Investment Analysis

Investment Analysis - AMS Lifecycle Phase

Integrating the Information Systems Security (ISS) engineering process with the SE elements is essential. During the Initial Investment Analysis (IIA), ISSE develops and documents the need for security in the CONOPS and the initial security requirements for the Preliminary Requirements document (pPR). The Investment Analysis (IA) team uses the system program CONOPS and the security requirements to evaluate the system alternatives. The security engineers in the product team conduct a preliminary vulnerability and security risk assessment using updated threat and vulnerability data to determine the specific risks that must be controlled or mitigated.

Security trade studies are performed to evaluate the system alternatives and to assess the security risk controls/mitigation measures related to those alternatives. The trade studies also identify the native, existing system, and/or network features that reduce the likelihood of the system threats successfully exploiting a vulnerability. These trade studies compare the costs and benefits of the system features/security controls in terms of risk reduction, and may evaluate the cost-effectiveness of different controls for a given risk or set of risks. System alternatives may also require different types of controls to balance the system performance and security requirements against the security risks/costs of the different alternatives. The alternatives may have significantly different physical and/or system architectures, requiring different security controls that may lead to different security costs and effectiveness.

During the final stage of the IA phase, ISS engineering refines and updates the preliminary vulnerability and security risk assessment. Updated threat and vulnerability data is applied to analyze the costs and effectiveness of the system features and security controls associated with each of the final system alternatives. ISS engineering provides the final security requirements for the final Program Requirements document (fPR) and the system specification, as well as special requirements for the Solicitation Information Request (SIR) and contract Statement of Work (SOW). In developing the final system requirements, ISS engineering analyzes and establishes the appropriate assurance level to be proven during system implementation. Assurance in this context addresses the required level of confidence in security function and performance, and ensures that the security controls function in an integrated fashion. Assurance can be gained through many techniques, including conformance testing, independent verification testing, and employing diverse and/or redundant capability.

ISS engineering shall support a documented agreement among the FAA stakeholders regarding the necessity and sufficiency of the security requirements. It should clearly document the agreement to the security requirements before the investment decision becomes the foundation for the Security Certification and Authorization Package (SCAP), which shall be completed before the In-Service Decision (ISD). During the IA, ISS engineering identifies the technically qualified, senior FAA official who shall certify that the system security controls meet the minimum FAA/NAS ISS requirements (see the DAA discussion in SEM section 4.8.6). The ISSP, which is based on NIST SP 800-18 and was a conceptual draft during the Mission Analysis phase of the AMS, is updated to become an initial draft.

The ISS engineering products from this phase include the updated preliminary vulnerability and security risk assessment, final security program requirements, security trade studies to support cost-benefit/investment analysis of security controls, and input to the SIR, SOW, system specification, and Contract Data Requirements List (CDRL) for systems to be acquired. These products support the AMS milestone decision for transition into the Solution Implementation phase.

Last updated: Tuesday, September 12, 2017