Computer Security: FAA Is Addressing Personnel Weaknesses, But Further Action Is Required
AIMD-00-169
Published: May 31, 2000. Publicly Released: Jun 13, 2000.
Skip to Highlights
Highlights
Pursuant to a congressional request, GAO reviewed the Federal Aviation Administration's (FAA) efforts to address personnel security issues, focusing on: (1) the factors that contributed to FAA's failure to adhere to the requirements of its personnel security program, which requires background searches--investigations or checks--of contractor employees commensurate with the risk level of the tasks to be performed; (2) whether FAA's "five layers of system protection" concept is a generally accepted security framework reflective of its security policies and procedures; and (3) the extent of FAA's compliance with the requirements of its personnel security program concerning background searches for FAA and contractor employees at all agency facilities.
Recommendations
Recommendations for Executive Action
| Agency Affected | Recommendation | Status |
|---|---|---|
| Department of Transportation | In order to address weaknesses in the implementation and enforcement of its personnel security program, the Secretary of Transportation should direct the Administrator, FAA, to establish a user awareness and training program that clearly delineates the requirements of the policy and directs staff in the tasks to be performed in adherence to the policy. All personnel staff responsible for implementation of the policy should receive the baseline training as well as periodic updates on the security requirements, especially when policy changes occur. |
Closed – Implemented
FAA has undertaken an agency-wide campaign to increase awareness about protecting its information infrastructure. This campaign includes information security awareness conferences, computer based training available to all FAA employees, and mobile training teams that travel to FAA regions and field offices to provide training on information systems security policies and procedures.
|
| Department of Transportation | In order to address weaknesses in the implementation and enforcement of its personnel security program, the Secretary of Transportation should direct the Administrator, FAA, to establish a quality assurance process that will focus on implementation of the requirements outlined within the personnel security policy. This process should ensure that all contract tasks and the respective contractor positions are evaluated in terms of risk and that the appropriate forms are completed and background searches are initiated and completed for the contractor employees assigned to perform work under the contract. |
Closed – Implemented
FAA has established a quality assurance process for conducting reviews to ensure compliance with agency policy on conducting suitability checks on FAA contractors. To date, FAA has conducted several reviews, and plans to continue to conduct two to three reviews per year. Also, FAA's internal program evaluation branch has completed three evaluations of FAA's personnel and contractor security programs, which focused on processing and adjudicating background investigations.
|
| Department of Transportation | In order to address weaknesses in the implementation and enforcement of its personnel security program, the Secretary of Transportation should direct the Administrator, FAA, to evaluate resource needs for ensuring implementation and enforcement of security policies, such as user awareness and training, review of position risk designation forms, and compliance audits. |
Closed – Implemented
FAA officials reported that they have reassessed their resource needs and have reprioritized funds and staff to address the agency's efforts on information systems security, personnel security, and physical security. For example, resources were made available to increase security awareness and information systems security training, and to track the background investigation process.
|
Full Report
Office of Public Affairs
Topics
Air traffic control systemsComputer security policiesComputer securityContractor personnelCyber securityFederal employeesInformation resources managementInternal controlsNoncompliancePersonnel managementPersonnel security clearance programsPersonnel security policiesSecurity clearancesSecurity policiesTransportation safety