Information Security: Progress Made, but Federal Aviation Administration Needs to Improve Controls over Air Traffic Control Systems

GAO-05-712 Published: Aug 26, 2005. Publicly Released: Sep 26, 2005.
Highlights

The Federal Aviation Administration (FAA) performs critical functions that contribute to ensuring safe, orderly, and efficient air travel in the national airspace system. To that end, it operates and relies extensively on an array of interconnected automated information systems and networks that comprise the nation's air traffic control systems. These systems provide information to air traffic controllers and aircraft flight crews to help ensure the safe and expeditious movement of aircraft. Interruptions of service by these systems could have a significant adverse impact on air traffic nationwide. Effective information security controls are essential for ensuring that the nation's air traffic control systems are adequately protected from inadvertent or deliberate misuse, disruption, or destruction. Accordingly, GAO was asked to evaluate the extent to which FAA has implemented information security controls for these systems.

Recommendations

Recommendations for Executive Action

Agency Affected Recommendation Status
Department of Transportation To help establish effective information security over air traffic control systems, the Secretary of Transportation should direct the FAA Administrator to fully implement an information security program by ensuring that risk assessments are completed.
Closed – Implemented
In fiscal year 2009, we verified that FAA ensured that risk assessments were completed.
Department of Transportation To help establish effective information security over air traffic control systems, the Secretary of Transportation should direct the FAA Administrator to fully implement an information security program by developing and implementing policies and procedures to address such issues as patch management and the reviewing and monitoring of physical access.
Closed – Implemented
In fiscal year 2009, we verified that FAA implemented policies and procedures to address patch management and developed procedures for reviewing and monitoring physical access.
Department of Transportation To help establish effective information security over air traffic control systems, the Secretary of Transportation should direct the FAA Administrator to fully implement an information security program by reviewing system security plans to ensure that they contain the information required by OMB A-130 and are up to date.
Closed – Implemented
In fiscal year 2009, we verified that FAA revised a critical system security plan to include missing information and kept the plan up to date.
Department of Transportation To help establish effective information security over air traffic control systems, the Secretary of Transportation should direct the FAA Administrator to fully implement an information security program by enhancing the security awareness training program to ensure that all employees and contractors receive information security awareness training, as well as system specific training, and that completion of the training is appropriately reported and tracked.
Closed – Implemented
In fiscal year 2009, we verified that FAA enhanced its security awareness training program to ensure that all employees and contractors receive information security awareness training, as well as system specific training, and that completion of the training is appropriately reported and tracked.
Department of Transportation To help establish effective information security over air traffic control systems, the Secretary of Transportation should direct the FAA Administrator to fully implement an information security program by developing a process to ensure that sensitive information is not publicly available on the Internet.
Closed – Implemented
In fiscal year 2009, we verified that FAA developed a process to ensure that sensitive information is not publicly available on the Internet.
Department of Transportation To help establish effective information security over air traffic control systems, the Secretary of Transportation should direct the FAA Administrator to fully implement an information security program by conducting tests and evaluations of the effectiveness of controls on operational systems, and document results.
Closed – Implemented
In fiscal year 2009, we verified that FAA conducted tests and evaluations of the effectiveness of controls on operational systems, and documented results.
Department of Transportation To help establish effective information security over air traffic control systems, the Secretary of Transportation should direct the FAA Administrator to fully implement an information security program by performing more frequent testing of system controls on critical systems to ensure that the controls are operating as intended.
Closed – Implemented
In fiscal year 2009, we verified that FAA performed frequent testing of system controls on critical systems to ensure that the controls were operating as intended.
Department of Transportation To help establish effective information security over air traffic control systems, the Secretary of Transportation should direct the FAA Administrator to fully implement an information security program by reviewing remedial action plans to ensure that they address all of the weaknesses that have been identified.
Closed – Implemented
In fiscal year 2009, we verified that FAA reviewed remedial action plans to ensure that they addressed all of the weaknesses that have been identified.
Department of Transportation To help establish effective information security over air traffic control systems, the Secretary of Transportation should direct the FAA Administrator to fully implement an information security program by prioritizing weaknesses in the remedial action plans and establish appropriate, timely milestone dates for completing the planned actions.
Closed – Implemented
In fiscal year 2009, we verified that FAA prioritized weaknesses in remedial action plans and established appropriate, timely milestone dates for completing the planned actions.
Department of Transportation To help establish effective information security over air traffic control systems, the Secretary of Transportation should direct the FAA Administrator to fully implement an information security program by implementing FAA's plan to deploy intrusion detection capabilities for portions of the network infrastructure that are not currently covered.
Closed – Implemented
In fiscal year 2009, we verified that FAA implemented a plan to deploy intrusion detection capabilities for portions of the network infrastructure that were not currently covered.
Department of Transportation To help establish effective information security over air traffic control systems, the Secretary of Transportation should direct the FAA Administrator to fully implement an information security program by correcting configuration issues in current intrusion detection systems to ensure that they are working as intended.
Closed – Not Implemented
FAA has tested, and intends to purchase, a product to mitigate the weakness with current intrusion detection systems, but has not yet done so because funding has not been approved, according to FAA officials.
Department of Transportation To help establish effective information security over air traffic control systems, the Secretary of Transportation should direct the FAA Administrator to fully implement an information security program by reviewing service continuity plans to ensure that they appropriately reflect the current operating environment.
Closed – Not Implemented
The service continuity plan for a key system does not appropriately reflect the current operating environment.

Topics

Air traffic control systems, Air transportation, Automated security systems, Computer networks, Computer security, Information resources management, Information security, Information systems, Internal controls, Passwords, Physical security, Strategic planning, System security plans, Systems evaluation, Transportation safety, Transportation security, Unauthorized access