Summary

We issued a report to the FAA Administrator on security and controls over en route air traffic control computer system operations. FAA relies on computer systems deployed to 20 en route centers to direct high-altitude air traffic (above 18,000 feet) over the United States. Our audit objectives were to determine whether en route center systems are adequately secured to ensure the integrity, confidentiality, and availability of air traffic control services.

While having limited exposure to the general public, en route center computer systems need to be better protected. We made specific recommendations to enhance system, physical, and network access security; reduce risks of en route service disruptions; strengthen FAA’s overall contingency planning; and improve the security review process for air traffic control computer systems.

FAA management concurred with our findings and is taking corrective actions that, when fully implemented, will enhance the integrity and availability of en route computer system operations. These corrective actions are in various stages of implementation. In some instances, FAA has completed corrective actions.

The Department of Transportation has determined that this report contains Sensitive Security Information (SSI) as defined by 49 CFR Part 1520. Accordingly, it is not available for public inspection or copying. The regulations provide that, under the Freedom of Information Act (FOIA) and the Privacy Act, should a document contain both SSI and non-SSI information, the Department may disclose the document with the SSI information redacted, so long as this information is not otherwise exempt from disclosure under FOIA or the Privacy Act.