Security requirements and security testing of an Federal Aviation Administration (FAA) System are described for systems during planning, development, and operation.
FAA System Security Testing and Evaluation
Download Resources
PDF Accessibility
One or more of the PDF files on this page fall under E202.2 Legacy Exceptions and may not be completely accessible. You may request an accessible version of a PDF using the form on the Contact Us page.
Security requirements and security testing of a Federal Aviation Administration (FAA) System are described for systems during planning, development, and operation. The guidance herein for security testing and evaluation follows best practice in security testing, exemplified by the National Information Assurance Partnership (NIAP) Common Criteria Evaluation and Validation Scheme (CCEVS) based on the Common Evaluation Methodology (CEM) for developmental systems and the National Institute of Standards and Technology (NIST) Guideline on Network Security Testing for operational systems. Security testing is part of the analysis of security properties in developmental systems. These security properties are verified relative to the functional specification, guidance documentation, and the high-level design of the system. The analysis is supported by independent testing of a subset of the system security functions, evidence of developer testing based on the functional specification, dynamically selective confirmation of the developer test results, analysis of strength of functions, and evidence of a developer search for obvious vulnerabilities. Some testing of installed operational systems repeats the tests performed on the developmental systems, while other testing is unique to the operational in-service phase. Operational system security testing should be integrated into an organization's security program. The primary reason for testing an operational system is to identify potential vulnerabilities and repair them prior to going operational. The following types of testing are described: network mapping, vulnerability scanning, penetration testing, password cracking, log review, integrity and configuration checkers, malicious code detection, and modem security. Often, several of these testing techniques are used in conjunction to gain more comprehensive assessment of the overall security posture. Testing should be designed to avoid any possible disruption to ongoing activities. Attacks, countermeasures, and test tools tend to change rapidly and often dramatically. Current information should always be sought. Testing will change along with changes in technology, threats, and needs.