Audit Reports


FAA Has Made Progress But Additional Actions Remain To Implement Congressionally Mandated Cyber Initiatives

Requested by the Committee on Transportation and Infrastructure, U.S. House of Representatives
Project ID: AV2019021
What We Looked At
FAA manages air traffic control operations through a complex network of information systems and air traffic control facilities. Cyber-based threats are rapidly evolving and could threaten the connectivity of this complex aviation infrastructure. In 2016, Congress passed the FAA Extension, Safety, and Security Act. Section 2111 of the act establishes requirements for FAA to enhance cybersecurity. The Chairmen and Ranking Members of the House Committee on Transportation and Infrastructure and the Subcommittee on Aviation requested that we assess FAA’s progress in addressing section 2111’s requirements.
 
What We Found
As required by section 2111, FAA has completed a cybersecurity strategic plan, coordinated with other Federal agencies to identify cyber vulnerabilities, and developed a cyber threat model and cyber research and development plan. However, the Agency has not completed a comprehensive, strategic policy framework to identify and mitigate cybersecurity risks. For example, the Agency has not established target dates to complete implementation of recommendations from its working group established to recommend cybersecurity rulemaking and policies for aircraft systems. Furthermore, while FAA is applying its cyber threat model across the National Airspace System, mission support, and research and development areas, it has not established target dates for full model implementation. Finally, as outlined in its cybersecurity research and development plan, FAA anticipates increased investments in research areas, but has not completed decisions on its research and development priorities in upcoming fiscal years.
 
Recommendations
FAA concurred with all three of our recommendations and proposed appropriate actions and completion dates.

Recommendations

Open

Closed

Closed on 10.28.2019
No. 1 to FAA

Develop a plan with target dates to address the Working Group's four deferred recommendations to enhance aircraft systems cybersecurity.

No. 2 to FAA

Develop a plan with target dates to finalize the application of CyRM to the mission support and research and development areas, and determine when full application of CyRM will occur.

No. 3 to FAA

Establish priorities for FAA-led research and development activities and incorporate these priorities into the budget process.