Audit Reports

-A A +A

FAA Is Not Remediating STARS Security Weaknesses in a Timely Manner and Contingency Planning Is Insufficient

Project ID: 

THE DEPARTMENT HAS DETERMINED THAT THIS REPORT CONTAINS SENSITIVE SECURITY INFORMATION (SSI) that is controlled under 49 CFR parts 15 and 1520 to protect Sensitive Security Information exempt from public disclosure. For U.S. Government agencies, public disclosure is governed by 5 U.S.C. 552 and 49 CFR parts 15 and 1520. A redacted version of the report has been posted here on our website.

What We Looked At
The Federal Aviation Administration (FAA) operates up to 172 Terminal Radar Approach Control (TRACON) facilities, which provide air traffic control services to pilots in the airspace immediately surrounding major airports. Currently, air traffic controllers use the Standard Terminal Automation Replacement System (STARS) to provide critical air traffic services at the 11 largest TRACONs, which handle about 33 percent of all TRACON traffic in the United States. Effective security controls and contingency plans at these 11 facilities are critical to maintaining the safety and security of the National Airspace System. Accordingly, we initiated this audit to (1) assess FAA’s identification and mitigation of security risks in STARS and (2) determine whether FAA’s contingency planning limits the effects caused by the loss of STARS operations at large TRACON facilities during emergencies.
What We Found
FAA is identifying STARS’ security risks but is not mitigating vulnerabilities in a timely manner. In March 2019, for example, FAA found vulnerabilities in 53 of 73 STARS security controls but did not meet its own schedule for remediating them. DOT policy requires timely remediation of vulnerabilities to reduce the risk that an attacker could gain unauthorized access to mission-critical systems. In addition, the Agency’s STARS incident response policy does not comply with Federal requirements, and we found security control weaknesses that could make it harder for the Agency to ensure the confidentiality, integrity, and availability of STARS. Finally, FAA’s contingency plans for three large TRACONS are not sufficient to maintain continuity of air traffic operations during unplanned outages, as Agency policy requires.
Our Recommendations
We made 11 recommendations and consider recommendations 1–9 and 11 resolved but open pending completion of FAA’s planned actions. In accordance with DOT Order 8000.1C, we have asked the Agency to provide additional information on its planned actions for recommendation 10 within 30 days of the date of this report.




No. 1 to FAA

Develop and implement a plan with a timeline that identifies when critical, high, and medium vulnerabilities in STARS will be mitigated and implemented at the 11 largest TRACON facilities and includes a patch management program to ensure that the security patches for all operating systems, software, and applications are up to date; and timeline when FAA will implement security-relevant software updates for critical, high, and medium vulnerabilities, in accordance with requirements.

No. 2 to FAA

Sensitive information redacted

No. 3 to FAA

Sensitive information redacted

Closed on 12.23.2021
No. 4 to FAA

Sensitive information redacted

No. 5 to FAA

Sensitive information redacted

No. 6 to FAA

Direct STARS officials to prioritize mitigation efforts to resolve the security weaknesses for the 27 security controls identified in this report; develop a Plan of Action and Milestones that realistically reflects resources and timeframes for the completion of these actions; and report on these actions in the Department's Cybersecurity Assessment and Management monitoring system.

No. 7 to FAA

Update the STARS incident response policy to include the missing elements from the National Institute of Standards and Technology.

No. 8 to FAA

Sensitive information redacted

No. 9 to FAA

Develop and implement an internal control that ensures that Agency staff follow requirements for access control in accordance with the STARS Security Handbook.

No. 10 to FAA

Sensitive information redacted

No. 11 to FAA

Sensitive information redacted