Highlights

The Federal Aviation Administration (FAA) performs critical functions that contribute to ensuring safe, orderly, and efficient air travel in the national airspace system. To that end, it operates and relies extensively on an array of interconnected automated information systems and networks that comprise the nation's air traffic control systems. These systems provide information to air traffic controllers and aircraft flight crews to help ensure the safe and expeditious movement of aircraft. Interruptions of service by these systems could have a significant adverse impact on air traffic nationwide. Effective information security controls are essential for ensuring that the nation's air traffic control systems are adequately protected from inadvertent or deliberate misuse, disruption, or destruction. Accordingly, GAO was asked to evaluate the extent to which FAA has implemented information security controls for these systems.

Recommendations

Recommendations for Executive Action

Agency Affected Recommendation Status
Department of Transportation: To help establish effective information security over air traffic control systems, the Secretary of Transportation should direct the FAA Administrator to fully implement an information security program by ensuring that risk assessments are completed.
Closed - Implemented

In fiscal year 2009, we verified that FAA ensured that risk assessments were completed.
Department of Transportation: To help establish effective information security over air traffic control systems, the Secretary of Transportation should direct the FAA Administrator to fully implement an information security program by developing and implementing policies and procedures to address such issues as patch management and the reviewing and monitoring of physical access.
Closed - Implemented

In fiscal year 2009, we verified that FAA implemented policies and procedures to address patch management and developed procedures for reviewing and monitoring physical access.
Department of Transportation: To help establish effective information security over air traffic control systems, the Secretary of Transportation should direct the FAA Administrator to fully implement an information security program by reviewing system security plans to ensure that they contain the information required by OMB A-130 and are up to date.
Closed - Implemented

In fiscal year 2009, we verified that FAA revised a critical system security plan to include missing information and kept the plan up to date.
Department of Transportation: To help establish effective information security over air traffic control systems, the Secretary of Transportation should direct the FAA Administrator to fully implement an information security program by enhancing the security awareness training program to ensure that all employees and contractors receive information security awareness training, as well as system-specific training, and that completion of the training is appropriately reported and tracked.
Closed - Implemented

In fiscal year 2009, we verified that FAA enhanced its security awareness training program to ensure that all employees and contractors receive information security awareness training, as well as system-specific training, and that completion of the training is appropriately reported and tracked.
Department of Transportation: To help establish effective information security over air traffic control systems, the Secretary of Transportation should direct the FAA Administrator to fully implement an information security program by developing a process to ensure that sensitive information is not publicly available on the Internet.
Closed - Implemented

In fiscal year 2009, we verified that FAA developed a process to ensure that sensitive information is not publicly available on the Internet.
Department of Transportation: To help establish effective information security over air traffic control systems, the Secretary of Transportation should direct the FAA Administrator to fully implement an information security program by conducting tests and evaluations of the effectiveness of controls on operational systems, and documenting the results.
Closed - Implemented

In fiscal year 2009, we verified that FAA conducted tests and evaluations of the effectiveness of controls on operational systems, and documented results.
Department of Transportation: To help establish effective information security over air traffic control systems, the Secretary of Transportation should direct the FAA Administrator to fully implement an information security program by performing more frequent testing of system controls on critical systems to ensure that the controls are operating as intended.
Closed - Implemented

In fiscal year 2009, we verified that FAA performed frequent testing of system controls on critical systems to ensure that the controls were operating as intended.
Department of Transportation: To help establish effective information security over air traffic control systems, the Secretary of Transportation should direct the FAA Administrator to fully implement an information security program by reviewing remedial action plans to ensure that they address all of the weaknesses that have been identified.
Closed - Implemented

In fiscal year 2009, we verified that FAA reviewed remedial action plans to ensure that they addressed all of the weaknesses that have been identified.
Department of Transportation: To help establish effective information security over air traffic control systems, the Secretary of Transportation should direct the FAA Administrator to fully implement an information security program by prioritizing weaknesses in the remedial action plans and establishing appropriate, timely milestone dates for completing the planned actions.
Closed - Implemented

In fiscal year 2009, we verified that FAA prioritized weaknesses in remedial action plans and established appropriate, timely milestone dates for completing the planned actions.
Department of Transportation: To help establish effective information security over air traffic control systems, the Secretary of Transportation should direct the FAA Administrator to fully implement an information security program by implementing FAA's plan to deploy intrusion detection capabilities for portions of the network infrastructure that are not currently covered.
Closed - Implemented

In fiscal year 2009, we verified that FAA implemented a plan to deploy intrusion detection capabilities for portions of the network infrastructure that were not currently covered.
Department of Transportation: To help establish effective information security over air traffic control systems, the Secretary of Transportation should direct the FAA Administrator to fully implement an information security program by correcting configuration issues in current intrusion detection systems to ensure that they are working as intended.
Closed - Not Implemented

FAA has tested, and intends to purchase, a product to mitigate the weakness with current intrusion detection systems, but has not yet done so because funding has not been approved, according to FAA officials.
Department of Transportation: To help establish effective information security over air traffic control systems, the Secretary of Transportation should direct the FAA Administrator to fully implement an information security program by reviewing service continuity plans to ensure that they appropriately reflect the current operating environment.
Closed - Not Implemented

The service continuity plan for a key system does not appropriately reflect the current operating environment.
