Audit Reports

Finalize implementation of MSS application security administration improvements to ensure only authorized medical staff has access to MSS, as identified by the FAA's Federal Air Surgeon in June 26, 2009, internal memorandum and report progress to the FAA Administrator.

Implement restrictions on AME access to inactive airman records based on a need to know.

Develop documentation detailing the intended controls regarding how users function within their assigned security roles, how the MSS application enforces both access control and segregation of duties, and the features of the application to assist security administration.

Encrypt sensitive airmen PII stored in MSS as well as MSS user passwords, and develop agreements as appropriate to ensure airmen PII provided to other systems is also encrypted.

Implement multifactor user authentication, as required by OMB, and the Department's Secure Remote Access capability for all MSS users with remote access to sensitive PII.

Require and validate that all AMEs and their staff participate in the DOT security and privacy awareness training, as well as sign the DOT Rules of Behavior.

Implement the audit and accountability recommendations received during the previous certification and accreditation process to help identify inappropriate access to sensitive PII (abuse of access privileges) and ensure data extract/query has been erased within 90 days from its creation date.

Develop edit checks on the integrity of airman application data when entered into MSS.

Mitigate the vulnerabilities identified by OIG on MSS computers that could allow unauthorized access and potentially jeopardize confidentiality, integrity, and availability of sensitive PII.

Configure MSS computer systems in compliance with applicable Government standards including ensuring vendor security updates are applied, the Web site locks the user account after three unsuccessful attempts, all passwords on the MSS database are in compliance with standards, and that the application will enforce a session lock after 15-minute inactivity for all users in accordance with OMB and DOT guidance.

Perform and document security testing as a continual part of the MSS development process to confirm that security features remain in effect and are still functioning properly when system changes are made.

Acquire a back-up server, finalize the Memorandum of Understanding with the selected alternate processing site, and conduct a comprehensive contingency test at the alternate site in accordance with Government standards.

Upgrade the database system to a version supported by the software vendor.

Develop back-up database administration capability in the event the primary Database Administrator is unavailable.

Work with SSA and other disability benefits providers to establish a target completion date for performing computer matching to identify airmen applying for, or holding, medical certificates and receiving disability benefits.