Develop Systems Characterization/Categorization (d)

AMS Lifecycle Phase:Investment Analysis >>> Initial Investment Analysis

Description

After needs have been determined, the list of alternative(s) in CRD was determined and the system should be categorized as to what level of potential impact a security breach would have. Security categorization assists the product teams in making the appropriate selection of security controls for the program.

The system characterization is the central document in the SCAP. Developed by the System Owner, its purpose is to provide a single document that contains relevant system description information, including system architecture, interfaces, data/information types, and the general system operations and maintenance environment in sufficient detail for the reviewer to gain a reasonable understanding of the system and its operating environment. It is important that logical network diagrams be included to provide an opportunity to view the conceptual composition of the system/network. By using logical diagrams in conjunction with the design description, reviewers will be provided with a comprehensive understanding of the system/network design, requirements, goals, and plan for projected growth.

FIPS 199, Standards for Security Categorization of Federal Information and Information Systems, guides the determination of the potential magnitude of harm resulting from a NAS security incident. FIPS 199 categorizes "High," "Moderate," and "Low" impacts of losses of availability, integrity or confidentiality. The assessed categorization provides the impact variable used as a multiplier of likelihood in the ISS Program Handbook risk assessment model:

Note: During this phase of the system's development, the security needs determination and categorization should result in a high-level description of the security controls (800-53) in the proposed system to meet the assurance requirements. NISTSP 800-53 is separated into management, operational and technical control that ensures the confidentiality, integrity and availability (CIA) of the system. Check into the latest version of the NIST 800-53 and ISSA for security controls for methodologies on selection and allocation.

Tasks

• Define the security categorization of the program
• Determine the system and its boundaries
• Develop a high level description of the security controls

Resources

• NIST Special Publication 800-64, Security Considerations in the Information System Development Life Cycle
• NIST FIPS199, Standards for Security Categorization of Federal Information and Information Systems
• NIST Special Publication 800-53, Recommended Security Controls for Federal Information Systems
• Federal Information Security Management Act (FISMA), PL 107-347, Title III
• FAA Order 1370.82A, Information Systems Security Program
• OMB Circular A-130, Management of Federal Information Systems, Appendix III
• ATO Information Systems Security Program Implementation Guide (SCAPs)
• ISSA latest version

Develop Preliminary ISSP (Including Basic Security Policy) (c)

AMS Lifecycle Phase:Investment Analysis >>> Initial Investment Analysis

Description

The Information System Security Plan (ISSP) must fully identify and describe the controls currently in place or planned for the system and should include a list of rules or behavior. The existence of, and adherence to, an ISSP is a fundamental requirement in system security certification. The purpose of the ISSP is to provide an overview of the security requirements of the system and describe the controls in place or planned for meeting those requirements and delineates responsibilities and expected behavior of all individuals who access the system. Once completed, an ISSP will contain technical information about the system, its security requirements, and controls implemented to provide protection against it risks and vulnerabilities.

Further, a system's ISSP acts as a record of the security analysis performed during the mission analysis phase. It provides a place to record the threats that are being considered, the security objectives that are being pursued, and the actual security specifications as they are created. The ISSP should be viewed as an "evolving" document that records the security analysis performed during the course of the requirements generation process. Specific information regarding developing an ISSP can be found in NIST Special Publication 800-18, Guide for Developing Security Plans for Information Technology Systems.

The security requirements for enterprise systems should address the following issues:

• the system should not create vulnerabilities or unintended interdependencies in other enterprise systems
• the system should not decrease the availability of other enterprise systems
• the system should not decrease the overall security posture of the entire enterprise
• Systems connected to external domains must analyze and attempt to counter hostile actions originating from these domains
• Security specifications should be appropriate for the given state of the system
• Security specifications should be stated clearly to convey the desired functions and assurances to the enterprise system product team and the developers
• Implement specifications that sufficiently reduce the risks to the enterprise system and to the enterprise mission that the system supports

The Basic Security Policy is the foundation for all security decisions made by the IPTs. The Basic Security Policy provides an overview of the security requirements of the system, and delineates responsibilities and expected behaviors of all individuals who access the system. The Security Policy should reflect inputs from information owners, system operators, and the system security manager.

Management acceptance of the policy should be based on an assessment of management, operational, and technical controls. Since the Security Policy establishes and documents the security framework for the system, it should form the basis for management's authorization.

Note on relationship between ISSP and 800-53 security controls:
The ISSP also outlines the management controls that protect their information system resources. Technical and operational controls, in turn, support the management controls. To be effective, these controls must interrelate.

Management Controls

Are in place or planned measures intended to meet the protection requirement of the information system resources. Management controls focus on the management of the information system and the management of risk for a system. The types of control measures are consistent with the need for protection of the information system resources.

System training and awareness requirements must be identified in the appropriate section as indicated in the template instructions. It is critical to identify the required training / awareness, the frequency it is to be delivered, the personnel who will be required to take it, and the responsible party for training record maintenance.

Operational controls

Are mechanisms that are implemented and executed primarily by people (as opposed to systems). These controls are put in place to improve the security of a particular system (or group of systems). They often require technical or specialized expertise - and often rely upon management activities as well as technical controls.

Technical controls

Focuses on those security controls executed by the computer system. The controls can provide automated protection from unauthorized access or misuse, facilitate detection of security violations, and support security requirements for applications and data. The implementation of technical controls, however, always requires significant operational considerations and should be consistent with the management of security with the organization.

Tasks

• Develop ISSP based on security requirements
• Determine security requirements for the system
• Determine the 800-53 control for the system assessed
• Define and describe the scope of the system and its boundaries
• Determine who will be the POC for security of the system
• Identify the Security Team and the LOBs involved and ensure commitment

Resources

• OMB Circular A-130, Management of Federal Information Resources, Appendix III, Security of Federal Automated Information Resources
• 44 USC 35, Subchapter II, Federal Information Security Management Act (FISMA)
• Public Law 106-398, Government Information Security Reform Act of 2000 (GISRA)
• NIST Special Publication 800-27, Engineering Principles for IT Security
• NIST Special Publication 800-18, Guide for Developing Security Plans for Information Technology Systems
• NIST Special Publication 800-53, Recommended Security Controls for Federal Information Systems
• ATO - Information Systems Security Program Implementation Guide (SCAPs)
• FAA's ISS Handbook

Begin Concept and Requirement Definition (CRD) for AMS decision point: #2

(Start:OMB Exhibit 300 Attachment 1 for the Investment Analysis Readiness Decision (IARD))

Review

• The CONOPs of the system.
• FAAFASTAMS Lifecycle Phases and Decisions guidance website:
  • Concept & Requirements Definition (CRD)
  • Investment Analysis Readiness Decision (IARD)
• FAAFASTISS Flow Chart of the CRD section
• Security engineering activities.
  • AMS Lifecycle Management Process with ISSE related activities
• The NAS-SR1000 security requirements section.
  • To obtain the document please contact Linda Suppan (Acting Manager).

Coordinate

• Service Unit/Service Area Certification Team Lead to determine plans and strategy for SCAP activities including determining the level of effort and security activities.
  • ATO Information System Security Manager (ISSM)
  • ATO Designated Approving Authority (DAA), Information System Security Certifier (ISSC), and Information System Security Manager (ISSM)
  • ATO Service Unit/Service Area Certification Team Lead
  • ATO Service Unit/Service Area ISSO.
    • The individual is responsible for all the security functions for the program and is designated by the Program Manager.

Generate

• “Developing CONOPS and Preliminary Security Requirements (b)”
  • CONOPS of system.
  • ISS section of the Preliminary Requirements. (pPR document).
    • For assistance in developing security requirements contact Kenneth Kepchar, ATO-PISS Chief Scientist System Engineer.
  • The 800-53 controls.

Deliverable(s)

1. OMB Exhibit 300, Attachment 1: Preliminary Program Requirements (pPR)
   • ISS Section of the Preliminary requirements. (pPR)

End CRD for AMS decision point: #2 & AMS Phase Mission Analysis (MA)

AMS Information Systems & Security Checklist

Note:

• This is the complete checklist throughout your ISS Engineering activities during the AMS Lifecycle phases.
• The symbol "*" indicates that the FAA firewall access is required to view this link.

Initiate

FAA Information Systems Security (ISS) Activities Process:

1. If any questions, please contact 9-ATOP-HQ-ISSE-Info@faa.gov, ATO-P Information Systems Security Chief Scientist Engineer.
2. Go to the last page of this checklist to review:
   • Appendix 1: "AMS Logo Map - FAA Lifecycle Management Process".
     • Use the map to follow the numbered AMS decision points in the process with this checklist.
   • Appendix 2: "Security Activities during AMS Phases"
     • It is a quick overview of deliverable security related products for each AMS Phases.
3. Use this checklist to map the security activities along with your appendix 1 & 2.
4. Review the lettered content of the "FAA Information Systems Security (ISS) Engineering Process".

Resources

1. The ATOISS related websites:
   • FAAFASTAMS - Security Section
   • FAANAS Enterprise Architecture (NASEA) - Security View (TBA - Still in the maturation process.)
   • FAA Systems Engineering Manual (SEM)
     • Section 4.8.6, Information Security Engineering
   • ATOISS Program Library website
     • An authoritative source indicating governance of SCAP process*
   • ISS related policies*
2. SCAP Templates and FAQs

Quick Links

• Service Analysis (SA)
• Concept & Requirement Definition (CRD)
• Investment Analysis (IA)
• Final Investment Analysis (FIA)
• Solution Implementation (SI)
• In-Service Management (ISM)

Begin Service Analysis (SA) - AMS decision point: #1

(Start: Service Analysis activities for the Mission Needs Decision (MND))

Note: The symbol "*" indicates that the FAA firewall access is required to view this link.

Review

• FAAFASTAMS Lifecycle Phases and Decisions guidance website:
  • Service Analysis (SA)
  • Mission Need Decision (MND)
  • ISS policy guidance listed in the ATOISS Program Library website.
    • FAA Orders 1370.82A, "Information Systems Security Program"*
  • ISS Engineering
    • AMS Lifecycle Management Process with ISSE related activities

Initiate

• Service Level Mission Need (SLMN) Threat Stipulation and basic security policy.
  • Integrating Initial Security Needs and Threat Stipulation into the SLMN (a)

Deliverable(s)

1. Statement of security policy and threat environment stipulation incorporated into the SLMN.

End SA for AMS decision point: #1

Begin Concept and Requirement Definition (CRD) - AMS decision point: #2

(Start:OMB Exhibit 300 Attachment 1 for the Investment Analysis Readiness Decision (IARD))

Review

• The CONOPs of the system.
• FAAFASTAMS Lifecycle Phases and Decisions guidance website:
  • Concept & Requirements Definition (CRD)
  • Investment Analysis Readiness Decision (IARD)
• FAAFASTISS Flow Chart of the CRD section
• Security engineering activities.
  • AMS Lifecycle Management Process with ISSE related activities
• The NAS-SR1000 security requirements section.
  • To obtain the document please contact Linda Suppan (Acting Manager).

Coordinate

• Service Unit/Service Area Certification Team Lead to determine plans and strategy for SCAP activities including determining the level of effort and security activities.
  • ATO Information System Security Manager (ISSM)
  • ATO Designated Approving Authority (DAA), Information System Security Certifier (ISSC), and Information System Security Manager (ISSM)
  • ATO Service Unit/Service Area Certification Team Lead
  • ATO Service Unit/Service Area ISSO.
    • The individual is responsible for all the security functions for the program and is designated by the Program Manager.

Generate

• “Developing CONOPS and Preliminary Security Requirements (b)”
  • CONOPS of system.
  • ISS section of the Preliminary Requirements. (pPR document).
    • For assistance in developing security requirements contact Kenneth Kepchar, ATO-PISS Chief Scientist System Engineer.
  • The 800-53 controls.

Deliverable(s)

1. OMB Exhibit 300, Attachment 1: Preliminary Program Requirements (pPR)
   • ISS Section of the Preliminary requirements. (pPR)

End CRD for AMS decision point: #2 & AMS Phase Mission Analysis (MA)

Begin Initial Investment Analysis (IIA) - AMS decision point: #3

(Start:OMB Exhibit 300 Attachment 2 for the Initial Investment Decision (IID))

Review

• FAAFASTAMS Lifecycle Phases and Decisions guidance website
  • Investment Analysis (IA)
  • Investment Decision (ID)
• FAAFASTISS Flow Chart of the IIA section
• Security engineering activities
  • FAA Information Systems Security (ISS) Engineering Process

Update

• CONOPS of system.
• ISS section of the Preliminary Requirements. (pPR document).
  • Apply 800-53.
    • Tailor 800-53 security requirements to your acquisitions.

Generate

• Basis of Estimates (BOE) on security cost estimates for alternatives.
• SCAP with your Service Unit/Service Area Certification Team Lead.
• The preliminary Information System Security Plan, (ISSP).
  • "Develop the Preliminary ISSP (Including Basic Security Policy)" (c)
    • NISTSP 800-18, "Guide for Developing Security plans for Federal Information Systems" (February 2006)
• Preliminary System Characterization/Categorization.
  • Develop Systems Characterization/Categorization (d)
  • FIPS-199
  • 800-53 controls.
• Preliminary vulnerability and risk assessment.
  • Developing Preliminary Vulnerability and Risk Assessment (e)
    • NISTSP 800-30, "Risk Management Guide for Information Technology Systems"

Deliverable(s)

1. BOE on security cost estimates for alternatives.
2. OMB Exhibit 300, Attachment 2: Business Case Analysis Report (BCAR)
3. Updated OMB Exhibit 300, Attachment 1: (pPR)
   • Requirements for the ISS section of the (pPR) to include the 800-53 controls.
4. Preliminary vulnerability and risk assessment.
5. Preliminary SCAPs document
   • Preliminary ISSP with security policy statement.
   • Preliminary System Characterization/Categorization.

End IIA for AMS decision point: #3

BEGIN Final Investment Analysis (FIA) - AMS decision point: #4

(Start:OMB Exhibit 300 Attachment 3 for the Final Investment Decision (FID))

Review

• FAAFASTAMS Lifecycle Phases and Decisions guidance website:
  • Investment Analysis (IA)
  • Investment Decision (ID)
• FAAFASTISS Flow Chart of the FIA section.

Update

• SCAP with your Service Unit/Service Area Certification Team Lead.
• CONOPS of system.
• ISS section of the Preliminary Requirements for the Final Requirement Document (fPR).
  • Security Interfaces document for inclusion in Interface Requirement Document (IRD).
• The ISSP.
• System characterization/categorization.(FIPS-199)
• Vulnerability and risk assessment.

Generate

• Initial Security Test Plan & Report.
  • Documentation should be produced only if test documents are being developed early based on approved system prototype, prior to Solution Implementation phase.
    • “Develop Security Test Plans and Procedures”(k)
• Support for system addition to the ATO Five Year SCAP Plan with your Service Unit/Service Area Certification Team Lead and ISSO.
  • Proposed schedule, security characterization/categorization (FIPS-199) and planned sites where a system would be fielded to the ISSM
• Security Information for Solicitation Information Request (SIR), Contract Statement of Work (SOW) and Contract Data Requirement List (CDRL).

Obtain

• Stakeholders’ buy-ins and signing of the final security documents.

Deliverable(s)

1. Updated OMB Exhibit 300, Attachment 1:
   • (pPR) transformed into Final Requirement Document (fPR).
2. OMB Exhibit 300, Attachment 2:Business Case Analysis Report (BCAR)
3. OMB Exhibit 300, Attachment 3:Implementation Strategy/Planning (ISP)
4. Final security vulnerability and risk assessment.
5. SCAP documents
   • ISSP with security policy statement.
   • System characterization/categorization.
   • Security Test Plan & Report (See note above.)
6. Proposal of schedule, FIPS-199, and plan toward ATO Five Year SCAP Plan for your added system.
7. The security information for SIR, SOW & CDRL.
8. Stakeholders’ signatures on all finalized security documents

End FIA for AMS decision point: #4 & Phase: IA

BEGIN Solution Implementation (SI) - AMS decision point: #5

(Re-baseline:OMB Exhibit 300, Attachment 1, 2 & 3 for the In-Service Decision (ISD))

Note: The symbol "*" indicates that the FAA firewall access is required to view this link.

Review

• FAAFASTAMS Lifecycle Phases and Decisions guidance website:
• Solution Implementation (SI)
• In-Service Decision (ISD)
• FAAFASTISS Flow Chart of the SI section
• OMB Exhibit 300, Attachment 1, 2, & 3.

Update

• Security information for Solicitation Information Request (SIR), Contract Statement of Work (SOW) and Contract Data Requirement List (CDRL).
• Vulnerability and risk assessment for the Security Risk Assessment (SRA).
  • This is to be performed independent of the Integrated Product Team (IPT).
  • “Update Vulnerability and Risk Assessment” (f)
• CONOPS of system.
  • “Update the CONOPS and Security Requirements” (g)
  • To include ISS section to the CONOPS depending on level of impact of the NAS system.
• ISS section for the Final Requirement Document (fPR).
  • Security Interfaces document for inclusion in Interface Requirement Document (IRD).
  • “Integrate Security Requirements with System Requirements” (h)
  • “Integrate Security Architecture and Design” (i)
• The ISSP.
  • “Update the ISSP” (j)
• SCAP to reflect actual fielded systems with your Service Unit/Service Area Certification Team Lead and ISSO. Must complete the SCAP documents before operating the system.
  • Locate the “ATOISS Implementation Guide * ” and follow the link “SCAP” for the SCAP guidance document.
  • “Create Final Security C&A Documents” (n)

Generate

• Security testing on system baseline and refine solution as needed for ISD/commissioning.
  • This is to be performed independent of the IPT.
  • “Develop Security Test Plans and Procedures” (k)
• Users guide, training plans, and contingency/disaster recovery plans.
  • “Develop User’s Guides, Training, and Contingency Plans” (l)
  • “Conduct Security Testing” (m)

Obtain

• DAA signature(s) of Certification and Authorization to connect and operate system in the NAS.
  • “Obtain Security Authorization and Accreditation” (o)
    • ATO Designated Approving Authority (DAA), Information System Security Certifier (ISSC), and Information System Security Manager (ISSM).

Deliverables

1. SCAP Implementation Guide(Reference: SCAP implementation guide - Section 4.1.1 *)
2. Baselined OMB Exhibit 300, Attachment 1:
   • ISS section of the Final Requirement Document(fPR).
     • Security Interfaces in the IRD.
3. Baselined OMB Exhibit 300, Attachment 2, & 3
4. The security information for SIR, SOW & CDRL.
5. DAA signature(s) of Certification and Authorization to connect and operate the system in the NAS.

End SI for AMS decision point: #5 & AMS Phase: SI

BEGIN In-Service Management (ISM) – Systems Engineering Milestones: Technology Refresh Assessment (TRA)

(Determine: To continue, update (Tech refresh, P3I) or end the Systems Development Lifecycle needs for the (ISM))

Review

• FAAFASTAMS Lifecycle Phases and Decisions guidance website:
  • In-Service Management (ISM)
• FAAFASTISS Flow Chart of the ISM section.
• The ISSP for the system assessed.
• OMB Exhibit 300, Attachment 1, 2, & 3.

Update

• ISS section of the Final Requirement Document (fPR).
• Vulnerability and risk assessment for the Security Risk Assessment (SRA).
• SCAP with your Service Unit/Service Area Certification Team Lead.
  • Verify if recertification is required.

Generate

• Technology refresh and/or upgrade of the system assessed.
  • Prepare for Technology Refresh and Upgrade Planning (p)
  • NISTSP 800-64, “Security Considerations in the Information System Development Life Cycle”
• For disposal of the system.
  1. Follow ISSP
  2. Archive information
  3. Sanitize media
  4. Dispose of hardware and software.

Obtain

• DAA signature(s) of Certification and Authorization package (SCAP).
  • Service Unit/Service Area Certification Team Lead and ISSO.
  • ATO Designated Approving Authority (DAA), Information System Security Certifier (ISSC), and Information System Security Manager (ISSM).

Deliverables

1. Updated OMB Exhibit 300, Attachment 1, 2, & 3
   • ISS section of the Final Requirement Document (fPR).
2. Updated Security vulnerability and threat assessment for the SRA.
3. Updated SCAP documents.
4. DAA signature(s) of the SCAP documents.

End ISM for Systems Engineering Milestones: TRA & AMS Phase: ISM

Kenai Flight Service Station

Home Page

Below -20°C

Celsius to Fahrenheit Temperature Conversion
(-20°C to +39°C)

Celsius to Fahrenheit Temperature Conversion
(Below -20°C)

Top of Page

Questions or Comments Welcome

Kenai Flight Service Station

Home Page

Current Date: 11/3/21 (U.S. Eastern Time)

Top of Page

Questions or Comments Welcome

Kenai Flight Service Station

Home Page

Alaska Flight Service Master Flight Plans

Master Flight Plan Worksheet. Click Here.

After completing the applicable data fields in the form use an email button to send it to the
appropriate Flight Service Station. It may also be sent via FAX, or mailed directly to the Flight Service Station. Forwarding information can be found on page 2 of the form.

Top of Page

Questions or Comments Welcome

Kenai Flight Service Station

Home Page

Kenai FSS User Comment Form

Air Traffic Organization

The Air Traffic Organization (ATO) is the operational arm of the FAA. It is responsible for providing safe and efficient air navigation services to 29.4 million square miles of airspace. This represents more than 17 percent of the world's airspace and includes all of the United States and large portions of the Atlantic and Pacific Oceans and the Gulf of America.

Our stakeholders are commercial and private aviation and the military. Our employees are the service providers – the 35,000 controllers, technicians, engineers and support personnel whose daily efforts keep aircraft moving safely through the nation's skies.

Aviation is essential to our way of life and is a driving force in our economy. Entire industries rely on the successful operation of the national airspace system. Aviation accounts for 11 million jobs and is responsible for more than 5 percent of our gross domestic product.

The U.S. air traffic system is experiencing the safest period in its history. This is the result of the ATO's robust safety culture. With the implementation of its proactive Safety Management System, the ATO is now able to identify precursors of risk before there is a safety problem.

Mission Analysis

The Information Systems Security (ISS) engineering process starts in the Corporate Mission Analysis. In this phase, the ISSE process focuses on:

• the proposed system's operating environment
• system boundaries
• information assets and functions
• and the potential threat and vulnerability sources to the system's information assets and functions.

Basic system security policy flows from FAA organizational directives, such as FAA Order 1370.82A, "ISS Program Policy" as well as from FAA operating procedures and instructions. Basic system security policy is the set of rules governing control, access, and use of system information. For example, a basic security policy statement may be that only authorized FAA users shall access the system.

The ISS engineering process applies NIST Federal Information Processing Standards (FIPS) 199, "Standards for Security Categorization of Federal Information and Information Systems" to categorize the information system assets and functions. The ISSE process analyzes the NAS system concept of operations (CONOPS) and mission need statement (MNS) to formulate a basic security policy.

The security planning aspects of ISS engineering also begins in this phase, following guidance of NIST Special Publication (SP) 800-18, "Guide for Developing Security Plans for Federal Information Systems". Security requirements, based on security policy, are in the Preliminary Program Requirements (pPR) document.