FAA - FO 1370.113
Web Security Management Policy
Publication Date: 16 April 2012
This policy is designed to assist FAA employees and contract personnel with the secure development, management, maintenance, and use of the FAA websites/services (Internet, Intranet, Extranet) to enhance security on web systems. Any third-party websites and social media websites are not within the scope of this policy. This policy addresses:
a. Implementing and maintaining security controls for web servers, such as those that provide Internet and email services;
b. Protecting FAA web information and data from unauthorized access, use, disclosure, disruption, modification, or destruction;
c. Protecting the FAA network from external threats delivered over the web, such as viruses, malicious attacks, data leaks, etc.;
d. The System Authorization process for web systems as part of the FAA-wide Information Systems Security (ISS) Program;
e. Ensuring that authentication processes are in place that provide the appropriate level of assurance for web-based access and FAA online services;
f. Ensuring that security controls are implemented in all phases of the System Development Lifecycle (SDLC) for systems within the FAA web environment; and
g. Establishing and implementing clear privacy policies for the FAA web environment.
Purpose of This Order. This Order establishes the Federal Aviation Administration's (FAA) enterprise-wide Web Security Management Policy. This order outlines the policies, roles and responsibilities for developing, managing and maintaining web systems. This order will assign the framework, mandatory standards, procedures, and security and privacy requirements for the FAA web environment.