Federal Information Processing Standards (FIPS) Publication 199, Standards for Security Categorization of Federal Information and Information Systems, defines three potential impact levels (low, moderate, and high) for the effect on organizations or individuals when a security breach of an information system causes a loss of confidentiality, integrity, or availability. A loss in a system categorized as high impact is expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.
In August 2017, the Federal Aviation Administration (FAA) informed program managers in its Air Traffic Organization (ATO) that it was re-categorizing 61 ATO systems from low or moderate impact to high. In January 2018, many system owners appealed the re-categorizations to an FAA-convened adjudication board. After the completion of the appeal process, 50 of the 61 systems had been re-categorized as high impact.
Due to the importance of ATO’s information systems to the security of air traffic control and traveler safety, we are initiating this audit. Our audit objectives will be to assess (1) FAA’s information system categorization process and (2) the security controls that FAA has selected for its systems recently re-categorized as high impact.