FAA Computer Security

This report is part of a continuing assessment of FAA's overall computer security program. FAA has a history of computer security weaknesses, including physical security management at facilities that house air traffic control systems, systems security for both operational and future systems, implementation of security policies, and personnel security. Although FAA is addressing these weaknesses, its progress has been slow in key areas. Specifically, the agency has not yet completed accrediting its facilities and systems as secure and has not yet completed background checks on thousands of contractors actively working on FAA contracts. Until it does so, the agency will remain vulnerable to intrusions and malicious attacks on its facilities, information, and resources.

GAO noted that: (1) FAA has a history of computer security weaknesses in a number of areas, including its physical security management at facilities that house air traffic control systems, systems security for both operational and future systems, management structure for implementing security policies, and personnel security; (2) over the last 3 years, GAO made 22 recommendations to FAA to address these security weaknesses; (3) while FAA is working to address computer security weaknesses, its progress has been slow in key areas; (4) GAO's ongoing work is finding that FAA still has much to do in the areas of physical, systems, and personnel security; (5) specifically, the agency has not yet completed efforts to accredit its facilities and systems as secure, and has not yet completed background checks on thousands of contractors actively working on FAA contracts; and (6) until it does so, the agency will continue to have undue exposure to intrusions and malicious attacks on its facilities, information, and resources.