Skip to Highlights
Highlights

Pursuant to a congressional request, GAO reviewed the Federal Aviation Administration's (FAA) computer security practices, focusing on: (1) whether FAA is effectively managing physical security at air traffic control (ATC) facilities and systems security for its current operational systems; (2) whether FAA is effectively managing systems security for future ATC modernization systems; and (3) the effectiveness of FAA's management structure and implementation of policy for computer security.

Skip to Recommendations

Recommendations

Recommendations for Executive Action

Agency Affected Recommendation Status
Department of Transportation 1. Given the importance of physical security at the FAA facilities that house ATC systems, the Secretary of Transportation should direct the Administrator, FAA, to develop and execute a plan to inspect the 187 ATC facilities that have not been inspected in over 4 years and correct any weaknesses identified so that these ATC facilities can be granted physical security accreditation as expeditiously as possible, but no later than April 30, 1999.
Closed - Implemented
FAA inspected the facilities that had not been inspected since 1993 and accredited 297 of its key facilities, but these efforts were not sufficient. In March 1999, FAA implemented a new policy governing the accreditation of its facilities, which requires that a facility undergo a more stringent, detailed assessment prior to accreditation. Accordingly, FAA officials noted that all of the facilities that had been inspected and accredited under the prior policy will need to be assessed and re-accredited under the revised policy. FAA is making progress in accrediting facilities and plans to complete its efforts to accredit all staffed facilities by September 30, 2005.
Department of Transportation 2. Given the importance of physical security at the FAA facilities that house ATC systems, the Secretary of Transportation should direct the Administrator, FAA, to correct identified physical security weaknesses at inspected facilities so that these ATC facilities can be granted physical security accreditation as expeditiously as possible, but no later than April 30, 1999.
Closed - Implemented
FAA accredited 297 of its key facilities, but these efforts were not sufficient. In March 1999, FAA implemented a new policy governing the accreditation of its facilities, which requires that a facility undergo a more stringent, detailed assessment prior to accreditation. Accordingly, FAA officials noted that all of the facilities that had been inspected and accredited under the prior policy will need to be assessed and re-accredited under the revised policy. FAA security officials plan to accredit all staffed facilities by September 30, 2005.
Department of Transportation 3. Given the importance of physical security at the FAA facilities that house ATC systems, the Secretary of Transportation should direct the Administrator, FAA, to ensure that the required annual or triennial follow-up inspections are conducted, deficiencies are promptly corrected, and accreditation is kept current for all ATC facilities, as required by FAA policy.
Closed - Implemented
In March 1999, FAA implemented a new policy governing the accreditation of its facilities, which requires that a facility undergo a more stringent, detailed assessment prior to accreditation, as well as follow-up inspections. Accordingly, FAA officials noted that all of the facilities that had been inspected and accredited under the prior policy need to be assessed and re-accredited under the revised policy. As of July 2002, FAA has completed facility assessments, and has set a goal of accrediting all staffed facilities by 2009. Also, the FAA Security Director reported that follow-up inspections are ongoing, according to FAA policy.
Department of Transportation 4. Given the importance of operational ATC systems security, the Secretary of Transportation should direct the Administrator, FAA, to assess, certify, and accredit all ATC systems, as required by FAA policy, as expeditiously as possible, but no later than April 30, 1999.
Closed - Implemented
DOT partially concurred with this recommendation and noted that FAA could not assess, certify, and accredit all ATC systems by April 30, 1999. To date, FAA has accredited about 30 of its approximately 90 operational ATC systems. FAA security officials plan to complete this process for all critical ATC systems by May 2003.
Department of Transportation 5. Given the importance of operational ATC systems security, the Secretary of Transportation should direct the Administrator, FAA, to ensure that all systems are assessed, certified, and accredited at least every 3 years, as required by federal policy.
Closed - Implemented
DOT concurred with this recommendation, and FAA has delegated responsibility for overseeing systems security to the Chief Information Officer's Office of Information Systems Security. This office is tracking the security certification and authorization of all FAA systems to ensure that they meet policy requirements. However, to date, FAA has authorized only about one-third of its operational ATC systems.
Department of Transportation 6. To improve security for future ATC modernization systems, the Secretary of Transportation should direct the Administrator, FAA, to ensure that specifications for all new ATC systems include security requirements based on detailed security assessments by requiring that security requirements be included as a criterion when FAA analyzes new systems for funding under its acquisition management system.
Closed - Implemented
FAA's acquisition management policy requires that ATC systems obtain security assessments, certification, and accreditation by the time they are operational. This accredition process ensures that security features are incorporated into the new systems' requirements.
Department of Transportation 7. To improve security for future ATC modernization systems, the Secretary of Transportation should direct the Administrator, FAA, to ensure that the National Airspace Systems Information Security (NIS) group establishes detailed plans and schedules to develop a security architecture, a security concept of operations, and security standards and that these plans are implemented.
Closed - Implemented
DOT concurred with this recommendation. However, under FAA's new CIO organizational structure, the NIS group was no longer required and has been disbanded. The CIO's Office of Information Systems Security recently issued a security architecture and a revised information systems security policy. This office has also developed standards and directives to support and provide detail on the information systems security policy. Further, the office has developed a strategic vision and an implementation plan for information systems security.
Department of Transportation 8. The Secretary of Transportation should report FAA physical security controls at its ATC facilities, operational ATC system security, and the lack of information security guidance (e.g., a security architecture, a security concept of operations, and security standards) as material internal control weaknesses in the department's fiscal year 1998 Federal Managers' Financial Integrity Act (FMFIA) report and in subsequent annual FMFIA reports until these problems are substantially corrected.
Closed - Not Implemented
DOT did not concur with this recommendation and did not implement it. It stated that the actions taken in response to the other recommendations in the report such as completing physical security inspections and implementation of a CIO reporting directly to the FAA administrator are sufficient actions to address information security issues.
Department of Transportation 9. The Secretary of Transportation should direct the Administrator, FAA, to establish an effective management structure for developing, implementing, and enforcing ATC computer security policy.
Closed - Implemented
The FAA Administrator agreed with this recommendation and established a CIO position. The new CIO joined the organization February 1, 1999, and has responsibility for developing, implementing, and enforcing the FAA Information Security Program, to include policy for all FAA information systems, according to FAA. Policies, procedures, and standards developed to support individual lines of business will be coordinated with the CIO prior to finalization.
Department of Transportation 10. Given the importance and the magnitude of the information technology initiative at FAA, GAO is expanding on its earlier recommendation that a Chief Information Officer (CIO) management structure similar to the department-level CIOs as prescribed in the Clinger-Cohen Act be established for FAA by recommending that FAA's CIO be responsible for computer security.
Closed - Implemented
The FAA Administrator agreed with this recommendation and has established a CIO position. The CIO has responsibility for establishing and oversight of the agency's information security program, to include the agency information security budget, according to FAA.
Department of Transportation 11. The NIS group should report to the CIO and the CIO should direct the NIS group to implement its plans.
Closed - Implemented
The NIS group was replaced by the Office of Information Systems Security, which reports directly to FAA's Chief Information Officer. This office is responsible for developing information systems security policies, procedures, and the security architecture.
Department of Transportation 12. The CIO should designate a senior manager in Air Traffic Services to be the ATC operational accrediting authority.
Closed - Implemented
DOT agreed with this recommendation, and FAA's CIO has designated the Associate Administrator for Air Traffic Service (ATS-1) the Delegated Approving Authority (DAA). Since this position can be delegated to a senior executive service member one level below the Associate, ATS-1 has delegated the Director, Airway Facilities Service DAA for operational Air Traffic Systems.

Full Report