The Federal Aviation Administration (FAA) oversees the safety of civil aviation by managing our Nation's air traffic system through a network of information systems and air traffic control facilities. Cyber-based threats from both internal and external sources are rapidly evolving, while FAA’s air traffic control system becomes more interconnected as the Agency introduces a range of new communication, navigation, and surveillance capabilities.
In December 2018, the Chairman of the U. S. House Committee on Transportation and Infrastructure requested that we initiate an audit focusing on the activities of the Aviation Cybersecurity Initiative (ACI) and FAA’s role and responsibilities as a member. ACI is an interagency task force made up of FAA and the Departments of Homeland Security and Defense. The Agencies work together to identify and mitigate cybersecurity vulnerabilities in systems affecting the aviation industry and the public. Furthermore, Section 2111 of the FAA Extension, Safety, and Security Act of 2016 directed FAA to develop a comprehensive and strategic framework of principles and policies to reduce cybersecurity risks to the air traffic system.
Accordingly, our audit objective is to examine FAA’s roles, responsibilities, and actions as an ACI member, especially those that pertain to its authority over civil aviation and air traffic management.