Air Traffic Control: Weak Computer Security Practices Jeopardize Flight Safety

GAO ID: AIMD-98-155, May 18, 1998

The Federal Aviation Administration (FAA) was ineffective in all critical areas included in GAO's computer security review--facilities physical security, operational systems information security, future systems modernization security, and management structure and policy implementation. Because physical security is the agency's first line of defense against criminal and terrorist attack, the failure to beef up physical security at air traffic control towers, terminal radar approach control facilities, and en route centers places property and the safety of the flying public at risk. Information security safeguards cannot be fully effective as long as FAA continues to operate with significant physical security vulnerabilities. Also, because FAA has not assessed physical security controls at all its facilities since 1993, it does not know how vulnerable they are. Similarly, FAA does not know how vulnerable its operational air traffic control systems are and cannot adequately protect them until it performs the appropriate system risk assessments and certifies and accredits air traffic control systems. Moreover, FAA is not effectively incorporating security controls into new air traffic control systems. Until FAA carries out its computer security responsibilities, sensitive information is at risk of being compromised and flight services interrupted. GAO summarized this study, along with the preceding report (GAO/AIMD-98-145), in testimony before Congress; see: Information Security: Serious Weaknesses Put State Department and FAA Operations at Risk, by Gene L. Dodaro, Assistant Comptroller General for Accounting and Information Management Issues, before the Senate Committee on Governmental Affairs. GAO/T-AIMD-98-170, May 19 (14 pages).

GAO noted that: (1) FAA is ineffective in all critical areas included in GAO's computer security review--facilities physical security, operational systems information security, future systems modernization security, and management structure and policy implementation; (2) in the physical security area, known weaknesses exist at many ATC facilities; (3) FAA is similarly ineffective in managing systems security for its operational systems and is in violation of its own policy; (4) an October 1996 information systems security assessment concluded that FAA had performed the necessary analysis to determine system threats, vulnerabilities, and safeguards for only 3 of 90 operational ATC computer systems, or less than 4 percent; (5) FAA officials told GAO that this assessment is an accurate depiction of the current state of operational systems security; (6) according to the team that maintains FAA's telecommunications networks, only one of the nine operational ATC telecommunications networks has been analyzed; (7) without knowing the specific vulnerabilities of its ATC systems, FAA cannot adequately protect them; (8) FAA is also not effectively managing systems security for future ATC modernization systems; (9) it does not consistently include well-formulated security requirements in specifications for all new ATC modernization systems, as required by FAA policy; (10) it does not have a well-defined security architecture, a concept of operations, or security standards, all of which are needed to define and ensure adequate security throughout the ATC network; (11) FAA's management structure and implementation of policy for ATC computer security are not effective; (12) security responsibilities are distributed among three organizations, all of which have been remiss in their ATC security duties; (13) the Office of Civil Aviation Security is responsible for developing and enforcing security policy, the Office of Air Traffic Services is responsible for implementing security policy for operational ATC systems, and the Office of Research and Acquisitions is responsible for implementing policy for ATC systems that are being developed; (14) the Office of Civil Aviation Security has not adequately enforced FAA's policies that require the assessment of physical security controls at all ATC facilities and of vulnerabilities, threats, and safeguards for all operational ATC computer systems; and (15) the Office of Research and Acquisitions has not implemented the FAA policy that requires it to formulate requirements for security in specifications for all new ATC modernization systems.

Recommendations

Our recommendations from this work are listed below with a contact for more information. Status will change from "In process" to "Open," "Closed - implemented," or "Closed - not implemented" based on our follow-up work.

The Justia Government Accountability Office site republishes public reports retrieved from the U.S. GAO. These reports should not be considered official, and do not necessarily reflect the views of Justia.