Information Security:

FAA Needs to Address Weaknesses in Air Traffic Control Systems

GAO-15-221: Published: Jan 29, 2015. Publicly Released: Mar 2, 2015.

Multimedia:

Additional Materials:

Contact:

Gregory C. Wilshusen
(202) 512-6244
wilshuseng@gao.gov

 

Nabajyoti Barkakati, Ph.D.
(202) 512-4499
barkakatin@gao.gov

 

Office of Public Affairs
(202) 512-4800
youngc1@gao.gov

What GAO Found

While the Federal Aviation Administration (FAA) has taken steps to protect its air traffic control systems from cyber-based and other threats, significant security control weaknesses remain, threatening the agency's ability to ensure the safe and uninterrupted operation of the national airspace system (NAS). These include weaknesses in controls intended to prevent, limit, and detect unauthorized access to computer resources, such as controls for protecting system boundaries, identifying and authenticating users, authorizing users to access systems, encrypting sensitive data, and auditing and monitoring activity on FAA's systems. Additionally, shortcomings in boundary protection controls between less-secure systems and the operational NAS environment increase the risk from these weaknesses.

FAA also did not fully implement its agency-wide information security program. As required by the Federal Information Security Management Act of 2002, federal agencies should implement a security program that provides a framework for implementing controls at the agency. However, FAA's implementation of its security program was incomplete. For example, it did not always sufficiently test security controls to determine that they were operating as intended; resolve identified security weaknesses in a timely fashion; or complete or adequately test plans for restoring system operations in the event of a disruption or disaster. Additionally, the group responsible for incident detection and response for NAS systems did not have sufficient access to security logs or network sensors on the operational network, limiting FAA's ability to detect and respond to security incidents affecting its mission-critical systems.

The weaknesses in FAA's security controls and implementation of its security program existed, in part, because FAA had not fully established an integrated, organization-wide approach to managing information security risk that is aligned with its mission. National Institute of Standards and Technology guidance calls for agencies to establish and implement a security governance structure, an executive-level risk management function, and a risk management strategy in order to manage risk to their systems and information. FAA has established a Cyber Security Steering Committee to provide an agency-wide risk management function. However, it has not fully established the governance structure and practices to ensure that its information security decisions are aligned with its mission. For example, it has not (1) clearly established roles and responsibilities for information security for the NAS or (2) updated its information security strategic plan to reflect significant changes in the NAS environment, such as increased reliance on computer networks.

Until FAA effectively implements security controls, establishes stronger agency-wide information security risk management processes, fully implements its NAS information security program, and ensures that remedial actions are addressed in a timely manner, the weaknesses GAO identified are likely to continue, placing the safe and uninterrupted operation of the nation's air traffic control system at increased and unnecessary risk.

Why GAO Did This Study

In support of its mission, FAA relies on the NAS—one of the nation's critical infrastructures—which is comprised of air traffic control systems, procedures, facilities, aircraft, and people who operate and maintain them. Given the critical role of the NAS and the increasing connectivity of FAA's systems, it is essential that the agency implement effective information security controls to protect its air traffic control systems from internal and external threats.

GAO was asked to review FAA's information security program. Specifically, the objective of this review was to evaluate the extent to which FAA had effectively implemented information security controls to protect its air traffic control systems. To do this, GAO reviewed FAA policies, procedures, and practices and compared them to the relevant federal law and guidance; assessed the implementation of security controls over FAA systems; and interviewed officials. This is a public version of a report containing sensitive security information. Information deemed sensitive has been redacted.

What GAO Recommends

GAO is making 17 recommendations to FAA to fully implement its information security program and establish an integrated approach to managing information security risk. In a separate report with limited distribution, GAO is recommending that FAA take 168 specific actions to address weaknesses in security controls. In commenting on a draft of this report, FAA concurred with GAO's recommendations.

For more information, contact Gregory C. Wilshusen at (202) 512-6244 or wilshuseng@gao.gov, Nabajyoti Barkakati, Ph.D. at (202) 512-4499 or barkakatin@gao.gov, or Gerald L. Dillingham, Ph.D. at (202) 512-2834 or dillinghamg@gao.gov.

Recommendations for Executive Action

  1. Status: Open

    Comments: FAA concurred with our recommendation and stated that it had implemented it by September 2015. However, as of August 2016, FAA has provided partial documentation, but has not yet provided GAO with sufficient evidence to validate FAA's actions to establish a mechanism to ensure that all contractor staff complete annual security awareness training as required by federal law and FAA policy. Subsequent to FAA providing additional evidence, we plan to validate FAA's actions.

    Recommendation: To fully implement its information security program and ensure that unnecessary risks to the security of NAS systems are mitigated, the Secretary of Transportation should direct the Administrator of FAA to establish a mechanism to ensure that all contractor staff complete annual security awareness training as required by federal law and FAA policy.

    Agency Affected: Department of Transportation

  2. Status: Open

    Comments: FAA concurred with our recommendation and stated that it had implemented it by September 2015. As of August 2016, FAA has provided partial documentation, but has not yet provided GAO sufficient evidence necessary to validate FAA's actions to establish a mechanism to ensure that all staff with significant security responsibilities receive appropriate role-based training. Subsequent to FAA providing additional evidence, we plan to validate FAA's actions.

    Recommendation: To fully implement its information security program and ensure that unnecessary risks to the security of NAS systems are mitigated, the Secretary of Transportation should direct the Administrator of FAA to establish a mechanism to ensure that all staff with significant security responsibilities receive appropriate role-based training.

    Agency Affected: Department of Transportation

  3. Status: Open

    Comments: FAA concurred with our recommendation and stated that it had implemented it by September 2015. As of August 2016, FAA has provided partial documentation, but has not yet provided GAO sufficient evidence necessary to validate FAA's actions to establish a mechanism to ensure that personnel with incident response roles and responsibilities take appropriate training, and that training records are retained. Subsequent to FAA providing additional evidence, we plan to validate FAA's actions.

    Recommendation: To fully implement its information security program and ensure that unnecessary risks to the security of NAS systems are mitigated, the Secretary of Transportation should direct the Administrator of FAA to establish a mechanism to ensure that personnel with incident response roles and responsibilities take appropriate training, and that training records are retained.

    Agency Affected: Department of Transportation

  4. Status: Open

    Comments: FAA concurred with our recommendation and stated that it had implemented it by October 2015. As of August 2016, FAA has updated its NAS testing policy, but has not yet provided GAO sufficient evidence necessary to show that the agency has taken steps to ensure that testing of security controls is comprehensive enough to determine whether security controls are in place and operating effectively. Subsequent to FAA providing additional evidence, we plan to validate FAA's actions.

    Recommendation: To fully implement its information security program and ensure that unnecessary risks to the security of NAS systems are mitigated, the Secretary of Transportation should direct the Administrator of FAA to take steps to ensure that testing of security controls is comprehensive enough to determine whether security controls are in place and operating effectively, by, for example, examining artifacts such as audit reports, change tickets, and approval documents.

    Agency Affected: Department of Transportation

  5. Status: Open

    Comments: FAA concurred with our recommendation and stated that it had implemented it by December 2015. As of August 2016, FAA has updated its NAS Remediation Management Plan to include new risk management processes for identified security weaknesses. However, it has not yet provided GAO sufficient evidence necessary to show that the agency has taken steps to ensure that identified corrective actions for security weaknesses are implemented within prescribed timeframes. Subsequent to FAA providing additional evidence, we plan to validate FAA's actions.

    Recommendation: To fully implement its information security program and ensure that unnecessary risks to the security of NAS systems are mitigated, the Secretary of Transportation should direct the Administrator of FAA to take steps to ensure that identified corrective actions for security weaknesses are implemented within prescribed timeframes.

    Agency Affected: Department of Transportation

  6. Status: Open

    Comments: FAA concurred with our recommendation and stated that it planned to implement it by June 2016. As of August 2016, FAA has not provided GAO with documentation of the agency's actions to provide NCO with full network packet capture capability for analyzing network traffic and detecting anomalies at major network interface points at FAA operational facilities. Subsequent to FAA informing us that it has implemented the recommendation, we plan to validate its actions.

    Recommendation: To fully implement its information security program and ensure that unnecessary risks to the security of NAS systems are mitigated, the Secretary of Transportation should direct the Administrator of FAA to provide NAS Cyber Operations (NCO) with full network packet capture capability for analyzing network traffic and detecting anomalies at major network interface points at FAA operational facilities.

    Agency Affected: Department of Transportation

  7. Status: Open

    Comments: FAA concurred with our recommendation and stated that it planned to implement it by June 2016. As of August 2016, FAA has not provided GAO with documentation of the agency's actions to integrate network traffic flow data into NCO's ad-hoc query systems. Subsequent to FAA informing us that it has implemented the recommendation, we plan to validate its actions.

    Recommendation: To fully implement its information security program and ensure that unnecessary risks to the security of NAS systems are mitigated, the Secretary of Transportation should direct the Administrator of FAA to integrate network traffic flow data into NCO's ad-hoc query systems.

    Agency Affected: Department of Transportation

  8. Status: Open

    Comments: FAA concurred with our recommendation and stated that it plans to implement it by December 2016. As of August 2016, FAA had developed a coordinated procedure with the FTI Security Operations Center to provide packet capture information from network sensors based on identified incidents. However, it has not provided GAO with sufficient documentation to demonstrate that the procedure has been implemented. Subsequent to FAA providing additional evidence, we plan to validate its actions.

    Recommendation: To fully implement its information security program and ensure that unnecessary risks to the security of NAS systems are mitigated, the Secretary of Transportation should direct the Administrator of FAA to provide NCO with access to network sensors on key network gateways for reviewing intrusion detection, network traffic, and network session data.

    Agency Affected: Department of Transportation

  9. Status: Open

    Comments: FAA concurred with our recommendation and stated that it had implemented it as of April 2015. However, as of August 2016, FAA has not provided GAO with documentation of its actions to address identified weaknesses in the search function of the NCO database event query system. Subsequent to FAA providing us with supporting documentation, we plan to validate the agency's actions.

    Recommendation: To fully implement its information security program and ensure that unnecessary risks to the security of NAS systems are mitigated, the Secretary of Transportation should direct the Administrator of FAA to address identified weaknesses in the search function of the NCO database event query system to eliminate the need for manual workarounds and ensure that all data relevant for security investigations can be retrieved.

    Agency Affected: Department of Transportation

  10. Status: Closed - Implemented

    Comments: As of August 2016, FAA has completed actions to address our recommendation. Specifically, we confirmed that FAA has developed an updated NAS Cyber Operations (NCO) Cyber Security Management Center (CSMC) Identified Incident Handling Standard Operating Procedures (SOP), dated December 2015, which includes a formal process for NCO to assess significant identified incidents for potential impact to NAS operations.

    Recommendation: To fully implement its information security program and ensure that unnecessary risks to the security of NAS systems are mitigated, the Secretary of Transportation should direct the Administrator of FAA to develop a formal process for NCO to assess significant identified incidents for potential impact to NAS operations.

    Agency Affected: Department of Transportation

  11. Status: Open

    Comments: FAA concurred with our recommendation and stated that it had implemented it by October 2015. As of August 2016, FAA has not yet provided sufficient evidence that it has completed actions to ensure that NAS incident response capabilities are adequately tested, and that test results are sufficiently documented. Subsequent to FAA providing sufficient evidence, we plan to validate its actions.

    Recommendation: To fully implement its information security program and ensure that unnecessary risks to the security of NAS systems are mitigated, the Secretary of Transportation should direct the Administrator of FAA to ensure that NAS incident response capabilities are adequately tested, and that test results are sufficiently documented.

    Agency Affected: Department of Transportation

  12. Status: Open

    Comments: FAA concurred with our recommendation and stated that, as of August 2016, it plans to implement the recommendation by September 2017. Subsequent to FAA informing us that it has implemented the recommendation, we plan to validate its actions.

    Recommendation: To fully implement its information security program and ensure that unnecessary risks to the security of NAS systems are mitigated, the Secretary of Transportation should direct the Administrator of FAA to ensure that contingency plans for NAS systems are sufficiently documented, and that tests of contingency plans address key elements of the contingency plans, including notification procedures, recovering the system on an alternate platform, and system performance on alternate equipment.

    Agency Affected: Department of Transportation

  13. Status: Closed - Implemented

    Comments: We confirmed that FAA has completed actions to address this recommendation. Specifically, FAA issued its updated information security strategic plan in September 2015. The plan reflects the importance and impact of significant changes to the National Airspace System (NAS) environment that we identified, including the increased reliance on IP networks, increased connectivity between systems, the introduction of NextGen systems, and the designation of the NAS as part of the nation's critical infrastructure.

    Recommendation: To establish an integrated organization-wide approach to managing information security risk and to ensure that risk management decisions are aligned strategically with the FAA's mission, the Secretary of Transportation should direct the Administrator of FAA to update the FAA information security strategic plan to reflect current conditions, including the increased reliance on IP networking and the designation of the NAS as one of the nation's critical infrastructures.

    Agency Affected: Department of Transportation

  14. Status: Open

    Comments: FAA concurred with our recommendation and stated that it had completed actions to implement it. As of August 2016, FAA has provided its updated information security strategic plan, approved by all members of the FAA Cyber Security Steering Committee, which emphasizes the need for information security strategic planning and governance to involve all FAA domains. However, FAA has not yet provided sufficient evidence to show that it has created an agency-wide commitment to strategic planning for information security by ensuring that planning activities are coordinated with all relevant organizations represented on the Cyber Security Steering Committee. Subsequent to FAA providing additional sufficient evidence, we plan to validate the agency's actions.

    Recommendation: To establish an integrated organization-wide approach to managing information security risk and to ensure that risk management decisions are aligned strategically with the FAA's mission, the Secretary of Transportation should direct the Administrator of FAA to create an agency-wide commitment to strategic planning for information security by ensuring that planning activities are coordinated with all relevant organizations represented on the Cyber Security Steering Committee.

    Agency Affected: Department of Transportation

  15. Status: Closed - Implemented

    Comments: We confirmed that FAA has clearly defined organizational responsibilities for information security for NAS systems, and has ensured that all relevant organizations, including AIT and ATO, are in agreement with them.

    Recommendation: To establish an integrated organization-wide approach to managing information security risk and to ensure that risk management decisions are aligned strategically with the FAA's mission, the Secretary of Transportation should direct the Administrator of FAA to clearly define organizational responsibilities for information security for NAS systems, and ensure that all relevant organizations, including the Office of Information and Technology and Air Traffic Organization, are in agreement with them.

    Agency Affected: Department of Transportation

  16. Status: Open

    Comments: FAA concurred with our recommendation and stated that it planned to implement it by December 2018. As of August 2016, FAA has provided GAO with its planned actions to provide NCO with security event log data for all IP-connected NAS systems. We plan to validate these actions subsequent to FAA informing us that it has completed them.

    Recommendation: To fully implement its information security program and ensure that unnecessary risks to the security of NAS systems are mitigated, the Secretary of Transportation should direct the Administrator of FAA to provide NCO with security event log data for all Internet Protocol (IP)-connected NAS systems.

    Agency Affected: Department of Transportation

  17. Status: Open

    Comments: FAA concurred with our recommendation and stated that it had implemented it by September 2015. As of August 2016, FAA has finalized the incident response policy for the Air Traffic Organization, but has not yet provided sufficient evidence showing that NAS system-level incident response policies specify incident reporting timeframes and the need for all incidents to be reported. Subsequent to FAA providing the system-level incident response policies, we plan to validate FAA's actions.

    Recommendation: To fully implement its information security program and ensure that unnecessary risks to the security of NAS systems are mitigated, the Secretary of Transportation should direct the Administrator of FAA to finalize the incident response policy for the Air Traffic Organization and ensure that NAS system-level incident response policies specify incident reporting timeframes and the need for all incidents to be reported in accordance with FAA guidance.

    Agency Affected: Department of Transportation

 

Explore the full database of GAO's Open Recommendations »

Sep 20, 2016

Sep 15, 2016

Jun 29, 2016

Jun 21, 2016

Apr 28, 2016

Apr 14, 2016

Apr 12, 2016

Mar 23, 2016

Dec 17, 2015

Nov 17, 2015

Looking for more? Browse all our products here