The Office of Inspector General (OIG) at the Department of Transportation says some security risks remain for the Federal Aviation Administration’s high-impact information systems.
As the FAA’s operational arm, the Air Traffic Organization (ATO) is responsible for providing safe and efficient air navigation services in U.S. controlled airspace. ATO provides air navigation services in over 17 percent of the world’s airspace, which includes large portions of international airspace over the Atlantic and Pacific Oceans and the Gulf of Mexico.
FAA ATO sets categorization levels of low, moderate and high, based on how severe the impact of a “loss of confidentiality, integrity, or availability” from a security breach of an information system would be.
Until recently, FAA ATO had never applied the high-impact security categorization rating to any of its information systems. Many of these systems provide safety-critical services, and a system failure would have a high adverse impact on the FAA’s mission and on the safety and efficiency of the National Airspace System (NAS), yet the FAA categorized all of them as low or moderate.
In August 2017, the FAA informed ATO program managers that it was re-categorizing 61 ATO systems from low or moderate impact to high. In January 2018, many system owners appealed the recategorization to an FAA-convened adjudication board. After the completion of the appeal process, 50 of the 61 systems had been re-categorized as high impact.
Given the importance of ATO’s information systems to air traffic control security and traveler safety, OIG initiated an audit to assess the FAA’s information system categorization process and the security controls that the FAA has selected for the systems it recently re-categorized as high impact.
Due to the security sensitivity of OIG’s findings, much of the watchdog’s report is redacted. In general, the audit found that the FAA is now taking steps to properly categorize high-impact information systems. However, OIG cautioned that security risks will remain until high security controls are fully implemented.
The FAA concurred with OIG’s recommendations to enhance the FAA’s categorization process and to mitigate security risks until the Agency selects and implements high security controls for its re-categorized high-impact systems.