scope:

This Order applies to all FAA-owned and FAA-controlled information systems, including any customized software acquired from any third party, whether open source, Government-off-the-shelf, or Commercial-off-the-shelf software. This policy does not apply to operating systems.

Purpose of This Order. This Order establishes policy for the Federal Aviation Administration (FAA) to mandate adherence to the 1) FAA Application Standards for Building Secure Information Systems and 2) FAA Minimum System Development Life Cycle (SDLC) Requirements for Building Secure Applications to promote the implementation of secure information systems throughout the FAA. This policy seeks to ensure:

a. the establishment of the minimum required SDLC activities that must be included in all FAA software system development efforts, regardless of the platform or the lines of business staff office's (LOB/SO) iterative or traditional life cycle process in use; and

b. that the LOB/SOs, all program and project managers, and all software development teams adequately plan for security by properly identifying, assessing and mitigating risks; including security controls in the software system design; adhering to agency and Federal Information Technology (IT) policies and regulations, and continually monitoring and assessing security through system retirement.