Summary
The nationwide demand for skilled programmers to cope with the Year 2000 computing problem has raised questions about whether key organizations, such as the Federal Aviation Administration (FAA), have resorted to using foreign nationals for Y2K remediation. Of 153 mission critical FAA systems that were remediated, 15 had foreign involvement, including Chinese, Ukrainian, and Pakistani nationals. FAA was unable to provide any information on the individuals who did code remediation for four of its 153 computer systems. With regard to code review, 20 key mission-critical systems have been, or are in the process of being, reviewed by two contractors who use foreign nationals. One code contractor employed 36 mainland Chinese nationals, while the other employed one Canadian national. FAA did not perform background searches--investigations or checks--on all of its contractor employees, as required by its policy. This situation increased the risk that inappropriate persons may have gained access to FAA's facilities, information, or resources. As a result, the air traffic control system may be more vulnerable to intrusion and malicious attacks. GAO recommends that FAA improve its security controls, identify the risk of malicious attacks on its critical systems, and mitigate that risk. FAA agrees with GAO's recommendations and is moving to implement them.
GAO noted that: (1) FAA policy requires system owners and users to prepare risk assessments for all contractor tasks, and to have background investigations conducted for all contractor employees in high-risk positions; (2) FAA also requires more limited background checks for moderate- and low-risk positions; (3) FAA's mission-critical systems requiring year 2000 repairs--including some of the most important systems supporting the air traffic control system--were remediated by a mix of FAA and contractor employees and, in the case of commercial-off-the-shelf products, by the product vendors; (4) while FAA did not maintain detailed information on individuals assigned to perform year 2000 code remediation, FAA compiled some of this information in response to GAO's request; (5) in doing so, FAA identified instances where foreign nationals, employed by contractors, performed year 2000 code remediation activities; (6) of 153 mission-critical systems that were remediated, 15 had foreign national involvement--including Chinese, Ukrainian, and Pakistani nationals; (7) FAA was unable to provide any information about the individuals who performed code remediation for 4 of the 153 systems; (8) with regard to code reviews, 20 key mission-critical systems have been, or are in the process of being, reviewed by two contractors who have foreign national employees; (9) one code review contractor employed 36 mainland Chinese nationals while the other employed one Canadian national; (10) FAA, however, did not perform background searches on all of its contractor employees, as required by policy; (11) the agency did not perform risk assessments and was unaware of whether it or the contractor had performed background searches on all the contractor employees, including the foreign nationals; (12) during GAO's review, GAO found instances where background searches of foreign nationals were not performed; (13) FAA's failure to perform risk assessments, its lack of complete information on whether background searches were performed, and the fact that some foreign nationals did not undergo background searches have increased the risk that inappropriate individuals may have gained access to FAA's facilities, information, or resources; and (14) as a result, the air traffic control system may be more susceptible to intrusion and malicious attacks.
Recommendations
Recommendations for Executive Action
Recommendation: In order to address weaknesses in the enforcement of its policies and to identify and mitigate the risk of malicious intrusions or attacks on mission-critical FAA systems, the Administrator, FAA, should direct the FAA's Associate Administrator for Civil Aviation Security to clarify the requirements for contractor employee background checks or investigations and establish a process under which background checks or investigations are performed for all contractor staff where applicable. To increase the effectiveness of such an action, the Associate Administrator must also ensure that risk assessments are prepared with appropriate input from system owners and users.
Agency Affected: Department of Transportation: Federal Aviation Administration
Status: Closed - implemented
Comments: DOT concurred with this recommendation, and FAA has taken action to ensure that the requirements for contractor employee background searches are understood, and that there is a process in place for performing these searches. Specifically, FAA officials issued a policy memo calling attention to FAA's personnel security requirements, and FAA's security office provided briefings to contracting officers on these requirements. Also, in order to improve the process for implementing personnel security requirements, FAA developed new security clauses to be added to relevant contracts, and reaffirmed the roles of the various organizations involved in obtaining background searches of contractor employees.
Recommendation: In order to address weaknesses in the enforcement of its policies and to identify and mitigate the risk of malicious intrusions or attacks on mission-critical FAA systems, the Administrator, FAA, should direct the FAA's Associate Administrator for Research and Acquisitions to provide guidance on contract provisions, such as mandatory versus optional clauses, and enforce the appropriate use of these clauses. The Associate Administrator should instruct personnel to review current and pending contracts to ensure that all applicable contract provisions are included. In addition, the reasonableness of all clause limitations should be reviewed.
Agency Affected: Department of Transportation: Federal Aviation Administration
Status: Closed - implemented
Comments: DOT concurred with this recommendation, and FAA has evaluated, revised, and implemented its requirements for contract provisions covering FAA personnel security orders. Furthermore, FAA security officials are reviewing existing contracts to ensure that they contain the appropriate contract provisions, and are modifying these contracts as needed.
Recommendation: In order to address weaknesses in the enforcement of its policies and to identify and mitigate the risk of malicious intrusions or attacks on mission-critical FAA systems, the Administrator, FAA, should direct the appropriate FAA entity to maintain records of the individuals, both FAA and contractor employees, working on systems, especially mission-critical applications.
Agency Affected: Department of Transportation: Federal Aviation Administration
Status: Closed - implemented
Comments: DOT concurred with this recommendation, and FAA has established processes for obtaining background investigations on contractors and federal employees. It also established a task force to oversee the background investigation process and to report on its progress on a monthly basis. Because of the attention to background investigations, contracting officers are maintaining information on the individuals working on key systems.
Recommendation: In order to address weaknesses in the enforcement of its policies and to identify and mitigate the risk of malicious intrusions or attacks on mission-critical FAA systems, the Administrator, FAA, should direct the appropriate FAA entity to perform security reviews of critical systems that have been remediated under contract.
Agency Affected: Department of Transportation: Federal Aviation Administration
Status: Closed - implemented
Comments: FAA is tracking 24 systems that had been remediated or reviewed by foreign nationals, and of those 24 systems, has completed its security certification and accreditation on 20 of the most critical systems.
Recommendation: In order to address weaknesses in the enforcement of its policies and to identify and mitigate the risk of malicious intrusions or attacks on mission-critical FAA systems, the Administrator, FAA, should direct the appropriate FAA entity to carefully control access to and distribution of program source code, in conjunction with security reviews.
Agency Affected: Department of Transportation: Federal Aviation Administration
Status: Closed - implemented
Comments: FAA revised its policy governing the release of technical data owned or acquired by FAA, including source code. The new policy was implemented in February 2002.
Recommendation: In order to address weaknesses in the enforcement of its policies and to identify and mitigate the risk of malicious intrusions or attacks on mission-critical FAA systems, the Administrator, FAA, should direct the appropriate FAA entity to perform a risk assessment for code reviews conducted by Primeon to determine the potential exposure and consider retroactively performing background investigations of Primeon's staff.
Agency Affected: Department of Transportation: Federal Aviation Administration
Status: Closed - implemented
Comments: DOT concurred with this recommendation, and stated that FAA had performed a security review on each critical system that had undergone a code review. FAA officials stated that they would perform additional reviews during each system's risk assessment. Since that time, FAA identified 24 systems that had been remediated or reviewed by foreign nationals, and has recently completed its risk assessments of those systems.