Why Your Federal Enterprise Architecture Is Incomplete

Daniel Wallace, CISSP, CCSP
Principal Security Architect

Federal enterprise architecture teams are doing everything right. They're maintaining comprehensive technical reference models. They're processing thousands of technology assessments annually. They're documenting standards, evaluating emerging technologies, and ensuring IT investments align with mission objectives.

And yet, they're missing a massive portion of the actual technology landscape.

When we investigated the SaaS landscape for one of our large federal customers, we expected to find some shadow IT. What we discovered was staggering: over 1,500 distinct SaaS applications operating on their networks.

Here's what made this finding particularly concerning:

  • Nearly 600 were business-critical applications that had never been formally assessed or approved

  • Fewer than 15% were integrated with identity management systems

  • Approximately 276 lacked any FedRAMP or provisional authorization

Think about what this means: while EA teams were maintaining detailed architecture documentation, technology standards, and governance processes, hundreds of applications were operating completely outside their architectural visibility.

Their EA wasn't failing at its job — it simply had no mechanism to see what it couldn't govern.

This Isn't Just About Compliance

The immediate reaction is often about compliance risk — and yes, 276 applications without FedRAMP authorization represent material non-compliance with Office of Management and Budget (OMB) M-24-15. But the implications go far deeper.

Federal agencies right now are:

  • Executing multi-million dollar modernization initiatives under OMB M-23-22

  • Implementing zero trust architecture under M-22-09 and the Cybersecurity and Infrastructure Security Agency’s (CISA’s) Zero Trust Maturity Model

  • Meeting federal data strategy requirements for data-driven decision making

Every single one of these strategic initiatives assumes you know what you have. You can’t implement zero trust without comprehensive asset inventories. You can’t achieve centralized data governance when mission-critical data resides in undocumented repositories. You can’t execute Cloud Smart migration planning when a significant portion of your application portfolio is invisible.

When enterprise architecture documentation excludes hundreds of operational applications, these strategic initiatives fail before they begin.

Why "Just Use CASB" Doesn't Work

The standard response is usually: "We have cloud access security brokers" or "We're implementing secure access service edge — that solves this."

It doesn't.

Even agencies with mature secure access service edge (SASE) deployments face a fundamental reality: network-based controls can only govern traffic that flows through controlled infrastructure. They're blind to:

  • SaaS accessed from personal devices and bring your own device (BYOD)

  • Application programming interface (API) and command-line interface (CLI) access that bypasses web-based inspection

  • Shadow integrations connecting approved apps to unapproved services

  • Mobile applications using certificate pinning

  • Pre-established accounts created outside the network perimeter

SASE is a significant advancement in cloud security architecture, but it doesn't eliminate the need for discovery-based SaaS governance — it makes it more essential.

The Process Problem That Creates the Visibility Gap

Here's the core issue: A $5,000 SaaS subscription via purchase card takes 48 hours. The same solution requiring FedRAMP authorization takes 6-9 months.

The incentive structure actively encourages non-compliance.

Enterprise architecture operates on formal intake processes that work exceptionally well for infrastructure, major systems, and enterprise platforms requiring capital investment. SaaS breaks this model entirely. A product manager signs up for a collaboration tool with a credit card. A developer adopts a continuous integration/continuous delivery (CI/CD) platform. A business unit procures analytics software. These decisions happen in days or hours, not the weeks or months traditional EA processes require.

By the time EA teams would conduct a technical assessment, the application is already in production with live data.

What Complete SaaS Governance Actually Looks Like

Effective SaaS governance doesn't replace EA — it completes it. Based on our work implementing the federal government's first-ever SaaS governance program, here's a three-step framework that actually works:

  1. Discover: Deploy purpose-built discovery platforms that integrate with existing infrastructure to automatically identify SaaS consumption — providing enriched metadata including FedRAMP status, data residency, integration status, and usage patterns. Not a quarterly snapshot, but continuous visibility into the technology landscape as it actually exists.

  2. Manage: Assess SaaS applications in weeks, not months, through streamlined evaluation processes — evaluating vendor attestations against federal security standards while maintaining rigor. Our rapid cloud review (RCR) methodology was codified into federal policy in June 2024 as the first centralized SaaS risk-review process.

  3. Secure: Enable real-time posture management that validates ongoing compliance rather than point-in-time assessments. Technology doesn't freeze after authorization — SaaS configurations change, patches are applied, and integrations multiply. Continuous monitoring ensures that what was compliant at assessment remains compliant in production.
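To make the Discover step concrete, here is an added illustration (not Aquia's RADAR platform or any code from the article) of the reconciliation an EA team would run once a discovery export exists: match discovered SaaS against the EA-approved catalog and the enrichment fields the text names (business criticality, identity-provider integration, FedRAMP status), then surface the gaps. The records, field labels and catalog below are constructed sample data.

```python
from __future__ import annotations
from dataclasses import dataclass

@dataclass(frozen=True)
class SaasRecord:
    """One discovered SaaS application with constructed enrichment fields."""
    name: str
    business_critical: bool
    idp_integrated: bool    # wired into the agency identity provider?
    fedramp_status: str     # constructed labels: "Authorized", "Provisional", "In Process", "None"

def normalize(name: str) -> str:
    # Discovery tools and EA catalogs rarely agree on case or spacing; match on a canonical key.
    return " ".join(name.lower().split())

def ea_gap_report(discovered: list[SaasRecord], ea_catalog: set[str]) -> dict:
    approved = {normalize(n) for n in ea_catalog}
    outside_ea = [r for r in discovered if normalize(r.name) not in approved]
    unassessed_critical = [r for r in outside_ea if r.business_critical]
    no_idp = [r for r in discovered if not r.idp_integrated]
    no_fedramp = [r for r in discovered if r.fedramp_status not in ("Authorized", "Provisional")]
    total = len(discovered)
    return {
        "total_discovered": total,
        "outside_ea": len(outside_ea),
        "unassessed_business_critical": len(unassessed_critical),
        "idp_integrated_pct": round(100 * (total - len(no_idp)) / total, 1) if total else 0.0,
        "no_fedramp_or_provisional": len(no_fedramp),
        # Highest priority: business-critical, invisible to EA, and unauthorized.
        "priority_remediation": sorted({r.name for r in unassessed_critical} & {r.name for r in no_fedramp}),
        # EA approval alone is not authorization: approved apps can still lack FedRAMP.
        "approved_but_unauthorized": sorted(r.name for r in no_fedramp if normalize(r.name) in approved),
    }

# Constructed sample discovery export and EA catalog (not from the article's engagement).
DISCOVERED = [
    SaasRecord("Collab Suite", True, True, "Authorized"),
    SaasRecord("ci-pipeline cloud", True, False, "None"),
    SaasRecord("Analytics Pro", True, False, "In Process"),
    SaasRecord("Whiteboard App", False, False, "None"),
    SaasRecord("Ticketing Hub", True, True, "Provisional"),
]
EA_CATALOG = {"Collab Suite", "Ticketing Hub", "CI-Pipeline Cloud"}

if __name__ == "__main__":
    for key, value in ea_gap_report(DISCOVERED, EA_CATALOG).items():
        print(f"{key}: {value}")
```

Run continuously against each new discovery export, the same report doubles as the baseline the Secure step re-checks after authorization.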

The Results Speak for Themselves

For one federal customer, this comprehensive approach delivered:

  • 1,500+ applications discovered that existed outside formal EA oversight

  • 79 comprehensive risk assessments completed in the first year

  • 95.33% remediation rate for critical security findings

  • 91.92% reduction in compliance violations

These outcomes didn't happen because the agency abandoned enterprise architecture — they happened because SaaS governance made EA operationally accurate for the first time.

Federal agencies have a choice. They can continue maintaining architecture documentation that grows increasingly disconnected from operational reality, or they can integrate SaaS governance as foundational EA infrastructure.

The technology landscape isn't going back to centralized procurement and waterfall assessments. The global government cloud computing market is projected to grow at 16.7% annually through 2030. U.S. federal cloud budgets are nearly doubling from 2020 to 2025.

The question isn't whether to govern this growth, but how to do so in ways that strengthen rather than circumvent enterprise architecture.

You can’t architect what you can’t see. SaaS governance provides the operational visibility needed to make EA achievable in a cloud-native world.

Ready to discover what's operating outside your EA visibility? Contact us at federal@aquia.us to learn about our RADAR discovery platform and proven SaaS governance approach.

Want to understand the complete framework? Download our white paper, “The SaaS Visibility Gap: Why Federal Enterprise Architecture Is Increasingly Incomplete,” for a deeper dive. 

Aquia

Securing The Digital Transformation ®

Aquia is a cloud and cybersecurity digital services firm and “2024 Service-Disabled, Veteran-Owned Small Business (SDVOSB) of the Year” awardee. We empower mission owners in the U.S. government and public sector to achieve secure, efficient, and compliant digital transformation.

As strategic advisors and engineers, we help our customers develop and deploy innovative cloud and cybersecurity technologies quickly, adopt and implement digital transformation initiatives effectively, and navigate complex regulatory landscapes expertly. We provide multi-cloud engineering and advisory expertise for secure software delivery; security automation; SaaS security; cloud-native architecture; and governance, risk, and compliance (GRC) innovation.

Founded in 2021 by United States veterans, we are passionate about making our country digitally capable and secure, and driving transformational change across the public and private sectors. Aquia is an Amazon Web Services (AWS) Advanced Tier partner and member of the Google Cloud Partner Advantage Program.
