Zachman vs FEAF, DoDAF and SABSA: Framework Comparison

The Zachman Framework is so foundational that it has become the basis for multiple specialised frameworks. FEAF (Federal Enterprise Architecture Framework), DoDAF (Department of Defense Architecture Framework), and SABSA (Sherwood Applied Business Security Architecture) all derive from or build upon Zachman's core concepts.

Understanding these frameworks and how they relate to Zachman is critical for architects working in government, defence, or security-focused organisations.

Overview: The Framework Family Tree

text

Zachman Framework (1987)
├── FEAF (Federal EA Framework, 2001)
├── DoDAF (Defence Architecture Framework, 2003)
└── Zachman + Security → SABSA (1990s-2000s evolution)

All three frameworks are either direct adaptations of Zachman or explicitly incorporate Zachman principles. Understanding the source (Zachman) makes understanding the variants easier.

FEAF: Federal Enterprise Architecture Framework

What is FEAF?

FEAF is the enterprise architecture framework adopted by the US federal government. It is used by all federal agencies (State Department, Treasury, Health and Human Services, Social Security Administration, Veterans Affairs, etc.) when designing information systems that must comply with federal standards.

FEAF's Relationship to Zachman

FEAF is essentially a government-specific adaptation of the Zachman Framework. Key points:

Based on Zachman: FEAF's core structure mirrors Zachman's 6x6 matrix concept.
Added government specificity: FEAF adds federal regulatory and compliance requirements (OMB circular, FISMA, etc.).
Mandated by law: Federal agencies are required to comply with FEAF via OMB (Office of Management and Budget) circulars.
Integrated with TOGAF: Modern FEAF recommendations often suggest using TOGAF ADM alongside FEAF's Zachman-based structure.

FEAF Structure vs Zachman

Aspect	Zachman	FEAF
Matrix cells	36 (6x6)	Similar to Zachman, with government-specific refinements
Interrogatives	What, How, Where, Who, When, Why	Same, plus government-specific contexts
Perspectives	Planner, Owner, Designer, Builder, Sub-Contractor, Enterprise	Same, with federal roles (CIO, Chief Architect, EA Board)
Compliance focus	None (universal)	FISMA (Federal Information Security Management Act), OMB compliance
Tool support	General EA tools	Specialized federal EA tools (DoDAF Studio, etc.)
Certification	ZCEA	Federal-specific certifications (less formal than ZCEA)

When to Use FEAF

If your organisation is a US federal agency or contractor to federal agencies.
If you must comply with OMB guidance and FISMA requirements.
If you are building a system of record for the federal government.
If you need to integrate with other federal systems (e.g., Treasury's enterprise architecture, VA systems).

DoDAF: Department of Defense Architecture Framework

What is DoDAF?

DoDAF is the enterprise architecture framework mandated for US Department of Defense (DoD) and defence contractor systems. It is used across military branches, defence agencies, and defence contractors when designing weapons systems, logistics networks, command and control systems, and other defence applications.

DoDAF's Relationship to Zachman

DoDAF has a more complex relationship to Zachman than FEAF:

Zachman-inspired (not direct adaptation): DoDAF was influenced by Zachman's ontological approach but has evolved its own structure.
Added defence specificity: DoDAF emphasises operational roles, threat models, and security criticality.
Integrated with systems engineering: DoDAF aligns with defence systems engineering standards (MIL-STD-499, IEEE 1220, etc.).
Mandated by law: DoD acquisition regulations (DFARS - Defense Federal Acquisition Regulation Supplement) require DoDAF compliance for certain weapon systems.

DoDAF Structure vs Zachman

DoDAF uses a different structural approach than Zachman:

Eight viewpoints rather than a 6x6 matrix: Operational Viewpoint, Systems Viewpoint, Technical Standards Viewpoint, All Viewpoint, Data and Information Viewpoint, Services Viewpoint, Standards Viewpoint, and System-Of-Systems Viewpoint.
Emphasis on data exchanges and operational flows rather than just static models.
Strong security and threat orientation: Each viewpoint includes security context.

Aspect	Zachman	DoDAF
Structure	6x6 matrix (36 cells)	8 viewpoints + 50+ data elements
Primary focus	Organisational knowledge classification	Operational and systems design
Stakeholders	All levels (planner to operator)	Military and defence-specific roles
Security focus	Optional (one cell in Zachman)	Mandatory across all viewpoints
Operational context	Generic	Defence operations and warfare
Complexity	Moderate	High
Certification	ZCEA (though DoDAF-specific certs exist)	DoDAF Certified Practitioner, various defence certs

When to Use DoDAF

If you are designing defence systems for the US Department of Defense.
If your organisation is a defence contractor subject to DFARS compliance.
If you are designing weapons systems, command and control systems, or intelligence systems.
If you need to integrate with other DoD systems.
If security and threat models are critical to your architecture.

SABSA: Sherwood Applied Business Security Architecture

What is SABSA?

SABSA is an enterprise security architecture framework that applies Zachman-like ontological thinking specifically to security. Rather than describing an entire enterprise (business + data + application + technology), SABSA focuses on describing security architecture across similar dimensions.

SABSA's Relationship to Zachman

SABSA explicitly models itself on Zachman but applies it to security:

Zachman for Security: SABSA is often described as "applying Zachman's ontological approach to enterprise security."
6 Layers x 6 Attributes: SABSA uses a similar matrix structure but adapted for security concerns.
Complementary to Zachman: SABSA is not a replacement for Zachman; it is a security lens applied within a broader Zachman enterprise architecture.

SABSA Structure vs Zachman

Aspect	Zachman (General EA)	SABSA (Security EA)
Focus	All enterprise dimensions	Security only
Matrix dimensions	6 perspectives x 6 interrogatives	6 layers x 6 attributes
Perspectives/Layers	Planner to Enterprise	Business layer down to component security
Interrogatives/Attributes	What, How, Where, Who, When, Why	Adapted for security (confidentiality, integrity, availability, etc.)
Use case	Holistic enterprise architecture	Security architecture integrated within EA
Relationship	Standalone framework	Complements broader frameworks (Zachman, TOGAF)

When to Use SABSA

If you need to design and govern security architecture.
If your organisation requires security to be as carefully architected as business and technology.
If you are building a security program aligned with enterprise architecture.
If you need to communicate security architecture to executives and technical teams (SABSA provides the "Zachman-like" structure to make it clear).
If you are in a regulated industry (finance, healthcare, government) where security governance is mandated.

Practical Comparison: When to Use Which

For Federal Agencies and Contractors

Use FEAF if you must comply with federal OMB guidance and FISMA. But understand that FEAF is Zachman-based, so knowing Zachman gives you a head start.

Optional: Pair with TOGAF for process guidance (FEAF defines "what," TOGAF defines "how").

For Department of Defense

Use DoDAF if you are designing defence systems or weapon systems subject to DFARS compliance.

Know that DoDAF shares Zachman's ontological spirit but has evolved differently. Understanding Zachman does not directly translate to DoDAF competency, but the conceptual approach is similar.

For Security-Centric Architectures

Use SABSA to structure security architecture within your broader enterprise architecture (whether Zachman, TOGAF, or other).

Combine with Zachman/TOGAF: SABSA is not standalone; it enriches the Why column and other security-relevant cells of a broader Zachman matrix.

For Commercial (Non-Government)

Use Zachman + TOGAF without FEAF or DoDAF (unless you are a government contractor).

SABSA is optional depending on your security governance needs.

Key Differences and Relationships: A Summary

Framework	Basis	Primary Use	Regulatory?	Complexity
Zachman	Original ontology	Universal, all industries	No	Moderate
FEAF	Zachman adaptation	Federal government	Yes (OMB)	Moderate-High
DoDAF	Zachman-inspired, custom	Defence/Military systems	Yes (DFARS)	High
SABSA	Zachman applied to security	Security architecture	No (optional)	Moderate

Career Implications: Which Should You Know?

If You Work in Federal Government

Must know: FEAF and Zachman (FEAF is based on it)
Should know: TOGAF, SABSA
Optional: DoDAF (only if defence-adjacent)
Certification to pursue: Federal-specific certs, ZCEA, TOGAF Foundation

If You Work in Defence/DoD Contractor

Must know: DoDAF
Should know: Zachman (to understand DoDAF's conceptual basis), SABSA
Optional: FEAF, TOGAF
Certification to pursue: DoDAF Certified Practitioner, SABSA credentials

If You Work in Finance, Healthcare, or Large Commercial Enterprise

Must know: Zachman, TOGAF, SABSA
Should know: FEAF and DoDAF (as background knowledge)
Optional: Unless you support government, federal agencies, or defence
Certification to pursue: ZCEA, TOGAF Foundation, SABSA credentials

The Convergence: Common Ground

Despite their differences, all four frameworks share common DNA:

Ontological approach (shared from Zachman): Defining what aspects of the enterprise or domain must be understood.
Multiple perspectives or viewpoints: Recognising that different stakeholders have different views of the same system.
Structured models and artefacts: Each framework produces a set of defined outputs that populate the structure.
Compliance and governance: All modern variants include governance and compliance aspects.

Practical Scenario: Where Each Framework Applies

Scenario 1: Financial Services Firm (Commercial, Not Government)

Primary: Zachman + TOGAF
Secondary: SABSA for security architecture
Not needed: FEAF, DoDAF
Certification: ZCEA, TOGAF Certified, SABSA

Scenario 2: Federal Treasury Agency

Primary: FEAF + TOGAF
Secondary: SABSA for security
Not needed: DoDAF (unless defence-adjacent)
Certification: Federal certs, ZCEA, TOGAF

Scenario 3: Defence Contractor (Weapon System)

Primary: DoDAF
Secondary: SABSA, Zachman (as conceptual base)
Not needed: FEAF (unless also supporting federal civilian agencies)
Certification: DoDAF Certified Practitioner, SABSA

Scenario 4: Large Healthcare System

Primary: Zachman + TOGAF
Secondary: SABSA for security and compliance
Not needed: FEAF, DoDAF
Certification: ZCEA, TOGAF, SABSA

Key Takeaways

FEAF is Zachman for federal government: If you understand Zachman, FEAF is a straightforward adaptation.
DoDAF is Zachman-inspired but distinct: It shares the ontological philosophy but has evolved a different structure suited to defence operations.
SABSA is Zachman applied to security: It is not a replacement for Zachman, but a security-specific lens within a broader architecture.
All share a common philosophical approach: They all recognise that complete architecture requires multiple perspectives and structured description.
Your context determines which to use: Commercial → Zachman + TOGAF; Federal → FEAF + TOGAF; Defence → DoDAF; Security-focused → SABSA.

Next Steps

Explore the Six Interrogatives and Six Perspectives to deepen your understanding of Zachman (the source for FEAF and inspiration for DoDAF).
If you work in government, read the Practical Application in Government Agencies guide.
If security is your focus, explore Security Architecture with SABSA.
Consider pursuing relevant certifications for your industry context.

Understanding Zachman gives you a foundation to quickly adopt FEAF or understand DoDAF's conceptual basis. That is the power of learning the source framework first.

Meta Keywords: FEAF framework, DoDAF framework, SABSA security architecture, Zachman variants, government EA frameworks, defence architecture, federal architecture standards, security architecture ontology, EA framework comparison.