Summary

We issued a report to the Federal Aviation Administrator on security and controls over en route air traffic control developmental systems located in the computer laboratory at FAA’s William J. Hughes Technical Center. This is the second in a series of reports concerning en route air traffic control systems security. New systems or upgrades cannot be deployed to en route centers to support high-altitude (above 18,000 feet) air traffic control without first being tested on the developmental systems in the Technical Center computer laboratory. Our audit objectives were to determine whether en route developmental systems are adequately secured to ensure the integrity, confidentiality, and availability of air traffic control system testing and modernization efforts. We made specific recommendations to strengthen security protection over en route developmental systems. FAA management concurred with our findings and has taken corrective actions to secure outside entities’ connections to the Technical Center network, eliminate computer vulnerabilities, improve access controls to the computer laboratory and developmental systems, and enhance contingency planning for essential operations at the Technical Center. The Department of Transportation has determined that this report contains Sensitive Security Information (SSI) as defined by 49 CFR Part 1520. Accordingly, it is not available for public inspection or copying. The regulations provide that, under the Freedom of Information Act (FOIA) and the Privacy Act, should a document contain both SSI and non-SSI information, the Department may disclose the document with the SSI information redacted, as long as this information is not otherwise exempt from disclosure under FOIA or the Privacy Act.