Why do we need the Information Systems Security Plan (ISSP):
FISMA requires the FAA to have an ISSP for its information security programs to assure adequate information security for networks, facilities, information systems or groups of information systems, as appropriate. An ISSP is required for every FAA NAS or non-NAS system. Preparing an ISSP for an information system ensures that the required security controls (planned or in place) are fully documented. The key attachments may include references to documents supporting the FAA's information security program within the System Certification and Authorizations Package (SCAP).
What does the ISSP do:
The ISSP identifies the information system components; operational environment; sensitivity and risks; and detailed, cost-effective measures to protect a system or group of systems. The objective of the ISSP is to fulfill one of the final components of the SCAP document required by Office of Management and Budget (OMB) Circular A-130, Management of Federal Information Resources, Appendix III, and by the Computer Security Act of 1987 (Public Law 100-235). The existence of, and adherence to, an ISSP is one of the fundamental requirements for the SCAP.
What is the content of the ISSP:
Review the following FAA documents for detailed information on preparing the ISSP: Systems Engineering Manual (SEM) Section 4.8, "ISS Handbook", and "Information Systems Security Program Implementation Guide". Also check for the latest updates on what the contents should include. The structure is based on the National Institute of Standards and Technology (NIST) Special Publication 800-18, Guide for Developing Security Plans for Information Technology Systems.
Consider including the following information in the ISSP:
ISSP Maintenance requirements:
The ISSP must be maintained throughout the entire system life cycle. It is considered complete when the selected controls are tested and the designated authorized FAA official signs the final SCAP. The ISSP is routinely updated annually or every three years as part of the SCAP process, or earlier to reflect significant changes that may impact the system's security posture. A recertification of the SCAP documents may be required depending on the level of impact to the FAA NAS or non-NAS systems.
Page Last Modified: 09/11/08 10:00 EDT
This page can be viewed online at: http://www.faa.gov/about/office_org/headquarters_offices/ato/service_units/operations/isse/items/j-Update-ISSP.cfm