August 2, 2021
FAA Is Taking Steps to Properly Categorize High-Impact Information Systems but Security Risks Remain Until High Security Controls Are Implemented
What We Looked At
As the Federal Aviation Administration’s (FAA) operational arm, the Air Traffic Organization (ATO) is responsible for providing safe and efficient air navigation services in U.S. controlled airspace. ATO provides air navigation services in over 17 percent of the world’s airspace, including large portions of international airspace over the Atlantic and Pacific Oceans and the Gulf of Mexico. Until recently, FAA ATO had never applied the high-impact security categorization rating to any of its information systems. Although many of these systems provide safety-critical services, and their failure would have a high adverse impact on FAA’s mission and on the safety and efficiency of the National Airspace System (NAS), FAA categorized all of them as low or moderate. Given the importance of ATO’s information systems to air traffic control security and traveler safety, we initiated this audit. Our audit objectives were to assess (1) FAA’s information system categorization process and (2) the security controls that FAA has selected for the systems it recently re-categorized as high impact.
What We Found
FAA is beginning to properly categorize its high-impact systems but gaps remain in its security categorization process. In 2017, FAA officials realized they had been categorizing their systems incorrectly, and by December 2020, the Agency had re-categorized 45 ATO systems from low or moderate impact to high impact. However, because FAA used an outdated NAS Requirement Document 2013 to identify its high-impact systems, the Agency may not be identifying all the systems in the NAS that provide safety-critical and efficiency-critical services that it needs to re-categorize as high-impact systems. In addition, FAA lacks formalized policies and procedures for selecting and implementing high security controls for its high-impact systems and continues to develop mitigations for security risks. For example, FAA has not completed a gap analysis for its 45 high-impact systems, which will be used to identify high security controls not implemented and assess any tailoring of these controls based on system operating environment and potential impact to operations. The gap analysis is also required by National Institute of Standards and Technology’s Federal standards and is essential for determining whether the organization’s security and privacy risks have been effectively managed. Finally, FAA has not yet mitigated the risk that the NAS could be vulnerable to threats as the Agency works to implement high security controls because it has not fully implemented enterprise security initiatives designed to protect NAS assets.
FAA concurred with all six of our recommendations to enhance FAA’s categorization process and to mitigate security risks until the Agency selects and implements high security controls for its re-categorized high-impact systems.
THE DEPARTMENT HAS DETERMINED THAT THIS REPORT CONTAINS SENSITIVE SECURITY INFORMATION (SSI) that is controlled under 49 CFR parts 15 and 1520 to protect Sensitive Security Information exempt from public disclosure. For U.S. Government agencies, public disclosure is governed by 5 U.S.C. § 552 and 49 CFR parts 15 and 1520. This public version of the report has been redacted.