AMS Lifecycle Phase: Solution Implementation

Description

After the risk and vulnerability assessment has been updated, it is time to update the CONOPS and more specifically define the security requirements. There is no such single security CONOPS document. The CONOPS document is written to communicate the overall quantitative and qualitative system characteristics to the stakeholders (user, buyer, developer, and other organizational elements). Therefore, as new risks and vulnerabilities are defined for the system, the CONOPS needs to be updated so all of the stakeholders are aware of the new issues. The CONOPS aids in the requirements capturing and communicates the need to the developing program office. Since the high level requirements (including security) are also part of the CONOPS, the security requirements needs to be updated to reflect the issues addressed in the updated Risk and Vulnerability Assessment.

The CONOPS describes the user's operational needs without delving into technical details. It provides a mechanism for expressing ideas and concerns on possible solution strategies and builds consensus among user groups, acquisition organizations, and developers.

The CONOPS document is a means of bringing together people, policy, and technology.

Tasks

• Review the updated Risk and Vulnerability Assessment report in the SCAP
• Ensure that the CONOPS and Security Requirements reflect the results of the Risk and Vulnerability Assessment
• Update the CONOPS and Security Requirements and forward the updates to the requirements team

Resources

• NIST Special Publication 800-64, Security Considerations in the Information System Development Lifecycle
• FAA System Engineering Manual
• NAS SR-1000, security section