Audit Reports

Date

FAA’s Civil Aviation Registry Lacks Information Needed for Aviation Safety and Security Measures

Requested By
Self-Initiated
Project ID
FI2013101

On June 27, 2013, we issued our final report, FAA’s Civil Aviation Registry Lacks Information Needed for Aviation Safety and Security Measures. Our objectives were to determine whether (1) aircraft registrations and pilot certifications include the information needed for the Federal Aviation Administration (FAA) to ensure aviation safety, (2) security controls keep the Registry secure from unauthorized access, and (3) contingency plans are sufficient to recover the Registry system in the event of an emergency.

We found that FAA lacks the information it needs on the identity of non-citizen aircraft owners and lacks complete information on pilot certifications. We also found that FAA has not implemented the necessary security controls over the Registry’s configuration and account management, and that its recovery plan does not meet Department requirements to ensure the system is recoverable after a disaster or other event.

We made several recommendations for further action, including developing the procedures, policy, or regulations necessary to improve the integrity of aircraft and airman data, and implementing the controls required by the Federal Information Security Management Act and Department of Transportation policy to improve both FAA’s security posture and its contingency plans to recover the system.

Recommendations

Closed on
No. 1 to FAA
Develop procedures for periodic reassessments of aircraft and airman data to improve and maintain data integrity.
Closed on
No. 2 to FAA
Issue policy or regulations that clarify informational requirements for registration of aircraft owned by trusts for non-citizens.
Closed on
No. 3 to FAA
Develop procedures to ensure that airman addresses are kept current.
Closed on
No. 4 to FAA
Implement the provisions of the Intelligence Reform and Terrorism Prevention Act for pilot certifications.
Closed on
No. 5 to FAA
Implement access monitoring, user accounts, and multi-factor authentication for the Registry.
Closed on
No. 6 to FAA
Encrypt PII and mitigate the vulnerabilities on Registry computers. If controls cannot be implemented immediately, then remove all PII or take other actions as appropriate, such as suspending the system's operation in accordance with FAA Order 1280.1B.
Closed on
No. 7 to FAA
Ensure that the FAA contractor's computers and other third-party systems comply with information security controls required by FISMA and DOT policy.
Closed on
No. 8 to FAA
Mitigate contingency planning weaknesses by selecting an alternative processing site and periodically conducting comprehensive contingency tests at the alternate site in accordance with DOT policy.