FAAO 1370.94 Wireless Security Policy - National Air Traffic ...



FOR OFFICIAL USE ONLY
(Public Availability To Be Determined Under 5 USC 552)


Distribution: A-WXYZ-2;AFOF-O

Initiated by: AIS-500





2/03/05


SUBJ: WIRELESS TECHNOLOGIES SECURITY



Wireless communications can offer agencies, organizations, and users many benefits through higher productivity, flexibility, portability, and lower costs. However, there are inherent risks in wireless technology that can create loss of availability, integrity, and the threat of denial of service. Unauthorized users can gain access to agency systems and information, corrupt the agency’s data, consume network bandwidth, degrade network performance, and weaken or prevent authorized users from accessing the agency’s networks.


Wireless technologies have become increasingly popular in our everyday business lives and it is important to the Federal Aviation Administration (FAA) that an order be implemented to ensure that our wireless technologies are secure.


This order establishes the FAA policy on wireless network security and assigns organizational and managerial responsibilities for new and existing wireless connections using the 802.11x family of standards and the Bluetooth standards. The lines of business and staff offices (LOBs/SOs) have participated in developing this policy. FAA Order 1370.82, Information Systems Security Program, as amended, delegates authority to the Office of the Assistant Administrator for Information Services and Chief Information Officer (AIO-1) to issue information systems security policies for the FAA.


SIGNED

Daniel J. Mehan
Assistant Administrator for Information Services
and Chief Information Officer

ORDER 1370.94
U.S. DEPARTMENT OF TRANSPORTATION
FEDERAL AVIATION ADMINISTRATION
National Policy


1. Purpose of this Order. This order establishes the Federal Aviation Administration (FAA) wireless network security policy and assigns security management responsibilities for new and existing commercial off-the-shelf and government-off-the-shelf wireless information system connections using the 802.11x family of standards and the Bluetooth standard. The policies or procedures specified in this order address security requirements associated with wireless technology.

2. Scope. This order applies to:


a. All operating and future FAA information systems and wireless devices, including prototypes and telecommunications, which allow the transfer of information by means of the 802.11 family of standards (802.11x) and the Bluetooth standard.

b. FAA information collected, stored, processed, disseminated, or transmitted using FAA or non-FAA owned information systems that access FAA information systems.

c. The following devices when connected to the FAA information infrastructure or operated within an FAA facility:


(1) 802.11x Wireless Access Points (WAPs);

(2) Bluetooth WAPs;

(3) Any laptop or tablet computers with 802.11x networking capability;

(4) Any laptop or tablet computers with Bluetooth wireless networking capability;

(5) All other 802.11x devices, including but not limited to: bridges, repeaters, and gateways; and

(6) All other 802.11x and Bluetooth devices, including but not limited to: Personal Digital Assistants (PDAs), Position Determination Equipment, wireless keyboards, input devices, cellular phones, pagers, messaging devices, printers, remote switching devices, and storage devices.

d. All FAA employees, contractors, and users of FAA information systems and supporting information systems, as described in the National Information Infrastructure Protection Act of 1996, 18 USC 1030.

e. All information systems being developed, installed, operated, or maintained, regardless of ownership, within any FAA facility.

3. Delegation of Authority. The FAA Administrator has delegated responsibility to establish policy and assign organization and management responsibilities for information and information systems security related issues to AIO-1.

4. Related Publications. The following is a list of related publications:

a. Public Law 107-347, Federal Information Security Management Act (FISMA) of 2002, December 17, 2002.

b. Office of Management and Budget Circular A-130, Management of Federal Information Resources, February 8, 1996.

c. National Institute of Standards and Technology (NIST) Special Publication (SP) 800-21, Guideline for Implementing Cryptography in the Federal Government, November 1999.

d. NIST SP 800-37, Guidance for the Security Certification and Accreditation of Federal Information Systems, May 2004.

e. NIST SP 800-48, Wireless Network Security 802.11, Bluetooth and Handheld Devices, November 2002.

f. Department of Transportation (DOT) Personal Data Assistant (PDA) and Wireless Technologies Security Implementation Guidelines, January 2004.

g. FAA Order 1370.82, Information Systems Security Program, as amended.

5. Definitions. Definitions of specialized terms used in this subject area, with relevant abbreviations and acronyms, are contained in Appendix 1.

6. Policy. The FAA must secure wireless systems and wireless devices as required by NIST SP 800-48, Wireless Network Security 802.11, Bluetooth and Handheld Devices, and DOT PDA and Wireless Technologies Security Implementation Standards, industry best practices, and in accordance with the policies stated above in paragraph 4.

a. System Certification and Authorization (C&A). FAA Order 1370.82, as amended, requires all information systems to complete the FAA C&A process. This order does not relieve system owners of that responsibility.

b. Standard Operating Procedures. Before deploying a wireless solution, each line of business and staff office (LOB/SO) must develop a wireless standard operating procedure containing, at a minimum, preferred security configurations based on appropriate NIST wireless publications.

c. Wireless Access Points. Adding wireless capability to an existing information system constitutes a significant change to the risk profile of that system and will require a security review of the change and its impact to that system.

d. Validation and Verification. The FAA will conduct network and wireless scans for unauthorized wireless use.
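The scan-for-unauthorized-use requirement in paragraph 6.d is easiest to act on when scan output is compared against an inventory of what the LOB/SO has authorized. The following is an added example, not part of the order or of any FAA tool: it assumes a constructed inventory of authorized access points (BSSID, expected SSID, expected security mode) and a constructed scanner export in a simple comma-separated form, and it reports access points that are not in the inventory, that broadcast an authorized SSID from unknown hardware, or that run with a weaker configuration than the standard operating procedure requires.

```python
"""Rogue / non-compliant access point check over wireless scan results.

Added example, not part of FAA Order 1370.94. It assumes a site inventory
of authorized access points (BSSID -> expected SSID and security mode) and
a list of observed access points in the form a scanning tool might export.
All BSSIDs, SSIDs and scan lines below are constructed sample data.
"""
from dataclasses import dataclass

# Constructed inventory: what the LOB/SO's standard operating procedure
# says should be on the air at this facility (keys are lowercase BSSIDs).
AUTHORIZED_APS = {
    "00:11:22:aa:bb:01": {"ssid": "FAA-OPS", "security": "WPA2-Enterprise"},
    "00:11:22:aa:bb:02": {"ssid": "FAA-OPS", "security": "WPA2-Enterprise"},
    "00:11:22:aa:bb:03": {"ssid": "FAA-GUEST", "security": "WPA2-Enterprise"},
}

# Security modes the (constructed) SOP never permits on the FAA network.
WEAK_SECURITY = {"OPEN", "WEP"}


@dataclass(frozen=True)
class ObservedAP:
    bssid: str
    ssid: str
    channel: int
    security: str  # as reported by the scanner, e.g. "OPEN", "WEP", "WPA2-Enterprise"


@dataclass(frozen=True)
class Finding:
    bssid: str
    ssid: str
    kind: str    # unknown_bssid | ssid_spoof | ssid_mismatch | security_mismatch
    detail: str


def parse_scan(text: str) -> list[ObservedAP]:
    """Parse 'bssid,ssid,channel,security' lines; blank and '#' lines are ignored."""
    aps = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        bssid, ssid, channel, security = (f.strip() for f in line.split(",", 3))
        aps.append(ObservedAP(bssid.lower(), ssid, int(channel), security))
    return aps


def check_scan(observed: list[ObservedAP], authorized=AUTHORIZED_APS) -> list[Finding]:
    """Compare observed access points with the authorized inventory."""
    findings = []
    authorized_ssids = {v["ssid"] for v in authorized.values()}
    for ap in observed:
        expected = authorized.get(ap.bssid)
        if expected is None:
            if ap.ssid in authorized_ssids:
                # Our SSID, but from hardware we do not own: possible impersonation.
                findings.append(Finding(ap.bssid, ap.ssid, "ssid_spoof",
                                        "authorized SSID broadcast by unknown BSSID"))
            else:
                findings.append(Finding(ap.bssid, ap.ssid, "unknown_bssid",
                                        "access point not in inventory"))
            continue
        if ap.ssid != expected["ssid"]:
            findings.append(Finding(ap.bssid, ap.ssid, "ssid_mismatch",
                                    f"expected SSID {expected['ssid']!r}"))
        observed_mode = ap.security.upper()
        if observed_mode in WEAK_SECURITY or observed_mode != expected["security"].upper():
            # An authorized unit that has drifted from its required configuration.
            findings.append(Finding(ap.bssid, ap.ssid, "security_mismatch",
                                    f"observed {ap.security}, expected {expected['security']}"))
    return findings


# Constructed scanner export: two compliant units, one misconfigured unit,
# one lookalike SSID from unknown hardware, and one unrelated unknown device.
SAMPLE_SCAN = """\
# bssid,ssid,channel,security
00:11:22:AA:BB:01,FAA-OPS,6,WPA2-Enterprise
00:11:22:aa:bb:02,FAA-OPS,11,WPA2-Enterprise
00:11:22:aa:bb:03,FAA-GUEST,1,OPEN
de:ad:be:ef:00:01,FAA-OPS,6,WPA2-Personal
de:ad:be:ef:00:02,linksys,6,WEP
"""

if __name__ == "__main__":
    for f in check_scan(parse_scan(SAMPLE_SCAN)):
        print(f"{f.kind:18} {f.bssid} {f.ssid!r}: {f.detail}")
```

On the constructed sample the check reports three findings: the guest unit running open, an unknown radio using the FAA-OPS name, and an unrelated unknown device. The inventory comparison is the part that matters; the input format and the set of permitted modes are placeholders to be replaced by whatever the LOB/SO's scanning tool and standard operating procedure actually specify.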


e. Compliance Monitoring and Auditing. All wireless devices operating within FAA facilities will be subject to monitoring, audit, and review, including vulnerability scanning and testing to detect anomalous events and trends. The FISMA requires Federal agencies to periodically test and evaluate information security controls to ensure they are effectively implemented. Therefore, each LOB/SO will take the following actions:


(1) Leverage FAA available scanning (discovery) tool to automate enforcement of the requirements of this order to the extent possible;

(2) Where automated enforcement is not possible, implement managerial controls such as policies, procedures, and guidance to ensure the requirements of this order are met; and

(3) Ensure that testing of compliance with the requirements of this order is included during the C&A of each system that uses Bluetooth or the 802.11x family of wireless communications.

f. Notice of Exception or Non-Compliance. The LOB/SO designated approving authority (DAA) must submit a notice of exception to this order to AIO-1. The notice must describe the compelling business need(s) for non-compliance and explain the system security risk mitigation strategy. The notice will contain the following paragraphs: background, system description, vulnerabilities identified, risk mitigation strategy, residual risk, and recommendation. At a minimum, the LOB/SO information systems security manager, DAA, and system owner must sign this notice.

7. Information Disclosure. While implementing this order, the FAA may collect information that is protected under certain exemptions contained in the Freedom of Information Act (FOIA) 5 USC 552. The appropriate program office must review each request to determine if the information falls within the mandatory disclosure provisions of the FOIA.

8. Devices Outside the Scope of this Order. This order does not apply to the following devices:

b. Privately owned cellular telephones or pagers that do not connect to FAA information systems;

c. Very high frequency air traffic control radios;

d. Infrared devices such as keyboards, mice, and PDAs;

e. Cellular devices that are not Bluetooth or 802.11x capable; and

f. Point-to-point wireless bridges that do not use 802.11x technology.

9. Distribution. This order is distributed to the division level in Washington headquarters and in the regions and centers, and a limited distribution to all field offices and facilities.

APPENDIX A. Definitions and Acronyms


Bluetooth. A specification used for low-power radio communications to wirelessly link phones, computers, and other network devices over short distances. The wireless signals transmitted in Bluetooth reach over short distances, typically up to 30 feet (10 meters). Bluetooth devices communicate at less than 1 Mbps. Although the Bluetooth standard uses the same 2.4 GHz range as IEEE 802.11a/b/g, Bluetooth is regulated by a different standards agency.

Cellular. General name for analog and digital networks that divide large areas into smaller coverage areas called cells. As a user moves from cell to cell their connection is theoretically handed off without interruption.

Infrared Peripheral Devices (IPD). Any device that is connected to or part of a computer with an infrared hardware port. An IPD is not capable of full functionality in a stand-alone configuration. An IPD can include printers, scanners, facsimile machines, CD-ROM drives, floppy drives, modems, keyboards, mice, speakers, stylus pens, and others.

Institute of Electrical and Electronics Engineers (IEEE). A worldwide professional association for electrical and electronics engineers that sets standards for telecommunications and computing applications.

Personal Digital Assistant (PDA). A handheld computer that serves as an organizer for personal information. It includes at least a name-and-address database, checklist, and note taker. PDAs are pen-based and use a stylus to tap selections on menus and to enter printed characters. The unit may include a small on-screen keyboard that is tapped with the pen, so data may be synchronized between a user’s PDA and desktop computer by cable or wireless transmission.

Simple Network Management Protocol (SNMP). It is the standard protocol for network management in the TCP/IP environment. It is an application layer protocol that facilitates the exchange of management information between network devices. SNMP enables network administrators to manage network performance, find and solve network problems, and plan for network growth.

Secure Sockets Layer (SSL). A standard for encrypted client-server communication between network devices. A network layer protocol, SSL runs on top of TCP/IP. SSL uses several standard network security techniques including public keys, symmetric keys, and certificates. Web sites commonly use SSL to guard private information such as credit card numbers.

Time Division Multiple Access. A wireless technology that allows for increased bandwidth over digital cellular networks. Similar to CDMA, the call stream is broken into fragments so multiple calls can take place over a single frequency. It is considered the less advanced digital technology, partly because of its lack of flexibility compared with other digital cellular technologies.

Wireless Access Point (WAP). Specially configured nodes on wireless local area networks (WLANs), which act as central transmitters and receivers of WLAN radio signals. When a WLAN operates with access points, this is referred to as "infrastructure" mode. A WLAN can also exist without access points in "Ad Hoc" mode, where clients communicate directly. Using access points in infrastructure mode to bridge WLANs with wired Ethernet LANs permits larger networks. Older and base model access points allowed a maximum of only 10 or 20 clients; many newer access points support up to 255 clients.


Wired Equivalent Privacy (WEP). A security protocol, specified in the IEEE Wireless Fidelity (Wi-Fi) standard, 802.11, that is designed to provide a wireless local area network (WLAN) with a level of security and privacy comparable to what is usually expected of a wired LAN.

Wireless Systems or Devices. Any network or network device, server, system, personal computer, communication device, handheld device, or technology that is able to transfer information (actively or passively) between physically separated points without the use of a physical connection, such as copper or fiber cabling.

Wi-Fi Protected Access (WPA). Replaces the existing Wired Equivalent Privacy (WEP) standard, and provides users with improved data encryption protocols, keeping intruders from even connecting to a wireless network. WPA implements the 802.1X standard and the Extensible Authentication Protocol (EAP). The combined framework uses a centralized authentication server that allows WPA to provide much more secure authentication to the wireless network by authenticating each user before joining.

802.11a. A physical layer standard in the 5 GHz radio band. It specifies eight available radio channels (in some countries, 12 channels are permitted). The maximum link rate is 54 Mbps per channel; maximum actual user data throughput is about half of that, and the throughput is shared by all users of the same radio channel.

802.11b. This is a physical layer standard in the 2.4 GHz radio band. It specifies three available radio channels. Maximum link rate is 11 Mbps per channel, but maximum user throughput will be about half of this because the throughput is shared by all users of the same radio channel.

802.11g. This is a physical layer standard for WLANs in the 2.4 GHz and 5 GHz radio band. It specifies three available radio channels. The maximum link rate is 54 Mbps per channel whereas 11b has 11 Mbps. The 802.11g standard uses orthogonal frequency-division multiplexing (OFDM) modulation but, for backward compatibility with 11b, it also supports complementary code-keying (CCK) modulation and, as an option for faster link rates, allows packet binary convolution coding (PBCC) modulation.

802.11i. This standard is supplementary to the MAC layer to improve security. It will apply to 802.11 physical standards a, b, and g. It provides an alternative to Wired Equivalent Privacy (WEP) with new encryption methods and authentication procedures. IEEE 802.1X forms a key part of 802.11i.


802.1x. An IEEE port authentication standard that applies to both wired and wireless networks. 802.1X uses an existing authentication protocol known as the Extensible Authentication Protocol (EAP). 802.1X takes EAP and ties it to the physical medium, be it Ethernet, Token Ring or wireless LAN. For example, when a client tries to connect to a wireless access point, it detects the client and enables the client's port. It forces the port into an unauthorized state, so only 802.1x traffic is forwarded and other services such as HTTP, FTP and SMTP are blocked. The authentication process at the client level then begins through one of the EAP supported protocols.
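The port behaviour described in the 802.1x entry (port starts unauthorized, only 802.1X traffic passes, ordinary services are blocked until the EAP exchange succeeds) can be modelled as a small state machine. The following is an added illustration, not text or code from the order or from IEEE: it assumes a simplified frame (source, ethertype, payload), uses the real EAPOL ethertype 0x888E and the RFC 3748 EAP Success/Failure codes, and treats the authentication server's verdict as a single call rather than a full EAP conversation. Everything else (MAC addresses, payloads) is constructed sample data.

```python
"""Toy 802.1X controlled-port model.

Added illustration, not from FAA Order 1370.94 or any IEEE text. It models
only the behaviour described in the definition: an access point port starts
unauthorized, forwards nothing but 802.1X (EAPOL) traffic until the EAP
exchange succeeds, then opens the port to ordinary traffic. The frame
shape and the one-call authentication verdict are simplifying assumptions.
"""
from dataclasses import dataclass, field

ETHERTYPE_EAPOL = 0x888E   # EAPOL (802.1X over LAN) ethertype
ETHERTYPE_IPV4 = 0x0800    # ordinary IP traffic (HTTP, FTP, SMTP, ...)

# EAP packet codes (RFC 3748 values; only these two are modelled here)
EAP_SUCCESS = 3
EAP_FAILURE = 4


@dataclass(frozen=True)
class Frame:
    src: str
    ethertype: int
    payload: bytes


@dataclass
class ControlledPort:
    """The per-client port an authenticator enables when it detects a supplicant."""
    supplicant_mac: str
    authorized: bool = False           # 802.1X: the port starts unauthorized
    log: list[str] = field(default_factory=list)

    def from_supplicant(self, frame: Frame) -> str:
        """Filter a frame arriving from the client side of the port."""
        if frame.ethertype == ETHERTYPE_EAPOL:
            # 802.1X traffic is always relayed to the authentication server.
            self.log.append(f"eapol from {frame.src} -> authentication server")
            return "to_authenticator"
        if self.authorized:
            self.log.append(f"forwarded 0x{frame.ethertype:04x} from {frame.src}")
            return "forwarded"
        # Unauthorized state: HTTP, FTP, SMTP and everything else is blocked.
        self.log.append(f"dropped 0x{frame.ethertype:04x} from {frame.src}: port unauthorized")
        return "dropped"

    def from_authenticator(self, eap_code: int) -> bool:
        """Apply the EAP result relayed back from the authentication server."""
        self.authorized = (eap_code == EAP_SUCCESS)
        self.log.append("port authorized" if self.authorized else "port unauthorized")
        return self.authorized

    def logoff(self) -> None:
        """EAPOL-Logoff: return the port to the unauthorized state."""
        self.authorized = False
        self.log.append("eapol-logoff: port unauthorized")


def demo_session() -> list[str]:
    """Run one constructed client through the port and return each decision."""
    client = "02:00:00:00:00:01"                      # constructed MAC address
    port = ControlledPort(client)
    http = Frame(client, ETHERTYPE_IPV4, b"GET / HTTP/1.1")
    eapol_start = Frame(client, ETHERTYPE_EAPOL, b"\x01\x01")   # EAPOL-Start, constructed
    decisions = [port.from_supplicant(http)]          # blocked before authentication
    decisions.append(port.from_supplicant(eapol_start))   # only 802.1X passes
    port.from_authenticator(EAP_SUCCESS)              # server accepted the credentials
    decisions.append(port.from_supplicant(http))      # now forwarded
    port.logoff()
    decisions.append(port.from_supplicant(http))      # blocked again after logoff
    return decisions


if __name__ == "__main__":
    for line in demo_session():
        print(line)
```

The run yields dropped, to_authenticator, forwarded, dropped: the same frame is blocked, then passes only after the authentication server has answered with EAP Success, and is blocked again once the supplicant logs off. A failed EAP exchange leaves the port in the unauthorized state, which is the property a WPA-Enterprise deployment relies on.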
