Information Security
Serious Weaknesses Put State Department and FAA Operations at Risk
GAO ID: T-AIMD-98-170
May 19, 1998

The Federal Aviation Administration (FAA) was ineffective in all critical areas included in GAO's computer security review--facilities physical security, operational systems information security, future systems modernization security, and management structure and policy implementation. Because physical security is the agency's first line of defense against criminal and terrorist attack, the failure to beef up physical security at air traffic control towers, terminal radar approach control facilities, and en route centers places property and the safety of the flying public at risk. Information security safeguards cannot be fully effective as long as FAA continues to operate with significant physical security vulnerabilities. Also, because FAA has not assessed physical security controls at all its facilities since 1993, it does not know how vulnerable they are. Similarly, FAA does not know how vulnerable its operational air traffic control systems are and cannot adequately protect them until it performs the appropriate system risk assessments and certifies and accredits air traffic control systems. Moreover, FAA is not effectively incorporating security controls into new air traffic control systems. Until FAA carries out its computer security responsibilities, sensitive information is at risk of being compromised and flight services interrupted.
GAO noted that: (1) the dramatic increase in computer interconnectivity and the popularity of the Internet are offering government agencies unprecedented opportunities to improve operations by reducing paper processing, cutting costs, and sharing information; (2) at the same time, however, malicious attacks on computer systems are increasing at alarming rates and are posing serious risks to key government operations; (3) in conjunction with GAO's financial statement audit focus and high-risk reviews, this work has revealed a disturbing picture of the government's lack of success in protecting federal assets from fraud and misuse, sensitive information from inappropriate disclosure, and critical operations from disruption; (4) State relies on a variety of decentralized information systems and networks to help it carry out its responsibilities; (5) GAO's tests demonstrated that State's computer systems and the information contained within them are susceptible to hackers, terrorists, or other unauthorized individuals seeking to damage State operations or reap financial gain by exploiting the department's information security weaknesses; (6) FAA's air traffic control (ATC) computer systems provide information to air traffic controllers and aircraft flight crews to ensure safe and expeditious movement of aircraft; (7) failure to adequately protect these systems, as well as the facilities that house them, could cause nationwide disruptions of air traffic or even loss of life due to collisions; (8) GAO found that FAA was not effectively managing physical security at ATC facilities; (9) furthermore, GAO found that FAA did not know if other facilities were similarly vulnerable because it had not assessed the physical security controls at 187 facilities since 1993; (10) FAA was also ineffective in managing systems security for its operational systems and was in violation of its own policy; (11) additionally, FAA had not been effectively managing systems security for future ATC modernization systems; (12) FAA's management structure and implementation of policy for ATC computer security was not effective; (13) GAO found that many problems contribute to agencies' difficulties in successfully balancing the tradeoffs necessary to establish effective computer security; and (14) the organizations with superior security programs managed their information security risks by implementing a continuing cycle of monitoring business risks, maintaining policies and controls, and monitoring operations.