Information Security:

FAA Needs to Address Weaknesses in Air Traffic Control Systems

GAO-15-221: Published: Jan 29, 2015. Publicly Released: Mar 2, 2015.

Multimedia:

Additional Materials:

Contact:

Gregory C. Wilshusen
(202) 512-6244
wilshuseng@gao.gov

 

Nabajyoti Barkakati, Ph.D.
(202) 512-4499
barkakatin@gao.gov

 

Office of Public Affairs
(202) 512-4800
youngc1@gao.gov

What GAO Found

While the Federal Aviation Administration (FAA) has taken steps to protect its air traffic control systems from cyber-based and other threats, significant security control weaknesses remain, threatening the agency's ability to ensure the safe and uninterrupted operation of the national airspace system (NAS). These include weaknesses in controls intended to prevent, limit, and detect unauthorized access to computer resources, such as controls for protecting system boundaries, identifying and authenticating users, authorizing users to access systems, encrypting sensitive data, and auditing and monitoring activity on FAA's systems. Additionally, shortcomings in boundary protection controls between less-secure systems and the operational NAS environment increase the risk from these weaknesses.

FAA also did not fully implement its agency-wide information security program. As required by the Federal Information Security Management Act of 2002, federal agencies should implement a security program that provides a framework for implementing controls at the agency. However, FAA's implementation of its security program was incomplete. For example, it did not always sufficiently test security controls to determine that they were operating as intended; resolve identified security weaknesses in a timely fashion; or complete or adequately test plans for restoring system operations in the event of a disruption or disaster. Additionally, the group responsible for incident detection and response for NAS systems did not have sufficient access to security logs or network sensors on the operational network, limiting FAA's ability to detect and respond to security incidents affecting its mission-critical systems.

The weaknesses in FAA's security controls and implementation of its security program existed, in part, because FAA had not fully established an integrated, organization-wide approach to managing information security risk that is aligned with its mission. National Institute of Standards and Technology guidance calls for agencies to establish and implement a security governance structure, an executive-level risk management function, and a risk management strategy in order to manage risk to their systems and information. FAA has established a Cyber Security Steering Committee to provide an agency-wide risk management function. However, it has not fully established the governance structure and practices to ensure that its information security decisions are aligned with its mission. For example, it has not (1) clearly established roles and responsibilities for information security for the NAS or (2) updated its information security strategic plan to reflect significant changes in the NAS environment, such as increased reliance on computer networks.

Until FAA effectively implements security controls, establishes stronger agency-wide information security risk management processes, fully implements its NAS information security program, and ensures that remedial actions are addressed in a timely manner, the weaknesses GAO identified are likely to continue, placing the safe and uninterrupted operation of the nation's air traffic control system at increased and unnecessary risk.

Why GAO Did This Study

In support of its mission, FAA relies on the NAS—one of the nation's critical infrastructures—which is comprised of air traffic control systems, procedures, facilities, aircraft, and people who operate and maintain them. Given the critical role of the NAS and the increasing connectivity of FAA's systems, it is essential that the agency implement effective information security controls to protect its air traffic control systems from internal and external threats.

GAO was asked to review FAA's information security program. Specifically, the objective of this review was to evaluate the extent to which FAA had effectively implemented information security controls to protect its air traffic control systems. To do this, GAO reviewed FAA policies, procedures, and practices and compared them to the relevant federal law and guidance; assessed the implementation of security controls over FAA systems; and interviewed officials. This is a public version of a report containing sensitive security information. Information deemed sensitive has been redacted.

What GAO Recommends

GAO is making 17 recommendations to FAA to fully implement its information security program and establish an integrated approach to managing information security risk. In a separate report with limited distribution, GAO is recommending that FAA take 168 specific actions to address weaknesses in security controls. In commenting on a draft of this report, FAA concurred with GAO's recommendations.

For more information, contact Gregory C. Wilshusen at (202) 512-6244 or wilshuseng@gao.gov, Nabajyoti Barkakati, Ph.D. at (202) 512-4499 or barkakatin@gao.gov, or Gerald L. Dillingham, Ph.D. at (202) 512-2834 or dillinghamg@gao.gov.

Recommendations for Executive Action

  1. Status: Open

    Comments: We have not yet validated agency actions on this recommendation.

    Recommendation: To fully implement its information security program and ensure that unnecessary risks to the security of NAS systems are mitigated, the Secretary of Transportation should direct the Administrator of FAA to establish a mechanism to ensure that all contractor staff complete annual security awareness training as required by federal law and FAA policy.

    Agency Affected: Department of Transportation

  2. Status: Open

    Comments: We have not yet validated agency actions on this recommendation.

    Recommendation: To fully implement its information security program and ensure that unnecessary risks to the security of NAS systems are mitigated, the Secretary of Transportation should direct the Administrator of FAA to establish a mechanism to ensure that all staff with significant security responsibilities receive appropriate role-based training.

    Agency Affected: Department of Transportation

  3. Status: Open

    Comments: We have not yet validated agency actions on this recommendation.

    Recommendation: To fully implement its information security program and ensure that unnecessary risks to the security of NAS systems are mitigated, the Secretary of Transportation should direct the Administrator of FAA to establish a mechanism to ensure that personnel with incident response roles and responsibilities take appropriate training, and that training records are retained.

    Agency Affected: Department of Transportation

  4. Status: Open

    Comments: We have not yet validated agency actions on this recommendation.

    Recommendation: To fully implement its information security program and ensure that unnecessary risks to the security of NAS systems are mitigated, the Secretary of Transportation should direct the Administrator of FAA to take steps to ensure that testing of security controls is comprehensive enough to determine whether security controls are in place and operating effectively, by, for example, examining artifacts such as audit reports, change tickets, and approval documents.

    Agency Affected: Department of Transportation

  5. Status: Open

    Comments: We have not yet validated agency actions on this recommendation.

    Recommendation: To fully implement its information security program and ensure that unnecessary risks to the security of NAS systems are mitigated, the Secretary of Transportation should direct the Administrator of FAA to take steps to ensure that identified corrective actions for security weaknesses are implemented within prescribed timeframes.

    Agency Affected: Department of Transportation

  6. Status: Open

    Comments: We have not yet validated agency actions on this recommendation.

    Recommendation: To fully implement its information security program and ensure that unnecessary risks to the security of NAS systems are mitigated, the Secretary of Transportation should direct the Administrator of FAA to provide NAS Cyber Operations (NCO) with full network packet capture capability for analyzing network traffic and detecting anomalies at major network interface points at FAA operational facilities.

    Agency Affected: Department of Transportation

  7. Status: Open

    Comments: We have not yet validated agency actions on this recommendation.

    Recommendation: To fully implement its information security program and ensure that unnecessary risks to the security of NAS systems are mitigated, the Secretary of Transportation should direct the Administrator of FAA to integrate network traffic flow data into NCO's ad-hoc query systems.

    Agency Affected: Department of Transportation

  8. Status: Open

    Comments: We have not yet validated agency actions on this recommendation.

    Recommendation: To fully implement its information security program and ensure that unnecessary risks to the security of NAS systems are mitigated, the Secretary of Transportation should direct the Administrator of FAA to provide NCO with access to network sensors on key network gateways for reviewing intrusion detection, network traffic, and network session data.

    Agency Affected: Department of Transportation

  9. Status: Open

    Comments: We have not yet validated agency actions on this recommendation.

    Recommendation: To fully implement its information security program and ensure that unnecessary risks to the security of NAS systems are mitigated, the Secretary of Transportation should direct the Administrator of FAA to address identified weaknesses in the search function of the NCO database event query system to eliminate the need for manual workarounds and ensure that all data relevant for security investigations can be retrieved.

    Agency Affected: Department of Transportation

  10. Status: Open

    Comments: We have not yet validated agency actions on this recommendation.

    Recommendation: To fully implement its information security program and ensure that unnecessary risks to the security of NAS systems are mitigated, the Secretary of Transportation should direct the Administrator of FAA to develop a formal process for NCO to assess significant identified incidents for potential impact to NAS operations.

    Agency Affected: Department of Transportation

  11. Status: Open

    Comments: We have not yet validated agency actions on this recommendation.

    Recommendation: To fully implement its information security program and ensure that unnecessary risks to the security of NAS systems are mitigated, the Secretary of Transportation should direct the Administrator of FAA to ensure that NAS incident response capabilities are adequately tested, and that test results are sufficiently documented.

    Agency Affected: Department of Transportation

  12. Status: Open

    Comments: We have not yet validated agency actions on this recommendation.

    Recommendation: To fully implement its information security program and ensure that unnecessary risks to the security of NAS systems are mitigated, the Secretary of Transportation should direct the Administrator of FAA to ensure that contingency plans for NAS systems are sufficiently documented, and that tests of contingency plans address key elements of the contingency plans, including notification procedures, recovering the system on an alternate platform, and system performance on alternate equipment.

    Agency Affected: Department of Transportation

  13. Status: Open

    Comments: We have not yet validated agency actions on this recommendation.

    Recommendation: To establish an integrated organization-wide approach to managing information security risk and to ensure that risk management decisions are aligned strategically with the FAA's mission, the Secretary of Transportation should direct the Administrator of FAA to update the FAA information security strategic plan to reflect current conditions, including the increased reliance on IP networking and the designation of the NAS as one of the nation's critical infrastructures.

    Agency Affected: Department of Transportation

  14. Status: Open

    Comments: We have not yet validated agency actions on this recommendation.

    Recommendation: To establish an integrated organization-wide approach to managing information security risk and to ensure that risk management decisions are aligned strategically with the FAA's mission, the Secretary of Transportation should direct the Administrator of FAA to create an agency-wide commitment to strategic planning for information security by ensuring that planning activities are coordinated with all relevant organizations represented on the Cyber Security Steering Committee.

    Agency Affected: Department of Transportation

  15. Status: Open

    Comments: We have not yet validated agency actions on this recommendation.

    Recommendation: To establish an integrated organization-wide approach to managing information security risk and to ensure that risk management decisions are aligned strategically with the FAA's mission, the Secretary of Transportation should direct the Administrator of FAA to clearly define organizational responsibilities for information security for NAS systems, and ensure that all relevant organizations, including the Office of Information and Technology and Air Traffic Organization, are in agreement with them.

    Agency Affected: Department of Transportation

  16. Status: Open

    Comments: We have not yet validated agency actions on this recommendation.

    Recommendation: To fully implement its information security program and ensure that unnecessary risks to the security of NAS systems are mitigated, the Secretary of Transportation should direct the Administrator of FAA to provide NCO with security event log data for all Internet Protocol (IP)-connected NAS systems.

    Agency Affected: Department of Transportation

  17. Status: Open

    Comments: We have not yet validated agency actions on this recommendation.

    Recommendation: To fully implement its information security program and ensure that unnecessary risks to the security of NAS systems are mitigated, the Secretary of Transportation should direct the Administrator of FAA to finalize the incident response policy for the Air Traffic Organization and ensure that NAS system-level incident response policies specify incident reporting timeframes and the need for all incidents to be reported in accordance with FAA guidance.

    Agency Affected: Department of Transportation

 

Explore the full database of GAO's Open Recommendations »

Jul 7, 2016

Jun 29, 2016

Jun 21, 2016

Apr 28, 2016

Apr 14, 2016

Apr 12, 2016

Mar 23, 2016

Dec 17, 2015

Nov 17, 2015

Looking for more? Browse all our products here