Why do we need the Information Systems Security Plan (ISSP):
FISMA requires the FAA to have ISSP for the information security programs to assure the adequate information security for networks, facilities, information systems or groups of information systems, as appropriate. The ISSP is required for every FAA NAS or non-NAS system. The preparation of ISSP for an information system ensures that the required security controls (planned or in place) are fully documented. The key attachments may include the references to documents supporting the FAA's information security program within the System Certification and Authorizations Package (SCAP).
What does the ISSP do:
The ISSP identifies the information system components; operational environment; sensitivity and risks; and detailed, cost-effective measures to protect a system or group of systems. The ISSP objective is to fulfill one of the final components of the SCAP document required within the Office of Management and Budget (OMB) Circular A-130, Management of Federal Information Resources, Appendix III, and by the Computer Security Act of 1987 (Public Law 100-235). The existence of, and adherence to, an ISSP is one of the fundamental requirements for the SCAP.
What is the content of the ISSP:
The following FAA documents, Systems Engineering Manual (SEM) Section 4.8, ISS Handbook, and Information Systems Security Program Implementation Guide to review the detailed information toward the preparation of ISSP. Also check for latest updates of what the contents should include. The structure is based on the National Institute of Standards and Technology (NIST) Special Publication 800-18, Guide for Developing Security Plans for Information Technology Systems.
Consider including these following information to the ISSP:
- System Identification
- System Environment
- Sensitivity of Information Handled
- Management Controls (Risk Assessment, Review of Security Controls, Rules of Behavior, Life Cycle Security Planning, Accreditation/Authorization)
- Operational Controls (Personnel, Physical, Hardware and Software Maintenance Controls, Integrity Controls, Documentation, Security Awareness and Training, Incident Response Capability)
- Technical Controls
ISSP Maintenance requirements:
The ISSP must be maintained throughout the entire system life cycle. It is considered complete when the selected controls are tested and the designated authorized FAA official signs the final SCAP. The ISSP is routinely updated on annual or every three years as part of the SCAP process or earlier to reflect significant changes that may impact the systems security posture. A recertification of the SCAP documents may be required depending on the level of impact to the FAA NAS or non-NAS systems.
- Finalize the determination of whether it is for the NAS or non-NAS system
- Determine the update requirements based on the level of impact to the NAS or non-NAS system; annual, once every three years or recertification
- OMB Circular A-130, Management of Federal Information Resources, Appendix III, Security of Federal Automated Information Resources
- 44 USC 35, Subchapter II, Federal Information Security Management Act (FISMA)
- Public Law 106-398, Government Information Security Reform Act of 2000 (GISRA)
- NIST Special Publication 800-64, Security Considerations in the Information System Development Life Cycle
- NIST Special Publication 800-27, Engineering Principles for IT Security
- NIST Special Publication 800-18, Guide for Developing Security Plans for Information Technology Systems
- NIST Special Publication 800-53, Recommended Security Controls for Federal Information Systems
- FAA's ISS Handbook
- FAA - Systems Engineering Manual (SEM)
- ATO Information Systems Security Program Implementation Guide (SCAPs)