Information Security and Privacy Controls Over the Airmen Medical Support Systems

Project ID
FI2010069
On June 18, 2010, we issued our final report on the Information Security and Privacy Controls over the Airmen Medical Support Systems (MSS). For the report, we determined whether airmen's personally identifiable information (PII) is properly secured from unauthorized use or access, and we assessed FAA's progress in establishing mechanisms to identify airmen who hold current medical certificates while receiving disability pay.

We found that airmen's PII was not properly secured against unauthorized access because of serious security lapses in FAA's management of user access to the system, and that only limited progress had been made in identifying airmen who receive disability benefits while holding medical certificates. FAA has begun to take action to fix the weaknesses identified in this report in order to provide greater assurance that sensitive information is protected from misuse and that airmen holding medical certificates are fit to fly.

This review was requested by the Chairmen of the House Committee on Transportation and Infrastructure and its Subcommittee on Aviation. 

Recommendations

No. 1 to FAA (closed): Finalize implementation of MSS application security administration improvements to ensure only authorized medical staff have access to MSS, as identified by the FAA's Federal Air Surgeon in a June 26, 2009, internal memorandum, and report progress to the FAA Administrator.

No. 2 to FAA (closed): Implement restrictions on AME access to inactive airman records based on a need to know.

No. 3 to FAA (closed): Develop documentation detailing the intended controls regarding how users function within their assigned security roles, how the MSS application enforces both access control and segregation of duties, and the features of the application that assist security administration.

No. 4 to FAA (closed): Encrypt sensitive airmen PII stored in MSS as well as MSS user passwords, and develop agreements as appropriate to ensure airmen PII provided to other systems is also encrypted.

No. 5 to FAA (closed): Implement multifactor user authentication, as required by OMB, and the Department's Secure Remote Access capability for all MSS users with remote access to sensitive PII.

No. 6 to FAA (closed): Require and validate that all AMEs and their staff participate in the DOT security and privacy awareness training and sign the DOT Rules of Behavior.

No. 7 to FAA (closed): Implement the audit and accountability recommendations received during the previous certification and accreditation process to help identify inappropriate access to sensitive PII (abuse of access privileges), and ensure that data extracts/queries are erased within 90 days of their creation date.

No. 8 to FAA (closed): Develop edit checks on the integrity of airman application data when it is entered into MSS.

No. 9 to FAA (closed): Mitigate the vulnerabilities identified by OIG on MSS computers that could allow unauthorized access and potentially jeopardize the confidentiality, integrity, and availability of sensitive PII.

No. 10 to FAA (closed): Configure MSS computer systems in compliance with applicable Government standards, including ensuring that vendor security updates are applied, that the Web site locks the user account after three unsuccessful login attempts, that all passwords on the MSS database comply with standards, and that the application enforces a session lock after 15 minutes of inactivity for all users, in accordance with OMB and DOT guidance.

No. 11 to FAA (closed): Perform and document security testing as a continual part of the MSS development process to confirm that security features remain in effect and are still functioning properly when system changes are made.

No. 12 to FAA (closed): Acquire a back-up server, finalize the Memorandum of Understanding with the selected alternate processing site, and conduct a comprehensive contingency test at the alternate site in accordance with Government standards.

No. 13 to FAA (closed): Upgrade the database system to a version supported by the software vendor.

No. 14 to FAA (closed): Develop back-up database administration capability in the event the primary Database Administrator is unavailable.

No. 15 to FAA (closed): Work with SSA and other disability benefits providers to establish a target completion date for performing computer matching to identify airmen applying for, or holding, medical certificates while receiving disability benefits.