Audit Reports | Office of Inspector General | U.S. Department of Transportation

August 2, 2021
FAA Is Taking Steps to Properly Categorize High-Impact Information Systems but Security Risks Remain Until High Security Controls Are Implemented
Self-Initiated
Project ID: IT2021033

What We Looked At

As the Federal Aviation Administration’s (FAA) operational arm, Air Traffic Organization (ATO) is responsible for providing safe and efficient air navigation services in U.S. controlled airspace. ATO provides air navigation services in over 17 percent of the world’s airspace and includes large portions of international airspace over the Atlantic and Pacific Oceans and the Gulf of Mexico. Until recently, FAA ATO had never applied the high-impact security categorization rating to any of its information systems.
While many of these systems provide safety-critical services, and their failure would have a high adverse impact on FAA’s mission and on the safety and efficiency of the National Airspace System (NAS), FAA categorized all of them as low or moderate. Given the importance of ATO’s information systems to air traffic control security and traveler safety, we initiated this audit. Our audit objectives were to assess (1) FAA’s information system categorization process and (2) the security controls that FAA has selected for the systems it recently re-categorized as high impact.

Our Recommendations

FAA concurred with all six of our recommendations to enhance FAA’s categorization process and mitigate security risks until the Agency selects and implements high security controls for its re-categorized high-impact systems.

THE DEPARTMENT HAS DETERMINED THAT THIS REPORT CONTAINS SENSITIVE SECURITY INFORMATION (SSI) that is controlled under 49 CFR parts 15 and 1520 to protect Sensitive Security Information exempt from public disclosure. For U.S. Government agencies, public disclosure is governed by 5 U.S.C. § 552 and 49 CFR parts 15 and 1520. SSI will be redacted from the report version posted on our website.

Related Library Items

09.02.2020 FAA and Its Partner Agencies Have Begun Work on the Aviation Cyber Initiative and Are Implementing Priorities
03.04.2020 Audit Initiated of FAA’s System Security Re-Categorizations
05.01.2019 Audit Initiated of FAA’s Roles and Responsibilities on the Aviation Cybersecurity Initiative
03.20.2019 FAA Has Made Progress But Additional Actions Remain To Implement Congressionally Mandated Cyber Initiatives
12.04.2018 DOT Has Not Met Federal Targets for Implementing Components of Its Information Security Continuous Monitoring Program
07.27.2017 Audit Initiated of FAA’s Progress in Complying with Section 2111 of the FAA Extension, Safety, and Security Act of 2016
01.18.2017 Audit Initiated of DOT’s Information Security Continuous Monitoring (ISCM) Program
02.04.2016 FAA’s Security Controls Are Insufficient for Large Terminal Radar Approach Control Facilities
09.29.2015 FAA’s Contingency Plans and Security Protocols Were Insufficient at Chicago Air Traffic Control Facilities
12.10.2014 FAA Is Making Progress in Addressing ADS-B’S Security Issues but Weaknesses Still Exist
08.07.2014 Audit Initiated of the Information Technology Controls over FAA’s Large Terminal Radar Approach Control Facilities
12.19.2012 FAA Has Not Adequately Implemented Security Requirements for Its En Route Automation Modernization System
05.20.2011 Audit Initiated of FAA's En Route Automation Modernization Program Information Security Controls
04.15.2011 Quality Control Review on the Vulnerability Assessment of FAA's Operational Air Traffic Control System
08.30.2010 Audit Announcement for the Vulnerability Assessment of the Federal Aviation Administration's Operational Air Traffic Control System
08.19.2010 Letter to Representatives Mica and Petri Regarding ATC Web Security
05.04.2009 Review of Web Applications Security and Intrusion Detection in Air Traffic Control Systems
Published by the Department of Transportation, Office of Inspector General on 2021-08-02.