Information Technology Standards
Federal Aviation Administration
April 15, 2010
CHANGE CONTROL CHART
VERSION NUMBER  DATE        DESCRIPTION OF CHANGE
1.0             06-19-2003  Draft of Charter – developed outline
1.1             07-22-2003  Refined content in existing sections
1.2             08-25-2003  Re-wrote scope and group charter, added
1.3             08-27-2003  Further editing, added Conclusion section
1.4             09-16-2003  Changed review cycle to monthly, and incorporated recommended wording changes.
1.5             05-08-2004  Revised build-to and buy-to baseline standard. Revised layout of charter to align with the creation of a
1.6             06-10-2004  ITEB Cost Control Team 3 comments addressed – quarterly
2.0             07-07-2004  CIOC Comments addressed
3.0             06-16-2005  Updated Standard
3.1             01-09-2006  Updated for Antivirus Desktop Standard
3.2             04-27-2006  Expanded for servers and network devices
3.3             06-15-2006  Added a laptop standard, updated Adobe Acrobat and WinZip standards; IPV6 language added on network switches; 1 Gig RAM for desktop buy-to standard due to
4.0             04-17-2006  Adds remote access standards, Adds the SQL specification for databases and identifies our build-to standard as Oracle and MS SQL Server. Adds FIPS 140-2 as a specification relating to laptop encryption and identifies Safeboot as our product for doing that. Updates two Sun server models which reached end-of-life. The V240 and V440 are replaced with the V245 and V445 respectively; Adds a standard for Storage Area Networking; Added standards citations in several areas (column D), Adds a row on data modeling & identifies ERwin as our build-
4.1             07-05-2007  Adds Sun server X4600 M2 to the list of standards
5               03/05/2008  Adds GIS, Business intelligence/reporting, and video; Server virtualization technical and product standard; Dell Servers, Sun servers, and switches are updated; Desktop operating system – build-to standard updated from Windows 2000 to Windows XP (due to IT Asset Inventory); Desktop Office Suite – updated build-to from Office 2000 Pro to Office 2003 (due to IT Asset Inventory); LCD monitor standard added; Updates versions particularly for software products (MS Project, Adobe Acrobat, Windows Media Player, Visio, and Winzip); Replaced the Cisco 3500 family of switches with the Cisco 3750 family of switches; Proposed change to waiver process in Section 3 of this document; Section 8 – addition of OMB requirement for federal desktop security settings; Added Data center utility standards; Adds rationale for several product based standards (response to AGC recommendation); Adds a build-to standard for network access control
5.1             04/21/2008  Waiver process revised.
5.2             06/24/2008  Increased desktop RAM requirement; Buy-to increases from 1 GB or higher to 2 GB or higher; Build-to increases from 512K to 1 GB; due to Lotus Notes V8 needs in conjunction with MS Office and the Windows desktop operating system; Removed the Sun V245 and V445 models as they are no longer available from Sun; Added to our existing Sun server standards the Sun T5140 and T5240 UltraSPARC models due to newer technology offerings from Sun for better performance, scalability and compute density (compact rack size), power & cooling advantages as well as ATO interest; Updated the Sun X2200 to the Sun X2200 M2 server due to change by Sun; Added the Sun X4150 and X4450 Intel Xeon servers. They offer power and cooling advantages, small space requirement, and offer VMWare/VMotion compatibility with other Intel servers. They are compatible with the Dell Intel servers; Updated the Dell 1950 and the 2950 models to the Dell 1950 III and the 2950 III models due to Dell product line; Removed the Dell 6850 model as it is no longer available; Replaced the Dell 6850 (discontinued) with the Dell R900 server, its replacement; Updated the Dell blade server 1955 with the M600 replacement Dell blade server (both Intel chip)
5.3             7/29/2008   Sun server M series added; Hitachi line of storage devices added as an interim standard
5.4             9/4/2008    Windows Server 2008 and Oracle 11g added to buy-to list as part of updating the standards
6.0             12/18/2008  Updated desktop and laptop standard; updated flash standard;
6.1             2/26/2009   Added standards for smart card readers and their middleware; Updated Sun SPARC server standard; Removal of “interim” status for Hitachi storage standard; Added information on contract sources (SAVES, etc.)
6.2             4/16/2009   Revises file compression standard into a file compression/data encryption standard; Changes buy-to standard to encryption products that are FIPS 140-2 compliant including SecureZip
6.3             7/30/2009   Adds IBM System Architect to the build-to standards for “Modeling”; “Data Modeling”; Adds IBM Telelogic Synergy to the build-to standard for Software CM; Adds “IBM System Architect Visio Process Integrator” to the build-to standard for “Business/Technical Diagramming”; Adds a build-to standard for server operating systems; Replaces Sun AMD X4200 server with its life cycle replacement, the X4240.
6.4             8/24/2009   Added SOA standards (separate spreadsheet); Added comment on planned migration to IE8.
6.5             11/19/09    Added document management build-to standard and double sided copying (rows 23 and 61 of 1st worksheet only)
7.0             1/21/2010   Added second set of SOA standards; Added Windows XP SP3 and Lotus Notes 8.02; Updated column on enterprise agreements/contracts; modified wording on double sided printer per ARB request
7.1             2/9/2010    Adds IE8 and Release 2 of Windows Server 2008 to buy-to
7.2             3/3/2010    Adds a 3rd set of SOA standards; Updates Dell servers;
Under the sponsorship of the CIO and the FAA Architecture Review Board (ARB), Chief Information Officer Council (CIOC), the Technology Control Board (TCB) was tasked with updating agency standards. This is part of the FAA Technical Reference Model (TRM) as described in the Federal Enterprise Architecture Framework (FEAF). The driving influences behind the creation of information technology (IT) standards include:
a) A mandate from the Office of Management and Budget (OMB) to manage IT efficiently and effectively
b) FAA and e-Government initiatives to control IT costs
c) Industry success with IT standardization to control IT costs
In effect, standards provide a better means to manage the agency’s IT assets. FAA is using IT standards in enterprise-wide procurement vehicles (using larger volume purchases to attain lower industry prices) including enterprise license agreements.
These IT standards apply to Administrative and NAS Regulatory Support (formerly administrative and mission support systems), internal to the FAA, excluding real-time NAS systems relating to air traffic control. In general, these standards specify each standard to a selected level of detail such as a base model or series while allowing the requiring FAA organization or program the flexibility to add options or features available from a vendor for that specified standard.
These standards do not apply to contracts such as performance-based contracts where the FAA has delegated to a contractor the decision-making on the nature of the hardware and software for meeting FAA requirements (for example, the FTI Program’s contracts). However, performance-based contracts should justify why they are going outside these standards.
The standards are defined in terms that are compatible with OMB’s Federal Enterprise Architecture (FEA) and the categories outlined in the FEA TRM.
3.0 Waiver Process
While the primary objective is to define standards for use across the FAA’s Lines of Business (LOBs) and Staff Offices (SOs), some exceptions to the standard may exist based on the requirements of legacy applications and other legitimate business needs. Exceptions to the standard should not be based on user or organizational preferences. A waiver request from this standard may be approved if it meets one of the following conditions:
a. The standard has a direct measurable negative impact on a service we provide
b. The standard will adversely affect an LOB/SO business or performance goal.
c. The standard will negatively impact business applications or increase costs
1. Prepare waiver request: The waiver request form is provided in Appendix C. Anyone may file a request. Waivers are needed if one is taking an action that does not conform to either 1) a relevant technical standard cited or 2) an acquisition or “buy-to” standard. If there is no relevant technical or buy-to standard, then no waiver is needed.
   o If the requestor is a manager, skip to the LOB/SO CIO (Step 3).
2. Obtain manager concurrence: The requestor's immediate supervisor must review and concur with the request, and forward it to the LOB/SO CIO.
3. Obtain LOB/SO CIO approval or concurrence: Per the charts below, if the request has a low or very low impact, the LOB/SO CIO must approve or deny the waiver request. Approved requests must be sent to the ARD-1 as co-chair of the ARB. Otherwise, the LOB/SO CIO must review and concur with the request, and forward the request to the ARB.
4. Obtain ARB approval: The ARB must review and approve or deny the waiver request. If an expedited approval is required, the ARB co-chairs may act on the
5. Analyze approved waiver requests: The ARB co-chairs will analyze the approved waivers in aggregate, looking for trends that will help determine what additional steps are needed to maximize service value, efficiency, and
6. The LOB/SO CIOs will forward their approved waivers to the FAA CIO who will analyze and aggregate the waivers.
7. If the LOB or SO CIO wishes to appeal the ARB decision, the SES official above the CIO may appeal the decision to the ITEB.
Level of Impact of the Proposed Waiver to FAA Technical Reference Model (TRM) and/or FAA IT Standards

Very High: Waiver involves a national application of technology or cross-FAA or new platform or E-Gov or high business impact; Or the waiver involves ISS implications
High: Involves Major LOB or cross-LOB application of technology or standards; $10M and above (lifecycle cost) or time critical or management directed; Or the waiver involves ISS implications
Medium: Moderate LOB application of technology or standard; Or waiver involves an investment that exceeds $1M in cost; And the waiver has minor or no ISS implications
Low: Scope is limited to a subset of an LOB or less than 500 employees or less than 10 servers or less than 100 desktops; And waiver has minor or no ISS implications; Or the waiver duration is for less than 15 months and the waiver does not impede future competition among vendor products
Very Low: Waiver is intended for a short duration of less than 10 months; And the waiver has minor or no ISS implication; And the waiver involves costs of less than $250K and does not impede future competition among vendor products

[Minor or no ISS implications refers here to a low probability of a risk or threat and a low severity of potential outcome from such risk(s) or threat(s)].

Program Impact  Reviewers            Approvers
Very High       Manager, LOB/SO CIO  ARB
High            Manager, LOB/SO CIO  ARB
Medium          Manager              LOB/SO CIO
Low             Manager              LOB/SO CIO
Very Low        Manager              LOB/SO CIO
Any waivers granted from the above process only apply to FAA IT Standards and FAA’s Technical Reference Model (TRM). They do not apply to other kinds of standards such as data standards described in FAA Order 1375.1D.
4.0 Information Technology Standards
Appendix A enumerates the specific standards in three categories – Relevant International/Government standards, FAA minimum or build-to standards and FAA acquisition standards or buy-to standards. (Note that Appendix A is not a requirement for all configurations to have all of the software listed. For instance, many desktops will not have Microsoft Project or Visio software).
Relevant International/Government Standards
• These are internationally recognized standards that the FAA is targeting for compliance in its target architecture. These standards apply to the acquisition (or “buy-to”) standards; they do not relate to the “build-to” standards.
• Sources for these standards include the International Organization for Standardization (ISO), International Electrotechnical Commission (IEC), National Institute of Standards and Technology (NIST), Internet Engineering Task Force (IETF), and others.
Characteristics of FAA Minimum Standards – Build-To Standards
• These standards are meant to be the target environment for software applications being currently built for national fielding across FAA organizations within the next 10 months. They recognize the current installed base of hardware and software at the FAA. They are used to simplify development and ensure successful deployment by providing a stable and predictable
• These hardware and software standards often represent the norm in the FAA. They represent an average or below average system in the FAA.
• With few exceptions, we intend that current applications are compatible with the build-to standard, especially enterprise-wide applications.
Characteristics of FAA Acquisition Standards – Buy-To Standards
• Meaning: If an LOB or SO is to make a purchase in the near future, then they are expected to purchase the buy-to standard or seek a waiver.
• The standard ought to support an economically efficient system life. For desktops, this is about 3-4 years for a desktop system (shorter for any laptop hardware standards) as determined by the FAA LOB or SO.
• Constraint: These standards need to be a currently commercially available product or one that is anticipated to be available shortly or within the target time horizon of the standard.
5.0 Future Updates.
Due to the changing nature of technology, these standards will need to be updated periodically. The CIO Council and/or ITEB will need to charter a revision to update these standards periodically.
6.0 Mechanism to test standards.
In order to promote the integration of standards in desktop and server environments and compatibility with agency applications, FAA testing capabilities may be required to properly test changes to the standards. Some testing capabilities exist in the FAA already. Where possible, FAA organizations ought to use existing testing facilities within the LOBs.
7.0 Standard Compliance
FAA organizations are expected to follow these standards in any new systems unless a waiver is obtained from the LOB/SO CIO. Furthermore, forthcoming life cycle controls in the Acquisition Management System are expected to call for program managers to make use of the Enterprise architecture at several stages of their acquisition process. The latter includes compliance with FAA’s Technical Reference Model (TRM) which includes this standard.
8.0 Broadly Applicable Standards
The following are standards with a broad scope affecting virtually all federal information technology.
A) The Federal Information Processing Standard (FIPS) Publications 199 and 200 have broad applicability for federal information and federal information systems. The NIST authored these in February 2004 and March 2006 respectively. They were issued as a result of the Federal Information Security Management Act (FISMA).
• FIPS Publication 199 requires agencies to categorize their information systems as low-impact, moderate-impact, or high-impact for the security objectives of confidentiality, integrity, and availability.
• The FIPS 200 standard addresses the specification of minimum security requirements for federal information and information systems. It is applicable to: (i) all information within the federal government other than that information that has been determined pursuant to Executive Order 12958, as amended by Executive Order 13292, or any predecessor order, or by the Atomic Energy Act of 1954, as amended, to require protection against unauthorized disclosure and is marked to indicate its classified status; and (ii) all federal information systems other than those information systems designated as national security systems as defined in 44 United States Code Section 3542(b)(2).
B) Section 508 of the Rehabilitation Act of 1973 (as amended in 1998) requires that when Federal agencies develop, procure, maintain, or use electronic and information technology, they shall ensure that the electronic and information technology allows Federal employees with disabilities to have access to and use of information and data that is comparable to the access to and use of information and data by Federal employees who are not individuals with disabilities, unless an undue burden would be imposed on the agency. The FAA Acquisition Management System (AMS) Rehabilitation Act policy mandates that after June 21, 2001, new procurements (contracts, task orders, delivery orders, orders under government-wide schedules, interagency agreements) shall include requirements that have provisions for Electronic and Information Technology (EIT) Accessibility Standards (for telecommunication products, information kiosks, transaction machines, web sites, multimedia, office equipment and others). Please refer to Appendix B when procuring EIT, and insert the 36 Code of Federal Regulations for the applicable commodity.