Information Security: Progress Made, but Federal Aviation Administration Needs to Improve Controls over Air Traffic Control Systems

GAO-05-712 August 26, 2005

Summary

The Federal Aviation Administration (FAA) performs critical functions that contribute to ensuring safe, orderly, and efficient air travel in the national airspace system. To that end, it operates and relies extensively on an array of interconnected automated information systems and networks that comprise the nation's air traffic control systems. These systems provide information to air traffic controllers and aircraft flight crews to help ensure the safe and expeditious movement of aircraft. Interruptions of service by these systems could have a significant adverse impact on air traffic nationwide. Effective information security controls are essential for ensuring that the nation's air traffic control systems are adequately protected from inadvertent or deliberate misuse, disruption, or destruction. Accordingly, GAO was asked to evaluate the extent to which FAA has implemented information security controls for these systems.

FAA has made progress in implementing information security for its air traffic control information systems; however, GAO identified significant security weaknesses that threaten the integrity, confidentiality, and availability of FAA's systems--including weaknesses in controls that are designed to prevent, limit, and detect access to these systems. The agency has not adequately managed its networks, software updates, user accounts and passwords, and user privileges, nor has it consistently logged security-relevant events. Other information security controls--including physical security, background investigations, segregation of duties, and system changes--also exhibited weaknesses, increasing the risk that unauthorized users could breach FAA's air traffic control systems, potentially disrupting aviation operations. While acknowledging these weaknesses, agency officials stated that the possibilities for unauthorized access were limited, given that the systems are in part custom built and that they run on older equipment that employs special-purpose operating systems, proprietary communication interfaces, and custom-built software. Nevertheless, the proprietary features of these systems cannot fully protect them from attacks by disgruntled current or former employees who are familiar with these features, nor will they keep out more sophisticated hackers. A key reason for the information security weaknesses that GAO identified in FAA's air traffic control systems is that the agency had not yet fully implemented its information security program to help ensure that effective controls were established and maintained. Although the agency has initiatives under way to improve its information security, further efforts are needed. 
Weaknesses that need to be addressed include outdated security plans, inadequate security awareness training, inadequate system testing and evaluation programs, limited security incident-detection capabilities, and shortcomings in providing service continuity for disruptions in operations. Until FAA has resolved these issues, the information security weaknesses that GAO has identified will likely persist.

Recommendations

Our recommendations from this work are listed below with a Contact for more information. Status will change from "In process" to "Implemented" or "Not implemented" based on our follow-up work.

Director: Gregory C. Wilshusen
Team: Government Accountability Office: Information Technology
Phone: (202) 512-6244


Recommendations for Executive Action
Recommendation: To help establish effective information security over air traffic control systems, the Secretary of Transportation should direct the FAA Administrator to fully implement an information security program by ensuring that risk assessments are completed.

Agency Affected: Department of Transportation

Status: In process

Comments: According to FAA, it has completed a risk assessment for one of the systems GAO reviewed; both of the other systems will complete a system re-certification, which would include a risk assessment. GAO will verify the agency's actions in FY 2008.

Recommendation: To help establish effective information security over air traffic control systems, the Secretary of Transportation should direct the FAA Administrator to fully implement an information security program by developing and implementing policies and procedures to address such issues as patch management and the reviewing and monitoring of physical access.

Agency Affected: Department of Transportation

Status: In process

Comments: According to FAA, efforts are under way to develop and coordinate patch management procedures. Interim guidance has already been issued to include additional responsibilities for facility managers to review access logs and access privileges (i.e., monitoring of physical access). GAO will verify the agency's actions in FY 2008.

Recommendation: To help establish effective information security over air traffic control systems, the Secretary of Transportation should direct the FAA Administrator to fully implement an information security program by reviewing system security plans to ensure that they contain the information required by OMB A-130 and are up to date.

Agency Affected: Department of Transportation

Status: In process

Comments: According to FAA, it updated the system security plan for one of the systems reviewed by GAO. Both of the remaining systems will undergo re-certification, which will include updating their security plans. GAO will verify the agency's actions in FY 2008.

Recommendation: To help establish effective information security over air traffic control systems, the Secretary of Transportation should direct the FAA Administrator to fully implement an information security program by enhancing the security awareness training program to ensure that all employees and contractors receive information security awareness training, as well as system specific training, and that completion of the training is appropriately reported and tracked.

Agency Affected: Department of Transportation

Status: In process

Comments: FAA has implemented a web-based course on its Intranet and linked it to personnel training records. According to FAA, it has also implemented this course in another format for field personnel who do not have Intranet access, and has begun initial reporting by automated means. FAA will continue to refine this capability. GAO will verify the agency's actions in FY 2008.

Recommendation: To help establish effective information security over air traffic control systems, the Secretary of Transportation should direct the FAA Administrator to fully implement an information security program by developing a process to ensure that sensitive information is not publicly available on the Internet.

Agency Affected: Department of Transportation

Status: In process

Comments: According to FAA, it issued guidance relating to the types of information appropriate for public websites. It also issued guidance to ensure that each organization within FAA annually certifies to the FAA Administrator that each web page under its purview is accurate, current, and meets FAA web standards and requirements. GAO has not yet verified this action.

Recommendation: To help establish effective information security over air traffic control systems, the Secretary of Transportation should direct the FAA Administrator to fully implement an information security program by conducting tests and evaluations of the effectiveness of controls on operational systems, and documenting the results.

Agency Affected: Department of Transportation

Status: In process

Comments: According to FAA, it verified completion of tests and evaluations for one of the systems GAO reviewed. The remaining systems will undergo re-certification, which will include test and evaluation.

Recommendation: To help establish effective information security over air traffic control systems, the Secretary of Transportation should direct the FAA Administrator to fully implement an information security program by performing more frequent testing of system controls on critical systems to ensure that the controls are operating as intended.

Agency Affected: Department of Transportation

Status: In process

Comments: According to FAA, activities have been limited due to budget allocations. FAA plans to conduct compliance checks on remediation activities upon completion, including standard operating procedures associated with security. GAO will verify the agency's actions in FY 2008.

Recommendation: To help establish effective information security over air traffic control systems, the Secretary of Transportation should direct the FAA Administrator to fully implement an information security program by reviewing remedial action plans to ensure that they address all of the weaknesses that have been identified.

Agency Affected: Department of Transportation

Status: In process

Comments: According to FAA, plans of actions and milestones have been updated with vulnerabilities and planned corrective actions for the systems GAO reviewed. These plans will continue to be updated quarterly. GAO will verify the agency's actions in FY 2008.

Recommendation: To help establish effective information security over air traffic control systems, the Secretary of Transportation should direct the FAA Administrator to fully implement an information security program by prioritizing weaknesses in the remedial action plans and establishing appropriate, timely milestone dates for completing the planned actions.

Agency Affected: Department of Transportation

Status: In process

Comments: According to FAA, plans of actions and milestones have been updated with vulnerabilities and planned corrective actions for the systems GAO reviewed. These plans will continue to be updated quarterly. FAA prioritizes weaknesses identified through its certification and accreditation process, annual self-assessments, or other means, and makes priority decisions based on risk, funding, and other factors. GAO has not yet verified these actions and will do so in FY 2008.

Recommendation: To help establish effective information security over air traffic control systems, the Secretary of Transportation should direct the FAA Administrator to fully implement an information security program by implementing FAA's plan to deploy intrusion detection capabilities for portions of the network infrastructure that are not currently covered.

Agency Affected: Department of Transportation

Status: In process

Comments: FAA is in the process of installing intrusion detection capabilities. GAO will verify the agency's actions in FY 2008.

Recommendation: To help establish effective information security over air traffic control systems, the Secretary of Transportation should direct the FAA Administrator to fully implement an information security program by correcting configuration issues in current intrusion detection systems to ensure that they are working as intended.

Agency Affected: Department of Transportation

Status: In process

Comments: According to FAA, its plans to deploy an intrusion detection capability will also correct the configuration issues. GAO will verify the agency's actions in FY 2008.

Recommendation: To help establish effective information security over air traffic control systems, the Secretary of Transportation should direct the FAA Administrator to fully implement an information security program by reviewing service continuity plans to ensure that they appropriately reflect the current operating environment.

Agency Affected: Department of Transportation

Status: In process

Comments: According to FAA, it has completed the service continuity plan for one of the systems GAO reviewed. Service continuity plans for the remaining systems will be updated as part of their re-certification process. GAO will verify the agency's actions in FY 2008.