Why the OIG Did This Audit
The Federal Aviation Administration (FAA) relies on critical information systems to meet its mission of safely and efficiently managing air travel in the United States. In August 2021, the OIG reported that the FAA had re-categorized 45 information systems as high-impact systems. It also found that the FAA was not holding its high-impact system owners responsible for remediating high security baseline control weaknesses. Given these previous findings and the potential risks to the National Airspace System (NAS) if high-impact baseline security controls are not fully implemented, the OIG self-initiated this audit.
What the OIG Found
FAA has begun selecting and implementing required security controls for its high-impact systems supporting the NAS, but gaps remain.
- FAA has made progress but has not selected all required high baseline security controls for its systems that support the NAS. The OIG found 15 of the 45 high-impact systems reviewed had security controls selected under the outdated NIST SP 800-53 Revision 4 (Rev 4) standards, rather than the current Revision 5 (Rev 5) standards.
- FAA has not fully implemented required security controls for systems that support the NAS. According to the system documentation OIG reviewed, FAA had not fully implemented 1,836 (11.3 percent) of the 16,245 required controls for the 45 systems.
- Some high-impact systems continue to have missing baseline security controls, according to their system documentation.
- According to FAA, these gaps exist in part because of technical and other challenges with FAA’s systems. Until these gaps are filled, these systems may be vulnerable to cyberattacks that could cause severe or catastrophic effects on the NAS.
FAA does not fully track and mitigate all potential vulnerabilities for its high-impact systems in DOT’s system of record.
- FAA is not tracking and mitigating vulnerabilities within DOT’s system of record, as required. As a result, FAA is not being fully transparent with the Department in identifying its vulnerabilities, according to the OIG.
- FAA has not ensured its security system documentation is fully updated with the status of all vulnerabilities.
What the OIG Recommends
The OIG made 4 recommendations to mitigate the risks associated with not selecting and implementing all required high baseline security controls and/or not fully mitigating potential vulnerabilities for FAA’s 45 high-impact systems supporting the NAS.


