
A new federal audit has found that the Federal Aviation Administration (FAA) is falling short in securing some of the nation’s 45 most critical aviation systems, raising concerns about potential vulnerabilities in the infrastructure that supports U.S. air travel.
The Department of Transportation Office of Inspector General (OIG) report, issued last week, said 15 of the 45 FAA systems are still aligned to outdated National Institute of Standards and Technology (NIST) standards, and that FAA had not fully implemented 1,836 of 16,245 required security controls – 11.3% of the total.
The OIG explained those 45 systems provide safety-critical services and are now subject to stricter security requirements, including controls tied to penetration testing, supply chain protection, and access management.
Without fixes, “FAA cannot ensure required safeguards are in place to protect the systems from being compromised, which may cause a severe impact on the NAS [National Airspace System] and the flying public,” the OIG said.
The report said that FAA has made some progress in selecting and implementing required controls, but significant gaps remain in execution and documentation. According to the OIG, some high-impact systems still have missing baseline security controls, and 38 of the 45 systems – 84% – did not have updated documentation for required high-baseline controls.
In many cases, the OIG said controls were listed as planned or not implemented, or were missing from system records entirely.
“Selecting and implementing required high-security baseline controls such as penetration testing, supply chain protection, and other access controls is vital to securing NAS systems and mitigating cybersecurity risks,” the OIG said.
The FAA is also failing to fully track and mitigate vulnerabilities in the department’s official system of record, the OIG said. Instead, FAA has been using an internal tracking tool to document and manage vulnerabilities and then manually transferring that data into the department’s primary cybersecurity assessment and management system.
That manual process has caused reporting delays, the OIG said, adding that the FAA told auditors the problems stem from funding shortfalls, technical issues tied to legacy systems, and limited resources.
The OIG found that all systems supporting automation, communication, navigation, and weather capabilities had vulnerabilities that were not reported, tracked, and mitigated in the departmentwide system, while 14 of 17 surveillance systems had the same issue.
With incomplete tracking, the OIG said FAA is “not being fully transparent with the Department in identifying its vulnerabilities.”
FAA’s current system of documentation can also overstate cybersecurity readiness, the OIG said.
Auditors said some controls were marked as implemented even when they did not satisfy the requirements, which left officials without reliable information on how safeguards were actually operating.
“Lack of transparency increases the risk that FAA and the Department may not be able to identify common threats and vulnerabilities,” the OIG said.
The OIG urged the FAA to fully implement required security controls, update outdated system records, shift vulnerability tracking to the official federal system, and accurately document and fix known cybersecurity weaknesses.
According to the report, the FAA concurred with all four recommendations.