Charter On behalf of the FAA Chief Information Officer Council

By Aaron Grant,2014-11-25 08:39
11 views 0
Charter On behalf of the FAA Chief Information Officer Council

    Information Technology Standards

    Federal Aviation Administration

    April 15, 2010

    Version 7.2


    1.0 Draft of Charter developed outline 06-19-2003 1.1 Refined content in existing sections 07-22-2003 1.2 08-25-2003 Re-wrote scope and group charter, added

    Recommendations section

    1.3 Further editing, added Conclusion section 08-27-2003 1.4 Changed review cycle to monthly, and incorporated 09-16-2003

    recommended wording changes.

    1.5 Revised build-to and buy-to baseline standard. 05-08-2004

    Revised layout of charter to align with the creation of a

    technical standard.

    1.6 ITEB Cost Control Team 3 comments addressed quarterly 06-10-2004

    review cycle

    2.0 CIOC Comments addressed 07-07-2004 3.0 Updated Standard 06-16-2005 3.1 Updated for Antivirus Desktop Standard 0109-2006 3.2 Expanded for servers and network devices 04-27-2006 3.3 Added a laptop standard, updated Adobe Acrobat and 06-15-2006

    WinZip standards; IPV6 language added on network

    switches; 1 Gig RAM for desktop buy-to standard due to


    4.0 Adds remote access standards, Adds the SQL specification 04-17-2006

    for databases and identifies our build-to standard as Oracle

    and MS SQL Server. Adds FIPS 140-2 as a specification

    relating to laptop encryption and identifies Safeboot as our

    product for doing that. Updates two Sun server models

    which reached end-of-life. The V240 and V440 are replaced

    with the V245 and V445 respectively; Adds a standard for

    Storage Area Networking

    Added standards citations in several areas (column D),

    Adds a row on data modeling & identifies ERwin as our build-

    to standard

    4.1 Adds Sun server X4600 M2 to the list of standards 07-05-2007

Information Technology Standards Page 2 of 14




    5 03/05/2008 ; Adds GIS, Business intelligence/reporting, and video

     teleconferencing standard

     ; Server virtualization technical and product standard

     ; Dell Servers, Sun servers, and switches are updated. ; Desktop operating system build-to standard updated from Windows 2000 to Windows XP (due to IT Asset Inventory) ; Desktop Office Suite updated build-to from Office 2000 Pro to Office 2003 (due to IT Asset Inventory) ; LCD monitor standard added. ; Updates versions particularly for software products (MS Project, Adobe Acrobat, Windows Media Player, Visio, and Winzip) ; Replaced the Cisco 3500 family of switches with the Cisco 3750 family of switches ; Proposed change to waiver process in Section 3 of this document. ; Section 8 addition of OMB requirement for federal desktop security settings ; Added Data center utility standards ; Adds rationale for several product based standards (response to AGC recommendation) ; Adds a build-to standard for network access control Waiver process revised. 5.1 04/21/2008 ; Increased desktop RAM requirement; Buy-to increases 5.2 06/24/2008 from 1 GB or higher to 2 GB or higher; Build-to increases from 512K to 1 GB; due to Lotus Notes V8 needs in conjunction with MS Office and the Windows desktop operating system

    ; Removed the Sun V245 and V445 models as they are no

    longer available from Sun.

    ; Added to our existing Sun server standards the Sun

    T5140 and T5240 UltraSPARC models due to newer

    technology offerings from Sun for better performance,

    scalability and compute density (compact rack size),

    power & cooling advantages as well as ATO interest.

    ; Updated the Sun X2200 to the Sun X2200 M2 server due

    to change by Sun

Information Technology Standards Page 3 of 14




     ; Added the Sun X4150 and X4450 Intel Xeon servers.

     They offer power and cooling advantages, small space

     requirement, and offer VMWare/ VMotion compatibility

     with other Intel servers. They are compatible with the

     Dell Intel servers

     ; Updated the Dell 1950 and the 2950 models to the Dell

     1950 III and the 2950 III models due to Dell product line


     ; Removed the Dell 6850 model as it is no longer available ; Replaced the Dell 6850 (discontinued) with the Dell R900 server, its replacement ; Updated the Dell blade server 1955 with the M600 replacement Dell blade server (both Intel chip) Sun server M series added; Hitachi line of storage devices 5.3 7/29/2008 added as an interim standard 5.4 Windows Server 2008 and Oracle 11g added to buy-to list as 9/4/2008 part of updating the standards 6.0 Updated desktop and laptop standard; updated flash 12/18/2008 standard; 6.1 Added standards for smart card readers and their 2/26/2009 middleware; Updated Sun SPARC server standard; Removal of “interim” status for Hitachi storage standard; Added information on contract sources (SAVES, etc.) 6.2 Revises file compression standard into a file 4/16/2009 compression/data encryption standard; Changes buy-to standard to encryption products that are FIPS 140-2 compliant including SecureZip 6.3 Adds IBM System Architect to the build-to standards for 7/30/2009 “Modeling”; “Data Modeling”; Adds IBM Telelogic Synergy to the build-to standard for Software CM; Adds “IBM System Architect Visio Process Integrator” to the build-to standard for “Business/Technical Diagramming”; Adds a build-to standard for server operating systems; Replaces Sun AMD X4200 server with its life cycle replacement, the X4240. 6.4 8/24/2009 Added SOA standards (separate spreadsheet); Added comment on planned migration to IE8. 6.5 11/19/09 Added document management build-to standard and double stsided copying (rows 23 and 61 of 1 worksheet only)

Information Technology Standards Page 4 of 14


    7.0 Added second set of SOA standards; Added Windows XP 1/21/2010

    SP3 and Lotus Notes 8.02; Updated column on enterprise

    agreements/contracts; modified wording on double sided

    printer per ARB request

    7.1 Adds IE8 and Release 2 of Windows Server 2008 to buy-to 2/9/2010 rd7.2 Adds a 3 set of SOA standards; Updates Dell servers; 3/3/2010

Information Technology Standards Page 5 of 14

1. Purpose

    Under the sponsorship of the CIO and the FAA Architecture Review Board (ARB), Chief Information Officer Council (CIOC), the Technology Control Board (TCB) was tasked with updating agency standards. This is part of the FAA Technical Reference Model (TRM) as described in the Federal Enterprise Architecture Framework (FEAF). Among the driving influences behind the creation of information technology (IT) standards include:

    a) A mandate from the Office of Management and Budget (OMB) to manage IT

    efficiently and effectively

    b) FAA and e-Government initiatives to control IT costs

    c) Industry success with IT standardization to control IT costs

    In effect, standards provide a better means to manage the agency’s IT assets. FAA is using IT standards in enterprise-wide procurement vehicles (using larger volume purchases to attain lower industry prices) including enterprise license agreements.

2. Scope

    These IT standards apply to Administrative and NAS Regulatory Support (formerly administrative and mission support systems), internal to the FAA, excluding real-time NAS systems relating to air traffic control. In general, these standards specify each standard to a selected level of detail such as a base model or series while allowing the requiring FAA organization or program the flexibility to add options or features available from a vendor for that specified standard.

    These standards do not apply to contracts such as performance-based contracts where the FAA has delegated to a contractor the decision-making on the nature of the hardware and software for meeting FAA requirements (for example, the FTI Program’s

    contracts). However, performance based contracts should justify why they are going outside these standards

    The standards are defined in terms that are compatible with OMB’s Federal Enterprise Architecture (FEA) and the categories outlined in the FEA TRM.

    3.0 Waiver Process

    While the primary objective is to define standards for use across the FAA’s Lines of Business (LOBs) and Staff Offices (SOs), some exceptions to the standard may exist based on the requirements of legacy applications and other legitimate business needs. Exceptions to the standard should not be based on user or organizational preferences. A waiver request from this standard may be approved if it meets one of the following conditions:

    a. The standard has a direct measurable negative impact on a service we provide

    the public.

    b. The standard will adversely affect an LOB/SO business or performance goal. Information Technology Standards Page 6 of 14

    c. The standard will negatively impact business applications or increase costs



    1. Prepare waiver request: The waiver request form is provided in Appendix C.

    Anyone may file a request. Waivers are needed if one is taking an action that

    does not conform to either 1) a relevant technical standard cited or 2) an

    acquisition or “buy-to” standard. If there is no relevant technical or buy-to

    standard, then no waiver is needed.

    o If the requestor is a manager, skip to the LOB/SO CIO (Step 3). 2. Obtain manager concurrence: The requestor's immediate supervisor must

    review and concur with the request, and forward it to the LOB/SO CIO. 3. Obtain LOB/SO CIO approval or concurrence: Per the charts below, if the

    request has a low or very low impact, the LOB/SO CIO must approve or deny the

    waiver request. Approved requests must be sent to the ARD-1 as co-chair of the

    ARB. Otherwise, the LOB/SO CIO must review and concur with the request, and

    forward the request to the ARB.

    4. Obtain ARB approval: The ARB must review and approve or deny the waiver

    request. If an expedited approval is required, the ARB co-chairs may act on the


    5. Analyze approved waiver requests: The ARB co-chairs will analyze the

    approved waivers in aggregate, looking for trends that will help determine what

    additional steps are needed to maximize service value, efficiency, and


    6. The LOB/SO CIOs will forward their approved waivers to the FAA CIO who will

    analyze and aggregate the waivers.

    7. If the LOB or SO CIO wishes to appeal the ARB decision, the SES official above

    the CIO may appeal the decision to the ITEB.

    Information Technology Standards Page 7 of 14

    Level of Impact of the Proposed Waiver to FAA Technical Reference Model (TRM)

    and/or FAA IT Standards

Impact LevelDescription

    Waiver involves a national application of technology or cross-FAA Very High

    or new platform or E-Gov or high business impact; Or the waiver

    involves ISS implications

    Involves Major LOB or cross-LOB application of technology or High

    standards; $10M and above (lifecycle cost) or time critical or

    management directed; Or the waiver involves ISS implications

    Moderate LOB application of technology or standard; Or waiver Medium

    involves an investment that exceeds $1M in cost; And the waiver

    has minor or no ISS implications

    Scope is limited to a subset of an LOB or less than 500 employees Low

    or less than 10 servers or less than 100 desktops; And waiver has

    minor or no ISS implications; Or the wiaver duration is for less than

    15 months and the waiver does not impede future competition

    among vendor products

    Waiver is intended for a short duration of less than 10 months; Very Low

    And the waiver has minor or no ISS implication; And the waiver

    involves costs of less than $250K and does not impede future

    competition among vendor products

[Minor or no ISS implications refers here to a low probability of a risk or threat and a low

    severity of potential outcome from such risk(s) or threat(s)]. Program Impact Reviewers Approvers

    Very High Manager, LOB/SO CIO ARB

    High Manager, LOB/SO CIO ARB

    Medium Manager LOB/SO CIO

    Low Manager LOB/SO CIO

    Very Low Manager LOB/SO CIO

    Any waivers granted from the above process only apply to FAA IT Standards and FAA’s Technical Reference Model (TRM). It does not apply to other kinds of standards such as data standards described in FAA Order 1375.1D.

    4.0 Information Technology Standards

Appendix A enumerates the specific standards in three categories Relevant

    International/Government standards, FAA minimum or build-to standards and FAA acquisition standards or buy-to standards. (Note that Appendix A is not a requirement for all configurations to have all of the software listed. For instance, many desktops will

    not have Microsoft Project or Visio software).

Information Technology Standards Page 8 of 14

Relevant International/Government Standards

    ; These are internationally recognized standards that the FAA is targeting for

    compliance in its target architecture. These standards apply to the acquisition

    (or “buy-to”) standards; they do not relate to the “build-to” standards.

    ; Sources for these standards include the International Organization for

    Standardization (ISO), International Electrotechnical Commission (IEC), National

    Institute of Standards and Technology (NIST), Internet Engineering Task Force

    (IETF), and others.

Characteristics of FAA Minimum Standards Build-To Standards

    ; These standards are meant to be the target environment for software

    applications being currently built for national fielding across FAA organizations

    within the next 10 months. They recognize the current installed base of

    hardware and software at the FAA. They are used to simplify development and

    ensure successful deployment by providing a stable and predictable


    ; These hardware and software standards often represent the norm in the FAA.

    They represent an average or below average system in the FAA.

    ; With few exceptions, we intend that current applications are compatible with the

    build-to standard, especially enterprise-wide applications.

Characteristics of FAA Acquisition Standards Buy-To Standards

    ; Meaning: If an LOB or SO is to make a purchase in the near future, then they are

    expected to purchase the buy-to standard or seek a waiver.

    ; The standard ought to support an economically efficient system life. For

    desktops, this is about 3-4 years for a desktop system (shorter for any laptop

    hardware standards) as determined by the FAA LOB or SO.

    ; Constraint: These standards need to be a currently commercially available

    product or one that is anticipated to be available shortly or within the target time

    horizon of the standard.

    5.0 Future Updates.

    Due to the changing nature of technology, these standards will need to be updated periodically. The CIO Council and/or ITEB will need to charter a revision to update these standards periodically.

     6.0 Mechanism to test standards.

    In order to promote the integration of standards in desktop and server environments and compatibility with agency applications, FAA testing capabilities may be required to properly test changes to the standards. Some testing capabilities exist in the FAA already. Where possible, FAA organizations ought to use existing testing facilities within the LOBs.

Information Technology Standards Page 9 of 14

    7.0 Standard Compliance

    FAA organizations are expected to follow these standards in any new systems unless a waiver is obtained from the LOB/SO CIO. Furthermore, forthcoming life cycle controls in the Acquisition Management System are expected to call for program managers to make use of the Enterprise architecture at several stages of their acquisition process. The latter includes compliance with FAA’s Technical Reference Model (TRM) which includes this standard.

     8.0 Broadly Applicable Standards

    The following are standards with a broad scope affecting virtually all federal information technology.

    A) The Federal Information Processing Standard (FIPS) Publications 199 and 200 have broad applicability for federal information and federal information systems. The NIST authored these in February 2004 and March 2006 respectively. They were issued as a result of the Federal Information Security Management Act (FISMA).

    ; FIPS Publication 199 requires agencies to categorize their information systems

    as low-impact, moderate-impact, or high-impact for the security objectives of

    confidentiality, integrity, and availability.

    ; The FIPS 200 standard addresses the specification of minimum security

    requirements for federal information and information systems. It is applicable to:

    (i) all information within the federal government other than that information that

    has been determined pursuant to Executive Order 12958, as amended by

    Executive Order 13292, or any predecessor order, or by the Atomic Energy Act

    of 1954, as amended, to require protection against unauthorized disclosure and

    is marked to indicate its classified status; and (ii) all federal information systems

    other than those information systems designated as national security systems as

    defined in 44 United States Code Section 3542(b)(2).

    B) Section 508 of the Rehabilitation Act of 1973 (as amended in 1998) requires that when Federal agencies develop, procure, maintain, or use electronic and information technology, they shall ensure that the electronic and information technology allows Federal employees with disabilities to have access to and use of information and data that is comparable to the access to and use of information and data by Federal employees who are not individuals with disabilities, unless an undue burden would be imposed on the agency. The FAA Acquisition Management System (AMS)

    Rehabilitation Act policy mandates that after June 21, 2001, new procurements (contracts, task orders, delivery orders, orders under government wide-schedules, interagency agreements) shall include requirements that have provisions for Electronic and Information Technology (EIT) Accessibility Standards (for telecommunication products, information kiosks, transaction machines, web sites, multimedia, office equipment and others.) Please refer to Appendix B, when procuring EIT, and insert the 36 Code of Federal Regulations for the applicable commodity.

Information Technology Standards Page 10 of 14

Report this document

For any questions or suggestions please email