Computer Security: FAA Needs to Improve Controls Over Use of Foreign Nationals to Remediate and Review Software

AIMD-00-55: Published: Dec 23, 1999. Publicly Released: Jan 4, 2000.

Contact:

David A. Powner
(202) 512-3000
contact@gao.gov

Office of Public Affairs
(202) 512-4800
youngc1@gao.gov

Pursuant to a congressional request, GAO provided information on the Federal Aviation Administration's (FAA) security controls over the use of foreign nationals to remediate and review software, focusing on: (1) the extent to which foreign nationals were involved in year 2000 code remediation and subsequent code review activities at FAA; and (2) FAA's policies covering this involvement.

GAO noted that:

(1) FAA policy requires system owners and users to prepare risk assessments for all contractor tasks, and to have background investigations conducted for all contractor employees in high-risk positions;
(2) FAA also requires more limited background checks for moderate- and low-risk positions;
(3) FAA's mission-critical systems requiring year 2000 repairs--including some of the most important systems supporting the air traffic control system--were remediated by a mix of FAA and contractor employees and, in the case of commercial-off-the-shelf products, by the product vendors;
(4) while FAA did not maintain detailed information on individuals assigned to perform year 2000 code remediation, FAA compiled some of this information in response to GAO's request;
(5) in doing so, FAA identified instances where foreign nationals, employed by contractors, performed year 2000 code remediation activities;
(6) of 153 mission-critical systems that were remediated, 15 had foreign national involvement--including Chinese, Ukrainian, and Pakistani nationals;
(7) FAA was unable to provide any information about the individuals who performed code remediation for 4 of the 153 systems;
(8) with regard to code reviews, 20 key mission-critical systems have been, or are in the process of being, reviewed by two contractors who have foreign national employees;
(9) one code review contractor employed 36 mainland Chinese nationals while the other employed one Canadian national;
(10) FAA, however, did not perform background searches on all of its contractor employees, as required by policy;
(11) the agency did not perform risk assessments and was unaware of whether it or the contractor had performed background searches on all the contractor employees, including the foreign nationals;
(12) during GAO's review, GAO found instances where background searches of foreign nationals were not performed;
(13) FAA's failure to perform risk assessments, its lack of complete information on whether background searches were performed, and the fact that some foreign nationals did not undergo background searches have increased the risk that inappropriate individuals may have gained access to FAA's facilities, information, or resources; and
(14) as a result, the air traffic control system may be more susceptible to intrusion and malicious attacks.

Recommendations for Executive Action

  1. Status: Closed - Implemented

    Comments: FAA revised its policy governing the release of technical data owned or acquired by FAA, including source code. The new policy was implemented in February 2002.

    Recommendation: In order to address weaknesses in the enforcement of its policies and to identify and mitigate the risk of malicious intrusions or attacks on mission-critical FAA systems, the Administrator, FAA, should direct the appropriate FAA entity to carefully control access to and distribution of program source code, in conjunction with security reviews.

    Agency Affected: Department of Transportation: Federal Aviation Administration

  2. Status: Closed - Implemented

    Comments: FAA is tracking 24 systems that had been remediated or reviewed by foreign nationals, and of those 24 systems, has completed its security certification and accreditation on 20 of the most critical systems.

    Recommendation: In order to address weaknesses in the enforcement of its policies and to identify and mitigate the risk of malicious intrusions or attacks on mission-critical FAA systems, the Administrator, FAA, should direct the appropriate FAA entity to perform security reviews of critical systems that have been remediated under contract.

    Agency Affected: Department of Transportation: Federal Aviation Administration

  3. Status: Closed - Implemented

    Comments: DOT concurred with this recommendation, and FAA has established processes for obtaining background investigations on contractors and federal employees. It also established a task force to oversee the background investigation process and to report on its progress on a monthly basis. Because of the attention to background investigations, contracting officers are maintaining information on the individuals working on key systems.

    Recommendation: In order to address weaknesses in the enforcement of its policies and to identify and mitigate the risk of malicious intrusions or attacks on mission-critical FAA systems, the Administrator, FAA, should direct the appropriate FAA entity to maintain records of the individuals, both FAA and contractor employees, working on systems, especially mission-critical applications.

    Agency Affected: Department of Transportation: Federal Aviation Administration

  4. Status: Closed - Implemented

    Comments: DOT concurred with this recommendation, and FAA has evaluated, revised, and implemented its requirements for contract provisions covering FAA personnel security orders. Furthermore, FAA security officials are reviewing existing contracts to ensure that they contain the appropriate contract provisions, and are modifying these contracts as needed.

    Recommendation: In order to address weaknesses in the enforcement of its policies and to identify and mitigate the risk of malicious intrusions or attacks on mission-critical FAA systems, the Administrator, FAA, should direct the FAA's Associate Administrator for Research and Acquisitions to provide guidance on contract provisions, such as mandatory versus optional clauses, and enforce the appropriate use of these clauses. The Associate Administrator should instruct personnel to review current and pending contracts to ensure that all applicable contract provisions are included. In addition, the reasonableness of all clause limitations should be reviewed.

    Agency Affected: Department of Transportation: Federal Aviation Administration

  5. Status: Closed - Implemented

    Comments: DOT concurred with this recommendation, and FAA has taken action to ensure that the requirements for contractor employee background searches are understood, and that there is a process in place for performing these searches. Specifically, FAA officials issued a policy memo calling attention to FAA's personnel security requirements, and FAA's security office provided briefings to contracting officers on these requirements. Also, in order to improve the process for implementing personnel security requirements, FAA developed new security clauses to be added to relevant contracts, and reaffirmed the roles of the various organizations involved in obtaining background searches of contractor employees.

    Recommendation: In order to address weaknesses in the enforcement of its policies and to identify and mitigate the risk of malicious intrusions or attacks on mission-critical FAA systems, the Administrator, FAA, should direct the FAA's Associate Administrator for Civil Aviation Security to clarify the requirements for contractor employee background checks or investigations and establish a process under which background checks or investigations are performed for all contractor staff where applicable. To increase the effectiveness of such an action, the Associate Administrator must also ensure that risk assessments are prepared with appropriate input from system owners and users.

    Agency Affected: Department of Transportation: Federal Aviation Administration

  6. Status: Closed - Implemented

    Comments: DOT concurred with this recommendation, and stated that FAA had performed a security review on each critical system that had undergone a code review. FAA officials stated that they would perform additional reviews during each system's risk assessment. Since that time, FAA identified 24 systems that had been remediated or reviewed by foreign nationals, and has recently completed its risk assessments of those systems.

    Recommendation: In order to address weaknesses in the enforcement of its policies and to identify and mitigate the risk of malicious intrusions or attacks on mission-critical FAA systems, the Administrator, FAA, should direct the appropriate FAA entity to perform a risk assessment for code reviews conducted by Primeon to determine the potential exposure and consider retroactively performing background investigations of Primeon's staff.

    Agency Affected: Department of Transportation: Federal Aviation Administration
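Recommendations 3 and 5 above amount to a standing control: know who has touched each mission-critical code base, and be able to show that each of them has a completed background investigation. The script below is an added example of how a security office could audit that on a recurring basis; it is not FAA's or GAO's code, and every system name, contributor, e-mail address and roster entry in it is constructed. It takes, per system, contributor lines in the shape produced by `git log --format='%H|%an|%ae|%as'`, compares the distinct authors with a personnel-security roster keyed by e-mail, and reports contributors whose investigation is not recorded as completed ("unvetted") separately from contributors the roster has never heard of ("unknown"), which is the "FAA was unable to provide any information" case in finding (7).

```python
"""Added example: reconcile source-code contributors against a personnel-security roster.

Not FAA or GAO code. All systems, people, e-mail addresses and roster entries below are
constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List


@dataclass
class Commit:
    sha: str
    author: str
    email: str
    when: date


@dataclass
class SystemReport:
    system: str
    # e-mail -> number of commits by that contributor
    contributors: Dict[str, int] = field(default_factory=dict)
    # on the roster, but investigation not recorded as completed
    unvetted: List[str] = field(default_factory=list)
    # not on the roster at all: nobody can say whether a check was done
    unknown: List[str] = field(default_factory=list)


# Constructed sample logs, one per hypothetical mission-critical system, in the
# shape of `git log --format='%H|%an|%ae|%as'` output.
SAMPLE_LOGS = {
    "host-sys-a": """\
0a1b2c|Ann Contractor|ann@vendor-one.example|1999-05-03
1b2c3d|Ann Contractor|ann@vendor-one.example|1999-05-10
2c3d4e|Bo Reviewer|bo@vendor-two.example|1999-08-21
""",
    "radar-sys-b": """\
3d4e5f|Cy Employee|cy@faa.example|1999-07-14
4e5f6a|Di Unknown|di@vendor-two.example|1999-09-02
""",
}

# Constructed roster: investigation status as the security office records it.
ROSTER = {
    "ann@vendor-one.example": "completed",
    "bo@vendor-two.example": "not-initiated",
    "cy@faa.example": "completed",
}


def parse_log(text: str) -> List[Commit]:
    """Parse 'sha|author|email|YYYY-MM-DD' lines; e-mail is lower-cased for matching."""
    commits = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        sha, author, email, when = line.split("|", 3)
        commits.append(Commit(sha, author, email.lower(), date.fromisoformat(when)))
    return commits


def reconcile(system: str, commits: List[Commit], roster: Dict[str, str]) -> SystemReport:
    """Count commits per contributor and classify each against the roster."""
    report = SystemReport(system)
    for c in commits:
        report.contributors[c.email] = report.contributors.get(c.email, 0) + 1
    for email in sorted(report.contributors):
        status = roster.get(email)
        if status is None:
            report.unknown.append(email)
        elif status != "completed":
            report.unvetted.append(email)
    return report


def audit(logs: Dict[str, str], roster: Dict[str, str]) -> Dict[str, SystemReport]:
    return {name: reconcile(name, parse_log(text), roster) for name, text in logs.items()}


def systems_needing_review(reports: Dict[str, SystemReport]) -> List[str]:
    """Systems with at least one unvetted or unknown contributor (recommendation 2 targets)."""
    return sorted(name for name, r in reports.items() if r.unvetted or r.unknown)


if __name__ == "__main__":
    reports = audit(SAMPLE_LOGS, ROSTER)
    for name, r in reports.items():
        print(f"{name}: {len(r.contributors)} contributors, "
              f"unvetted={r.unvetted}, unknown={r.unknown}")
    print("needs security review:", systems_needing_review(reports))
```

Two caveats a practitioner should keep in mind. The author and e-mail fields in a version-control log are self-asserted, so a match here is a lead for the security office, not proof of identity; pair it with signed commits or with the contracting officer's own staffing records before treating a contributor as vetted. And a completed investigation says nothing about what the code does, which is why recommendation 2 still calls for a security review of the remediated systems themselves.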

 
