Audit Reports

-A A +A

Opportunities Exist To Further Strengthen the Security Controls of FAA’s Data Communications Program

Project ID: 
What We Looked At
Part of the Federal Aviation Administration’s (FAA) efforts to modernize and increase the efficiency of the Nation’s aging air traffic system, Data Communications (DataComm) will play an important role in air traffic controller to flight crew communication. Thus, it is critical that FAA incorporate sufficient controls to protect against potential security threats to that communication, including an effective contingency plan to ensure a quick recovery from losses of DataComm availability. Accordingly, we initiated this audit to determine whether (1) FAA is identifying and properly mitigating security risks and (2) FAA’s contingency plan is sufficient to limit the effects of DataComm availability losses. We focused on two DataComm systems during our review—the Data Communications Network Service (DCNS) and Tower Data Link Services (TDLS).
What We Found
FAA is identifying—but is not mitigating—security risks in a timely manner. Specifically, two high-impact plans of action and milestones (POA&M) were scheduled to be completed in October 2017. However, as of May 10, 2018, FAA had not mitigated the two security control vulnerabilities. An Agency official stated that FAA is working with a vendor to complete the first POA&M by December 31, 2018, and the second POA&M by March 31, 2019. FAA’s contingency plans for DCNS and TDLS are sufficient to limit the effects of DataComm unavailability.
This report is marked For Official Use Only to protect sensitive information exempt from public disclosure under the Freedom of Information Act, 5 U.S.C. § 552. Accordingly, a redacted version of the report is posted on our website.
Our Recommendation
FAA concurred with our one recommendation to improve DataComm security controls.




No. 1 to FAA

Update and remediate the completion dates in the plans of action and milestones for SI-02.A and CM07.A.2 to ensure that the confidentiality, integrity, and availability of the system are not at risk.