Homeland security's secret weapon

Enterprise architecture modeling emerges as key tool for improving readiness

Boiled down to its essence, homeland security is about protecting critical assets and sharing information within and between agencies. Simple enough, right?

Not really. First you have to know where your vulnerable assets are and where your most valuable data is. Then you have to securely share that data between organizations, which often have unique ways of doing things and incompatible systems.

But then, as people are beginning to realize, a new problem can arise as you break down the barriers between stand-alone systems. By making changes in one place without understanding the whole picture, you can produce unintended consequences.

And of course, because funding is always an issue, all this work must be done as efficiently as possible, focusing limited resources on areas that will deliver the greatest benefit.

For many government executives, the solution to all of those issues lies in information technology enterprise architecture, which is a way of describing and designing complex business and operational relationships. In fact, some claim that planning for homeland security would be impossible if agencies didn't have enterprise architectures.

"If you want to do it right, then having an enterprise architecture is clearly in the best interests of all agencies involved with homeland security," said Jim Flyzik, partner in the consulting firm of Guerra, Kiviat, Flyzik and Associates Inc. He was chief information officer at the Treasury Department and senior adviser in the Office of Homeland Security. "Without one, it's like going on a trip with both no idea of where you are going and no way of getting there."

Enterprise architecture is not a new concept, and several federal agencies have been developing architectures for years. It's only recently, however, that the approach has been more actively promoted for the entire government.

The Office of Management and Budget, for example, created the Federal Enterprise Architecture Program Management Office in 2002 to create a business-focused framework that could be used to improve government performance.

President Bush also highlighted the importance of enterprise architectures when he proposed the formation of the Homeland Security Department last year.

A unified DHS enterprise architecture would help officials fund homeland security projects based on an assessment of requirements rather than through a tendency to fund all seemingly good ideas, Bush said.

It's essential that officials view enterprise architecture as a real and effective tool and not as purely an IT

exercise, said Karen Evans, administrator of OMB's Office of E-Government and IT.

"The [enterprise architecture] has to reflect organizational decisions made by the [DHS] leadership and be owned and used by the entire department in making all resource decisions," she recently told a House Government Reform Committee panel. "Tough but necessary investment decisions must be made on which systems and processes remain, which will be consolidated and which are eliminated."

Planning investments

Officials at the Coast Guard, now a DHS agency, believe their enterprise architecture will help the Coast Guard adjust to its new hybrid character as an agency that works with both military and civilian partners.

In particular, they expect the architecture to help them enhance the Maritime Domain Awareness initiative, which allows the Coast Guard to track high-interest targets and divert assets to intercept those targets if necessary.

Those tasks require the Coast Guard to communicate real-time information to other DHS agencies and organizations such as the Navy. It's working with the first version of an enterprise transition plan that identifies the gaps and shortfalls that need to be overcome in moving from the current infrastructure to the target one.

"That will allow us to define how to pass information to the right person and that only the right people have access to it," said Capt. Dave McLeish, chief of the Coast Guard's IT enterprise architecture office. "It will also show us where best to apply resources."

For example, he said, one of the issues his team will tackle is how and where to improve connectivity on deployable assets.

"If you have a ship with 100 people on it who are sharing a 56 kilobits/sec [network] line, that obviously is something that has to be dealt with," he said.

Operational models

Officials in DHS' Bureau of Customs and Border Protection began developing their enterprise architecture five years ago under the former Customs Service, so the bureau is already fairly mature in its approach relative to other government agencies.

The bureau's enterprise architecture has been used to help design DHS'

IT architecture and should enable the department to accommodate its data-sharing requirements when they become clear, said Will Peters, chief architect at the bureau.

"I look at [an enterprise architecture] simply as proper planning," he said. "Because we've been doing this for some time, we already have a process in place to handle changes and new business requirements, and when the DHS high-level architecture comes down, we'll be able to see where we fit into that and what applications we'll need."

In many ways, the enterprise architecture process is more a matter of making data-sharing agreements between agencies than it is about technology, said Daryl Knuth, a vice president for ITS Services Inc., which has been involved with the customs effort from the beginning.

Enterprise architectures require "an understanding of the business processes of the agency and what products and processes are already in place before you can make any IT decisions," he said.

If two agencies have enterprise architectures in place, they can be used to negotiate the sharing agreements according to the business processes described by the architectures, he said.

Focus on savings

Although federal agencies have tended to use enterprise architectures to define the business processes that have to be accommodated, some state agencies have taken a slightly different approach by using the enterprise architecture to reduce redundant technology investments, according to Gerry Wethington, CIO for the state of Missouri and president of the National Association of State CIOs.

Missouri "has been pursuing putting a total [enterprise architecture] in place in order to set a target for individual agencies to aim for," Wethington said. "Now we'll be looking at the IT infrastructure to see what the level of centralization is, where the ingress and egress points are, how better to manage servers, whether to back up data in just one location or several, and so on."

However, he said, this system awareness means enterprise architectures are also useful when it comes to enabling the exchange of information between agencies, a likely future requirement of homeland security applications. Because homeland security is typically another level that can be layered on top of an architecture, he said, you don't have to wait for it to fully mature before you start using it.

In Virginia, homeland security is considered a part of the overall security domain of the state's enterprise architecture. Because implementation of security standards and controls are mandatory for all state agencies, they will help accommodate any secure data sharing that happens between agencies, said Paul Lubic, IT manager for the Virginia Information Technologies Agency.

"You could do this without having an [enterprise architecture], but there is a relationship between the security domain and other domains," he said. "You identify the requirements for those other domains and make those visible to the security domain and that defines what the various platform and standards needs are. Having an EA is a plus for all of that."

However, there's still a long way to go before the federal government and state and local governments realize the advantages of overtly linking enterprise architectures to homeland security, said Scott Bittler, vice president of enterprise planning and architecture strategies services for META Group Inc.

"It takes time to build the processes and artifacts involved with [enterprise architectures], and you are talking about significant levels of culture change that are necessary to build all of this out," he said.

Nevertheless, he is certain that they must play a role. Homeland security "is fundamentally not solvable without" an enterprise architecture, he said. l

Robinson is a freelance journalist based in Portland, Ore. He can be reached at hullite@

mindspring.com.

NEXT STORY: Kentucky CIO to step down