For Security Professionals

FSAM Overview for Security Professionals

Applying the principles and concepts used in FSAM provides a disciplined, structured, systems engineering-based approach to achieving consolidation, simplification, and optimization of the information technology infrastructure and the information systems that operate within that infrastructure. It is imperative to foster an organizational climate where the risk from information systems is considered within the context of the segment architecture development process. The FSAM has been designed with appropriate touch points to NIST security and risk documentation to ensure that architects and security personnel can stay aligned and that risks are appropriately analyzed and solutions are appropriately architected.

Why should Security Professionals use the FSAM?

The primary stakeholders for segment architectures are mission/business owners and managers. In addition to these critical stakeholders, the FSAM was developed with security professionals in mind. Throughout the FSAM, information security requirements from the FISMA legislation and associated NIST security standards and guidelines can be incorporated into the segment architecture to provide appropriate levels of protection for the organization's mission and business processes. Integrated into the FSAM guidance are touch points that reference specific steps within two security documents: NIST 800-39: Managing Risk from Information Systems: An Organizational Perspective; and NIST 800-60: Guide for Mapping Types of Information and Information Systems to Security Categories.

What information is relevant?

Security professionals historically have not had an active role during the development of segment architectures. This deficiency can be resolved by active participation of security professionals throughout the FSAM at key review points and, when appropriate, as aids to the core team. Active involvement of security professionals throughout the FSAM process will ensure that FSAM outputs are of immediate and future value to security professionals in their own planning and operations responsibilities. Specifically, the FSAM helps architects and security personnel understand the risks associated with the current segment environment, the risks associated with moving to the target environment, and the strategic improvement opportunities within the segment that might be security and risk related.

Many of the outputs from FSAM are either core to, or support, existing mandatory requirements and management processes. Listed below are the FSAM outputs that are core to security and privacy processes, followed by the FSAM outputs that support those processes. These outputs will be valuable to security professionals as they work to ensure that appropriate security controls are in place for the segment.

FSAM Outputs that are core to Security/Privacy:

  • Target Business Function Model — Activity 3.3 (core FSAM output)
  • Target Conceptual Data Model — Activity 3.3 (core FSAM output)
  • Target Data Steward Assignments — Activity 3.3 (core FSAM output)
  • As-Is Conceptual Solution Architecture — Activity 4.1 (core FSAM output)
  • Target Conceptual Solution Architecture — Activity 4.2 (core FSAM output)
  • Target Service Component Architecture — Activity 4.2 (core FSAM output)
  • Target Technical Architecture — Activity 4.2 (core FSAM output)
  • Strategic Systems Migration / Sequencing Overview — Activity 5.2 (core FSAM output)
  • Transition Plan Milestones — Activity 5.2 (core FSAM output)

FSAM Outputs that support Security/Privacy:

  • Risks and Impacts — Activity 2.2
  • Performance Gaps — Activity 2.2 (core FSAM output)
  • Strategic improvement opportunities — Activity 2.2 (core FSAM output)
  • Segment Performance Goals and Objectives — Activity 2.3 (core FSAM output)
  • Performance Scorecard — Activity 2.3 (core FSAM output)
  • As-Is Business Value Chain — Activity 3.1
  • As-Is Business Function Model — Activity 3.1 (core FSAM output)
  • As-Is Key Business Process Model — Activity 3.1
  • As-Is Business Process Swim Lane Diagram — Activity 3.1
  • As-Is Key Information Sources and Qualitative Assessment — Activity 3.1
  • Business and Data Architecture Adjustment Profiles — Activity 3.2
  • Target Business Value Chain Diagram — Activity 3.3
  • Target Key Business Process Model — Activity 3.3
  • Target Business Process Swim Lane Diagram — Activity 3.3
  • Target Information Flow Diagram — Activity 3.3 (core FSAM output)
  • Target Business Data Mapped to Key Business Processes (CRUD) — Activity 3.3
  • Target Information Sharing Matrix — Activity 3.3
  • As-Is System and Services Scoring — Activity 4.1
  • Integrated Service Component and Technology Model — Activity 4.2
  • Transition Recommendation Profile — Activity 4.3
  • Transition Recommendation Sequencing Diagram — Activity 4.3
  • Analysis of Cost, Value and Risk for Transition Options — Activity 5.1
  • Proposed Implementation Recommendations — Activity 5.1
  • Recommendation Implementation Sequencing Plan — Activity 5.2

NIST 800-39 Touch Points:

FSAM Step.Activity.Task: 2.2.3 - Identify segment risks and impacts
NIST Section: NIST 800-39, Sec. 3.2
Description: The first step in building an effective organization-wide information security program is to conduct a thorough analysis of the organization's mission and business processes, informed by the organization's enterprise architecture, identifying the types of information that will be processed, stored, and transmitted by the information systems supporting those processes.

FSAM Step.Activity.Task: 3.1.4 - Analyze processes and determine high-level information requirements, including organizational relationships
NIST Section: NIST 800-30, Sec. 3.2
Description: Conducting the security categorization process as an organization-wide exercise helps ensure that the process accurately reflects the criticality, sensitivity, and priority of the information and information systems that support organizational mission/business processes and is consistent with the organization's enterprise architecture.

FSAM Step.Activity.Task: 4.1.4 - Determine adjustments necessary to the as-is conceptual solution architecture
NIST Section: NIST 800-39, Sec. 3.3
Description: Security controls should be reflected in the FEA solution architectures and should be traceable to security requirements allocated to mission/business processes defined in the FEA segment architectures. Certain security controls (e.g., common security controls) may be provided by cross-federal information security initiatives, supporting infrastructure, other shared security services or solutions, or cross-agency, segment, or bureau initiatives. Note: The selection of security controls is based on NIST 800-53 in accordance with FIPS 199 impact levels determined during the security categorization process and the minimum security requirements defined in FIPS 200.

NIST 800-60 Touch Points

FSAM Step.Activity.Task: 2.2.3 - Identify segment risks and impacts
NIST Section: NIST 800-60, Sec. 2.0
Description: Security categorization provides a vital step in integrating security into the government agency's business and information technology management functions and establishes the foundation for security standardization among their information systems. Security categorization starts with the identification of what information supports which government lines of business, as defined by the Federal Enterprise Architecture (FEA). Subsequent steps focus on the evaluation of the need for security in terms of confidentiality, integrity, and availability. The result is strong linkages between missions, information, and information systems with cost-effective information security.

[Figure: Graphic showing where security/privacy professionals are involved in the five FSAM process steps.]