FAA’s Civil Aviation Registry Lacks Information Needed for Aviation Safety and Security Measures
On June 27, 2013, we issued our final report on Federal Aviation Administration’s (FAA) Civil Aviation Registry Lacks Information Needed for Aviation Safety and Security Measures. Our objectives were to determine whether (1) aircraft registrations and pilot certifications include the information needed for FAA to ensure aviation safety, (2) security controls keep the Registry secure from unauthorized access, and (3) contingency plans are sufficient to recover the Registry system in the event of an emergency. We determined whether aircraft registrations and pilot certifications include the information needed for FAA to ensure aviation safety, and assessed the security controls and contingency plans that keep the Registry secure from unauthorized access and recoverable in the event of an emergency. We found that FAA lacks the information it needs on the identity of non-citizen aircraft owners and complete information on pilot certifications. We also found that FAA has not implemented the necessary security controls over the Registry’s configuration and account management, and that its recovery plan does not meet the Department requirements to ensure the system is recoverable after a disaster or other event. We made several recommendations for further action, including developing procedures, policy or regulations necessary to improve the integrity of aircraft and airman data, and implementing controls required by the Federal Information Security Management Act and Department of Transportation policy to improve both its security posture and contingency plans to recover the system.