FAA Computer Security:

Actions Needed to Address Critical Weaknesses That Jeopardize Aviation Operations

T-AIMD-00-330: Published: Sep 27, 2000. Publicly Released: Sep 27, 2000.

Additional Materials:


Joel C. Willemssen
(202) 512-6253


Office of Public Affairs
(202) 512-4800

Pursuant to a congressional request, GAO discussed the Federal Aviation Administration's (FAA) computer security weaknesses, focusing on: (1) FAA's history of computer security weaknesses; (2) the adequacy of FAA's efforts to prevent unauthorized access to data--specifically focusing on personnel security, facilities' physical security, systems security, security program planning and management, and service continuity; and (3) the effectiveness of processes implemented by the agency for detecting, responding to, and reporting anomalies and computer misuse.

GAO noted that: (1) FAA's agencywide computer security program has serious and pervasive problems; (2) in the area of personnel security, FAA appears to perform appropriate background searches for federal employees, but many Top Secret reinvestigations of senior personnel are past due--some by over 5 years; (3) FAA is also working to complete background searches on thousands of its contractor employees, but much work remains to be done; (4) in the area of facilities' physical security, FAA is making progress in assessing its facilities, but FAA has identified significant weaknesses, and numerous air traffic control (ATC) facilities have yet to be assessed and accredited as secure, in compliance with FAA's policy; (5) FAA does not know how vulnerable the majority of its operational ATC systems are and cannot adequately protect them until it performs the appropriate risk assessments and addresses identified weaknesses; (6) further, FAA has not always acted quickly to implement corrective actions for the systems that have undergone risk assessments and penetration testing; (7) FAA has established an information systems security management structure, but does not yet have a comprehensive security program in place; (8) FAA's efforts to ensure service continuity are limited; and (9) FAA has not yet fully implemented an intrusion detection capability that will enable it to quickly detect and respond to malicious intrusions.