Computer Security:

FAA Is Addressing Personnel Weaknesses, But Further Action Is Required

AIMD-00-169: Published: May 31, 2000. Publicly Released: Jun 13, 2000.


Pursuant to a congressional request, GAO reviewed the Federal Aviation Administration's (FAA) efforts to address personnel security issues, focusing on: (1) the factors that contributed to FAA's failure to adhere to the requirements of its personnel security program, which requires background searches--investigations or checks--of contractor employees commensurate with the risk level of the tasks to be performed; (2) whether FAA's "five layers of system protection" concept is a generally accepted security framework reflective of its security policies and procedures; and (3) the extent of FAA's compliance with the requirements of its personnel security program concerning background searches for FAA and contractor employees at all agency facilities.

GAO noted that: (1) key factors contributing to FAA's failure to comply with its policy on personnel security were: (a) insufficient management support; (b) insufficient user awareness and training on personnel security; and (c) inadequate policy enforcement activities; (2) FAA has since made progress in addressing these shortcomings; (3) as a result of GAO's prior review, FAA management issued a memorandum promoting adherence to the policy and has worked with security personnel to revise applicable contract provisions and conduct briefings to make staff aware of the policy and its requirements; (4) security personnel have been tasked with conducting compliance audits semiannually beginning in September 2000 to enforce adherence to the policy; (5) FAA still lacks a personnel security training program and quality assurance function to ensure consistency in policy implementation and to prevent noncompliance; (6) although FAA did not comply with key requirements of its personnel security policy, FAA concluded that the risk of intrusion is extremely low because of FAA's five layers of system protection concept; (7) this concept is being promoted by FAA's Chief Information Officer and is expected to be used as the future basis for addressing information systems security within FAA; (8) while this concept is not a generally accepted security framework supported entirely by policies and procedures, it appears to be a logical overview to understanding computer security at FAA; (9) there are known weaknesses within each individual layer that could negatively affect the operational efficiency of the National Airspace System; (10) as for FAA's compliance in implementing its personnel security policy requiring background searches on FAA and contractor employees, FAA is making progress but still needs to complete the required background searches for a substantial number of contractor employees; (11) according to its records, which GAO did not verify, FAA has completed the required background searches for 98 percent of its approximately 48,000 federal employees, but does not yet know the full extent of contractor employees who lack the necessary background checks; (12) FAA's contracting organization plans to complete its risk assessment activities by September 2000 for all contracts; (13) the actual background searches, which can take anywhere from 1 week to 4 months, will still need to be completed by either the Office of Personnel Management or the Federal Bureau of Investigation; and (14) until this effort is completed, FAA's facilities, information, and resources will remain exposed to contractor employees who have not received the required background searches.

Status Legend:

  • Review Pending: GAO has not yet assessed implementation status.
  • Open: Actions to satisfy the intent of the recommendation have not been taken or are being planned, or actions that partially satisfy the intent of the recommendation have been taken.
  • Closed - implemented: Actions that satisfy the intent of the recommendation have been taken.
  • Closed - not implemented: While the intent of the recommendation has not been satisfied, time or circumstances have rendered the recommendation invalid.

    Recommendations for Executive Action

    Recommendation: In order to address weaknesses in the implementation and enforcement of its personnel security program, the Secretary of Transportation should direct the Administrator, FAA, to establish a user awareness and training program that clearly delineates the requirements of the policy and directs staff in the tasks to be performed in adherence to the policy. All personnel staff responsible for implementation of the policy should receive the baseline training as well as periodic updates on the security requirements, especially when policy changes occur.

    Agency Affected: Department of Transportation

    Status: Closed - Implemented

    Comments: FAA has undertaken an agency-wide campaign to increase awareness about protecting its information infrastructure. This campaign includes information security awareness conferences, computer based training available to all FAA employees, and mobile training teams that travel to FAA regions and field offices to provide training on information systems security policies and procedures.

    Recommendation: In order to address weaknesses in the implementation and enforcement of its personnel security program, the Secretary of Transportation should direct the Administrator, FAA, to establish a quality assurance process that will focus on implementation of the requirements outlined within the personnel security policy. This process should ensure that all contract tasks and the respective contractor positions are evaluated in terms of risk and that the appropriate forms are completed and background searches are initiated and completed for the contractor employees assigned to perform work under the contract.

    Agency Affected: Department of Transportation

    Status: Closed - Implemented

    Comments: FAA has established a quality assurance process for conducting reviews to ensure compliance with agency policy on conducting suitability checks on FAA contractors. To date, FAA has conducted several reviews, and plans to continue to conduct two to three reviews per year. Also, FAA's internal program evaluation branch has completed three evaluations of FAA's personnel and contractor security programs, which focused on processing and adjudicating background investigations.

    Recommendation: In order to address weaknesses in the implementation and enforcement of its personnel security program, the Secretary of Transportation should direct the Administrator, FAA, to evaluate resource needs for ensuring implementation and enforcement of security policies, such as user awareness and training, review of position risk designation forms, and compliance audits.

    Agency Affected: Department of Transportation

    Status: Closed - Implemented

    Comments: FAA officials reported that they have reassessed their resource needs and have reprioritized funds and staff to address the agency's efforts on information systems security, personnel security, and physical security. For example, resources were made available to increase security awareness and information systems security training, and to track the background investigation process.
