September 2, 2020
Requested by the House Committee on Transportation and Infrastructure
FAA and Its Partner Agencies Have Begun Work on the Aviation Cyber Initiative and Are Implementing Priorities
What We Looked At
FAA oversees the safety of civil aviation through a complex network of information systems at air traffic control facilities. Cyber-based threats are rapidly evolving and may put air traffic control systems at risk for compromise. The FAA Extension, Safety, and Security Act of 2016 directs FAA to develop a comprehensive, strategic framework to reduce cybersecurity risks to civil aviation. Part of FAA’s efforts to implement this framework involves coordination and collaboration on aviation cybersecurity with the Departments of Homeland Security (DHS) and Defense (DOD) through the Aviation Cyber Initiative (ACI). The former Chairman of the House Committee on Transportation and Infrastructure requested that we examine FAA’s roles, responsibilities, and actions as an ACI member. Specifically, we assessed ACI’s progress in achieving its mission.
What We Found
For 3 years, FAA and its ACI partners have been providing regular updates to Federal agencies on their work, and are collaborating with Federal and aviation industry cybersecurity stakeholders. In May 2019, the Secretaries of DHS, DOD, and the Department of Transportation (DOT) finalized the approval of a charter that outlines ACI’s objectives. As DOT’s representative, FAA is an ACI co-chair with DHS and DOD. The co-chairs report to an Executive Committee of senior Agency executives. At the first ACI Executive Committee meeting in May 2019, 10 priorities were set for 2019 and 2020. ACI has implemented three of these priorities and they are on-going. ACI has also initiated work on the remaining seven. However, ACI has not developed mechanisms to monitor and evaluate results for meeting milestones and timetables for its priorities. ACI lacks an integrated budget and dedicated resources. As a result, FAA and its ACI partners face challenges in achieving its priorities; these challenges could inhibit FAA’s ability to develop a comprehensive and strategic framework for cybersecurity.
To enhance FAA’s progress in achieving ACI’s mission, we made one recommendation. FAA concurred with our recommendation.