FAA Computer Security:

Recommendations to Address Continuing Weaknesses

GAO-01-171: Published: Dec 6, 2000. Publicly Released: Dec 6, 2000.

Contact:

David A. Powner
(202) 512-3000
contact@gao.gov

 

Office of Public Affairs
(202) 512-4800
youngc1@gao.gov

The Federal Aviation Administration's (FAA) agencywide computer security programs have serious, pervasive problems in the following key areas: personnel security, facility physical security, operational systems security, information systems security management, service continuity, and intrusion detection. Until FAA addresses the pervasive weaknesses in its computer security program, its critical information systems will remain at increased risk of intrusion and attack and its aviation operations will also remain at risk.

Status Legend:

  • Review Pending: GAO has not yet assessed implementation status.
  • Open: Actions to satisfy the intent of the recommendation have not been taken or are being planned, or actions that partially satisfy the intent of the recommendation have been taken.
  • Closed - implemented: Actions that satisfy the intent of the recommendation have been taken.
  • Closed - not implemented: While the intent of the recommendation has not been satisfied, time or circumstances have rendered the recommendation invalid.

    Recommendations for Executive Action

    Recommendation: The Secretary of Transportation should direct the Administrator, FAA, to, in the area of personnel security, move expeditiously to complete the required background searches of contract employees.

    Agency Affected: Department of Transportation

    Status: Closed - Implemented

    Comments: FAA has established a process for obtaining background checks and for monitoring the status of those checks. FAA status reports show that thousands of background checks have been completed. Furthermore, as new contracts are awarded, new background checks are initiated.

    Recommendation: The Secretary of Transportation should direct the Administrator, FAA, to, in the area of personnel security, verify the background searches of both current and prior contract employees who performed or are performing vulnerability assessments, and update or upgrade these background searches as warranted.

    Agency Affected: Department of Transportation

    Status: Closed - Implemented

    Comments: FAA officials have completed the background checks of contractors working on vulnerability assessments.

    Recommendation: The Secretary of Transportation should direct the Administrator, FAA, to, in the area of personnel security, perform vulnerability assessments of the critical systems that were worked on by foreign nationals in order to assess these systems' vulnerability to unauthorized access.

    Agency Affected: Department of Transportation

    Status: Closed - Implemented

    Comments: FAA agreed with this recommendation and has performed risk assessments on the relevant systems as part of its system certification and accreditation program.

    Recommendation: The Secretary of Transportation should direct the Administrator, FAA, to, in the area of facility physical security, proceed quickly to complete facility assessments, perform corrective actions on any weaknesses identified during these facility assessments, and accredit these facilities.

    Agency Affected: Department of Transportation

    Status: Closed - Implemented

    Comments: FAA concurred with this recommendation. Over the past few years, the agency has assessed all of its staffed facilities and performed corrective actions as part of its process for accrediting facilities. While facility accreditation is an ongoing process, the agency reports that the majority of facilities have been accredited.

    Recommendation: The Secretary of Transportation should direct the Administrator, FAA, to, in the area of operational systems security, proceed quickly to complete assessments of all operational air traffic control systems, address any weaknesses identified during these assessments, and accredit these systems.

    Agency Affected: Department of Transportation

    Status: Closed - Implemented

    Comments: FAA has established a process for assessing risks and for certifying and authorizing critical systems, and it has certified and authorized its air traffic control systems in compliance with the Federal Information Security Management Act.

    Recommendation: The Secretary of Transportation should direct the Administrator, FAA, to, in the area of operational systems security, complete efforts to implement and enforce a comprehensive configuration management/software change control policy.

    Agency Affected: Department of Transportation

    Status: Closed - Not Implemented

    Comments: FAA is refining its configuration control approach and plans to implement a configuration management/software change control policy. FAA officials developed an initial draft of the policy in March 2004 and are continuing to refine it.

    Recommendation: The Secretary of Transportation should direct the Administrator, FAA, to, in the area of operational systems security, complete overall security guidance documents, including a security concept of operations and security standards.

    Agency Affected: Department of Transportation

    Status: Closed - Implemented

    Comments: FAA has issued numerous security guidance documents, including new versions of the information systems security architecture and security handbook, and multiple security directives. Furthermore, the office has drafted an Information Systems Security Strategic Vision and implementation plan.

    Recommendation: The Secretary of Transportation should direct the Administrator, FAA, to, in the area of operational systems security, ensure that new systems development efforts conform with policy requirements and the information systems security architecture.

    Agency Affected: Department of Transportation

    Status: Closed - Implemented

    Comments: FAA revised its Information Systems Security Architecture to provide technical guidance for securing legacy and new FAA systems and networks. The agency enforces compliance with this guidance through its system certification and accreditation process.

    Recommendation: The Secretary of Transportation should direct the Administrator, FAA, to, in the area of information systems security management, complete the information systems security directives.

    Agency Affected: Department of Transportation

    Status: Closed - Implemented

    Comments: FAA has issued security directives on its information systems security program, internet access points, internet services, software releases, and password administration. Additional directives are being developed and planned.

    Recommendation: The Secretary of Transportation should direct the Administrator, FAA, to, in the area of information systems security management, fully implement and enforce all security policies.

    Agency Affected: Department of Transportation

    Status: Closed - Implemented

    Comments: FAA is implementing its information systems security policies. Specifically, it is tracking security training of all key ISS personnel and proceeding to assess, certify, and accredit information systems as secure, and its computer security incident response center is operational.

    Recommendation: The Secretary of Transportation should direct the Administrator, FAA, to, in the area of information systems security management, complete efforts to develop and implement new information systems security training courses.

    Agency Affected: Department of Transportation

    Status: Closed - Implemented

    Comments: FAA has developed a series of security training courses. These include system certification and accreditation courses and information systems security officer training. Additionally, FAA is developing new courses to be offered in 2003.

    Recommendation: The Secretary of Transportation should direct the Administrator, FAA, to, in the area of service continuity, assess the effects of security breaches on all systems.

    Agency Affected: Department of Transportation

    Status: Closed - Implemented

    Comments: FAA's Computer Security Incident Response Center now assesses reported security incidents and their impact on FAA.

    Recommendation: The Secretary of Transportation should direct the Administrator, FAA, to, in the area of service continuity, enhance existing contingency plans to address potential systems security breaches.

    Agency Affected: Department of Transportation

    Status: Closed - Implemented

    Comments: Under FAA's information systems security policy, system-specific contingency plans are required as part of the systems certification and authorization process. FAA reports that it has certified and authorized critical air traffic control systems.

    Recommendation: The Secretary of Transportation should direct the Administrator, FAA, to, in the area of service continuity, correct inadequacies in facility contingency plans.

    Agency Affected: Department of Transportation

    Status: Closed - Implemented

    Comments: FAA is working to improve facilities' contingency plans as it inspects individual facilities. FAA security officials reported that any inadequacies identified during facility inspections are corrected as appropriate.

    Recommendation: The Secretary of Transportation should direct the Administrator, FAA, to, in the area of intrusion detection, increase efforts to establish a fully operational computer security and intrusion response capability that allows for the detection, analysis, and reporting of all computer systems security incidents promptly.

    Agency Affected: Department of Transportation

    Status: Closed - Implemented

    Comments: FAA's Computer Security Incident Response Center became fully operational in March 2002. This center is responsible for detecting, analyzing, and reporting on security incidents.

    Recommendation: The Secretary of Transportation should direct the Administrator, FAA, to, in the area of personnel security, actively track when reinvestigations of federal employees are due, and ensure that they occur.

    Agency Affected: Department of Transportation

    Status: Closed - Implemented

    Comments: FAA officials added a module to their investigation tracking system that allows them to track when reinvestigations of federal employees are due. Officials noted that they use this system to ensure that reinvestigations occur.

    Recommendation: The Secretary of Transportation should direct the Administrator, FAA, to, in the area of intrusion detection, ensure that all physical security incidents are reported to security personnel.

    Agency Affected: Department of Transportation

    Status: Closed - Implemented

    Comments: FAA policy requires reporting of all physical security incidents at FAA facilities. In March 2001, FAA took additional action to clarify what needs to be reported and the channels available for reporting incidents. This information was issued in a memorandum, signed by the Administrator, reinforcing the need to report incidents at facilities.
