
FAA Computer Security: Recommendations to Address Continuing Weaknesses

GAO-01-171 Published: Dec 06, 2000. Publicly Released: Dec 06, 2000.

Highlights

The Federal Aviation Administration's (FAA) agencywide computer security program has serious, pervasive problems in the following key areas: personnel security, facility physical security, operational systems security, information systems security management, service continuity, and intrusion detection. Until FAA addresses these pervasive weaknesses, its critical information systems will remain at increased risk of intrusion and attack, and its aviation operations will remain at risk as well.

Recommendations

Recommendations for Executive Action

Agency affected (all recommendations below): Department of Transportation

Recommendation (personnel security): The Secretary of Transportation should direct the Administrator, FAA, to actively track when reinvestigations of federal employees are due, and ensure that they occur.
Status: Closed – Implemented
FAA officials added a module to their investigation tracking system that allows them to track when reinvestigations of federal employees are due. Officials noted that they use this system to ensure that reinvestigations occur.

Recommendation (personnel security): The Secretary of Transportation should direct the Administrator, FAA, to move expeditiously to complete the required background searches of contract employees.
Status: Closed – Implemented
FAA has established a process for obtaining background checks and for monitoring the status of those checks. FAA status reports show that thousands of background checks have been completed. Furthermore, as new contracts are awarded, new background checks are initiated.

Recommendation (personnel security): The Secretary of Transportation should direct the Administrator, FAA, to verify the background searches of both current and prior contract employees who performed or are performing vulnerability assessments, and update or upgrade these background searches as warranted.
Status: Closed – Implemented
FAA officials have completed the background checks of contractors working on vulnerability assessments.

Recommendation (personnel security): The Secretary of Transportation should direct the Administrator, FAA, to perform vulnerability assessments of the critical systems that were worked on by foreign nationals in order to assess these systems' vulnerability to unauthorized access.
Status: Closed – Implemented
FAA agreed with this recommendation and has performed risk assessments on the relevant systems as part of its system certification and accreditation program.

Recommendation (facility physical security): The Secretary of Transportation should direct the Administrator, FAA, to proceed quickly to complete facility assessments, perform corrective actions on any weaknesses identified during these facility assessments, and accredit these facilities.
Status: Closed – Implemented
FAA concurred with this recommendation. Over the past few years, the agency has assessed all of its staffed facilities and performed corrective actions as part of its process for accrediting facilities. While facility accreditation is an ongoing process, the agency reports that the majority of facilities have been accredited.

Recommendation (operational systems security): The Secretary of Transportation should direct the Administrator, FAA, to proceed quickly to complete assessments of all operational air traffic control systems, address any weaknesses identified during these assessments, and accredit these systems.
Status: Closed – Implemented
FAA has established a process for assessing risks and for certifying and authorizing critical systems, and has certified and authorized its air traffic control systems in compliance with the Federal Information Security Management Act.

Recommendation (operational systems security): The Secretary of Transportation should direct the Administrator, FAA, to complete efforts to implement and enforce a comprehensive configuration management/software change control policy.
Status: Closed – Not Implemented
FAA is refining its configuration control approach and plans to implement a configuration management/software change control policy. FAA officials developed an initial draft of the policy in March 2004 and are continuing to refine it.

Recommendation (operational systems security): The Secretary of Transportation should direct the Administrator, FAA, to complete overall security guidance documents, including a security concept of operations and security standards.
Status: Closed – Implemented
FAA has issued numerous security guidance documents, including new versions of the information systems security architecture and security handbook, and multiple security directives. Furthermore, the office has drafted an Information Systems Security Strategic Vision and implementation plan.

Recommendation (operational systems security): The Secretary of Transportation should direct the Administrator, FAA, to ensure that new systems development efforts conform with policy requirements and the information systems security architecture.
Status: Closed – Implemented
FAA revised its Information Systems Security Architecture to provide technical guidance for securing legacy and new FAA systems and networks. The agency enforces compliance with this guidance through its system certification and accreditation process.

Recommendation (information systems security management): The Secretary of Transportation should direct the Administrator, FAA, to complete the information systems security directives.
Status: Closed – Implemented
FAA has issued security directives on its information systems security program, internet access points, internet services, software releases, and password administration. Additional directives are being developed and planned.

Recommendation (information systems security management): The Secretary of Transportation should direct the Administrator, FAA, to fully implement and enforce all security policies.
Status: Closed – Implemented
FAA is implementing its information systems security policies. Specifically, it is tracking security training of all key ISS personnel and proceeding to assess, certify, and accredit information systems as secure; its computer security incident response center is also operational.

Recommendation (information systems security management): The Secretary of Transportation should direct the Administrator, FAA, to complete efforts to develop and implement new information systems security training courses.
Status: Closed – Implemented
FAA has developed a series of security training courses. These include system certification and accreditation courses and information systems security officer training. Additionally, FAA is developing new courses to be offered in 2003.

Recommendation (service continuity): The Secretary of Transportation should direct the Administrator, FAA, to assess the effects of security breaches on all systems.
Status: Closed – Implemented
FAA's Computer Security Incident Response Center now assesses reported security incidents and their impact on FAA.

Recommendation (service continuity): The Secretary of Transportation should direct the Administrator, FAA, to enhance existing contingency plans to address potential systems security breaches.
Status: Closed – Implemented
Under FAA's information systems security policy, system-specific contingency plans are required as part of the systems certification and authorization process. FAA reports that it has certified and authorized critical air traffic control systems.

Recommendation (service continuity): The Secretary of Transportation should direct the Administrator, FAA, to correct inadequacies in facility contingency plans.
Status: Closed – Implemented
FAA is working to improve facilities' contingency plans as it inspects individual facilities. FAA security officials reported that any inadequacies identified during facility inspections are corrected as appropriate.

Recommendation (intrusion detection): The Secretary of Transportation should direct the Administrator, FAA, to increase efforts to establish a fully operational computer security and intrusion response capability that allows for the prompt detection, analysis, and reporting of all computer systems security incidents.
Status: Closed – Implemented
FAA's Computer Security Incident Response Center became fully operational in March 2002. This center is responsible for detecting, analyzing, and reporting on security incidents.

Recommendation (intrusion detection): The Secretary of Transportation should direct the Administrator, FAA, to ensure that all physical security incidents are reported to security personnel.
Status: Closed – Implemented
FAA policy requires reporting of all physical security incidents at FAA facilities. In March 2001, FAA took additional action to clarify what needs to be reported and the channels available for reporting incidents. This information was issued in a memorandum, signed by the Administrator, reinforcing the need to report incidents at facilities.


Topics

Air traffic control systems; Computer security; Cyber security; Emergency preparedness; Facility security; Homeland security; Information resources management; Internal controls; Terrorism; Physical security