Air Traffic Control:

Weak Computer Security Practices Jeopardize Flight Safety

AIMD-98-155: Published: May 18, 1998. Publicly Released: May 19, 1998.

Contact:

Linda D. Koontz
(202) 512-7487
contact@gao.gov


Office of Public Affairs
(202) 512-4800
youngc1@gao.gov

Pursuant to a congressional request, GAO reviewed the Federal Aviation Administration's (FAA) computer security practices, focusing on: (1) whether FAA is effectively managing physical security at air traffic control (ATC) facilities and systems security for its current operational systems; (2) whether FAA is effectively managing systems security for future ATC modernization systems; and (3) the effectiveness of FAA's management structure and implementation of policy for computer security.

GAO noted that:
(1) FAA is ineffective in all critical areas included in GAO's computer security review--facilities physical security, operational systems information security, future systems modernization security, and management structure and policy implementation;
(2) in the physical security area, known weaknesses exist at many ATC facilities;
(3) FAA is similarly ineffective in managing systems security for its operational systems and is in violation of its own policy;
(4) an October 1996 information systems security assessment concluded that FAA had performed the necessary analysis to determine system threats, vulnerabilities, and safeguards for only 3 of 90 operational ATC computer systems, or less than 4 percent;
(5) FAA officials told GAO that this assessment is an accurate depiction of the current state of operational systems security;
(6) according to the team that maintains FAA's telecommunications networks, only one of the nine operational ATC telecommunications networks has been analyzed;
(7) without knowing the specific vulnerabilities of its ATC systems, FAA cannot adequately protect them;
(8) FAA is also not effectively managing systems security for future ATC modernization systems;
(9) it does not consistently include well-formulated security requirements in specifications for all new ATC modernization systems, as required by FAA policy;
(10) it does not have a well-defined security architecture, a concept of operations, or security standards, all of which are needed to define and ensure adequate security throughout the ATC network;
(11) FAA's management structure and implementation of policy for ATC computer security is not effective;
(12) security responsibilities are distributed among three organizations, all of which have been remiss in their ATC security duties;
(13) the Office of Civil Aviation Security is responsible for developing and enforcing security policy, the Office of Air Traffic Services is responsible for implementing security policy for operational ATC systems, and the Office of Research and Acquisitions is responsible for implementing policy for ATC systems that are being developed;
(14) the Office of Civil Aviation Security has not adequately enforced FAA's policies that require the assessment of physical security controls at all ATC facilities and of vulnerabilities, threats, and safeguards for all operational ATC computer systems; and
(15) the Office of Research and Acquisitions has not implemented the FAA policy that requires it to formulate requirements for security in specifications for all new ATC modernization systems.

Status Legend:

  • Review Pending: GAO has not yet assessed implementation status.
  • Open: Actions to satisfy the intent of the recommendation have not been taken or are being planned, or actions that partially satisfy the intent of the recommendation have been taken.
  • Closed - Implemented: Actions that satisfy the intent of the recommendation have been taken.
  • Closed - Not Implemented: While the intent of the recommendation has not been satisfied, time or circumstances have rendered the recommendation invalid.

    Recommendations for Executive Action

    Recommendation: Given the importance of physical security at the FAA facilities that house ATC systems, the Secretary of Transportation should direct the Administrator, FAA, to correct identified physical security weaknesses at inspected facilities so that these ATC facilities can be granted physical security accreditation as expeditiously as possible, but no later than April 30, 1999.

    Agency Affected: Department of Transportation

    Status: Closed - Implemented

    Comments: FAA accredited 297 of its key facilities, but these efforts were not sufficient. In March 1999, FAA implemented a new policy governing the accreditation of its facilities, which requires that a facility undergo a more stringent, detailed assessment prior to accreditation. Accordingly, FAA officials noted that all of the facilities that had been inspected and accredited under the prior policy will need to be assessed and re-accredited under the revised policy. FAA security officials plan to accredit all staffed facilities by September 30, 2005.

    Recommendation: Given the importance of physical security at the FAA facilities that house ATC systems, the Secretary of Transportation should direct the Administrator, FAA, to ensure that the required annual or triennial follow-up inspections are conducted, deficiencies are promptly corrected, and accreditation is kept current for all ATC facilities, as required by FAA policy.

    Agency Affected: Department of Transportation

    Status: Closed - Implemented

    Comments: In March 1999, FAA implemented a new policy governing the accreditation of its facilities, which requires that a facility undergo a more stringent, detailed assessment prior to accreditation, as well as follow-up inspections. Accordingly, FAA officials noted that all of the facilities that had been inspected and accredited under the prior policy need to be assessed and re-accredited under the revised policy. As of July 2002, FAA has completed facility assessments, and has set a goal of accrediting all staffed facilities by 2009. Also, the FAA Security Director reported that follow-up inspections are ongoing, according to FAA policy.

    Recommendation: Given the importance of operational ATC systems security, the Secretary of Transportation should direct the Administrator, FAA, to assess, certify, and accredit all ATC systems, as required by FAA policy, as expeditiously as possible, but no later than April 30, 1999.

    Agency Affected: Department of Transportation

    Status: Closed - Implemented

    Comments: DOT partially concurred with this recommendation and noted that FAA could not assess, certify, and accredit all ATC systems by April 30, 1999. To date, FAA has accredited about 30 of its approximately 90 operational ATC systems. FAA security officials plan to complete this process for all critical ATC systems by May 2003.

    Recommendation: Given the importance of operational ATC systems security, the Secretary of Transportation should direct the Administrator, FAA, to ensure that all systems are assessed, certified, and accredited at least every 3 years, as required by federal policy.

    Agency Affected: Department of Transportation

    Status: Closed - Implemented

    Comments: DOT concurred with this recommendation, and FAA has delegated responsibility for overseeing systems security to the Chief Information Officer's Office of Information Systems Security. This office is tracking the security certification and authorization of all FAA systems to ensure that they meet policy requirements. However, to date, FAA has authorized only about one-third of its operational ATC systems.

    Recommendation: To improve security for future ATC modernization systems, the Secretary of Transportation should direct the Administrator, FAA, to ensure that specifications for all new ATC systems include security requirements based on detailed security assessments by requiring that security requirements be included as a criterion when FAA analyzes new systems for funding under its acquisition management system.

    Agency Affected: Department of Transportation

    Status: Closed - Implemented

    Comments: FAA's acquisition management policy requires that ATC systems obtain security assessments, certification, and accreditation by the time they are operational. This accreditation process ensures that security features are incorporated into the new systems' requirements.

    Recommendation: To improve security for future ATC modernization systems, the Secretary of Transportation should direct the Administrator, FAA, to ensure that the National Airspace Systems Information Security (NIS) group establishes detailed plans and schedules to develop a security architecture, a security concept of operations, and security standards and that these plans are implemented.

    Agency Affected: Department of Transportation

    Status: Closed - Implemented

    Comments: DOT concurred with this recommendation. However, under FAA's new CIO organizational structure, the NIS group was no longer required and has been disbanded. The CIO's Office of Information Systems Security recently issued a security architecture and a revised information systems security policy. This office has also developed standards and directives to support and provide detail on the information systems security policy. Further, the office has developed a strategic vision and an implementation plan for information systems security.

    Recommendation: The Secretary of Transportation should report FAA physical security controls at its ATC facilities, operational ATC system security, and the lack of information security guidance (e.g., a security architecture, a security concept of operations, and security standards) as material internal control weaknesses in the department's fiscal year 1998 Federal Managers' Financial Integrity Act (FMFIA) report and in subsequent annual FMFIA reports until these problems are substantially corrected.

    Agency Affected: Department of Transportation

    Status: Closed - Not Implemented

    Comments: DOT did not concur with this recommendation and did not implement it. It stated that the actions taken in response to the other recommendations in the report such as completing physical security inspections and implementation of a CIO reporting directly to the FAA administrator are sufficient actions to address information security issues.

    Recommendation: The Secretary of Transportation should direct the Administrator, FAA, to establish an effective management structure for developing, implementing, and enforcing ATC computer security policy.

    Agency Affected: Department of Transportation

    Status: Closed - Implemented

    Comments: The FAA Administrator agreed with this recommendation and established a CIO position. The new CIO joined the organization February 1, 1999, and has responsibility for developing, implementing, and enforcing the FAA Information Security Program, to include policy for all FAA information systems, according to FAA. Policies, procedures, and standards developed to support individual lines of business will be coordinated with the CIO prior to finalization.

    Recommendation: Given the importance and the magnitude of the information technology initiative at FAA, GAO is expanding on its earlier recommendation that a Chief Information Officer (CIO) management structure similar to the department-level CIOs as prescribed in the Clinger-Cohen Act be established for FAA by recommending that FAA's CIO be responsible for computer security.

    Agency Affected: Department of Transportation

    Status: Closed - Implemented

    Comments: The FAA Administrator agreed with this recommendation and has established a CIO position. The CIO has responsibility for establishing and oversight of the agency's information security program, to include the agency information security budget, according to FAA.

    Recommendation: The NIS group should report to the CIO and the CIO should direct the NIS group to implement its plans.

    Agency Affected: Department of Transportation

    Status: Closed - Implemented

    Comments: The NIS group was replaced by the Office of Information Systems Security, which reports directly to FAA's Chief Information Officer. This office is responsible for developing information systems security policies, procedures, and the security architecture.

    Recommendation: Given the importance of physical security at the FAA facilities that house ATC systems, the Secretary of Transportation should direct the Administrator, FAA, to develop and execute a plan to inspect the 187 ATC facilities that have not been inspected in over 4 years and correct any weaknesses identified so that these ATC facilities can be granted physical security accreditation as expeditiously as possible, but no later than April 30, 1999.

    Agency Affected: Department of Transportation

    Status: Closed - Implemented

    Comments: FAA inspected the facilities that had not been inspected since 1993 and accredited 297 of its key facilities, but these efforts were not sufficient. In March 1999, FAA implemented a new policy governing the accreditation of its facilities, which requires that a facility undergo a more stringent, detailed assessment prior to accreditation. Accordingly, FAA officials noted that all of the facilities that had been inspected and accredited under the prior policy will need to be assessed and re-accredited under the revised policy. FAA is making progress in accrediting facilities and plans to complete its efforts to accredit all staffed facilities by September 30, 2005.

    Recommendation: The CIO should designate a senior manager in Air Traffic Services to be the ATC operational accrediting authority.

    Agency Affected: Department of Transportation

    Status: Closed - Implemented

    Comments: DOT agreed with this recommendation, and FAA's CIO has designated the Associate Administrator for Air Traffic Service (ATS-1) as the Delegated Approving Authority (DAA). Since this position can be delegated to a senior executive service member one level below the Associate Administrator, ATS-1 has delegated DAA responsibility for operational Air Traffic Systems to the Director, Airway Facilities Service.
