(Tutorial) FAA Information Systems Security (ISS) Engineering Process

The FAA Information Systems Security (ISS) Engineering Process is a checklist that guides security activities throughout different phases of acquiring and managing air traffic management systems. In the first phase, Mission Analysis, security engineers analyze system requirements and the operating environment to formulate basic security policies. They also begin security planning and document initial security requirements. The process then continues through subsequent phases of Investment Analysis, Solution Implementation, and In Service Management.

Uploaded by erkinguler
FAA - FAA Information Systems Security (ISS) Engineering Process

The Information Systems Security (ISS) Engineering website is a checklist that guides you throughout the acquisition management systems (AMS) phases to perform the security-related activities using the ISS engineering processes.

Updated: 10:33 am ET September 7, 2007


U.S. Department of Transportation


Federal Aviation Administration
800 Independence Avenue, SW
Washington, DC 20591
1-866-TELL-FAA (1-866-835-5322)


http://www.faa.gov/about/office_org/headquarters_offices/ato/service_units/operations/isse/ [1/10/2008 2:22:33 PM]


FAA - Mission Analysis

Note: The symbol "*" indicates that the FAA firewall access is required to view this link.

The Information Systems Security (ISS) engineering process starts in the Mission Analysis. In this phase, the ISSE process focuses on:

● the proposed system's operating environment
● system boundaries
● information assets and functions
● and the potential threat and vulnerability sources to the system's information assets and functions.

Basic system security policy flows from FAA organizational directives, such as FAA Order 1370.82A, "ISS Program Policy"* as well as from FAA operating procedures and instructions. Basic system security policy is the set of rules governing control, access, and use of system information. For example, a basic security policy statement may be that only authorized FAA users shall access the system.

The ISS engineering process applies NIST Federal Information Processing Standards (FIPS) 199, "Standards for Security Categorization of Federal Information and Information Systems" to categorize the information system assets and functions. The ISSE process analyzes the NAS system concept of operations (CONOPS) and mission need statement (MNS) to formulate a basic security policy.

The security planning aspects of ISS engineering also begin in this phase, following guidance of NIST Special Publication (SP) 800-18, "Guide for Developing Security Plans for Federal Information Systems". Security requirements, based on security policy, are in the Preliminary Program Requirements (pPR) document.

Updated: 10:38 am ET September 7, 2007



FAA - Investment Analysis

Integrating the Information Systems Security (ISS) engineering process with the SE elements is essential. During the Initial Investment Analysis (IIA), ISSE develops and documents the need for security in the CONOPS and the initial security requirements for the Preliminary Requirements document (pPR). The Investment Analysis (IA) team uses the system program CONOPS and the security requirements to evaluate the system alternatives. The security engineers in the product team conduct a preliminary vulnerability and security risk assessment using updated threat and vulnerability data to determine the specific risks that must be controlled or mitigated. The security trade studies are performed to evaluate the system alternatives and to assess the security risk controls/mitigation measures related to the system alternatives. Also, the security trade studies identify the native, existing system, and/or network features that reduce the likelihood of the system threats successfully exploiting a vulnerability. These trade studies compare the costs and benefits of the system features/security controls in terms of risk reduction. Trade studies may evaluate the cost-effectiveness of different controls for a given risk or set of risks. Also, system alternatives may require different types of controls to balance the system performance and security requirements against the security risks/costs of the different alternatives. The different system alternatives may have significantly different physical and/or system architectures that would require different security controls that may lead to different security costs and effectiveness.

During the final stage of the IA phase, the ISS engineering refines and updates the preliminary vulnerability and security risk assessment. Updated threat and vulnerability data is applied, analyzing the costs and effectiveness of system features and security controls that are associated with each of the final system alternatives. ISS engineering provides the final security requirements for the final Program Requirements document (fPR) and the system specification, as well as special requirements for the Solicitation Information Request (SIR) and contract Statement of Work (SOW). In developing the final system requirements, ISS engineering analyzes and establishes the appropriate assurance level to be proven during system implementation. The assurance in this context addresses the required level of confidence in the security function and performance, and ensures that the security controls function in an integrated fashion. The assurance can be gained through many techniques, including conformance testing, independent verification testing, and employing diverse and/or redundant capability.

The ISS engineering shall support a documented agreement among the FAA stakeholders regarding the necessity and sufficiency of the security requirements. It should clearly document the agreement to the security requirements before the investment decision becomes the foundation for the Security Certification and Authorization Package (SCAP), which shall be completed before the In-Service Decision (ISD). During the IA, ISS engineering identifies the technically qualified, senior FAA official who shall certify that the system security controls meet the minimum FAA/NAS ISS requirements (see DAA discussion in SEM section: 4.8.6). The ISSP, which was based on the NIST SP 800-18 and was a conceptual draft during the Mission Analysis of the AMS phase, is updated to become an initial draft.

The ISS engineering products from this phase include the updated preliminary vulnerability and security risk assessment, final security program requirements, security trade studies to support cost-benefit/investment analysis of security controls, and input to the SIR, SOW, system specification, and Contract Data Requirements List (CDRL) for systems to be acquired. These products support the AMS milestone decision for transition into the Solution Implementation phase.

Updated: 10:59 am ET September 4, 2007



FAA - Solution Implementation

The Information Systems Security (ISS) engineering activities during the earlier phases provide the basis for updating, monitoring, and controlling system security risks and the respective mitigation measures or controls that are implemented during this phase of the system development. A summary of ISS engineering activities for this phase includes the following:

● Revise the security-related statement in the CONOPS and security requirements based on functional analysis performed during early stages of the Solution Implementation phase.
● Analyze the physical/system architecture, resulting in an allocation of the security features to be implemented in the system under development. Security trade studies may be needed to identify the appropriate security controls to be implemented that balance system and security requirements.
● Integrate the security features into the security architecture to balance them with the system architecture and design. Security trade studies, interface security requirements, and other Systems Engineering (SE) outputs contribute to successful integration of security architecture into system design. System design reviews are key milestones for ensuring that security controls are integrated into system development.
● Update the ISSP, one of the SCAP documents, based on the expected ISS functional and assurance controls derived from the system architecture and design. Refine the system test planning and procedures to ensure that all security requirements and controls are addressed. The ISSP supports Validation (SEM Section: 4.12, subsection 4.12.1) and Synthesis (SEM Section: 4.5) to assess controls and assurance as being cost effective and meeting the ISS requirements. Use Risk Management (SEM Section: 4.10) and Requirements Management (SEM Section: 4.3) to mitigate security risk to acceptable levels. The criticality/sensitivity of the system and its information assets guides the type and level of controls and testing.
● Develop a user's guide, training plans, and Contingency/Disaster Recovery Plans (C/DRP). Security procedures, rules, training, and planning for C/DRP operations may be integrated into the integrated logistics support and lifecycle planning for systems.
● Conduct security testing. Security controls and mechanisms may be tested incrementally and as a part of system development testing. For mission-critical systems, a third party shall conduct independent testing of system vulnerabilities.
● Create the final Security Certification and Authorization Package (SCAP) documents. The results of ISSE activities, including relevant results from related SE elements such as Integrated Technical Planning (SEM Section: 4.2), Synthesis (SEM Section: 4.5), Validation and Verification (SEM Section: 4.12), and Lifecycle Engineering (SEM Section: 4.13), shall be considered as final SCAP documents. The Air Traffic Organization provides templates for collecting and presenting the SCAP documentation.

Updated: 11:10 am ET September 4, 2007



FAA - In-Service Management

Note: The symbol "*" indicates that the FAA firewall access is required to view this link.

Activities during this phase include the following:

● Follow and conform to the final SCAP template as required for the final SCAP documents*.
● Obtain the security Certification and Authorization (C&A). Stakeholder C&A review shall ensure that the DAA* is in a position to certify and authorize the system as meeting the security requirements and as presenting an acceptable risk to the FAA mission and NAS operations.
● Conduct the performance measurement, monitoring, and reporting of the security controls and incidents. Ensure that the monitoring of ISS performance and assurance for the respective NAS service/capability has not degraded and that new vulnerabilities have not been introduced to the operational system.
● Update the SCAP to reflect any major configuration changes at least every 3 years, assessing the changes in the environment and system for previously unforeseen risks from new threats and vulnerabilities. Plan and take corrective action as necessary.
● For disposal of the system, the following types of activities may be addressed in the Information System Security Plan, and conducted at the appropriate stage of the System Development Lifecycle:
  ❍ Archive Information - Retain information as necessary, keeping in mind legal requirements and future technology changes that render the retrieval method obsolete.
  ❍ Sanitize Media - Ensure data is deleted, erased, or written over as necessary.
  ❍ Dispose of Hardware and Software - Dispose of the hardware and software in accordance with ISS policy.

Updated: 3:10 pm ET September 6, 2007



FAA - DRAFT - Integrate Initial Security Needs and Threat Stipulation Into the MNS

DRAFT - Integrate Initial Security Needs and Threat Stipulation Into the MNS (a)

Content in development

All lettered sections are labeled "Content in development."

Updated: 11:26 am ET July 26, 2007
