Skip to Highlights
Highlights

Pursuant to a congressional request, GAO provided information on the Federal Aviation Administration's (FAA) security controls over information on the foreign nationals involved in remediating and reviewing software, focusing on: (1) the extent to which foreign nationals were involved in year 2000 code remediation and subsequent code review activities at FAA; and (2) FAA's policies covering this involvement.

Skip to Recommendations

Recommendations

Recommendations for Executive Action

Agency Affected Recommendation Status
Federal Aviation Administration 1. In order to address weaknesses in the enforcement of its policies and to identify and mitigate the risk of malicious intrusions or attacks on mission-critical FAA systems, the Administrator, FAA, should direct the FAA's Associate Administrator for Civil Aviation Security to clarify the requirements for contractor employee background checks or investigations and establish a process under which background checks or investigations are performed for all contractor staff where applicable. To increase the effectiveness of such an action, the Associate Administrator must also ensure that risk assessments are prepared with appropriate input from system owners and users.
Closed - Implemented
DOT concurred with this recommendation, and FAA has taken action to ensure that the requirements for contractor employee background searches are understood, and that there is a process in place for performing these searches. Specifically, FAA officials issued a policy memo calling attention to FAA's personnel security requirements, and FAA's security office provided briefings to contracting officers on these requirements. Also, in order to improve the process for implementing personnel security requirements, FAA developed new security clauses to be added to relevant contracts, and reaffirmed the roles of the various organizations involved in obtaining background searches of contractor employees.
Federal Aviation Administration 2. In order to address weaknesses in the enforcement of its policies and to identify and mitigate the risk of malicious intrusions or attacks on mission-critical FAA systems, the Administrator, FAA, should direct the FAA's Associate Administrator for Research and Acquisitions to provide guidance on contract provisions, such as mandatory versus optional clauses, and enforce the appropriate use of these clauses. The Associate Administrator should instruct personnel to review current and pending contracts to ensure that all applicable contract provisions are included. In addition, the reasonableness of all clause limitations should be reviewed.
Closed - Implemented
DOT concurred with this recommendation, and FAA has evaluated, revised, and implemented its requirements for contract provisions covering FAA personnel security orders. Furthermore, FAA security officials are reviewing existing contracts to ensure that they contain the appropriate contract provisions, and are modifying these contracts as needed.
Federal Aviation Administration 3. In order to address weaknesses in the enforcement of its policies and to identify and mitigate the risk of malicious intrusions or attacks on mission-critical FAA systems, the Administrator, FAA, should direct the appropriate FAA entity to maintain records of the individuals, both FAA and contractor employees, working on systems, especially mission-critical applications.
Closed - Implemented
DOT concurred with this recommendation, and FAA has established processes for obtaining background investigations on contractors and federal employees. It also established a task force to oversee the background investigation process and to report on its progress on a monthly basis. Because of the attention to background investigations, contracting officers are maintaining information on the individuals working on key systems.
Federal Aviation Administration 4. In order to address weaknesses in the enforcement of its policies and to identify and mitigate the risk of malicious intrusions or attacks on mission-critical FAA systems, the Administrator, FAA, should direct the appropriate FAA entity to perform security reviews of critical systems that have been remediated under contract.
Closed - Implemented
FAA is tracking 24 systems that had been remediated or reviewed by foreign nationals, and of those 24 systems, has completed its security certification and accreditation on 20 of the most critical systems.
Federal Aviation Administration 5. In order to address weaknesses in the enforcement of its policies and to identify and mitigate the risk of malicious intrusions or attacks on mission-critical FAA systems, the Administrator, FAA, should direct the appropriate FAA entity to carefully control access to and distribution of program source code, in conjunction with security reviews.
Closed - Implemented
FAA revised its policy governing the release of technical data owned or acquired by FAA, including source code. The new policy was implemented in February 2002.
Federal Aviation Administration 6. In order to address weaknesses in the enforcement of its policies and to identify and mitigate the risk of malicious intrusions or attacks on mission-critical FAA systems, the Administrator, FAA, should direct the appropriate FAA entity to perform a risk assessment for code reviews conducted by Primeon to determine the potential exposure and consider retroactively performing background investigations of Primeon's staff.
Closed - Implemented
DOT concurred with this recommendation, and stated that FAA had performed a security review on each critical system that had undergone a code review. FAA officials stated that they would perform additional reviews during each system's risk assessment. Since that time, FAA identified 24 systems that had been remediated or reviewed by foreign nationals, and has recently completed its risk assessments of those systems.

Full Report