Security Reference Model (SRM)
Security is integral to all architectural domains and at all levels of an organization. As a result, the Security Reference Model (SRM) must be woven into all of the sub-architectures of the overarching EA across all the other reference models and it must be considered up and down the different levels of the Enterprise. Enterprise Architecture Governance is the perfect place for security standards, policies, and norms to be developed and followed, since it is an enforcement point for Information Technology investments. The SRM allows architects to classify or categorize security architecture at all scope levels of the Federal Architecture: International, National, Federal, Sector, Agency, Segment, System and Application. At the highest levels, the SRM is used to transform federal laws, regulations, and publications into specific policies. At the segment level, the SRM is used to transform department specific policies into security controls and measurements. At the system level, it is used to transform segment controls into system specific designs or requirements. Each level of the SRM is critical to the overall security posture and health of an organization and/or system.
The Federal Security Reference Model (SRM) has three areas: Purpose, Risk, and Controls; these are divided into six total subareas (see figure below). Each one of these subareas must be addressed at the enterprise, agency, and system level. The SRM uses the information from the purpose and risk at each level of the enterprise to find and classify the correct controls to secure the environment.
source: The EA Pad