Audit Reports

-A A +A
skip-to-content

FAA Lacks Sufficient Security Controls and Contingency Planning for Its DroneZone System

Self-initiated
Project ID: 
IT2020027
What We Looked At
In 2012, Congress directed the Federal Aviation Administration (FAA) to develop a plan for the safe integration of unmanned aircraft systems (UAS)—also known as drones—into the National Airspace System. As part of its integration and oversight of UAS, FAA compiles data in its UAS registration service—known as FAA DroneZone—as well as in its Low Altitude Authorization and Notification Capability (LAANC), an automated system that authorizes registered UAS users to fly their drones near airports. Both DroneZone and LAANC are cloud-based systems that contain sensitive data provided by the general public, including personally identifiable information (PII). We initiated this audit to determine whether FAA’s UAS registration system has the proper security controls and recovery procedures in place. Our audit objectives were to (1) assess the effectiveness of FAA’s UAS registration system security controls, including controls to protect PII, and (2) determine whether FAA’s contingency planning limits the effects caused by the loss of DroneZone during disruptions of service.
 
What We Found
FAA has not effectively ensured that DroneZone and LAANC have adequate security—including privacy—controls. For example, FAA has continued to authorize DroneZone operations without conducting a comprehensive assessment of its security controls since it first began to operate the system in 2015. In addition, FAA’s inadequate monitoring of security controls and use of unauthorized cloud systems increases the risk of the systems being compromised. Furthermore, FAA could not demonstrate that 24 of 26 privacy controls were assessed to protect 1.5 million DroneZone users’ PII. We also found that FAA’s contingency planning does not adequately limit the effects caused by a potential disruption of services. Finally, FAA does not have sufficient controls for handling backups and off-site storage to ensure continuous operations and maintain data availability.
 
Our Recommendations
FAA concurred with all 13 of our recommendations to improve the security of the DroneZone and LAANC systems and privacy of user information.

Recommendations

Open

Closed

No. 1 to FAA

Perform a comprehensive assessment of DroneZone and LAANC's security controls that at a minimum provides the correct implementation status for system specific, common, and hybrid controls, and issue a new Authorization to Operate decision for DroneZone and its interconnected system LAANC.

No. 2 to FAA

Update the security assessment documents for DroneZone and LAANC to reflect the results of all security controls (e.g., common, hybrid, and system-specific) for selection, implementation, and assessing, per DOT requirements.

No. 3 to FAA

Establish and implement controls for monitoring, updating, and remediating open security weaknesses as well as the accepted risk in DOT repository for managing security weaknesses, per the DOT Security Weakness Management Guide.

No. 4 to FAA

Implement procedures to validate that Security Officials responsible for DroneZone and LAANC are trained on NIST and DOT policy for assessing security controls, and require them to follow the guidance.

No. 5 to FAA

Develop Standard Operating Procedures for the use of common and hybrid controls to include at a minimum: a.) System owners must review the cloud provider Control Implementation Summary report to verify and document what controls are the customer's versus the cloud provider's. b.) System owners must review monthly cloud provider POA&Ms and develop a risk mitigation strategy or compensating controls to address any identified vulnerabilities that may impact its system cybersecurity posture. c.) System owners must coordinate with FAA common/hybrid control providers to verify the controls' actual implementation status and document them accurately in the appropriate security document.

No. 6 to FAA

Verify and validate that all external information systems providing cloud services to DroneZone and LAANC are FedRAMP-authorized; if not, obtain a departmental waiver approving their use.

No. 7 to FAA

Develop and implement a process clearly defining how privacy controls are identified, assessed, and documented, and work with the departmental Chief Privacy Officer in developing and implementing the process.

No. 8 to FAA

Complete modification to LAANC Memorandums of Agreement with UAS Service Suppliers to enhance data security and transparency and direct the Authorizing Official to verify and validate that all UAS Service Suppliers are adhering to security requirements outlined in the Memorandum of Agreement.

No. 9 to FAA

Develop and implement a process for testing DroneZone information systems for contingency planning, to include business impact analysis continuity of operations plans, business continuity plans, disaster recovery plans, and Information System Contingency Planning (ISCP).

No. 10 to FAA

Develop a process to annually document FAA security officials communicating all contingency planning development, planning, and recovery activities to all stakeholders and executive management prior to authorizing officials making risk-based decisions.

No. 11 to FAA

Complete an appropriate ISCP test for DroneZone with its contractor and cloud service provider to ensure the ISCP strategies can be implemented successfully.

No. 12 to FAA

Provide and verify that the required DroneZone personnel listed in the ISCP receive annual contingency planning training.

No. 13 to FAA

Develop, test and implement an alternative back-up solution verifying that DroneZone data can be backed-up and available to transport to alternate sites in the event the cloud service provider availability zone is unavailable