May 31, 2017
Requested by the Senate Committee on Commerce, Science, and Transportation
FAA’s Security Controls Are Insufficient for Its En Route Automation Modernization Program
The Federal Aviation Administration’s (FAA) En Route Automation Modernization (ERAM) program modernized how air traffic controllers manage high-altitude traffic by replacing aging hardware and software at FAA’s Air Route Traffic Control Centers nationwide. Although FAA completed deployment of ERAM in March 2015, recent system failures have raised questions about the reliability and security of the system. These ERAM software failures prompted the Senate Committee on Commerce, Science, and Transportation to request that we update our prior cybersecurity work on ERAM. Our audit objectives were to determine (1) whether FAA has effectively implemented security controls to address weaknesses identified during our prior review of ERAM and (2) what other weaknesses, if any, have developed.
FAA concurred with seven of our eight recommendations to enhance the security of ERAM systems and acknowledged that the Agency is continuing its efforts to improve ERAM’s security controls. FAA plans to complete implementation of all but one of our recommended cybersecurity and contingency planning improvements by November 30, 2017, and the other by September 30, 2020, to coincide with ERAM technical refresh activities.
THE DEPARTMENT HAS DETERMINED THAT THIS REPORT CONTAINS SENSITIVE SECURITY INFORMATION (SSI) that is controlled under 49 CFR parts 15 and 1520 to protect Sensitive Security Information exempt from public disclosure. For U.S. Government agencies, public disclosure is governed by 5 U.S.C. 552 and 49 CFR parts 15 and 1520. If you have further questions, please contact our Freedom of Information Act Office.