While the IC’s research organization looks into adding security to cloud environments, in the here and now, intelligence agencies are sharing more data.
Richard R. Burk is the nation’s chief architect and manages the Federal Enterprise Architecture program in the Office of Management and Budget.
It’s a lofty title, but Burk wears it lightly, reserving his attention and his considerable energy for the job itself. He is an impassioned proponent of the principles of enterprise architecture — with good reason. As chief architect for the Housing and Urban Development Department, he oversaw development and delivery of that department’s EA, which, according to the current CIO, Lisa Schlosser, has saved the agency billions of dollars.
After giving a presentation on EA and the FEA at the FOSE trade show in Washington, Burk sat for an interview with FedTech writer Sami Lais.
FedTech: Can you provide a concise explanation of the Federal Enterprise Architecture?
Burk: It’s a set of reference models for creating a business-driven architecture. Let me use the analogy of a house. The architect asks the homeowner a set of questions and translates the answers into drawings. What the homeowner sees is an elevation and a simplified floor plan, because that’s all that’s needed to be able to make decisions: Do you like the layout? Will it work for the way your family lives?
But behind those drawings sit three or four additional sets of plans: for plumbing, air conditioning and heating, electrical and the contractor. And each one has reference models: diagrams and symbology. Rather than write “electrical outlet,” there’s a symbol for an electrical outlet.
That’s what we’ve developed for architecture: reference models for performance, business, systems and services, data and technology, which map to concepts that let the business owner make decisions. Do you want to collect Social Security numbers? Do you need to be in five locations? What turnaround time do you need on data to carry out your business?
FedTech: Then what?
Burk: Take single-family mortgage insurance. You, the business owner, want to get the data turnaround down from six months to 30 days so you can catch people who are illegally discriminating, giving you a bad loan portfolio or milking the institution.
You don’t need to know the technology because I’ll do that. What you need to do is make the business decision. That decision has implications for the kind of data I collect, how I tag the data, the services and abilities I put in, and the technologies we invest in. That’s a business-driven architecture.
FedTech: You said that in the first six months of the fiscal year, agency architects should be working with program managers to design segment architectures for lines of business. Can you give an example?
Burk: A segment architecture is a subset of the enterprise architecture that’s associated with a particular program. The single-family mortgage insurance is a good example of that.
FedTech: You also said that “key to the success is building a level of trust and cooperation between the architects and program officials.” How do you make these changes in a culture that typically is risk-averse and has no history of sharing?
Burk: You want to find the burning problem on a key program. Generally, you can find this out from inspector general studies, Government Accountability Office reports, Office of Management and Budget directives, or new legislation that affects performance requirements.
You look for discrepancies between where they are and where they want to be, and that’s where you start. You sit down with the business owner and you say, “Let’s talk about your business.” And the architect really has to be able to speak the language of the business.
FedTech: Working on an enterprise architecture glossary for the Data Reference Model, the Chief Architects Forum came up with four or five definitions for 120 terms, and talks were suspended in January. Where does that leave the effort?
Burk: You have to define enterprise architecture within the context of how you operate — with a segment architecture, an enterprise architecture and a cross-agency architecture.
For example, when we say “segment architecture,” do we mean a segment of an organization, or a segment of services that we’re going to provide and share across an organization?
So we’ll get back to the glossary, but after we know the context of operations within which terms must be defined.
FedTech: In January, your office released the Enterprise Assessment 2.0, which requires that agencies for the first time must show not only that they have an EA, but also that they are getting results. What specific information will OMB be looking for in the assessments?
Burk: In previous assessments, agencies established that they all have enterprise architectures and plans to develop them. Now what we’re looking for is to see how well they’re using them. About half of the assessment’s 17 criteria deal with that issue.
We’re looking to see whether they have an architecture review board. Does the board have a charter, does it meet regularly, and does it keep minutes?
We’re looking at the milestones they’ve set for themselves: “This is what we’re going to do first, second, third, and this is when we’re going to do it.”
We’ll look at how they’re progressing and whether they need our help in an area.
Going forward, I think the substance of the results in the milestones will change over time as new processes and initiatives get adopted.
FedTech: Your office’s evaluations are also being used for the President’s Management Agenda scorecard, correct?
Burk: For one of the five parts of the e-government score.
When we look at the assessments of agencies’ architectures, we’re looking at three areas: completion, use and results. That’s what the PMA is looking at, too. So for an agency to get to green, it would have to score at least a three in one of those areas. For yellow, they would have to get at least a three in completion or use.
FedTech: With so much riding on the results, isn’t having the agencies do self-assessments a little like asking the fox to guard the henhouse?
Burk: Not at all. This isn’t a traditional assessment looking at scores and totals, but more of a guidance tool to help us help the agencies succeed, to have dynamic architectures. And the only way we’re going to do that is to look at them in an organized, disciplined way to identify the strengths and weaknesses so that we can help them with the weaknesses.
To the degree that we can, that is. Because they’re the ones who need to be empowered to determine what they want to accomplish and how they can use their architecture to make a difference to the organization. If they can do that, then my job is totally simple. It’s just a matter of helping them, because it’s hard to do it all alone. They’re the ones who have to guide and reform and direct the agency, because it certainly isn’t up to OMB to do the whole thing.
FedTech: In February, agencies had to submit reports on their Internet Protocol Version 6 network backbone transition plans. Federal networks do not need to run IPv6 until June 2008. Why is the administration reviewing the status of federal efforts now?
Burk: Well, I wasn’t part of the policy-making, but the rest of the world — including China and India — is moving rapidly to IPv6, and to stay apace, we need to get on with it.
FedTech: What are the challenges facing agencies trying to implement enterprise architectures?
Burk: The toughest thing is to stop thinking in terms of individual programs and think in terms of lines of business. Agencies need to look at what they do from a functional point of view and differentiate between their core mission areas and support services or commodity items like human resources and financial management.
Those are going to be cheaper to buy. And by spending less there, they can spend more on making their core lines of business absolutely the best there are.
That’s what we’re here to do: Help them become the best in the world at what they do.
FedTech: What’s the next major enterprise architecture milestone for agencies?
Burk: They’ll submit quarterly reports on their major IT initiatives and IPv6 transition plans. The real question we want agencies to ask themselves is: How much of the cross-agency initiatives have you incorporated into your agency’s architecture?
In September, agencies must submit assessments on their IT investment portfolios. What we want to know is: How much of that is reflected in the investment portfolios?
FedTech: With all of this change going on, isn’t the June 2008 deadline for agencies to make their networks compliant with Internet Protocol Version 6 an awfully short timeframe?
Burk: Technology refreshes generally are done in three- or four-year cycles, so if you make it a part of your technology refresh, it will happen in the normal course of events.
FedTech: Are enough vendors making IPv6-compliant technology to make this an achievable goal?
Burk: Yes, we already have a fair number of them. I think the next version of Microsoft’s operating system will be IPv6-enabled. I think vendors were just waiting to make sure that the market was there. Annual federal IT expenditures are $65 billion. They’re paying attention. And that’s exactly what we wanted.
FedTech: Let me go back for a minute and look at this another way: Is there any way the FEA can help agencies make the transition?
Burk: Well, yes.
[When you’re working on your enterprise architecture,] you see that there are a fair number of cross-agency initiatives dealing with technology. We have provisions for Homeland Security Presidential Directive 12 [requiring common identification cards and credentialing systems to give workers access to government facilities and networks]. Some agencies want to adopt radio frequency identification. Certainly all of them have continuity of operations planning. They want to optimize their infrastructure, and we have a line of business that’s just been announced on optimizing infrastructure.
So why do these things as one-offs? Why not do it all at once? I look at my responsibilities for HSPD-12, my responsibilities for moving from IPv4 to IPv6, my Coop responsibilities, and I can deal with transforming my architecture and optimizing it at the same time. So let’s do it. Get on with it. Yeah.
Once you step back and approach it from the enterprise point of view, you begin to see things differently than if you were just focusing on one initiative.
FedTech: How does that work in real life?
Burk: Say you’re in the grant-making business and it’s really paper-intensive. It’s driving you nuts because you’ve got to move the paper from headquarters out to the field offices for review and then back and you’ve got 20-year retention requirements for records, and it’s a real pain. So you need a records management system or maybe to get rid of paper entirely. So you’re looking at the options, how much of a change it would entail, how disruptive it would be, how long it would take. But that’s if you’re focusing only on this initiative.
But wait, there’s this thing called a grants line of business operating. So instead you look at it to see how much of it you can leverage for your use. Now you leverage the Grants.gov Web site to post information, to get grant requesters to fill out forms. And all you need to do is get the back-end stuff to track the applications through your grant selection process.
You’re bringing together the cross-agency and the agency pieces, putting together the policies and the initiatives. And this is clearly defined, it’s not airware, not effervescence.
FedTech: Your office has developed security, privacy and records management profiles and is working on a geospatial profile. How are the FEA profiles different from the reference models?
Burk: Let’s look at the records management profile. One aspect of every business is records. You generate records, you manage records, you have to dispose of records. So how do I as the architect build records responsibility into the architecture that I’m developing for this line of business?
Well, I need a methodology to do that.
The profiles are a methodology, a set of questions I ask the business person to elicit information I can translate into the appropriate design elements.
These methodologies are built on governmentwide policies: policies on security, on privacy, on records management. The methodology leads me in an organized way through the questions to identify the policies and get to the questions I have to answer, such as, what do I have to do to ensure that this person adheres to that policy? And then I build it into the architecture.
FedTech: I can see how that would work for records management — that’s going to be similar from one agency to the next. But for geospatial, agencies use so many different kinds of data in so many different ways and in so many different applications that aren’t interoperable. How will that work?
Burk: They are different, but every agency doesn’t need every application and every database. It can be very simple, very low-level data.
At the Housing and Urban Development Department, we give out about 3,500 grants to homeless shelters, and they serve a population that’s generally sick: mentally, physically or maybe both.
So after you get a roof over their heads, the next thing you need to do is provide medical care. So what federally funded medical care is available in the area?
Wouldn’t it be great if, when HUD gave you the money for the homeless shelter, it also identified the medical facilities in your area and the services they provide that the homeless would qualify for?
We could do that. It’s a matter of information that we already collect, either at the Health and Human Services Department or some other place. We just don’t make it available through HUD to the grantees because we’re not thinking in terms of services. We think, “Well, we gave them a grant, therefore they’ve got to tell us what they did with the grant.” Wait a minute. No. This is a service. This is citizen-centered. We’re trying to give you a way that lets you leverage these grant dollars to let you provide more service.
By providing you with geospatial information that’s practically attuned to your geographic area, we can do that.
Now, I have to get that information and run it through a geolocator so it gives me the latitude and longitude of these places, but that’s not terribly sophisticated technology. Then I geolocate them on a map, and there you’ve got the HHS clinics and the services they provide in your area.
But why stop there? Let’s go to the next level and identify the job-training facilities in your area, because the goal is to get them out of the shelter and help them become functioning members of society.
I don’t have to do it, but if I’m really service oriented, this is something I’ll want to do.