FAA manages air traffic control operations through a complex network of information systems and air traffic control facilities. Cyber-based threats are rapidly evolving and could threaten the connectivity of this complex aviation infrastructure. In 2016, Congress passed the FAA Extension, Safety, and Security Act. Section 2111 of the act establishes requirements for FAA to enhance cybersecurity. The Chairmen and Ranking Members of the House Committee on Transportation and Infrastructure and the Subcommittee on Aviation requested that we assess FAA’s progress in addressing section 2111’s requirements.
What We Found
As required by section 2111, FAA has completed a cybersecurity strategic plan, coordinated with other Federal agencies to identify cyber vulnerabilities, and developed a cyber threat model and cyber research and development plan. However, the Agency has not completed a comprehensive, strategic policy framework to identify and mitigate cybersecurity risks. For example, the Agency has not established target dates to complete implementation of recommendations from its working group established to recommend cybersecurity rulemaking and policies for aircraft systems. Furthermore, while FAA is applying its cyber threat model across the National Airspace System, mission support, and research and development areas, it has not established target dates for full model implementation. Finally, as outlined in its cybersecurity research and development plan, FAA anticipates increased investments in research areas, but has not completed decisions on its research and development priorities in upcoming fiscal years.
FAA concurred with all three of our recommendations and proposed appropriate actions and completion dates.
Closed on 10.28.2019
No. 1 to FAA
Develop a plan with target dates to address the Working Group's four deferred recommendations to enhance aircraft systems cybersecurity.
Closed on 12.11.2019
No. 2 to FAA
Develop a plan with target dates to finalize the application of CyRM to the mission support and research and development areas, and determine when full application of CyRM will occur.
Closed on 02.10.2020
No. 3 to FAA
Establish priorities for FAA-led research and development activities and incorporate these priorities into the budget process.