AMS Lifecycle Phase: Solution Implementation
Description
The Computer Security Act requires federal agencies to provide for the mandatory periodic training in computer security awareness and accepted computer security practices for all employees who are involved with the management, use, or operation of a federal computer system within or under the supervision of a federal agency. This includes contractors as well as FAA employees. Each user must be versed in acceptable rules of behavior for the application before being allowed to access the system. The training program should also inform the user on how to get help when having difficulty using the system and procedures for reporting security incidents.
A system user's guide should be developed that clearly explains how to use the system. All users should be required to review the document and sign a statement that they have read and understand the guide. The guide explains how the software/hardware is to be used and formalizes security and operational procedures specific to the system. The guide should include a description of the hardware and software, as well as descriptions of user and operator procedures.
As an example, the FAA meets the security awareness training program requirement through the use of two tools: the CSAT and SAVI.
The contingency/disaster recovery planning (C/DRP) should ensure that interfacing systems are identified and coordinated. Review the document "Information Systems Security Program Implementation Guide (SCAP)" to see what should be addressed in the C/DRP. Procedures are required that will permit the FAA to continue its essential functions if an individual system is interrupted. These procedures should include plans for the backup, contingency, and recovery of any support systems, including networks used by the application. The Product Teams must describe the procedures and coordination that would be followed in the event that the system is no longer operational.
Tasks
- Develop the user's guide for the system and make it available to all users
- Ensure that all users (including contractors) take the periodic security awareness training available on the FAA's intranet
- Develop a contingency and disaster recovery plan for the system
- Coordinate all contingency plans with the sites and CSIRC
Resources
- OMB Circular A-130, Appendix III
- Computer Security Act of 1987
- NIST Special Publication 800-18, Guide for Developing Security Plans for Information Technology Systems
- NIST's Computer Security Resource Center's Incident and Emergency Response References Table
- FAA's Computer Security Awareness Tool (CSAT)
- Security Awareness Virtual Instruction (SAVI)
- FAA's ISS Handbook
- Information Systems Security Program Implementation Guide (SCAP)
Last updated: Friday, October 12, 2018