurrentArchitecture

StrategicDirectionStrategicDirection

BusinessDriversDesignDrivers

BusinessDriversDesignDrivers

ArchitectureDrivers

Security

Data

Technology

InvestmentReview

Architectural ModelsMarket

ResearchAsset

Management

TargetArchitecture

4/2/03 20DJM-

• Establishes Agency-wide roadmap to achieve an efficient IT environment

• Three Segments– NAS Operations

– Mission Support

– Administrative

• Acquisition Management System

• Joint Resources Council

• Portfolio Management• Exhibit 300s


Capital Planning

&

4/2/03 21DJM-

FAA Database EvolutionFAA Database Evolution

FAA DataRegistry(FDR)Data

Standards

FAA MetadataRepository

(MDR)Legacy Metadata

ConsolidatedDatabases

Single Sourcesof Data

Multiple Sources of Data

4/2/03 22DJM-

Enterprise Architecture—Enterprise Architecture—Key to Secure E-BusinessKey to Secure E-Business

Web Enablement

ProcessImprovement

EnterpriseArchitecture

RiskManagement

Multi-LayeredDefense

SystemOptimization

IT Program Management

Capital Planning & Investment

Control

Cyber Security

Web Enablement


4/2/03 23DJM-

Major ThemesMajor Themes

• E-Government will define the way we communicate among ourselves and with others

• Technology is enabling us to enhance the way we manage and share information

• Securing the critical cyber infrastructure is a must for E-Government to flourish

• Enterprise Architecture will be a key driver and enabler to optimize FAA investment

Web Enablement

ProcessImprovement

EnterpriseArchitecture

RiskManagement

Multi-LayeredDefense

SystemOptimization

enterprise architecture: an enabler of secure e-government

Technology

enterprise architecture

information services

security risks

chief information officer

cios cyber security

faas job

egovernment key components

government citizen