United States Department of Transportation

Prepare for Technology Refresh and Upgrade Planning (p)

AMS Lifecycle Phase: In-Service Management >>> Technology Refresh Assessment (TRA)

Description

In this phase, systems are in place and operating; enhancements and/or modifications to the system are developed and tested, and hardware and/or software is added or replaced. The system should be monitored for continued performance in accordance with user requirements, and needed system modifications are incorporated. The operational system must be periodically assessed to determine that it is maintaining an acceptable level of security control. Operations can continue as long as the system can be effectively adapted to respond to the FAA's needs. Managing the configuration of the system and providing for a process of continuous monitoring are the two key elements of information security in this phase.

Tasks

  • Recertify the system as prescribed in the Information Systems Security Program Implementation Guide (SCAP) depending on the level of impact to the NAS or non-NAS systems
  • Continue to monitor the configuration of the system
  • Test new hardware and software for security vulnerabilities before inserting it into the operational system
  • Review the system requirements to ensure they still meet the users' needs

Resources

  • NIST Special Publication 800-64, Security Considerations in the Information System Development Life Cycle
  • ATO — Information Systems Security Program Implementation Guide (SCAP)

FAA Information Systems Security (ISS) Engineering Process

The Information Systems Security (ISS) Engineering website is a checklist that guides you throughout the acquisition management systems (AMS) phases to perform the security related activities using the ISS engineering processes.

[AMS phase diagram (image): Mission Analysis (Service Area Analysis & Concept & Requirements Definition); Investment Analysis (Initial Investment Analysis & Final Investment Analysis); Solution Implementation; In-Service Management]

The ISS Engineering process tasks support the phased AMS decisions, as shown in the Acquisition Management System (AMS) logo above. Each Program Office or Service Organization shall tailor its ISS Engineering activities and process tasks to meet its program milestones, using its System Engineering Management Plan (SEMP) to document that tailoring.

Each phase has ISS Engineering products that support the other Systems Engineering (SE) elements, consistent with the contents of the Systems Engineering Manual (SEM) section 4.8.6.3, "Information Security Engineering Process Tasks." The Information System Security Plan (ISSP) is a key ISS Engineering planning document for every FAA IT program. The ISSP provides an overview of the system, presents an approach for meeting the associated security requirements, and delineates responsibilities and rules for controlling access to and use of information and related assets within the system. The program ISSP is a living document, prepared early in the system lifecycle and updated regularly during program/system development. The AMS logo above summarizes the alignment of the ISS Engineering process tasks with the AMS phases.

For comments or feedback contact 9-atop-hq-isse-info@faa.gov.

[Image map of the AMS phase diagram; the ISS Engineering process task labels it contains, in letter order:]

  • (a) Integrate Initial Security Needs and Threat Stipulation into the MNS
  • (b) Develop CONOPS and Preliminary Security Requirements
  • (c) Develop Preliminary ISSP (Including Basic Security Policy)
  • (d) Develop Systems Characterization/Categorization
  • (e) Develop Preliminary Vulnerability and Risk Assessment
  • (f) Update Vulnerability and Risk Assessment
  • (g) Update CONOPS and Security Requirements
  • (h) Integrate Security Requirements with System Requirements
  • (i) Integrate Security Architecture and Design
  • (j) Update the ISSP
  • (k) Develop Security Test Plans and Procedures
  • (l) Develop User's Guides, Training, and Contingency Plans
  • (m) Conduct Security Testing
  • (n) Create Final Security C&A Documents
  • (o) Obtain Security Authorization and Accreditation
  • (p) Prepare for Technology Refresh and Upgrade Planning

Begin In-Service Management (ISM) for Systems Engineering Milestones: Technology Refresh Assessment (TRA)

(Determine whether to continue, update (tech refresh, P3I), or end the system development lifecycle for In-Service Management (ISM))

Review

Update

  • ISS section of the Final Requirement Document (fPR).
  • Vulnerability and risk assessment for the Security Risk Assessment (SRA).
  • SCAP with your Service Unit/Service Area Certification Team Lead.
    • Verify if recertification is required.

Generate

Obtain

  • DAA signature(s) of Certification and Authorization package (SCAP).
    • Service Unit/Service Area Certification Team Lead and ISSO.
    • ATO Designated Approving Authority (DAA), Information System Security Certifier (ISSC), and Information System Security Manager (ISSM).

Deliverables

  1. Updated OMB Exhibit 300, Attachment 1, 2, & 3
    • ISS section of the Final Requirement Document (fPR).
  2. Updated Security vulnerability and threat assessment for the SRA.
  3. Updated SCAP documents.
  4. DAA signature(s) of the SCAP documents.

End ISM for Systems Engineering Milestones: TRA & AMS Phase: ISM

Obtain Security Authorization and Accreditation (o)

AMS Lifecycle Phase: Solution Implementation

Description

Security Authorization ensures that the security controls are effectively implemented through established verification techniques and procedures and gives FAA officials confidence that the appropriate safeguards and countermeasures are in place to protect the FAA's information system.

Security Accreditation provides the necessary assurance that an information system can securely process, store, or transmit information that is required. This accreditation is granted by a senior official (DAA) and is based on the verified effectiveness of security controls to some agreed upon level of assurance and an identified residual risk to FAA assets or operations.

FISMA requires periodic testing and evaluation of the security controls in an information system to ensure that the controls are effectively implemented. The comprehensive evaluation of security control effectiveness through established verification techniques and procedures (also known as security certification) is a critical activity conducted by the agency or by an independent third party on behalf of the agency to give agency officials confidence that the appropriate safeguards and countermeasures are in place to protect the agency's information system. In addition to security control effectiveness, security certification also uncovers and describes the actual vulnerabilities in the information system. The determination of security control effectiveness and information system vulnerabilities provides essential information to authorizing officials to facilitate credible, risk-based, security accreditation decisions.

OMB Circular A-130 requires the security authorization of an information system to process, store or transmit information. This authorization, granted by a senior agency official, is based on the verified effectiveness of security controls to some agreed upon level of assurance and an identified residual risk to agency assets or operations (including mission, functions, image, or reputation). The security accreditation decision is a risk-based decision that depends heavily, but not exclusively, on the security testing and evaluation results produced during the security control verification process. An authorizing official relies primarily on:

  • The completed Information Systems Security Plan (ISSP)
  • The Security Test Plan and Test Results Report
  • The Plan of Action and Milestones (POAM) for reducing or eliminating the information system vulnerabilities

These inform the security accreditation decision on whether to authorize operation of the information system and to explicitly accept the residual risk to agency assets or operations.

Tasks

  • Submit the SCAP to the ISSM, ISSC, ISSCA, and the DAA for review
  • Update the SCAP based on comments received from the certification officials' reviews
  • Resubmit SCAP to ISSM, ISSC, ISSCA, and/or DAA for review
  • After DAA approval, the system is able to go operational in the field

Resources

  • NIST Special Publication 800-64, Security Considerations in the Information System Development Life Cycle
  • FAA's ISS Handbook
  • ATO — Information Systems Security Program Implementation Guide (SCAPs)

Begin Solution Implementation (SI) for AMS decision point: #5

(Re-baseline:OMB Exhibit 300, Attachment 1, 2 & 3 for the In-Service Decision (ISD))

Note: The symbol "*" indicates that FAA firewall access is required to view this link.

Review

Update

Generate

Obtain

  • DAA signature(s) of Certification and Authorization to connect and operate system in the NAS.

Deliverables

  1. SCAP Implementation Guide (Reference: SCAP Implementation Guide, Section 4.1.1 *)
  2. Baselined OMB Exhibit 300, Attachment 1:
    • ISS section of the Final Requirement Document (fPR).
      • Security Interfaces in the IRD.
  3. Baselined OMB Exhibit 300, Attachment 2, & 3
  4. The security information for SIR, SOW & CDRL.
  5. DAA signature(s) of Certification and Authorization to connect and operate the system in the NAS.

End SI for AMS decision point: #5 & AMS Phase: SI

Integrate Security Requirements with System Requirements (h)

AMS Lifecycle Phase: Solution Implementation

Description

After the security requirements have been reviewed and updated, they can be integrated with the general system requirements. This integration ensures that security requirements receive the appropriate attention from the product team of the program office developing the system. Determining the security features, assurances, and operational practices may yield significant security information and often voluminous requirements. This information needs to be validated, updated, and organized into the detailed security protection requirements and specifications used by system designers and/or purchasers. Synthesis of trade studies, interface requirements, and other Systems Engineering outputs will guide the integration of the security architecture into the system design. System design reviews are the key milestones for ensuring that the security controls are integrated into the system development.

[Figure: Process of integrating security requirements with system requirements]

Tasks

  • Update the security requirements after updating the risk and vulnerability assessment
  • Integrate security requirements with the system requirements
  • Track security requirements as part of the key milestones

Resources

  • NIST Special Publication 800-14, Generally Accepted Principles and Practices for Securing Information Technology Systems
  • FAA's System Engineering Manual

Create Final Security C&A Documents (n)

AMS Lifecycle Phase: Solution Implementation

Description

Certification is an official signed statement by the Information System Security Certifier (ISSC) attesting to Agency management and Congress that the following conditions have been satisfied:

  • The system has been evaluated in accordance with FAA Order 1370.82, and
  • The system, as defined in the accompanying Certification and Authorization (C&A) package, is operating securely, or
  • The system is safe to continue operations pending implementation of the identified risk mitigation activities

Authorization is an official signed statement by the Designated Approving Authority (DAA) attesting to Agency management and Congress that:

  • In accordance with the system Certification, the system is authorized to operate in the National Airspace System (NAS), and
  • The system, as defined in the accompanying C&A package, is operating securely and safely as mitigated with the identified residual risk, or
  • The system is safe to continue operations pending implementation of the identified risk mitigation activities

Review the document "Information Systems Security Program Implementation Guide (SCAPs)" for an overview of the Air Traffic Organization's (ATO's) system Security Certification and Authorization Package (SCAP) documentation development process and related processes.

The documentation the FAA requires for final C&A is defined by the System Certification and Authorization Package (SCAP) prepared for the system. The ATO Information Systems Security Program office provides the templates for producing the documentation required by the SCAP level of effort (LOE) currently applied to FAA systems. The SCAP template may change depending on ISS program office decisions. Review the document "Information Systems Security Program Implementation Guide (SCAPs)" for the list of applicable SCAP documents. Go to the ATO Information Systems Security Program website for the latest downloadable SCAP templates.

The SCAP LOE is based on either the mandated annual assessment or the full assessment. A higher LOE indicates a more complete and effective security program. In general, the SCAP LOE required depends on the complexity of the system, its operational criticality, and the level of impact to the system.

Note that special handling procedures apply to SCAP documentation:

  • Transmission is from FAA to FAA
  • All SCAP documentation is controlled
  • Distributed with document tracking forms
  • Transmitted via hard copy only
  • Not made available via the Web (Internet, Intranet, or Extranet)
  • Distribution beyond the SCAP review/approval chain requires prior approval from the system owner, Directorate Security Program Office and designated ISSM.

Tasks

  • Prepare Plan of Action and Milestones (POA&M), including estimated length of approval cycle
  • Meet with Line of Business (LOB) Information Systems Security Manager (ISSM) to verify level of effort SCAP to be prepared and review POA&M
  • Identify key C&A approval personnel with ISSM
  • Identify required resources, document authors and production schedule
  • Identify test schedule and other supporting milestones

Resources

  • NIST Special Publication (SP) 800-53 Rev.1, Recommended Security Controls for Federal Information Systems
  • NIST Special Publication 800-30, Risk Management Guide for Information Technology Systems
  • NIST Special Publication 800-18, Guide for Developing Security Plans for Information Technology Systems
  • FAAISSA Handbook
  • ATO — Information Systems Security Program Implementation Guide (SCAPs)

Develop User's Guides, Training, and Contingency Plans (l)

AMS Lifecycle Phase: Solution Implementation

Description

The Computer Security Act requires federal agencies to provide for the mandatory periodic training in computer security awareness and accepted computer security practices for all employees who are involved with the management, use, or operation of a federal computer system within or under the supervision of a federal agency. This includes contractors as well as FAA employees. Each user must be versed in acceptable rules of behavior for the application before being allowed to access the system. The training program should also inform the user on how to get help when having difficulty using the system and procedures for reporting security incidents.

A system user's guide should be developed that clearly explains how to use the system. All users should be required to review the document and sign a statement that they have read and understand the guide. The guide explains how the software/hardware is to be used and formalizes security and operational procedures specific to the system. The guide should include a description of the hardware and software, as well as descriptions of user and operator procedures.

The FAA meets the security awareness training requirement through the use of two tools, the CSAT and SAVI.

Contingency/disaster recovery planning (C/DRP) should ensure that interfacing systems are identified and coordinated. Review the document "Information Systems Security Program Implementation Guide (SCAP)" to see what should be addressed in the C/DRP. Procedures are required that will permit the FAA to continue its essential functions if an individual system is interrupted. These procedures should include plans for the backup, contingency, and recovery of any support systems, including networks used by the application. The Product Teams must describe the procedures and coordination that would be followed in the event that the system is no longer operational.

Tasks

  • Develop the user's guide for the system and make it available to all users
  • Ensure that all users (including contractors) take the periodic security awareness training available on the FAA's intranet
  • Develop a contingency and disaster recovery plan for the system
  • Coordinate all contingency plans with the sites and CSIRC

Resources

  • OMB Circular A-130, Appendix III
  • Computer Security Act of 1987
  • NIST Special Publication 800-18, Guide for Developing Security Plans for Information Technology Systems
  • NIST's Computer Security Resource Center's Incident and Emergency Response References Table
  • FAA's Computer Security Awareness Tool (CSAT)
  • Security Awareness Virtual Instruction (SAVI)
  • FAA's ISS Handbook
  • Information Systems Security Program Implementation Guide (SCAP)

Conduct Security Testing (m)

AMS Lifecycle Phase: Solution Implementation

Description

Product Teams should conduct routine tests of their systems and verify that their systems are properly configured with the appropriate security mechanisms and policies. These routine tests help prevent many types of incidents from happening in the first place. Security testing is the best way to determine whether the system is configured with the correct security controls and policies.

The Operational Test and Evaluation (OT&E) demonstrates that the system is operationally effective and operationally suitable for use in the NAS. This includes its ability to protect itself and the NAS from security incidents. Integrating security testing with OT&E is a step toward ascertaining whether the system is operated according to its security requirements (both operational and technical controls). The test focuses on demonstrating that operational requirements, including security, have been met and that all critical operational issues have been resolved. This test is typically conducted at the Technical Center, before the system is placed in the field. The objectives of this test are to uncover design, implementation, and operational flaws that could allow a violation of the Basic Security Policy; to determine the adequacy of the security mechanisms, assurances, and other properties that enforce the security policy; and to assess the degree of consistency between the system documentation and its implementation.

Testing the security controls during Site Acceptance Testing (SAT) allows the product team to evaluate how those security controls work at the site and make any adjustments for "real-world" situations that may not have been present during testing in a lab. This testing includes both the actions of people who operate or use the system and the functioning of the technical controls. This testing should also be conducted after the system has undergone major upgrades to be sure it is still configured to the appropriate security mechanisms and security policies.

The results of the security testing should be documented and submitted as part of the SCAP. The OT&E security test report should document the testing that took place and any vulnerabilities that were discovered. This can be used to develop a mitigation schedule and plan. Security test results should be made available to staff as a reference point for defining mitigation activities and for assessing the implementation status of system security requirements. The results can also enhance risk assessments and performance improvement efforts, and serve as a benchmark for tracking an organization's progress in meeting the security requirements.

Tasks

  • Review the Information Systems Security Program Implementation Guide for latest SCAP template
  • Develop Security Test Plan
  • Develop Security Test Procedures
  • Run test along with SAT and OT&E
  • Develop Security Test Report
  • Develop Mitigation Plan and Schedule for completion of mitigation tasks

Resources

  • NIST Special Publication 800-42, Guidelines on Network Security Testing
  • NIST Special Publication 800-64, Security Considerations in the Information System Development Life Cycle
  • FAA's ISS Handbook

Begin Final Investment Analysis (FIA) for AMS decision point: #4

(Start: OMB Exhibit 300 Attachment 3 for the Final Investment Decision (FID))

Review

Update

  • SCAP with your Service Unit/Service Area Certification Team Lead.
  • CONOPS of system.
  • ISS section of the Preliminary Requirements for the Final Requirement Document (fPR).
    • Security Interfaces document for inclusion in Interface Requirement Document (IRD).
  • The ISSP.
  • System characterization/categorization (FIPS-199).
  • Vulnerability and risk assessment.

Generate

  • Initial Security Test Plan & Report.
  • Support for system addition to the ATO Five Year SCAP Plan with your Service Unit/Service Area Certification Team Lead and ISSO.
    • Proposed schedule, security characterization/categorization (FIPS-199) and planned sites where a system would be fielded to the ISSM
  • Security Information for Solicitation Information Request (SIR), Contract Statement of Work (SOW) and Contract Data Requirement List (CDRL).

Obtain

  • Stakeholders’ buy-ins and signing of the final security documents.

Deliverable(s)

  1. Updated OMB Exhibit 300, Attachment 1:
    • (pPR) transformed into Final Requirement Document (fPR).
  2. OMB Exhibit 300, Attachment 2: Business Case Analysis Report (BCAR)
  3. OMB Exhibit 300, Attachment 3: Implementation Strategy/Planning (ISP)
  4. Final security vulnerability and risk assessment.
  5. SCAP documents
    • ISSP with security policy statement.
    • System characterization/categorization.
    • Security Test Plan & Report (See note above.)
  6. Proposal of schedule, FIPS-199, and plan toward ATO Five Year SCAP Plan for your added system.
  7. The security information for SIR, SOW & CDRL.
  8. Stakeholders’ signatures on all finalized security documents

End FIA for AMS decision point: #4 & Phase: IA