Create Final Security C&A Documents (n)

AMS Lifecycle Phase: Solution Implementation

Description

Certification is an official signed statement by the Information System Security Certifier (ISSC) attesting to Agency management and Congress that the following conditions have been satisfied:

  • The system has been evaluated in accordance with FAA Order 1370.82, and
  • The system, as defined in the accompanying Certification and Authorization (C&A) package, is operating securely, or
  • The system is safe to continue operations pending implementation of the identified risk mitigation activities

Authorization is an official signed statement by the Designated Approving Authority (DAA) attesting to Agency management and Congress that:

  • In accordance with the system Certification, the system is authorized to operate in the National Airspace System (NAS), and
  • The system, as defined in the accompanying C&A package, is operating securely and safely as mitigated with the identified residual risk, or
  • The system is safe to continue operations pending implementation of the identified risk mitigation activities

Review the document "Information Systems Security Program Implementation Guide (SCAPs)" for an overview of the Air Traffic Organization's (ATO's) Security Certification and Authorization Package (SCAP) documentation development process and related processes.

The documentation the FAA requires for final C&A is defined by the System Certification and Authorization Package (SCAP) prepared for the system. The ATO Information Systems Security Program office provides the templates for producing the documentation required by the SCAP level of effort (LOE) currently applied to FAA systems. The SCAP templates may change depending on ISS program office decisions. Review the document "Information Systems Security Program Implementation Guide (SCAPs)" for the lists of applicable SCAP documents, and go to the ATO Information Systems Security Program website for the latest downloadable SCAP templates.

The SCAP LOE is based on either the mandated annual assessment or the full assessment; a higher LOE indicates a more complete and effective security program. In general, the LOE required for the SCAP depends on the complexity of the system, its operational criticality, and the level of impact to the system.

Note that special handling procedures apply to SCAP documentation:

  • Transmission is from FAA to FAA
  • All SCAP documentation is controlled
  • Distributed with document tracking forms
  • Transmitted via hard copy only
  • Not made available via the Web (Internet, Intranet, or Extranet)
  • Distribution beyond the SCAP review/approval chain requires prior approval from the system owner, the Directorate Security Program Office, and the designated ISSM.

Tasks

  • Prepare Plan of Action and Milestones (POA&M), including estimated length of approval cycle
  • Meet with the Line of Business (LOB) Information Systems Security Manager (ISSM) to verify the SCAP level of effort to be prepared and to review the POA&M
  • Identify key C&A approval personnel with ISSM
  • Identify required resources, document authors and production schedule
  • Identify test schedule and other supporting milestones

Resources

  • NIST Special Publication (SP) 800-53 Rev. 1, Recommended Security Controls for Federal Information Systems
  • NIST Special Publication 800-30, Risk Management Guide for Information Technology Systems
  • NIST Special Publication 800-18, Guide for Developing Security Plans for Information Technology Systems
  • FAA ISSA Handbook
  • ATO — Information Systems Security Program Implementation Guide (SCAPs)

Last updated: Friday, October 12, 2018