Responses to Questions on FAA's Computer Security and Year 2000 Program
AIMD-98-301R: Published: Sep 14, 1998. Publicly Released: Sep 14, 1998.
- Full Report:
Pursuant to a congressional request, GAO provided responses to questions following its August 6, 1998, testimony on the Federal Aviation Administration's (FAA) management of technology issues, focusing on: (1) why risk assessments are essential in the design of the new air traffic control (ATC) systems; (2) what role should the National Airspace System (NAS) Infrastructure Management System play in protecting critical airspace infrastructure; (3) whether FAA will be able to adapt its systems to protect it from evolving threats; (4) what FAA has done to comply with the planning requirements of the Presidential Decision Directive 63; (5) the reasons why 15 mission-critical ATC systems were dropped from the list of systems needing repair prior to the July 31 milestone; (6) when FAA plans to run end-to-end tests of all key business processes; (7) whether FAA included key user groups in its formulation of year 2000 contingency plans; (8) whether FAA's contingency plans include the possibility of complete systemwide breakdown; (9) whether FAA can successfully complete its ATC modernization, given its poor track record for completing large computer and software-intensive projects; and (10) what is the chance that FAA will not complete all of its year 2000 renovation and testing activities before time runs out. These responses cover two areas--FAA's computer security and year 2000 program.
GAO noted that: (1) without knowing the specific vulnerabilities of its new ATC systems, FAA cannot adequately protect them from attack; (2) FAA does not have a common set of security standards to which all new ATC systems are being built; (3) as a result, implementation of security requirements across ATC development efforts is sporadic and ad hoc; (4) the NAS Infrastructure Management System will play a vital role in protecting the future ATC network since it will provide connectivity to many systems; (5) it is essential that this system have adequate access controls to protect against unauthorized access and an intrusion detection capability to detect unauthorized access should it occur; (6) FAA will be better positioned to protect its systems from evolving threats if it strengthens its current computer security program; (7) FAA has not provided an official written response on how it plans to comply with instructions in Presidential Decision Directive 63 to develop and implement a comprehensive NAS security program; (8) of the 15 mission-critical ATC systems removed from the list of systems needing repair prior to the July 31 milestone, FAA reported that: (a) 13 were removed because they were found to be year 2000 compliant, and thus did not require repair; (b) 1 was removed because FAA determined that this system would be replaced, instead of repaired; and (c) 1 was removed because FAA later determined that the system had no year 2000 issues; (9) FAA plans to perform NAS end-to-end testing beginning in January 1999 and ending by March 31, 1999; (10) FAA's year 2000 program manager decided not to issue the year 2000 NAS Continuity and Contingency Plan in final form until December 1998 in order to coordinate with system users; (11) year 2000 program officials told GAO that the agency recently decided to revise its draft contingency plan to incorporate the comments of system users, including the concern that the continuity plans do not currently include the possibility of multifacility breakdowns; (12) over the past 15 years, FAA's ATC modernization has experienced cost overruns, schedule delays, and performance shortfalls of large proportions; (13) FAA lacks the organizational structure and process discipline to manage complex technology initiatives; and (14) while it is difficult to respond in terms of percentage, FAA must still correct, test, and implement many of its mission-critical systems, and it is doubtful that FAA can adequately do all of this in the time remaining.