FAA Computer Security

Actions Needed to Address Critical Weaknesses That Jeopardize Aviation Operations

GAO ID: T-AIMD-00-330
September 27, 2000

In the area of personnel security, the Federal Aviation Administration (FAA) appears to perform appropriate background searches for federal employees, but many top secret reinvestigations of senior personnel are past due--some by more than five years. FAA also has yet to complete background searches on thousands of contractor employees. As to facilities' physical security, FAA has identified significant weaknesses, and air traffic control (ATC) facilities have yet to be assessed and accredited as secure. FAA does not know how vulnerable the majority of its operational ATC systems are and cannot adequately protect them until it performs the appropriate risk assessments and addresses identified weaknesses. Although FAA has established an information systems security management structure, it still lacks a comprehensive security program. FAA's efforts to ensure service continuity are limited, and it has not yet fully implemented an intrusion detection capability that will allow it to quickly detect and respond to malicious intrusions.

GAO noted that: (1) FAA's agencywide computer security program has serious and pervasive problems; (2) in the area of personnel security, FAA appears to perform appropriate background searches for federal employees, but many Top Secret reinvestigations of senior personnel are past due--some by over 5 years; (3) FAA is also working to complete background searches on thousands of its contractor employees, but much work remains to be done; (4) in the area of facilities' physical security, FAA is making progress in assessing its facilities, but FAA has identified significant weaknesses, and numerous air traffic control (ATC) facilities have yet to be assessed and accredited as secure, in compliance with FAA's policy; (5) FAA does not know how vulnerable the majority of its operational ATC systems are and cannot adequately protect them until it performs the appropriate risk assessments and addresses identified weaknesses; (6) further, FAA has not always acted quickly to implement corrective actions for the systems that have undergone risk assessments and penetration testing; (7) FAA has established an information systems security management structure, but does not yet have a comprehensive security program in place; (8) FAA's efforts to ensure service continuity are limited; and (9) FAA has not yet fully implemented an intrusion detection capability that will enable it to quickly detect and respond to malicious intrusions.



The Justia Government Accountability Office site republishes public reports retrieved from the U.S. GAO. These reports should not be considered official, and do not necessarily reflect the views of Justia.