Audit Reports


FAA’s Civil Aviation Registry Lacks Information Needed for Aviation Safety and Security Measures

Self-Initiated
Project ID: FI2013101

On June 27, 2013, we issued our final report on the Federal Aviation Administration’s (FAA) Civil Aviation Registry, titled “FAA’s Civil Aviation Registry Lacks Information Needed for Aviation Safety and Security Measures.” Our objectives were to determine whether (1) aircraft registrations and pilot certifications include the information needed for FAA to ensure aviation safety, (2) security controls keep the Registry secure from unauthorized access, and (3) contingency plans are sufficient to recover the Registry system in the event of an emergency. We determined whether aircraft registrations and pilot certifications include the information needed for FAA to ensure aviation safety, and assessed the security controls and contingency plans that keep the Registry secure from unauthorized access and recoverable in the event of an emergency. We found that FAA lacks the information it needs on the identity of non-citizen aircraft owners and complete information on pilot certifications. We also found that FAA has not implemented the necessary security controls over the Registry’s configuration and account management, and that its recovery plan does not meet the Department’s requirements to ensure the system is recoverable after a disaster or other event. We made several recommendations for further action, including developing the procedures, policy, or regulations necessary to improve the integrity of aircraft and airman data, and implementing the controls required by the Federal Information Security Management Act and Department of Transportation policy to improve both the Registry’s security posture and the contingency plans to recover the system.

Recommendations

Closed on 03.17.2017
No. 1 to FAA

Develop procedures for periodic reassessments of aircraft and airman data to improve and maintain data integrity.

Closed on 08.18.2015
No. 2 to FAA

Issue policy or regulations that clarify informational requirements for registration of aircraft owned by trusts for non-citizens.

Closed on 03.17.2017
No. 3 to FAA

Develop procedures to ensure that airman addresses are kept current.

No. 4 to FAA

Implement the provisions of the Intelligence Reform and Terrorism Prevention Act for pilot certifications.

Closed on 09.28.2018
No. 5 to FAA

Implement access monitoring, user accounts, and multi-factor authentication for the Registry.

No. 6 to FAA

Encrypt PII and mitigate the vulnerabilities on Registry computers. If controls cannot be implemented immediately, then remove all PII or take other actions as appropriate, such as suspending the system's operation in accordance with FAA Order 1280.1B.

Closed on 03.20.2017
No. 7 to FAA

Ensure that the FAA contractor's computers and other third-party systems comply with information security controls required by FISMA and DOT policy.

Closed on 07.30.2019
No. 8 to FAA

Mitigate contingency planning weaknesses by selecting an alternative processing site and periodically conducting comprehensive contingency tests at the alternate site in accordance with DOT policy.