1) Need a one page Executive Summary suitable for posting on ...
With more than $1 billion in information technology investments annually, the Commonwealth of Pennsylvania
has evolved into the equivalent of a Fortune 20 organization, providing a diverse cross section of IT services
and solutions to its 12.3 million citizens and business customers worldwide. The Commonwealth’s ongoing
technology success rests with its ability to leverage the strengths and assets of the entire enterprise to attain
solutions and deliver services in the most cost-effective and efficient manner.
The Commonwealth’s Bureau of Enterprise Architecture (EA) has design and governance responsibility for
information technology solutions and standards utilized by agencies under the governor’s jurisdiction. The goal
of Enterprise Architecture is to support the governor’s office by providing enterprise-wide technology policies
and standards. Partnering with agencies, the goal is achieved by understanding key business drivers,
leveraging appropriate, existing technology, sharing IT resources across the Commonwealth, and making sound
Enterprise Architecture leverages the NASCIO framework and has established a collaborative governance
structure that leverages the skills and experiences of the Office for Information Technology (OIT) as well as key
resources in various Commonwealth agencies. The Enterprise Governance Council (EGC) and the Enterprise
Architecture Standards Committee (EASC), both comprised of senior agency directors and CIOs, provide
leadership, prioritization of initiatives, and recommendations of standards. Domain teams, comprised of agency
technologists, architects, and thought-leaders, realize these initiatives and create Commonwealth standards, IT
policies, and Enterprise Architecture models.
Over the past year focus areas and accomplishments of EA include:
Baseline and Target Model Specification. The Commonwealth’s Target Architecture has continued to
evolve in response to business drivers prioritized by the IT governance structure. Key Target
Architecture specifications include the creation of a common Citizen Information Model, establishment of
a common portal architecture, expansion of the Business Solutions Center of Excellence (BSCoE), and
the creation of a Grants Management Architecture. The Baseline Architecture has been elaborated to
map existing applications to the key functions realized in the Business Architecture. This mapping is
used to identify where redundant services are being provided and serve as input for business
streamlining and technical consolidation.
Specification of Enterprise Security Architecture and Policies. The Commonwealth, through
Enterprise Architecture, has developed a baseline security architecture that includes all aspects of cyber
security and identity protection and access management. Enterprise Architecture is responsible for
several far-reaching, critical security initiatives that specify standard security approaches and blueprints
for all aspects of cyber security, monitoring, escalation, and identity protection and access management.
Security assessments have to be put in place to identify threats, vulnerabilities and risks to
Commonwealth IT resources. Additionally, the Commonwealth’s Chief Information Security Officer
(CISO) has implemented several security awareness and communication initiatives including a CISO
Roundtable to provide agency security officers with multi-directional information sharing among agencies
and a Pennsylvania Information Sharing and Analysis Center (PA-ISAC) to disseminate warnings and
share information among the state and different levels of local government.
Architecture Compliance Process. A Technical Architecture Review (TAR) Board has been
established and is fully operational. The TAR regularly reviews key agency initiatives, to assess
compliance with Enterprise Architecture and standards and to grant waivers based on business
justification. The TAR has been active, reviewing over 100 projects in the first five months of 2006.
Enterprise Architecture has brought many advantages, both tangible and intangible, to the Commonwealth of
Pennsylvania. It is now an institutionalized agent for innovation and standardization across the Commonwealth
and has also evolved into a communication clearinghouse for sharing information about key agency technology
initiatives. Significant cost savings have been achieved through enterprise purchasing agreements for product
standards. The Domain Teams and other collaborative EA mechanisms have begun to foster an attitude and
mindset of cooperation, communication, and sharing throughout Commonwealth agencies.
8/28/2006 1 EA NASCIO
Description of Project
Enterprise Architecture (EA) was formally introduced into the Commonwealth of Pennsylvania in late 2003.
Previously the Commonwealth had centralized several key architecture components: email, telecom services,
desktop operating systems, PCs, and SAP as the back office system. It is upon this infrastructure that EA
initiatives were built, and with this foundation, have constructed a collaborative approach to EA governance and
The EA governance structure is part of a broader IT governance model that reports to the IT Governance Board.
The purpose of the IT Governance Board is to oversee the investment and performance of information solutions
across the Commonwealth's agencies and to advise and counsel the governor on the development, operation, and
management of the Commonwealth's IT investments, resources and systems.
Governance continues to be an important part of Commonwealth initiatives. The Enterprise Governance
Council (EGC) and the Enterprise Architecture Standards Committee (EASC), both comprised of senior agency
Directors and CIOs, provide leadership, prioritization of initiatives and recommendations of standards. Domain
teams, comprised of agency technologists, architects, and thought-leaders, realize these initiatives by creating
Commonwealth standards, establishing IT policies, and specifying Enterprise Architecture models and
This governance structure ensures support and the rapid adoption of enterprise strategic initiatives that meet the
diverse needs of Commonwealth agencies. Additionally, with the establishment of ten domain teams (see
diagram below), participation has been solicited from all agencies and levels of staff. This has established a new
way of doing business for the Commonwealth. Enterprise Architecture is now an institutionalized agent for both
innovation and standardization across the Commonwealth.
The Enterprise Architecture Governance Model was formed using the NASCIO framework for Enterprise
Enterprise Architecture communicates its standards and policies through Information Technology Bulletins
(ITBs). ITBs provide a consistent format for standards and are published in a common location that is publicly
available for agency use. Before an ITB is published, it undergoes several types of review. After the
organizations in the governance structure have reviewed an ITB, it is subject to a broader agency review before
publication. Standard, broadcast communication channels are in place to keep agencies informed of new or
changing standards. A feedback and query mechanism is in place, enabling agency personnel to ask questions
or comment on published EA standards. Additionally, EA members attend agency or Community of Practice
meetings and share information on EA standards and plans on a regular basis.
During the past year, EA has been actively advancing Enterprise Architecture Blueprints and Processes
throughout the Commonwealth. Key focus areas and accomplishments of EA include: continued evolution and
documentation of the baseline and target models, specification of comprehensive security architecture and
processes, and roll-out of an architecture compliance process. Each is described below.
Baseline and Target Model Specification
The Commonwealth’s Target Architecture has continued to evolve in response to business drivers prioritized by
the EA Governance structure. Key aspects of the target architecture specified recently include:
• Creation of a Citizen Information Model. A conceptual citizen information model has been created and
promulgated providing standards to Commonwealth agencies pertaining to citizen-related entities and
data elements. This common citizen model is a critical step towards implementing integrated processes
and shared information repositories. It has improved communication among agencies by establishing a
common language related to the citizen and is enabling a key Commonwealth objective of providing
improved services to citizens by promoting a higher quality of information.
• Establishment of a Common Portal Architecture. The Commonwealth has adopted a single, standard
portal platform for both internally and externally facing web-sites. The common portal architecture
provides a consistent look and feel for citizens and Commonwealth users alike. Additionally,
implementing the common portal architecture improves the interoperability of agency applications via
portlet technology and, in conjunction with the Enterprise Security Architecture, provides a consistent,
robust web access and authentication vehicle across the Commonwealth.
• Continued expansion of the BSCoE frameworks. Enterprise Architecture initially conceived and served
as an incubator for the Business Solutions Center of Excellence (BSCoE). BSCoE consists of
standardized software engineering processes, service components, and application framework
components. It promotes cross-agency development efforts and fosters a common approach to training
and education for all development teams. It provides uniformity of approach, process and results,
allowing projects to leverage the broad pool of resources and assets that currently exist within the
Commonwealth. BSCoE has emerged during the last year and EA remains an important member of the
BSCoE governance structure – helping to guide its ongoing roll-out and evolution.
• Creation of a Grants Management Architecture. Building on both the Common Portal Architecture and
BSCoE, a Commonwealth-wide grants management architecture has been created. This architecture
simplifies and automates the funding process associated with over $17 billion in federal and state
grants. The architecture streamlines the underlying business process pertaining to grants processing,
establishes a centralized portal to allow grant recipients to find and apply for grant opportunities in the
Commonwealth, and establishes an enterprise business intelligence engine that supports the reporting
needs of the governor’s office and federal and state agencies.
Additionally, key aspects of the baseline architecture continue to be elaborated. During the past year, the
Commonwealth has expanded the specification of the existing Business Architecture. Utilizing the Federal
Enterprise Architecture (FEA) Business Reference Model (BRM), the Commonwealth has mapped agencies and
applications to their relevant lines of business and sub-functions in the Services for Citizens Business Area.
This mapping is used to identify where redundant services are being provided across agencies and applications
to serve as input for business streamlining and technical consolidation.
Specification of Enterprise Security Architecture and Policies
One of the most important Commonwealth initiatives is security. Enterprise Architecture is responsible for
several far-reaching, critical security initiatives. These initiatives specify standard security approaches and
blueprints for many aspects of cyber security and identity protection and access management. Each is
• Identity Protection and Access Management (IPAM). An interagency Identity Management initiative was
launched to establish the Commonwealth approach and architecture pertaining to identity management
and to align with federal and industry standards such as the Federal Information Processing Standard
(FIPS) and Security Assertion Markup Language (SAML). IPAM is a comprehensive effort that covers
many aspects of identity management including:
  • Enterprise Directory Services – Provides for consolidation, synchronization and aggregation of
    shared identity information for retrieval and user authentication;
  • Access Management and Control – Provides standards and policies for accessing
    Commonwealth facilities and information systems;
  • Enrollment, Identity Proofing and Vetting – Outlines the processes for validating and verifying an
    individual’s identity for the purpose of establishing credentials, such as log-in identifications and
  • Identity Card Production, Personalization and Issuance – Outlines the standards for creating,
    delivering and activating an individual’s unique identity card;
  • Enterprise Public Key Infrastructure (PKI) – Outlines the standards for use of secure
    mechanisms (cryptography) to verify established identities, support digital signatures and
    encrypt sensitive data.
  • Specification for a Commonwealth Personal Identification Verification (PIV) Card – Provides the
    physical and logical layout for the components of the Commonwealth PIV card, (e.g. magnetic
    strip, smart chip, photograph).
  During the past year, the IPAM Initiative has made significant progress towards a Commonwealth-wide,
  identity management architecture and process. Some key accomplishments include:
  • Specification of the Enterprise Directory Blueprint;
  • Creation of a standard Web Access and Authentication architecture;
  • Creation of a FIPS-compliant, Personal Identification Verification (PIV) card specification;
  • Creation of a Commonwealth Digital Certificate Policy; and
  • Selection of a Commonwealth-wide Digital Certificate Provider.
• Operation Secure Enterprise (OSE). OSE addresses the increasing security risks associated with
technology-based delivery of business services. OSE, led by the newly appointed EA Chief Information
Security Officer (CISO), creates enterprise plans, approaches, and architectural blueprints to provide
enhanced cyber security to the Commonwealth. OSE has established enterprise technology standards
for critical areas of cyber security, including network intrusion detection and protection systems and
Internet access control and content filtering. A consolidated Security Information Management solution
has been established to provide an enterprise level view regarding the condition of security in the
Commonwealth’s IT environment. Additionally, security assessments have been put in place to identify
threats, vulnerabilities and risks to Commonwealth IT resources.
• Security Awareness and Information Sharing. An organization depends on more than technology for
implementing IT Security. Raising awareness of security and communications is equally important.
EA has implemented a security architecture communication process to address awareness and
communication. In addition to standardized security awareness training, the Commonwealth has
established a CISO roundtable. The CISO roundtable is comprised of agency CISOs and professionals
and is chaired by the EA Commonwealth CISO. This provides a forum for multi-directional information
sharing among agencies. Additionally, a Pennsylvania Information Sharing and Analysis Center
(PA-ISAC) has been established to disseminate warnings and share information with state and various
levels of local government.
Roll-out of an Architecture Compliance Process
As the Commonwealth’s Enterprise Architecture grows and evolves, it is vital that a process be established and
executed to assess agency projects’ compliance with Enterprise Architecture standards. A Technical
Architecture Review (TAR) Board has been established and is fully operational. The TAR is comprised of
Enterprise Architecture resources as well as members from other cross-cutting, technology organizations within
the Commonwealth. The TAR reviews select agency initiatives, based on objective criteria, to ascertain
compliance with established enterprise architecture standards and to grant waivers based on business
justification. The TAR has dramatically increased Enterprise Architecture visibility and compliance among
Commonwealth agencies and has been extremely active, reviewing over 100 projects in the first five months of
Significance to the improvement of the Operation of Government
Enterprise Architecture has improved the Commonwealth’s ability to interact with other government agencies
and positions the Commonwealth to align with federal recommendations while also championing interstate
communications. This is possible due to the implementation of standard technology solutions, a focus on
standards-based solutions, and communication of the role that EA plays across all agencies. Vendor interaction
has also improved as a result of identifying one group responsible for establishing enterprise-wide standards.
The Commonwealth can now negotiate lower costs across the enterprise by implementing common technology
solutions, leveraging its purchasing power.
Enterprise Architecture is serving as a communication vehicle for technology initiatives within the
Commonwealth. Through the TAR Board and the various groups in the governance structure (EGC, EASC and
domain teams), agencies constantly interact in ways and at levels they previously did not. This has resulted in
greater awareness of technology initiatives among the agencies.
Another key change within the Commonwealth is a shift from an agency-centric thought process to one that
is Commonwealth-wide. EA serves as the focal point for defining and communicating a shared Commonwealth
vision. As enterprise standards become more prevalent, agencies within the Commonwealth have realized the
benefit of shared architecture and standards. The EA governance structure now relies heavily upon the EA
organization to set standards and policies in technology areas. In the past, each agency would perform its
own research and establish its own standards and policies. This change in thinking is particularly evident in
the realm of security where consolidated Security Information Management and the CISO roundtable have led
to holistic, enterprise security planning, monitoring, and cooperation. Additionally, with the expanded baseline
architecture model that has been created, it is much more straightforward to identify improvements and
streamlining opportunities for the target architecture.
Enterprise Architecture has brought many advantages, both tangible and intangible, to the Commonwealth of
Pennsylvania. The Commonwealth has taken an enterprise approach to standardization, working
collaboratively with agencies via the EA domain teams. Ten domain teams were formed using the NASCIO
framework for Enterprise Architecture. This has provided many benefits to the Commonwealth including the
ability to share assets thus increasing their utilization and driving the use of common tool sets. In turn, this
lowers the overall costs by better leveraging people and processes to provide training. We have fostered an
enterprise approach to new initiatives, seeking out commonality and the strategic importance in each.
With the focus and attention on cyber security and identity protection at a Commonwealth level, the
Commonwealth’s infrastructure and information are more secure. This increased security benefits taxpayers by
making their sensitive data increasingly safe.
With the adoption of a common citizen information model, a common language related to the citizen has been
established. This in turn promotes a higher quality of citizen information, enabling a key Commonwealth
objective of providing improved services to citizens.
Return on investment
Enterprise Architecture does materially impact the Commonwealth via monetary savings in enterprise license
agreements. Over the past year, Enterprise Architecture has named several technology solutions as
Commonwealth standards. Consequently, significant license and maintenance fee cost savings (over $34
million) have been realized through enterprise license agreements. This saving alone recoups the investment
by the Commonwealth in EA several times over.
Another key projected area for savings is in the area of grants management. Upon rollout of the common
Grants Management Architecture and Processes, the Commonwealth is projected to achieve $1 million per year
in cost savings due to a 25% reduction in time for every grant application processed.