The FAA must conform to national policy related to the physical security of the aviation infrastructure, including leased and owned facilities; the security of all information associated with operation of the FAA and aircraft operations; and personnel security. The FAA is also obligated to protect proprietary information to which it has access.
Physical security is directly applicable to aviation industry operations and activities, and to supporting infrastructure such as communications, sensors, and information processing. In addition, physical security applies to staffed facilities that the FAA leases, owns, and operates. For more information concerning physical security, see FAA Order 1600.69, FAA Facility Security Management Program, as amended.
Personnel security applies to all FAA positions and FAA employees, contractors, subcontractors, and other users of FAA information systems. Each position must be designated as to the level of risk in terms of suitability and access to FAA facilities, sensitive information, and/or resources, and also designated as to the level of sensitivity in terms of national security and public trust responsibilities related to the efficiency of the service.
The FAA is required by Executive Orders 13292 and 12968 to protect classified information from unauthorized disclosure. The FAA is also required by law to protect sensitive unclassified information from public disclosure. FAA policy for information security is found in FAA Orders 1600.2E and 1600.72A.
The FAA is required by law (PL 100-235, Federal Information Security Management Act, 2002 (FISMA)), OMB Circular A-130, and other federal standards to provide security for all information that is collected, stored, processed, disseminated, or transmitted using FAA or non-FAA-owned information systems. Information system security (ISS) requirements must be integrated into each phase of a program’s lifecycle (see ISS system process flowchart). The acquisition program baseline and planning documents for each investment program must include the cost of complying with national security policy and must allow sufficient time for compliance. FAA ISS program policy is contained in FAA Order 1370.82 (intranet.faa.gov/aio), as amended. This order supersedes FAA Order 1600.54B (FAA Automated Information Systems Security Handbook).