The Information Systems Security (ISS) engineering process starts in the Corporate Mission Analysis. In this phase, the ISSE process focuses on:
- the proposed system's operating environment
- system boundaries
- information assets and functions
- the potential threat and vulnerability sources to the system's information assets and functions
Basic system security policy flows from FAA organizational directives, such as FAA Order 1370.82A, "ISS Program Policy", as well as from FAA operating procedures and instructions. Basic system security policy is the set of rules governing control, access, and use of system information. For example, a basic security policy statement may be that only authorized FAA users shall access the system.
The ISS engineering process applies NIST Federal Information Processing Standards (FIPS) 199, "Standards for Security Categorization of Federal Information and Information Systems" to categorize the information system assets and functions. The ISSE process analyzes the NAS system concept of operations (CONOPS) and mission need statement (MNS) to formulate a basic security policy.
The security planning aspects of ISS engineering also begin in this phase, following the guidance of NIST Special Publication (SP) 800-18, "Guide for Developing Security Plans for Federal Information Systems". Security requirements, based on security policy, are in the Preliminary Program Requirements (pPR) document.
Last updated: Tuesday, September 12, 2017