Information Security and Privacy Controls Over the Airmen Medical Support Systems

Project ID: FI2010069

On June 18, 2010, we issued our final report on the Information Security and Privacy Controls Over the Airmen Medical Support Systems. For the report, we determined whether airmen's personally identifiable information (PII) is properly secured from unauthorized use or access, and we assessed FAA's progress in establishing mechanisms to identify airmen who hold current medical certificates while receiving disability pay.

We found that airmen's PII was not properly secured against unauthorized access, due to serious security lapses in FAA's management of user access to the system, and that only limited progress has been made in identifying airmen who receive disability benefits while holding medical certificates. FAA has begun to take action to fix the weaknesses identified in this report in order to provide greater assurance that sensitive information is protected from misuse and that airmen holding medical certificates are fit to fly.

This review was requested by the Chairmen of the House Committee on Transportation and Infrastructure and its Subcommittee on Aviation. 

Recommendations

Closed on 08.28.2013
No. 1 to FAA

Finalize implementation of the MSS application security administration improvements identified in the FAA Federal Air Surgeon's June 26, 2009, internal memorandum, to ensure that only authorized medical staff have access to MSS, and report progress to the FAA Administrator.

Closed on 03.17.2017
No. 2 to FAA

Implement restrictions on AME access to inactive airman records based on a need to know.

Closed on 10.24.2012
No. 3 to FAA

Develop documentation detailing the intended controls regarding how users function within their assigned security roles, how the MSS application enforces both access control and segregation of duties, and the features of the application to assist security administration.

Closed on 01.08.2016
No. 4 to FAA

Encrypt sensitive airmen PII stored in MSS as well as MSS user passwords, and develop agreements as appropriate to ensure airmen PII provided to other systems is also encrypted.

Closed on 03.02.2016
No. 5 to FAA

Implement multifactor user authentication, as required by OMB, and the Department's Secure Remote Access capability for all MSS users with remote access to sensitive PII.

Closed on 03.17.2017
No. 6 to FAA

Require and validate that all AMEs and their staff participate in the DOT security and privacy awareness training, as well as sign the DOT Rules of Behavior.

Closed on 10.11.2017
No. 7 to FAA

Implement the audit and accountability recommendations received during the previous certification and accreditation process to help identify inappropriate access to sensitive PII (abuse of access privileges), and ensure that data extracts and query results are erased within 90 days of their creation date.

Closed on 10.24.2012
No. 8 to FAA

Develop edit checks on the integrity of airman application data when entered into MSS.

Closed on 01.07.2011
No. 9 to FAA

Mitigate the vulnerabilities identified by OIG on MSS computers that could allow unauthorized access and potentially jeopardize confidentiality, integrity, and availability of sensitive PII.

Closed on 01.08.2016
No. 10 to FAA

Configure MSS computer systems in compliance with applicable Government standards, including ensuring that vendor security updates are applied, that the Web site locks the user account after three unsuccessful attempts, that all passwords on the MSS database comply with standards, and that the application enforces a session lock after 15 minutes of inactivity for all users, in accordance with OMB and DOT guidance.

Closed on 12.06.2013
No. 11 to FAA

Perform and document security testing as a continual part of the MSS development process to confirm that security features remain in effect and are still functioning properly when system changes are made.

Closed on 07.08.2010
No. 12 to FAA

Acquire a back-up server, finalize the Memorandum of Understanding with the selected alternate processing site, and conduct a comprehensive contingency test at the alternate site in accordance with Government standards.

Closed on 07.08.2010
No. 13 to FAA

Upgrade the database system to a version supported by the software vendor.

Closed on 07.08.2010
No. 14 to FAA

Develop back-up database administration capability in the event the primary Database Administrator is unavailable.

Closed on 03.17.2017
No. 15 to FAA

Work with SSA and other disability benefits providers to establish a target completion date for performing computer matching to identify airmen applying for, or holding, medical certificates and receiving disability benefits.