Obtain Security Authorization and Accreditation (o)

AMS Lifecycle Phase: Solution Implementation

Description

Security Authorization is the formal decision that permits an information system to operate. It rests on verification, through established techniques and procedures, that the security controls are effectively implemented, and it gives FAA officials confidence that the appropriate safeguards and countermeasures are in place to protect the FAA's information system.

Security Accreditation provides the necessary assurance that an information system can securely process, store, or transmit the information it is required to handle. The accreditation is granted by a senior official, the Designated Approving Authority (DAA), and is based on the verified effectiveness of the security controls to an agreed-upon level of assurance and on an identified residual risk to FAA assets or operations that the DAA explicitly accepts.

FISMA requires periodic testing and evaluation of the security controls in an information system to ensure that the controls are effectively implemented. The comprehensive evaluation of security control effectiveness through established verification techniques and procedures (also known as security certification) is a critical activity conducted by the agency or by an independent third party on behalf of the agency to give agency officials confidence that the appropriate safeguards and countermeasures are in place to protect the agency's information system. In addition to security control effectiveness, security certification also uncovers and describes the actual vulnerabilities in the information system. The determination of security control effectiveness and information system vulnerabilities provides essential information to authorizing officials to facilitate credible, risk-based, security accreditation decisions.

OMB Circular A-130 requires that an information system be formally authorized before it processes, stores, or transmits information. This authorization, granted by a senior agency official, is based on the verified effectiveness of security controls to an agreed-upon level of assurance and on an identified residual risk to agency assets or operations (including mission, functions, image, or reputation). The security accreditation decision is a risk-based decision that depends heavily, but not exclusively, on the security testing and evaluation results produced during the security control verification process. In deciding whether to authorize operation of the information system and to explicitly accept the residual risk to agency assets or operations, the authorizing official relies primarily on:

  • The completed Information Systems Security Plan (ISSP)
  • The Security Test Plan and Test Results Report
  • The Plan of Action and Milestones (POAM) for reducing or eliminating the information system vulnerabilities identified during certification

Tasks

  • Submit the SCAP (the system's certification and accreditation package, not the NIST Security Content Automation Protocol) to the ISSM, ISSC, ISSCA, and the DAA for review
  • Update the SCAP based on comments received from the certification officials' reviews
  • Resubmit the updated SCAP to the ISSM, ISSC, ISSCA, and/or DAA for review
  • After the DAA grants approval, and with it acceptance of the documented residual risk, the system may go operational in the field

Resources

  • NIST Special Publication 800-64, Security Considerations in the Information System Development Life Cycle
  • FAA's ISS Handbook
  • ATO — Information Systems Security Program Implementation Guide (SCAPs)

Last updated: Friday, October 12, 2018