A review by the Office of Inspector General (OIG) at the Department of Transportation has found security gaps in the Federal Aviation Administration’s (FAA) drone registration service.
In 2012, Congress directed FAA to develop a plan for the safe integration of unmanned aircraft systems —or drones—into the National Airspace System. As part of its integration and oversight of UAS, FAA compiles data in its UAS registration service—known as FAA DroneZone—as well as in its Low Altitude Authorization and Notification Capability (LAANC), an automated system that authorizes registered UAS users to fly their drones near airports.
Both DroneZone and LAANC are cloud-based systems that contain sensitive data provided by the general public, including personally identifiable information (PII).
OIG found that FAA has not effectively ensured that DroneZone and LAANC have adequate security and privacy controls. For example, OIG said “FAA has continued to authorize DroneZone operations without conducting a comprehensive assessment of its security controls since it first began to operate the system in 2015. In addition, FAA’s inadequate monitoring of security controls and use of unauthorized cloud systems increases the risk of the systems being compromised.”
In addition, FAA could not demonstrate to OIG that 24 of 26 privacy controls were assessed to protect 1.5 million DroneZone users’ PII. OIG also found that FAA’s contingency planning does not adequately limit the effects caused by a potential disruption of services. Finally, OIG found that FAA does not have sufficient controls for handling backups and off-site storage to ensure continuous operations and maintain data availability.
To address the security and privacy weaknesses identified in the review, OIG made 13 recommendations:
- Perform a comprehensive assessment of DroneZone and LAANC’s security controls that at a minimum provides the correct implementation status for system specific, common, and hybrid controls, and issue a new Authorization to Operate decision for DroneZone and its interconnected system LAANC.
- Update the security assessment documents for DroneZone and LAANC to reflect the results of all security controls (e.g., common, hybrid, and system-specific) for selection, implementation, and assessing, per DOT requirements.
- Establish and implement controls for monitoring, updating, and remediating open security weaknesses as well as the accepted risk in DOT repository for managing security weaknesses, per the DOT Security Weakness Management Guide.
- Implement procedures to validate that Security Officials responsible for DroneZone and LAANC are trained on NIST and DOT policy for assessing security controls, and require them to follow the guidance.
- Develop Standard Operating Procedures for the use of common and hybrid controls.
- Verify and validate that all external information systems providing cloud services to DroneZone and LAANC are FedRAMP-authorized; if not, obtain a departmental waiver approving their use.
- Develop and implement a process clearly defining how privacy controls are identified, assessed, and documented, and work with the departmental Chief Privacy Officer in developing and implementing the process.
- Complete modification to LAANC Memorandums of Agreement with UAS Service Suppliers to enhance data security and transparency and direct the Authorizing Official to verify and validate that all UAS Service Suppliers are adhering to security requirements outlined in the Memorandum of Agreement.
- Develop and implement a process for testing DroneZone information systems for contingency planning, to include business impact analysis, continuity of operations plans, business continuity plans, disaster recovery plans, and Information System Contingency Planning (ISCP).
- Develop a process to annually document FAA security officials communicating all contingency planning development, planning, and recovery activities to all stakeholders and executive management prior to authorizing officials making risk-based decisions.
- Complete an appropriate ISCP test for DroneZone with its contractor and cloud service provider to ensure the ISCP strategies can be implemented successfully.
- Provide and verify that the required DroneZone personnel listed in the ISCP receive annual contingency planning training.
- Develop, test, and implement an alternative back-up solution verifying that DroneZone data can be backed-up and available to transport to alternate sites in the event the cloud service provider availability zone is unavailable.
FAA concurred with all recommendations and plans to implement recommendation 8 by May 29, 2020; recommendations 1, 2, 6, 7, 9, 10, 11, 12, and 13 by September 30, 2020; and recommendations 3, 4, and 5 by January 29, 2021.