Note:

• This is the complete checklist throughout your ISS Engineering activities during the AMS Lifecycle phases.
• The symbol "*" indicates that the FAA firewall access is required to view this link.

Initiate

FAA Information Systems Security (ISS) Activities Process:

1. If any questions, please contact 9-ATOP-HQ-ISSE-Info@faa.gov, ATO-P Information Systems Security Chief Scientist Engineer.
2. Go to the last page of this checklist to review:
   • Appendix 1: "AMS Logo Map - FAA Lifecycle Management Process".
     • Use the map to follow the numbered AMS decision points in the process with this checklist.
   • Appendix 2: "Security Activities during AMS Phases"
     • It is a quick overview of deliverable security related products for each AMS Phases.
3. Use this checklist to map the security activities along with your appendix 1 & 2.
4. Review the lettered content of the "FAA Information Systems Security (ISS) Engineering Process".

Resources

1. The ATO ISS related websites:
   • FAA FAST AMS - Security Section
   • FAA NAS Enterprise Architecture (NASEA) - Security View (TBA - Still in the maturation process.)
   • FAA Systems Engineering Manual (SEM)
     • Section 4.8.6, Information Security Engineering
   • ATO ISS Program Library website
     • An authoritative source indicating governance of SCAP process*
   • ISS related policies*
2. SCAP Templates and FAQs

Quick Links

• Service Analysis (SA)
• Concept & Requirement Definition (CRD)
• Investment Analysis (IA)
• Final Investment Analysis (FIA)
• Solution Implementation (SI)
• In-Service Management (ISM)

Begin Service Analysis (SA) - AMS decision point: #1

(Start: Service Analysis activities for the Mission Needs Decision (MND))

Note: The symbol "*" indicates that the FAA firewall access is required to view this link.

Review

• FAA FAST AMS Lifecycle Phases and Decisions guidance website:
  • Service Analysis (SA)
  • Mission Need Decision (MND)
  • ISS policy guidance listed in the ATO ISS Program Library website.
    • FAA Orders 1370.82A, "Information Systems Security Program"*
  • ISS Engineering
    • AMS Lifecycle Management Process with ISSE related activities

Initiate

• Service Level Mission Need (SLMN) Threat Stipulation and basic security policy.
  • Integrating Initial Security Needs and Threat Stipulation into the SLMN (a)

Deliverable(s)

1. Statement of security policy and threat environment stipulation incorporated into the SLMN.

End SA for AMS decision point: #1

Begin Concept and Requirement Definition (CRD) - AMS decision point: #2

(Start: OMB Exhibit 300 Attachment 1 for the Investment Analysis Readiness Decision (IARD))

Review

• The CONOPs of the system.
• FAA FAST AMS Lifecycle Phases and Decisions guidance website:
  • Concept & Requirements Definition (CRD)
  • Investment Analysis Readiness Decision (IARD)
• FAA FAST ISS Flow Chart of the CRD section
• Security engineering activities.
  • AMS Lifecycle Management Process with ISSE related activities
• The NAS-SR1000 security requirements section.
  • To obtain the document please contact Linda Suppan (Acting Manager).

Coordinate

• Service Unit/Service Area Certification Team Lead to determine plans and strategy for SCAP activities including determining the level of effort and security activities.
  • ATO Information System Security Manager (ISSM)
  • ATO Designated Approving Authority (DAA), Information System Security Certifier (ISSC), and Information System Security Manager (ISSM)
  • ATO Service Unit/Service Area Certification Team Lead
  • ATO Service Unit/Service Area ISSO.
    • The individual is responsible for all the security functions for the program and is designated by the Program Manager.

Generate

• “Developing CONOPS and Preliminary Security Requirements (b)”
  • CONOPS of system.
  • ISS section of the Preliminary Requirements. (pPR document).
    • For assistance in developing security requirements contact Kenneth Kepchar, ATO-P ISS Chief Scientist System Engineer.
  • The 800-53 controls.

Deliverable(s)

1. OMB Exhibit 300, Attachment 1: Preliminary Program Requirements (pPR)
   • ISS Section of the Preliminary requirements. (pPR)

End CRD for AMS decision point: #2 & AMS Phase Mission Analysis (MA)

Begin Initial Investment Analysis (IIA) - AMS decision point: #3

(Start: OMB Exhibit 300 Attachment 2 for the Initial Investment Decision (IID))

Review

• FAA FAST AMS Lifecycle Phases and Decisions guidance website
  • Investment Analysis (IA)
  • Investment Decision (ID)
• FAA FAST ISS Flow Chart of the IIA section
• Security engineering activities
  • FAA Information Systems Security (ISS) Engineering Process

Update

• CONOPS of system.
• ISS section of the Preliminary Requirements. (pPR document).
  • Apply 800-53.
    • Tailor 800-53 security requirements to your acquisitions.

Generate

• Basis of Estimates (BOE) on security cost estimates for alternatives.
• SCAP with your Service Unit/Service Area Certification Team Lead.
• The preliminary Information System Security Plan, (ISSP).
  • "Develop the Preliminary ISSP (Including Basic Security Policy)" (c)
    • NIST SP 800-18, "Guide for Developing Security plans for Federal Information Systems" (February 2006)
• Preliminary System Characterization/Categorization.
  • Develop Systems Characterization/Categorization (d)
  • FIPS-199
  • 800-53 controls.
• Preliminary vulnerability and risk assessment.
  • Developing Preliminary Vulnerability and Risk Assessment (e)
    • NIST SP 800-30, "Risk Management Guide for Information Technology Systems"

Deliverable(s)

1. BOE on security cost estimates for alternatives.
2. OMB Exhibit 300, Attachment 2: Business Case Analysis Report (BCAR)
3. Updated OMB Exhibit 300, Attachment 1: (pPR)
   • Requirements for the ISS section of the (pPR) to include the 800-53 controls.
4. Preliminary vulnerability and risk assessment.
5. Preliminary SCAPs document
   • Preliminary ISSP with security policy statement.
   • Preliminary System Characterization/Categorization.

End IIA for AMS decision point: #3

BEGIN Final Investment Analysis (FIA) - AMS decision point: #4

(Start: OMB Exhibit 300 Attachment 3 for the Final Investment Decision (FID))

Review

• FAA FAST AMS Lifecycle Phases and Decisions guidance website:
  • Investment Analysis (IA)
  • Investment Decision (ID)
• FAA FAST ISS Flow Chart of the FIA section.

Update

• SCAP with your Service Unit/Service Area Certification Team Lead.
• CONOPS of system.
• ISS section of the Preliminary Requirements for the Final Requirement Document (fPR).
  • Security Interfaces document for inclusion in Interface Requirement Document (IRD).
• The ISSP.
• System characterization/categorization.(FIPS-199)
• Vulnerability and risk assessment.

Generate

• Initial Security Test Plan & Report.
  • Documentation should be produced only if test documents are being developed early based on approved system prototype, prior to Solution Implementation phase.
    • “Develop Security Test Plans and Procedures”(k)
• Support for system addition to the ATO Five Year SCAP Plan with your Service Unit/Service Area Certification Team Lead and ISSO.
  • Proposed schedule, security characterization/categorization (FIPS-199) and planned sites where a system would be fielded to the ISSM
• Security Information for Solicitation Information Request (SIR), Contract Statement of Work (SOW) and Contract Data Requirement List (CDRL).

Obtain

• Stakeholders’ buy-ins and signing of the final security documents.

Deliverable(s)

1. Updated OMB Exhibit 300, Attachment 1:
   • (pPR) transformed into Final Requirement Document (fPR).
2. OMB Exhibit 300, Attachment 2: Business Case Analysis Report (BCAR)
3. OMB Exhibit 300, Attachment 3: Implementation Strategy/Planning (ISP)
4. Final security vulnerability and risk assessment.
5. SCAP documents
   • ISSP with security policy statement.
   • System characterization/categorization.
   • Security Test Plan & Report (See note above.)
6. Proposal of schedule, FIPS-199, and plan toward ATO Five Year SCAP Plan for your added system.
7. The security information for SIR, SOW & CDRL.
8. Stakeholders’ signatures on all finalized security documents

End FIA for AMS decision point: #4 & Phase: IA

BEGIN Solution Implementation (SI) - AMS decision point: #5

(Re-baseline: OMB Exhibit 300, Attachment 1, 2 & 3 for the In-Service Decision (ISD))

Note: The symbol "*" indicates that the FAA firewall access is required to view this link.

Review

• FAA FAST AMS Lifecycle Phases and Decisions guidance website:
• Solution Implementation (SI)
• In-Service Decision (ISD)
• FAA FAST ISS Flow Chart of the SI section
• OMB Exhibit 300, Attachment 1, 2, & 3.

Update

• Security information for Solicitation Information Request (SIR), Contract Statement of Work (SOW) and Contract Data Requirement List (CDRL).
• Vulnerability and risk assessment for the Security Risk Assessment (SRA).
  • This is to be performed independent of the Integrated Product Team (IPT).
  • “Update Vulnerability and Risk Assessment” (f)
• CONOPS of system.
  • “Update the CONOPS and Security Requirements” (g)
  • To include ISS section to the CONOPS depending on level of impact of the NAS system.
• ISS section for the Final Requirement Document (fPR).
  • Security Interfaces document for inclusion in Interface Requirement Document (IRD).
  • “Integrate Security Requirements with System Requirements” (h)
  • “Integrate Security Architecture and Design” (i)
• The ISSP.
  • “Update the ISSP” (j)
• SCAP to reflect actual fielded systems with your Service Unit/Service Area Certification Team Lead and ISSO. Must complete the SCAP documents before operating the system.
  • Locate the “ATO ISS Implementation Guide * ” and follow the link “SCAP” for the SCAP guidance document.
  • “Create Final Security C&A Documents” (n)

Generate

• Security testing on system baseline and refine solution as needed for ISD/commissioning.
  • This is to be performed independent of the IPT.
  • “Develop Security Test Plans and Procedures” (k)
• Users guide, training plans, and contingency/disaster recovery plans.
  • “Develop User’s Guides, Training, and Contingency Plans” (l)
  • “Conduct Security Testing” (m)

Obtain

• DAA signature(s) of Certification and Authorization to connect and operate system in the NAS.
  • “Obtain Security Authorization and Accreditation” (o)
    • ATO Designated Approving Authority (DAA), Information System Security Certifier (ISSC), and Information System Security Manager (ISSM).

Deliverables

1. SCAP Implementation Guide (Reference: SCAP implementation guide - Section 4.1.1 *)
2. Baselined OMB Exhibit 300, Attachment 1:
   • ISS section of the Final Requirement Document (fPR).
     • Security Interfaces in the IRD.
3. Baselined OMB Exhibit 300, Attachment 2, & 3
4. The security information for SIR, SOW & CDRL.
5. DAA signature(s) of Certification and Authorization to connect and operate the system in the NAS.

End SI for AMS decision point: #5 & AMS Phase: SI

BEGIN In-Service Management (ISM) – Systems Engineering Milestones: Technology Refresh Assessment (TRA)

(Determine: To continue, update (Tech refresh, P3I) or end the Systems Development Lifecycle needs for the (ISM))

Review

• FAA FAST AMS Lifecycle Phases and Decisions guidance website:
  • In-Service Management (ISM)
• FAA FAST ISS Flow Chart of the ISM section.
• The ISSP for the system assessed.
• OMB Exhibit 300, Attachment 1, 2, & 3.

Update

• ISS section of the Final Requirement Document (fPR).
• Vulnerability and risk assessment for the Security Risk Assessment (SRA).
• SCAP with your Service Unit/Service Area Certification Team Lead.
  • Verify if recertification is required.

Generate

• Technology refresh and/or upgrade of the system assessed.
  • Prepare for Technology Refresh and Upgrade Planning (p)
  • NIST SP 800-64, “Security Considerations in the Information System Development Life Cycle”
• For disposal of the system.
  1. Follow ISSP
  2. Archive information
  3. Sanitize media
  4. Dispose of hardware and software.

Obtain

• DAA signature(s) of Certification and Authorization package (SCAP).
  • Service Unit/Service Area Certification Team Lead and ISSO.
  • ATO Designated Approving Authority (DAA), Information System Security Certifier (ISSC), and Information System Security Manager (ISSM).

Deliverables

1. Updated OMB Exhibit 300, Attachment 1, 2, & 3
   • ISS section of the Final Requirement Document (fPR).
2. Updated Security vulnerability and threat assessment for the SRA.
3. Updated SCAP documents.
4. DAA signature(s) of the SCAP documents.

End ISM for Systems Engineering Milestones: TRA & AMS Phase: ISM