FAA Is Taking Steps to Properly Categorize High-Impact Information Systems but Security Risks Remain Until High Security Controls Are Implemented

Published by the Department of Transportation, Office of Inspector General on 2021-08-02.

Office of Inspector General | U.S. Department of Transportation
Eric J. Soskin, Inspector General
August 2, 2021
FAA Is Taking Steps to Properly Categorize High-Impact Information Systems but Security Risks Remain Until High Security Controls Are Implemented
Self-Initiated
Project ID: IT2021033
What We Looked At
As the Federal Aviation Administration’s (FAA) operational arm, the Air Traffic Organization (ATO) is responsible for providing safe and efficient air navigation services in U.S. controlled airspace. ATO provides air navigation services in over 17 percent of the world’s airspace, which includes large portions of international airspace over the Atlantic and Pacific Oceans and the Gulf of Mexico. Until recently, FAA ATO had never applied the high-impact security categorization rating to any of its information systems. Although many of these systems provide safety-critical services, and their failure would have a high adverse impact on FAA’s mission and on the safety and efficiency of the National Airspace System (NAS), FAA categorized all of them as low or moderate. Given the importance of ATO’s information systems to air traffic control security and traveler safety, we initiated this audit. Our audit objectives were to assess (1) FAA’s information system categorization process and (2) the security controls that FAA has selected for the systems it recently re-categorized as high impact.
Our Recommendations
FAA concurred with all six of our recommendations to enhance FAA’s categorization process and mitigate security risks until the Agency selects and implements high security controls for its re-categorized high-impact systems.
THE DEPARTMENT HAS DETERMINED THAT THIS REPORT CONTAINS SENSITIVE SECURITY INFORMATION (SSI) that is controlled under 49 CFR parts 15 and 1520 to protect Sensitive Security Information exempt from public disclosure. For U.S. Government agencies, public disclosure is governed by 5 U.S.C. § 552 and 49 CFR parts 15 and 1520. SSI will be redacted from the report version posted on our website.
Related Library Items
FAA and Its Partner Agencies Have Begun Work on the Aviation Cyber Initiative and Are Implementing Priorities
Audit Initiated of FAA’s System Security Re-Categorizations
Audit Initiated of FAA’s Roles and Responsibilities on the Aviation Cybersecurity Initiative
FAA Has Made Progress But Additional Actions Remain To Implement Congressionally Mandated Cyber Initiatives
DOT Has Not Met Federal Targets for Implementing Components of Its Information Security Continuous Monitoring Program
Audit Initiated of FAA’s Progress in Complying with Section 2111 of the FAA Extension, Safety, and Security Act of 2016
Audit Initiated of DOT’s Information Security Continuous Monitoring (ISCM) Program
FAA’s Security Controls Are Insufficient for Large Terminal Radar Approach Control Facilities
FAA’s Contingency Plans and Security Protocols Were Insufficient at Chicago Air Traffic Control Facilities
FAA Is Making Progress in Addressing ADS-B’S Security Issues but Weaknesses Still Exist
Audit Initiated of the Information Technology Controls over FAA’s Large Terminal Radar Approach Control Facilities
FAA Has Not Adequately Implemented Security Requirements for Its En Route Automation Modernization System
Audit Initiated of FAA's En Route Automation Modernization Program Information Security Controls
Quality Control Review on the Vulnerability Assessment of FAA's Operational Air Traffic Control System
Audit Announcement for the Vulnerability Assessment of the Federal Aviation Administration's Operational Air Traffic Control System
Letter to Representatives Mica and Petri Regarding ATC Web Security
Review of Web Applications Security and Intrusion Detection in Air Traffic Control Systems
Office of Inspector General, U.S. Department of Transportation  |  1200 New Jersey Ave SE, Washington DC 20590